Never heard of a story where physical security at any cloud provider has been a problem. Are you worried about governments, or employees, or someone breaking in?
When I worked at AWS they were insanely hardcore about mandating physical access controls, that is all I’ll say, even to the point of ridiculousness. For all the things AWS does poorly, security is not one of them.
If I were to guess, CF is locating their PoPs at cheap peering points and the reason they are evading the question is because other customers in the facility have physical access to their equipment, which is both an expensive problem to solve and something that is not even remotely allowed at a real cloud provider.
Even your cheapest of colos offer locked cage areas. For someone on Cloudflare's scale, the cost is trivial.
I've been inside some really "low rent" colos and even they would provide an escort to unlock your cabinet.
Obviously standards/expectations will vary from DC to DC. I'd wager the situation might be different in some of the smaller countries CF operates in around the world though.
That's definitely a thing. Additionally, humans are surprisingly friendly in all the wrong ways when it comes to physical security (tailgating, "forgotten ID/credentials", etc.).
I've visited data centres (with various impressive-sounding accreditations) where the doors have been wedged open because the employees found the security annoying.
I've also had DC employees, without authorisation: reboot my machines, give themselves access rights and then tamper with my systems.
Admittedly the latter was a long time ago, before any of this stuff was considered critical infrastructure.