Physical Security
In this chapter, we discuss physical security. We address the main categories of physical security controls, to include deterrent, detective, and preventive measures, and discuss how they might be put in place to mitigate physical security issues. We talk about the foremost concern in physical security, ensuring the safety of our people, and about how data and equipment can generally be replaced when proper precautions are taken, though people can be very difficult to replace. We also cover the protection of data, secondary only to protecting our people, and how this is a highly critical activity in our world of technology-based business. Lastly, we discuss protecting our equipment, both outside of and within our facilities.
Keywords
Access controls; administrative controls; backups; data; detective; deterrent; environmental; equipment; preventive; residual data; safety; site selection; threats
Information in This Chapter
Introduction
Physical security is largely concerned with the protection of three main categories of assets: people, equipment, and data. Our primary concern, of course, is to protect people. People are considerably more difficult to replace than equipment or data, particularly when they are experienced in their particular field and are familiar with the processes and tasks they perform.
Next in order of priority of protection is our data. If we have sufficiently planned and prepared in advance, we should be able to easily protect our data from any disaster that is not global in scale. If we do not prepare for such an issue, we can very easily lose our data permanently.
Alert!
Although we will discuss the protection of people, data, and equipment as separate concepts in this chapter, they are actually closely integrated. We generally cannot, and should not, develop security plans that protect any of these categories in isolation from the others.
Lastly, we protect our equipment and the facilities that house it. This may seem to be a very important set of objects to which we might want to assign a greater level of priority when planning our physical security measures. However, this is generally not the case, outside of a few situations, most of which actually revolve around keeping people safe. In the technology world, much of the hardware we use is relatively generic and easily replaced. Even if we are using more specialized equipment, we can often replace it in a matter of days or weeks.
In many larger organizations, protection of people, data, and equipment is covered under a set of policies and procedures collectively referred to as business continuity planning (BCP) and disaster recovery planning (DRP), often referred to as one entity called BCP/DRP. BCP refers specifically to the plans we put in place to ensure that critical business functions can continue operations through the state of emergency. DRP covers the plans we put in place in preparation for a potential disaster, and what exactly we will do during and after a particular disaster strikes to replace infrastructure.
The threats we face when we are concerned with physical security generally fall into a few main categories, as listed here and shown in Figure 9.1:
The first seven of these categories—extreme temperature, gases, liquids, living organisms, projectiles, movement, and energy anomalies—were defined by Donn Parker in his book Fighting Computer Crime.
Additional resources
The book Fighting Computer Crime, also the source of the Parkerian hexad that we discussed in Chapter 1, is a must-read for the serious information security practitioner. Although it was written more than a decade ago, it is still very relevant to the field and is an excellent book as well. It is available from Wiley (ISBN: 0471163783).
As we move through the sections in this chapter on protecting people, equipment, and data, we will discuss how the different threats apply to each of them. In some cases, we might find that all the threats apply in a given category, or we may find that some of them are nullified entirely.
Physical security controls
Physical security controls are the devices, systems, people, and other methods we put in place to ensure our security in a physical sense. There are three main types of physical controls: deterrent, detective, and preventive, as shown in Figure 9.2. Each has a different focus, but none is completely distinct and separate from the others, as we will discuss shortly. Additionally, these controls work best when used in concert. Any one of them is not sufficient to ensure our physical security in most situations.
Deterrent
Deterrent controls are designed to discourage those who might seek to violate our security controls from doing so, whether the threat is external or internal. A variety of controls might be considered to be a deterrent, including, as we discussed earlier in this section, several that overlap with the other categories. In the sense of pure detective controls, we can point to specific items that are intended to indicate that other controls may be in place.
Examples of this include signs in public places that indicate that video monitoring is in place, and the yard signs with alarm company logos that we might find in residential areas. The signs themselves do nothing to prevent people from acting in an undesirable fashion, but they do point out that there may be consequences for doing so. Such measures, while not directly adding to what we might think of as physical security, do help to keep honest people honest.
Next comes policies and regulations. Violation of a policy could result in the employing being disciplined or fired. Violation of a regulation or law could result in criminal or civil prosecution.
We may also see security measures in the other categories serve double duty as deterrents. If we have obvious security measures in place that are visible to those who might want to violate our security, such as guards, dogs, well-lit areas, fences, and other similar measures, our would-be criminal might decide we are too difficult a target to be worth the effort.
