Can vendors go unescorted in a secure colocation center?

Unescorted access to colocation facilities is a big NO.

That engineer coming in from ABC123 Computer Equipment Inc. to patch your cables is just like any other employee of any company. Can you personally vouch for him? Has ABC123 or its partners vetted the person's background to the extent that the colocation provider would have -- or to the same degree to which you vet employees?

You should have chosen a colocation partner after carrying out due diligence on every possible area of security. A secure colocation center vets all of its own employees; it only allows named personnel from your company to have access to your cage or rack; all people entering the facility are logged.

When looking for security vulnerabilities, think like a 'black hat' that wants access to one or more companies' information: The criminal could try corrupting an employee of each company or they could target just one relatively poorly paid engineer working for a third-party vendor. That support technician knows any weakness in the system, has all the "master keys" to certain systems, and understands where users might leave an area open by default or by mistake -- without any particular loyalty to the company that owns this IT infrastructure. An unhappy vendor employee is not only easier to corrupt, but they are more valuable too, as they have access to multiple systems.

To ensure a secure colocation center, always send an escort with a vendor's employee and verify that the technician has a proper job sheet stating what systems they should touch and what actions to take. Only the company that owns the IT equipment can permit the vendor to do anything not on the job sheet, such as log onto a different system or reboot a related system. If only the colocation center's escort communicates with the vendor, allow no changes.