Physical Security Controls – CompTIA Security+ SY0-501 – 3.9

We rely on physical controls to provide a layer of security that’s not available from digital security controls. In this video, you’ll learn about some of the most popular physical security controls in use today.

<< Previous Video: Redundancy, Fault Tolerance, and High Availability Next: AAA and Authentication >>

Bad guys don’t like to be seen, which is why lighting is so important if you’re trying to provide security. More light means that there’s going to be more security. It’s easier to see everything when it’s lit. And if you have cameras that don’t have any type of infrared capability, more light means that there will be more information that you could see on your video recordings.

This may be more complex than simply adding a single light outside your door. You need to consider the overall light levels in the particular area that you’re trying to secure. And the angle of the lighting may be important, especially if you’re trying to capture face or other types of details of people who may be walking through. You want to try to avoid any shadows or any glare that might disrupt the video that you’re trying to save.

You might also want to look around your organization at what signs might be posted. If you’re a longtime employee, then you probably know exactly what parts of the building people are allowed to be in and other parts that are restricted. If you don’t have a sign that tells you that, it may be difficult for a first time employee or a visitor in your building to know exactly where they should be going and what areas are restricted to them.

It’s also important to have the proper signage for personal safety. If there’s areas that are dangerous, you need to be sure that you identify them with some signs. And also, provide security signs like fire exits or warning signs so that people will know where to go if there’s a problem. And there should also be informational signs that would tell someone who to call or who to contact if there’s any problems that happen to occur.

Another common physical security device is a fence. You’re able to build a perimeter around your secure area to keep people out who should not be inside of that fence. This might be a fence that you can see through that’s relatively transparent like the one here, or maybe opaque, where you’re trying to hide exactly what might be inside of that fence. It should be a fence that’s very robust. You should prevent anyone from knocking down or damaging this fence. And it needs to be tall enough to prevent anyone from climbing over. Some organizations might also include razor wire or some other type of deterrent to keep anybody from climbing over that fence.

It’s also good to have some physical security on the inside of your data center. It’s very common to have monitoring systems that might look at the environment of where all your servers happen to be. You might add webcams or security cameras to your data center so you can look in and see the current status of the lights or anything else that might be going on in that area. And very often, you can integrate these with an enterprise monitoring system so you’ll know if the temperature happens to go too high or there’s any movement anywhere near your servers.

And third party data centers or even data centers with many different departments– you might want to take advantage of closed rocks or fences to be able to physically separate some equipment from other equipment inside of the data center. One very obvious physical security control is a security guard. This is someone who may be providing a level of physical protection and may be allowing or disallowing people to go through a particular security checkpoint. This is also a good place to provide guest access and validation for new people who are arriving on site at your location.

These security guards may work in conjunction with a set of ID badges in your organization, which may have a picture and a name and other details about you. And they would allow the security guard or other automated systems to properly identify you and then allow or disallow access to different parts of the building. In many organizations, a pre-approval is required to gain access to that facility. And in those cases, an access list may be provided to the security guard, who can then provide additional authentication and then allow or disallow people from accessing your organization’s buildings.

Of course, our security teams can’t be everywhere, constantly monitoring every door and every window, and that’s why it’s useful to have alarms available to be able to identify if anyone opens a door or opens a window. This is also very useful to have on the perimeter of your office space so that you know anyone who may be approaching your building. This might also be including some motion detection– either through radio reflection or some passive infrared identification– so that you’ll know if anyone happens to go through a particular area. There are also alarms that can be triggered by a person. If somebody feels that they are under duress or they feel that there is an alarm situation, they can push the big red button, which would | sound the alarm.

To provide protection for other types of hardware components in your organization, you might want to invest in a safe. This might protect your backup tapes or other important hardware devices from theft, or fire, or water damage. These are usually very big and very heavy, which makes them very difficult to steal. But this also means that you need to carefully manage who has access to this safe. You don’t want to share the combination or the keys with a large number of people, and there needs to be a contingency if you happen to lose that combination or that key.

In some data centers, we need to be able to protect the servers and the components that we’re putting inside of our racks. So very often, we will use locking cabinets so that we can put the equipment inside of the rack and then lock them up so that nobody else can gain access to those systems. The challenge we have is that we need to provide some type of air cooling through these systems, but we still need to protect them. We can often install the racks side by side so that nobody can gain access from the side.

And a number of these cabinets have locks on them but still would provide ventilation on the front, the back, the top, or the bottom. Here’s an example of some locked cabinets. Some of them have glass on the front, others that need more ventilation have holes in the front. And you can see that all of them have locks on them to prevent anyone from gaining physical access to those devices.