Detective
Detective controls serve to detect and report undesirable events that are taking place. The classic example of a detective control can be found in burglar alarms and physical intrusion detection systems. Such systems typically monitor for indicators of unauthorized activity, such as doors or windows opening, glass being broken, movement, and temperature changes, and also can be in place to monitor for undesirable environmental conditions such as flooding, smoke and fire, electrical outages, and excessive carbon dioxide in the air.
We may also see detective systems in the form of human or animal guards (i.e., dogs), whether they are physically patrolling an area or monitoring secondhand through the use of technology such as camera systems. This type of monitoring has both good and bad points, in that a living being may be technically less focused than an electronic system, but does have the potential to become distracted and will need to be relieved for meals, bathroom breaks, and other similar activities. Additionally, we can scale such guards from the lowliest unarmed security guard to highly trained and well-armed security forces, as is appropriate for the situation. Finally the cost of maintaining 24/7 security staff is very expensive. As is true for most implementations involving security, the principle of defense in depth, as we discussed in Chapter 1, applies here.
Preventive
Preventive controls are used to physically prevent unauthorized entities from breaching our physical security. An excellent example of preventive security can be found in the simple mechanical lock. Locks are nearly ubiquitous for securing various facilities against unauthorized entry, including businesses, residences, and other locations.
In addition to locks, we can also see preventive controls in the form of high fences, bollards (the brightly painted and cement-filled posts that are placed to prevent vehicles from driving into buildings), and, once again, guards and dogs on patrol. We may also see preventive controls focused specifically on people, vehicles, or other particular areas of concern, depending on the environment in question.
How we use physical access controls
Preventive controls are generally the core of our security efforts, and in some cases, they may be the only effort and the only physical security control actually in place. We can commonly see this in residences, where there are locks on the doors, but no alarm systems or any other measures that might deter a criminal from gaining unauthorized entry.
In commercial facilities, we are much more likely to see all three types of controls implemented, in the form of locks, alarm systems, and signs indicating the presence of the alarm systems. Following the principles of defense in depth, the more layers we put in place for physical security, the better-off the overall security posture.
Another important consideration in implementing physical security is to only put security in place that is reasonably consistent with the value of what we are protecting. If we have an empty warehouse, it does not make sense to put in high-security locks, alarm systems, and armed guards. Likewise, if we have a house full of expensive computers and electronics, it does not make sense to equip it with cheap locks and forgo an alarm system entirely. Physical security requires the same risk management analysis we used in the earlier network-based chapters.
Protecting people
The primary concern of physical security is to protect the individuals on which our business depends and those that are close to us. While we put security measures and backup systems in place to ensure that our facilities, equipment, and data remain in functional condition, if we lose the people we depend on to work with the equipment and data, we have a rather difficult problem to solve. In many cases, we can restore our data from backups, we can build new facilities if they become destroyed or damaged, and we can buy new equipment; but replacing experienced people beyond the one or two at a time that we find with normal turnover is difficult, if not impossible, within any reasonable period of time.
Physical concerns for people
As people are rather fragile in comparison to equipment, they can be susceptible to nearly the entire scope of threats we discussed at the beginning of this chapter. Extreme temperatures, or even not so extreme temperatures, can quickly render a person very uncomfortable, at best.
In the case of liquids, gases, or toxins, the absence, presence, or incorrect proportion of a variety of them can be harmful to individuals. We can very clearly see how a liquid such as water, in excessive quantities, might be an undesirable thing, as we saw in the case of the massive flooding that took place in the southern United States during Hurricane Sandy in 2012. Likewise, the lack of a gas such as oxygen, or too much of the same, can become deadly to people very quickly. Although we can see where harm might come from a toxin being introduced to an environment very clearly, a number of common substances may already be present but are not toxic in the quantities or mixtures in which they are commonly used. We might see certain chemicals as being beneficial when they are used to filter the water in our facilities, but the same might not be true if the chemical ratios or mixtures are changed.
Any variety of living organisms can be dangerous to people, from larger animals, to insects, to nearly invisible molds, fungi, or other microscopic organisms. People can suffer from contact with living organisms in a variety of ways, from being bitten or stung by various critters, to developing breathing problems from inhaling mold.
Movement can be very harmful to people, particularly when said movement is the result of an earthquake, mudslide, avalanche, building structural issue, or other similar problems. In most cases, such threats can be both very harmful and very difficult to protect against.
