Back in the late 90s/early 00s when I was a precocious teenager, I ran a somewhat popular website. At some point it made sense to just buy a 1U rack mountable server and have it colocated (commercial webhosting was expensive then). I couldn't find anyone to give me a ride to the datacenter, so I took a bus. By the time I got there my arms were numb from carrying the bloody thing.
There was a single security guard, I signed in and he gave me directions and a big keychain. The keys opened most of the rooms and most of the cages around the racks. To this day I remain mystified at the level of trust (or nonchalance) that security guard had in a spotty teenager.
Back in the early 2000s I had a job that required me to enter a certain phone company's datacenter. But, I couldn't, because I was a consultant and it was an employees-only area. I had permission to make changes to machines in a rack but they didn't allow me to enter. There was a guard who would check badges but who didn't really check if he recognized people, and there were some people who had to enter and leave multiple times in a day. Myself, I couldn't get permission to enter via the correct channels.
With my director's unofficial approval I was allowed to _try_ to enter the datacenter. So I just walked very confidently towards the entrance, nodded to the security guard like all of the regulars who didn't bother showing their badges, and he let me in.
Having run hosting companies from the mid 90s as well, from memory this kind of thing was pretty normal, even in allegedly secure places like London Telehouse.
Quite a few of us in that era were juggling it with being students, so it wouldn't surprise me if the security staff were used to it and expected you to look young enough to be their kid!
To this day I can get into pretty much any rack or room I feel like at datacenters everyone here has heard of. It just takes experience these days and a bit of charm. Plus having a million keys and staff rack combination codes doesn't hurt. These were freely given and simply added to my collection over time, nothing stolen or social engineered.
I've never done anything nefarious with these abilities, and no one I know has either. It's simply a matter of practicality when you staff a 150,000 square foot facility with 2 security guards who have no idea what they are doing.
If I (and many others) had wanted to, we could have caused multi-week/month outages you'd be reading about on the news with 5 minutes of effort. This is basically the status quo for any sensitive industry.
The world turns because 99.9999% of people want to give you a hug vs. hit you. Society falls when that ratio goes much lower.
That won't work everywhere. I've been to a datacenter in London around 2010 where the entry was similar to the automated airport passport booths. The doors would not open if you were not registered for a visit and there were no visible guards (I hope someone was around in case you got trapped...) I wanna say it was Telehouse West, but my memory is not great.
This is not my experience at all (frequently visiting datacenters for my job).
At the main entrance, anti-tailgating locks requiring an electronic badge + fingerprints are the norm. Once inside, electronic badges required at all doors and in the lifts to navigate in the building. Badge + fingerprint to enter server rooms.
Deliveries are only received under the supervision of a DC employee (or received directly by a DC employee) and must go through a lock to enter the building. No external person (delivery person or whatever) is allowed in (if somebody sneaks into the lock, the guard never opens the second door, obviously).
The biggest weakness imo (but still requires a bit of insider access, so it's not completely out in the open for anybody to exploit) is that the registration process for new access requests seems fairly weak security-wise.
It's usually a simple email from the client to the DC provider with the date of the intervention and the identity of the person. Will the DC provider notice if the access request is sent from a spoofed domain? or from a legitimate domain but by another person than the one who's accredited to issue access requests? Will they notice if the person who shows up for the intervention has a fake ID?