We not only have to think about the physical servers that we’re protecting, but we also have to protect the network. We do that by using a Protected Distribution System, or a PDS. This would allow us to physically protect the cables and the fibers that are used for our network. This usually involves implementing some type of protected conduit, and then we would add all of our fiber and all of our cable to that conduit. This would prevent someone from tapping into our cable or our fiber, either by using a direct tap that you would need with a fiber connection or an inductive tap that could be used with copper.

This would also prevent somebody from performing a denial of service by cutting the copper or fiber that might be used for our networks. It’s very common to use a sealed metal conduit to be able to protect our fiber and copper network connections. And occasionally, an organization will perform a visual inspection of these conduits to make sure that all of these conduits remain secure.

On very secure networks, it’s common to implement an air gap. This is a physical separation between devices. If you want to avoid anybody from the internet from gaining access to a server, then you would physically separate that server from the internet. On most networks, this is not the common implementation, because most of the time, we’re sharing the resources available in our infrastructure. We may be sharing the same router or the same switch, and we’re using security controls within those devices to provide the security.

On an air gapped network, we’re not sharing any of those resources. We are physically separating those devices from any of those shared resources. If you have a network that is performing some type of power system, the network that’s on an airplane, or the networks that are handling financial systems, then you are probably air gapping those networks from the rest of your organization’s infrastructure.

If you’ve ever gone into a large data center or some other secure area, then you’ve probably had to go through a mantrap. There are different kinds of mantraps. Some mantraps have all doors into that area normally unlocked. But when one of those doors is opened, the other doors connected to that mantrap will then automatically lock themselves.

Another type of mantrap might be that all of the doors are normally locked. And if you unlock one of the doors, the rest of the doors will remain locked and will not unlock until that door is then closed. You might also have a mantrap that has two doors. When one door is open, the other door is locked. And when that other door is locked, it cannot be unlocked until the first door is finally locked again.

As you can tell by these descriptions of a mantrap, we’re limiting how many people may go through a particular area at any particular time. Sometimes these mantraps are a small room that you first authenticate or unlock into the room, and then a security guard processes a group of people and then allows you to continue through the mantrap. Sometimes the mantrap is a one person room where you would authenticate, walk into the door, allow the door to shut behind you, and then you are unlocked into the rest of the facility.

These are very commonly used in highly secure environments or environments where it’s very important to know exactly who’s going in and who’s going out. So you might authenticate into the mantrap, pass through security, who would then allow you access into the rest of the data center.

A Faraday cage is designed to block electromagnetic fields. It was discovered by Michael Faraday in 1836, and we continue to use Faraday cages today. A good example of a Faraday cage is on the door of a microwave oven, where we’re able to look inside of the oven to see what’s going on, but none of those electromagnetic fields are able to come out of that door.

This is not a comprehensive solution, because not all signal types are able to be blocked by a Faraday cage. If the field is stable or it’s slowly varying, the Faraday cage will not be able to block that signal. This could also restrict very important types of electromagnetic fields, such as those used by our mobile phones. We rely on these mobile phones as a way to call for help. So if you’re working inside of a Faraday cage, there needs to be some type of contingency that would allow you to make emergency calls.

Some of the most common physical security controls are those attached to our doors. There are a number of different ways to keep somebody into or out of a particular room. The conventional way is with a lock and a key, just like we might have on our home. We might also have a deadbolt or some type of larger physical bolt associated with that particular kind of lock.

In larger organizations– and even at home these days– we’re seeing more electronic locks, where you might punch in a number to gain access through the lock. Or in larger organizations, it might be token-based, where you have a proximity reader like the one here, or you’re swiping a magnetic card to gain access through a door. There’s also multiple factors. So you might be using a proximity reader in conjunction with some type of biometrics that would finally allow you to unlock a door and gain access.

Indeed, the use of biometrics is becoming much more common for our physical security controls, where we’re either taking a fingerprint, we’re taking an iris reading, or even a voiceprint to gain access through a physical device. This is not usually storing your actual voice or your actual fingerprint. It’s usually storing some type of mathematical representation of that biometric. In these cases, the actual picture of your fingerprint is not usually what’s being saved inside of these biometric devices.

The big advantage of biometrics, of course, is that it is very difficult for somebody else to have exactly the same type of biometrics that you have. And it’s very difficult for you to change the type of biometrics that you’re using. It’s very easy to change a password, but it’s not easy at all to change your fingerprint. These biometric systems are used in very specific situations, very commonly as an additional form of authentication, because they’re not foolproof. They’re not 100% effective, but they’re very good when used in conjunction with other types of physical access systems.