Energy anomalies, are, of course, very dangerous to people. We might find equipment with poorly maintained shielding or insulation, or mechanical and/or electrical faults that could expose people to microwaves, electricity, radio waves, infrared light, radiation, or other harmful emissions. The results of such exposures may be immediately obvious, in the case of an electric shock, or they may be very long term, in the case of exposure to radiation.
People, of course, are one of the most severe threats against other people. There are an endlessly variable number of ways that other people can cause us trouble as we plan for the safety of our own. We might encounter civil unrest as a real possibility in certain parts of the world. We could encounter social engineering attacks, in an effort to extract information from our personnel or to gain unauthorized access to facilities or data through them. Our people could be physically attacked in a dark parking lot or subjected to other similar circumstances. We can also add projectiles into this category, as people-harming projectiles are often launched at the behest of other people.
Smoke and fire can also be very dangerous to people in the sense of burns, smoke inhalation, temperature issues, and other similar problems. Particularly in the case of large facilities, smoke and fire can render the physical layout of the area very confusing or impassible, and can make it very difficult for our personnel to navigate their way to safety. We may also see the issue compounded by supplies, infrastructure, or the fabric of the building itself reacting in an unfavorable way and releasing toxins, collapsing, or producing the threats we have discussed in this section.
Safety
As we mentioned at the beginning of the chapter, the safety of people is the first and foremost concern on our list when we plan for physical security. Safety of people falls above any other concern and must be prioritized above saving equipment or data, even when such actions will directly cause such items to be damaged.
We might find an example of this in the fire suppression systems in use in some data centers. In many cases, the chemicals, gases, or liquids that are used to extinguish fires in such environments are very harmful to people and in some cases can kill them if used in such an environment, halogen-based fire suppression systems being one example of such a case. For this reason, fire suppression systems are often equipped with a safety override that can prevent them from being deployed if there are people in the area. If we were to prevent the suppression system from extinguishing the fire because we knew a person was still in the data center, we might lose all the equipment in the data center and potentially data that we could not replace. This would still be the correct choice to make with human life at stake.
Likewise, if we are in a facility where an emergency is taking place, our priority should be the evacuation of the facility, not the safety of the equipment.
Evacuation
Evacuation is one of the best methods we can use to keep our people safe. In almost any dangerous situation, an orderly evacuation away from the source of danger is the best thing we can do. There are a few main principles to consider when planning an evacuation: where, how, and who.
Where
Where we will be evacuating to is an important piece of information to consider in advance, whether we are evacuating a commercial building or a residence. We need to get everyone to a rally point to ensure that they are at a safe distance and that we can account for everyone. If we do not do this in an orderly and consistent fashion, we may end up with a variety of issues. In commercial buildings, evacuation meeting places are often marked with signs and on evacuation maps.
How
Also of importance is the route we will follow to reach the evacuation meeting place. When planning such routes, we should consider where the nearest exit from a given area can be reached, as well as alternate routes if some routes are impassable in an emergency. We should also avoid the use of areas that are dangerous or unusable in emergencies, such as elevators or areas that might be blocked by automatically closing fire doors.
Who
The most vital portion of the evacuation, of course, is to ensure that we actually get everyone out of the building, and that we can account for everyone at the evacuation meeting place. This process typically requires at least two people to be responsible for any given group of people: one person to ensure that everyone he or she is responsible for has actually left the building and another at the meeting place to ensure that everyone has arrived safely.
Practice
Particularly in large facilities, a full evacuation can be a complicated prospect. In a true emergency, if we do not evacuate quickly and properly, a great number of lives may be lost. As an unfortunate attestation to this, we can look to the example of the 2001 attacks on the World Trade Center in the United States, as shown in Figure 9.3.
A study conducted in 2008 determined that only 8.6% of the people in the buildings actually evacuated when the alarms were sounded. The rest remained in the buildings, gathering belongings, shutting down computers, and performing other such tasks [2]. It is important that we train our personnel to evacuate safely and to respond quickly and properly when the signal to evacuate has been given.
Administrative controls
We may, and likely will, also have a variety of administrative controls in place to protect people, in addition to the physical measures we put in place. Administrative controls are usually based on rules of some variety. More specifically, they may be policies, procedures, guidelines, regulations, laws, or similar bodies, and may be instituted at any level from informal company policies to federal laws.
Companies put several common practices in place specifically to protect our people and our interests in general. One of the most common is the background check. When an individual has made it far enough through the hiring process that it seems likely he or she will be hired, the hiring company will often institute a background check. A number of companies globally carry out such background checks, including AccuScreen and LexisNexis. Such investigations will typically involve checks for criminal history, verification of previous employment, verification of education, credit checks, drug testing, and other items, depending on the position being pursued.
We may also conduct a variety of reoccurring checks on those in our employ. One of the more common and well-known examples can be seen in the drug tests conducted by certain employers. We may also see any of the checks we discussed as being common at the initiation of employment repeated in a similar fashion. Whether such checks occur or not often depends on the specific employer in question, and some employers may not conduct them at all.
The other areas in which we may see similar types of checks are when a person is terminated from employment, or perhaps when he or she leaves voluntarily. Here, we may see an exit interview take place, a process to ensure that the employee has returned all company property and that any accesses to systems or areas have been revoked. We may also ask the individual to sign paperwork agreeing not to pursue legal action against the company, additional nondisclosure agreements (NDAs), and other agreements, varying by the position as well as local or federal laws.
Protecting data
Second only to the safety of our personnel is the safety of our data. As we discussed in Chapter 5, one of our primary means of protecting data is the use of encryption. Although this is a reasonably sure solution, certain attacks may render it useless, such as those that break the encryption algorithm itself, or use other means to obtain the encryption keys. Following the concept of defense in depth that we covered in Chapter 1, another layer of security we need to ensure is the physical element. If we keep our physical storage media physically safe against attackers, unfavorable environmental conditions, or other threats that might harm them, we place ourselves on a considerably more sound security footing.
Physical concerns for data
Depending on the type of physical media on which our data is stored, any number of adverse physical conditions may be problematic or harmful to their integrity. Such media are often sensitive to temperature, humidity, magnetic fields, electricity, impact, and more, with each type of media having its particular strong and weak points.
Magnetic media, whether we refer to hard drives, tapes, floppy disks, or otherwise, generally involves some variety of movement and magnetically sensitive material on which the data is recorded. The combination of magnetic sensitivity and moving parts often makes such storage media fragile in one way or another. In most cases, strong magnetic fields can harm the integrity of data stored on magnetic media, with media outside of metal casing, such as magnetic tapes, being even more sensitive to such disruption. Additionally, jolting such media while it is in motion, typically while it is being read from or written to, can have a variety of undesirable effects, often rendering the media unusable.
Flash media, referring to the general category of media that stores data on nonvolatile memory chips, is actually rather hardy in nature. If we can avoid impacts that might directly crush the chips on which the data is stored and we do not expose them to electrical shocks, they will generally withstand conditions that many other types of media will not. They are not terribly sensitive to temperature ranges below what would actually destroy the housing and will often survive brief immersion in liquid, if properly dried afterward. Some flash drives are designed specifically to survive extreme conditions that would normally destroy such media, for those that might consider such conditions to be a potential issue.
Optical media, such as CDs and DVDs, is fairly fragile, as those with small children or pets can attest to. Even small scratches on the surface of the media may render it unusable. It is also very temperature sensitive, being constructed largely of plastic and thin metal foil. Outside of a protected environment, such as a purpose-built media storage vault, any of a variety of threats may destroy the data on such media.
An additional factor that can potentially cause concern when dealing with storage media over an extended period of time is that of technical obsolescence. Type of storage media, software, interfaces, and other factors can affect our ability to read stored data. For example, Sony ended production of floppy diskettes in March 2011, after having been responsible for 70% of the remaining production of such media [3]. Although floppy diskettes are only now completely fading from use, very few new computers come equipped with drives to read them. In a few short years, finding hardware to read these disks will become very difficult indeed.
Availability
One of our larger concerns when we discuss protecting data is to ensure that the data is available to us when we need to access it. The availability of our data often hinges on both our equipment and our facilities remaining in functioning condition, as we discussed earlier, and the media on which our data is stored being in working condition. Any of the physical concerns we discussed earlier can render our data inaccessible, in the sense of being able to read it from the media on which it is stored.
Although we are specifically discussing access to data here, and we talked about some of the potential hardware issues in accessing certain types of media earlier, there is also a fairly substantial equipment and infrastructure component to consider when discussing availability. Not only can we experience issues in reading the data from the media, but we may also have problems in getting to where the data is stored. If we are experiencing an outage, whether it is related to network, power, computer systems, or other components, at any point between our location and a remote data location, we may not be able to access our data remotely. Many businesses operate globally today, and it is possible that the loss of ability to access data remotely, even temporarily, will be a rather serious issue.
Residual data
When we look at the idea of keeping data safe, we not only need to have the data available when we need access to it, but we also must be able to render the data inaccessible when it is no longer required. In some cases, this need is relatively obvious; for instance, we might not overlook the need to shred a stack of paper containing sensitive data before we throw it away. But the data stored on electronic media may not present itself so clearly to everyone that might be handling it or disposing of it.
In many cases, we can find stored data in several computing-related devices, such as computers, disk arrays, portable media devices, flash drives, backup tapes, CD or DVD media, and similar items. We would hope that the relatively computer savvy people would realize the media or device might contain some sensitive data, and that they should erase the data before they dispose of it. Unfortunately, this is not always the case.
In the early 2000s, a study was conducted on more than 150 used hard drives purchased from a variety of different sources, with a large number of them being purchased from eBay. When the contents of the disks were analyzed, it was discovered that many of them still contained data, to include medical data, pornography, e-mail messages, and several disks that appeared to have been used for financial data containing more than 6500 credit card numbers [4]. In many cases, no attempt had been made to erase the data from the disks.
In addition to the devices that obviously contain storage and may hold potentially sensitive data, there are a variety of other places that we might find stored data. Although they may not immediately appear to be computing devices, a broad variety of office equipment such as copiers, printers, and fax machines may contain volatile or nonvolatile internal storage, often in the form of a hard drive. On such storage media, we can often find copies of the documents that have been processed by the drive, to include sensitive business data. When these types of devices are retired from service, or are sent for repair, we may not always think to remove the data from the storage media, and as such, we may be exposing data that we would not normally want made public.
Backups
In order to ensure that we can maintain the availability of our data, we will likely want to maintain backups. Not only do we need to back up the data itself, but we also need to maintain backups of the equipment and infrastructure that are used to provide access to the data.
We can perform data backups in a number of ways. We can utilize redundant arrays of inexpensive disks (RAID) in a variety of configurations to ensure that we do not lose data from hardware failures in individual disks, we can replicate data from one machine to another over a network, or we can make copies of data onto backup storage media, such as DVDs or magnetic tapes.
More advanced
RAID, often redundantly referred to as RAID arrays, was developed in the late 1980s at the University of California at Berkeley [5]. There are a number of different ways to configure RAID, but the ultimate goal is to copy data to more than one storage device in order to prevent the loss of any one device from destroying its stored data. The original RAID paper describing the basic concepts, “A case for redundant arrays of inexpensive disks (RAID),” can be read at the Association for Computing Machinery (ACM) Digital Library.
Protecting equipment
Last on the list of our concerns for physical security, although still very important and significant, is protecting our equipment, and, to a certain extent, the facilities that house it. This category falls last on the list because it represents the easiest and cheapest segment of our assets to replace. Even in the case of a major disaster that completely destroys our facility and all the computing equipment inside it, as long as we still have the people needed to run our operation and are able to restore or access our critical data, we can be back in working order very shortly. Replacing floor space or relocating to another area nearby can generally be accomplished with relative ease, and computing equipment is both cheap and plentiful. Although it may take us some time to be back to the same state we were in before the incident, getting to a bare minimum working state technology-wise is often a simple, if arduous, task.
Physical concerns for equipment
The physical threats that might harm our equipment, although fewer than those we might find harmful to people, are still numerous.
Extreme temperatures can be very harmful to equipment. We typically think of heat as being the most harmful to computing equipment, and this is largely correct. In environments that contain large numbers of computers and associated equipment, such as in a data center, we rely on environmental conditioning equipment to keep the temperature down to a reasonable level, typically in the high-60s to mid-70s on the Fahrenheit scale, although there is some debate over the subject [6].
Liquids can be very harmful to equipment, even when in quantities as small as those that can be found in humid air. Depending on the liquid in question, and the quantity of its present, we may find corrosion in a variety of devices, short circuits in electrical equipment, and other harmful effects. Clearly, in extreme cases, such as we might find in flooding, such equipment will often be rendered completely unusable after having been immersed.
Living organisms can also be harmful to equipment, although in the environments with which we will typically be concerned, these will often be of the smaller persuasion. Insects and small animals that have gained access to our equipment may cause electrical shorts, interfere with cooling fans, chew on wiring, and generally wreak havoc.
Note
The term bug being used to indicate a problem in a computer system originated in September 1947. In this case, a system being tested was found to have a moth shorting two connections together and causing the system to malfunction. When the moth was removed, the system was described as having been debugged [7], and the actual “bug” in question can be seen in Figure 9.4.
Movement in earth and in the structure of our facilities can be a very bad thing for our equipment. One of the more obvious examples we can look at is an earthquake. Not only can earthquakes cause structural damage to our facilities, but the resultant shaking, vibrations, and potential for impacts due to structural failures can cause a large amount of damage.
Energy anomalies can be extremely harmful to any type of electrical equipment in a variety of ways. If we see issues with power being absent or temporarily not sending the expected amount of voltage, our equipment may be damaged beyond repair as a result. Good facility design will provide some measure of protection against such threats, but we generally cannot completely mitigate the effects of severe electrical issues, such as lightning strikes.
Smoke and fire are very bad for our equipment, as they introduce a number of harmful conditions. With smoke or fire, we might experience extreme temperatures, electrical issues, movement, liquids, and a variety of other problems. Efforts to extinguish fires, depending on the methods used, may also cause as much harm as the fire itself.
Site selection
When we are planning a new facility, or selecting a new location to which to move, we should be aware of the area in which the facility will be located. A number of factors could cause us issues in terms of protecting our equipment and may impact the safety of our people and data as well. If the site is located in an area prone to natural disasters such as floods, storms, tornadoes, mudslides, or similar issues, we may find our facility to be completely unusable or destroyed at some point.
Similar issues might include areas that have the potential for civil unrest, unstable power or utilities, poor network connectivity, and extreme temperature conditions. With the proper facility design, we may be able to compensate for some problems without great difficulty, by installing power filtering and generators in order to compensate for power problems, for instance, but others such as the local temperature, we may ultimately not be able to mitigate to any great extent.
Although potential site selection issues may not completely preclude our use of the facility, we should be aware that they may cause us problems and plan for such occurrences. For certain types of facilities, such as data centers, for instance, it may be very important for us to have as problem-free of an environment as we can possibly select, and, in the case of such site issues, we may want to look elsewhere.
Securing access
When we discuss securing access to our equipment or our facility, we return again to the concept of defense in depth. There are multiple areas, inside and outside, where we may want to place a variety of security measures, depending on the environment. A military installation may have the highest level of security available, whereas a small retail store may have the lowest level.
We can often see measures for securing physical access implemented on the perimeter of the property on which various facilities sit. Very often, we will at least see minimal measures in place to ensure that vehicle traffic is controlled and does not enter undesirable places. Such measures may take the form of security landscaping. For example, we may see trees, large boulders, large cement planters, and the like placed in front of buildings or next to driveways in order to prevent vehicle entry. At more secure facilities, we might see fences, concrete barriers, and other more obvious measures. Such controls are generally in place as deterrents and may be preventive in nature as well.
At the facility itself, we will likely see some variety of locks, whether mechanical or electronic with access badges, in place on the doors entering the building. A typical arrangement for nonpublic buildings is for the main entrance of the building to be unlocked during business hours and a security guard or receptionist stationed inside. In more secure facilities, we are likely to see all doors locked at all times, and a badge or key required to enter the building. Typically, once inside the building, visitors will have limited access to a lobby area, and, perhaps, meeting and restrooms, whereas those authorized to enter the rest of the building will use a key or badge to access it.
Once inside the facility, we will often see a variety of physical access controls, depending on the work and processes being carried out. We may see access controls on internal doors or individual floors of the building in order to keep visitors or unauthorized people from freely accessing the entire facility. Very often, in the case where computer rooms or data centers are present, access to them will be restricted to those that specifically need to enter them for business reasons. We may also find more complex physical access controls in place in areas, such as biometric systems.
Environmental conditions
For the equipment within our facilities, maintaining proper environmental conditions can be crucial to continued operations. Computing equipment can be very sensitive to changes in power, temperature, and humidity, as well as electromagnetic disturbances. Particularly in areas where we have large quantities of equipment, such as we might find in a data center, maintaining the proper conditions can be challenging, to say the least.
When facilities that will contain equipment sensitive to such conditions are constructed, they are often equipped with the means to provide emergency electrical power, often in the form of generators, as well as systems that can heat, cool, and moderate the humidity, as required. Outside of locations that are so equipped, our equipment will be at considerably greater risk of malfunction and damage. Unfortunately, such controls can be prohibitively expensive and we may not find smaller facilities appropriately equipped.
Physical security in the real world
Physical security is a fact of daily life in both our business and personal lives. The physical controls we discussed can be seen in use in many environments. We can see locks, fences, cameras, security guards, lighting, and other such measures all over the world, in nearly any area we care to look. In higher security environments, we can begin to see more complex security measures, such as the use of iris scanners, mantraps (think a phone booth with two doors that lock), identification badges equipped to store certificates, and other such tools.
We can also see examples of measures that are put in place to protect people in almost any office building or public building we walk into. We can almost always find evacuation routes posted in the form of maps throughout the facility to indicate the different routes, as well as signage indicating meeting places in the case of an evacuation. We can also see administrative controls in place specifically to protect people in the background checks that most companies run when hiring, and the periodic tests that are run in some environments to test for drug use. One of the best examples of this type of administrative control can be found in the militaries of various countries. Such institutions often conduct background checks that are far more rigorous than we would ever find outside of such an environment, and they continue to do so on an ongoing basis through the careers of their members.
Protecting data is a large concern in any business or institution based on the use of technology. The idea of keeping backups for data is an institution in the world of information technology and is a given for most organizations. Unfortunately, this is not also the case for securing the media on which data is stored. Although this is not a universal issue, it is frequent enough that we see security breaches often in the media related to missing backup tapes, stolen laptops, and the like. The concept of residual data has also risen quite a bit higher in public view lately, with people becoming more aware of the possibility of data remaining behind on a variety of storage devices, even after attempts have been made to erase or format the media.
Protecting equipment and facilities is another concept with fairly ubiquitous acceptance in most commercial industries. The idea that we need to secure buildings, set guards where appropriate, and apply any other security measures that are appropriate to the value of what we are protecting is implicit. This is understandable, as the concept of physical security for protecting facilities and equipment is a truly ancient one. We can also see the idea of site selection for security reasons quite far back in history. The idea of maintaining environmental conditions in order to facilitate computing environments is rather new, however, and is also very common in business. Many office buildings are equipped with the large environmental and power conditioning systems that are required for such efforts, particularly those that were built with the inclusion of a data center in mind.
Summary
Physical security controls, to include deterrent, detective, and preventive measures, are the means we put in place to mitigate physical security issues. Deterrents aim to discourage those that might violate our security, detective measures alert us to or allow us to detect when we have a potential intrusion, and preventive controls actually prevent intrusions from taking place. In isolation, none of these controls is a complete solution, but together, they can put us on a much stronger footing for physical security.
Protecting people is the foremost concern when planning our physical security. Although data and equipment can generally be replaced, when proper precautions are taken, people can be very difficult to replace. People are fragile creatures, and one of the best steps we can take when faced with a situation where they might be harmed is to remove them from the dangerous situation. Additionally, we may implement a variety of administrative controls in order to keep them safe in their working environments.
Protecting data, second only to protecting our people, is a highly critical activity in our world of technology-based business. One of our primary concerns with data is being able to ensure its availability when it is needed, and another is being able to ensure that we can completely delete it when we no longer desire to keep it. One of our main methods of ensuring availability is to perform backups, whether this is through the use of RAID to protect against storage media failures, or backups onto removable media such as DVDs or magnetic tape.
Protecting our equipment, although the lowest of the three categories on our priority list, is still a vital task. When we select the site for our facility, we need to take into account the threats that might be relevant to the location and take steps to mitigate them. We also need to take the necessary steps to secure access outside, to, and within our facility. We have to protect our equipment not only from those that would intrude from the outside but also from those that have legitimate access to the facility, but not to certain areas within it. Lastly, we need to maintain the appropriate environmental conditions for our equipment to function, largely power, temperature, and humidity.
Exercises
1. Name the three major concerns for physical security, in order of importance.
2. Name the three main categories in which we are typically concerned with physical security.
3. Why might we want to use RAID?
4. What is the foremost concern as related to physical security?
5. What type of physical access control might we put in place in order to block access to a vehicle?
6. Give three examples of a physical control that constitutes a deterrent.
7. Give an example of how a living organism might constitute a threat to our equipment.
8. Which category of physical control might include a lock?
9. What is residual data and why is it a concern when protecting the security of our data?