Sometimes you need to prevent access to a particular area, and you can do that by using some type of barricade or a bollard. These would channel people through a specific point but keep out other larger things, such as cars and trucks. These are commonly used to prevent injuries and prevent anybody from taking large pieces of equipment into particular areas of your facility.

You can even take this idea to an extreme. It’s common to have these concrete barriers, but I have visited data centers that have surrounded the data centers with water. They effectively have a moat that channels everyone through one single drive to be able to gain access to that data center.

It’s very common to have some type of physical component that will allow us to gain access to our computer systems. One of these is by using things like a smart card, which could be slid into your laptop or computer. And that’s usually integrated along with some other type of authentication. USB tokens are also becoming very common. You plug into your USB connection, and a certificate on that USB token identifies that it must be you since you have physical access to that device.

There are also hardware or software based tokens that can be used to provide additional authentication factors. These additional authentication factors may also be integrated with your mobile phone. There might be software based tokens on your mobile phone, or your phone may be receiving an SMS message each time you log in to provide an additional factor of authentication.

In large data centers, your HVAC is a significant security concern. This is your heating, ventilating, and air conditioning. This is a very complex process of being able to cool down these very warm systems as we create heat from all of our computing devices. These are often integrated into our fire systems so that we can constantly monitor the status. And if the fire system does report a fire, we can shut down all of the ventilating to minimize the impact of a fire in that area.

Usually, the HVAC system used in your data center is completely separate from the rest of the building because there are such unique requirements for cooling down these very warm systems. Overheating in a data center is such a huge issue that you want to be sure that it’s managed as closely as possible. These HVAC systems often take advantage of a closed-loop recirculating and positive pressurization system, which means that we are recycling the internal air. And any additional air is pushed outside of the data center, preventing any contaminants from the outside from coming in.

In most data centers, our cooling systems use cold aisles and hot aisles to be able to cool our computing systems. This is a cross section of a data center, where we have an HVAC system on one side, and an HVAC system on the other. And we’ve cut right down the middle of our floor and our racks to see things from the side.

These HVAC systems are creating cool air that’s going under the floor, and that cool air is going up into the cold aisle. In that cold aisle, the cool air is pulled through the servers and into the back of that server rack, where there is then a hot aisle. That hot air then goes to the top and is then recirculated into the HVAC system, and the entire process circulates through again.

When you walk through a data center these days, there may be aisles that have either a hard wall or a soft wall like this one that will separate the cold aisle from the hot aisle. If there is a fire in a data center, there probably needs to be a very unique response to that fire. You have a lot of electronic equipment and power in one place, so using water is probably not the right response to a fire.

We usually can detect a fire situation by using a smoke detector– and in some cases, a flame detector or heat detector– to be able to know if a fire or flame really does exist. If the fire is in an area that does not have electronics or a lot of power systems, you may be able to suppress it with water. But most of our modern data centers are using chemicals to suppress this, and thereby protecting the power and the electronics that are in the data center. We used to use halon to provide this, but we found that halon destroys the ozone. So a very common way to have chemicals as a way of fire suppression is to use a chemical called FM-200 that will prevent a fire, but still protect the electronics and those powered systems in a data center.

Cable locks can be a useful way to protect the hardware components and keep them locked down to a particular area. And they’re often used as a temporary security mechanism, especially if you have a laptop that you tend to take from place to place. These cables will work almost anywhere. You can wrap them around the leg of a table, and they work very well with these mobile devices that we use today.

Most of these laptops have a standard type of reinforced notch connector on them that connects to these very common cable locks that you can buy. These are obviously not designed for any type of long-term storage or long-term protection. These cables can be easily cut. But if you’re looking for a temporary solution that would deter or prevent at least some type of theft, you might want to look into getting a cable lock.

If you’re someone who travels or needs a way to protect what’s being shown on your screen, you may want to look at getting a smart screen filter. These are sometimes called privacy filters, and they’re exceptionally good at only showing what’s on the screen to the person who is right in the front of that screen or monitor. These screen filters are very useful, especially if your monitor is in a place where people are walking by or can easily see your screen. Or if you’re in an area with a lot of people, like on an airplane or an airport, this would be a very good way to protect anyone else from seeing what you’re doing on your laptop computer.

It’s very common to take advantage of Closed Circuit Television, or CCTV, video surveillance if you want to be able to see what’s happening in your particular facility. We want to be sure that we’re using cameras with exactly the right properties for what we’re examining. For example, we need to be sure that the focal length is correct. A shorter focal length means that we have a wider angle of view.

We also want to have a good depth of field that allows us to see everything in focus across a very large area. And we also like cameras that have infrared, or the ability to see details even in the very darkest of areas. It’s very common to have multiple cameras, all of them networked together and recorded back to a centralized video network surveillance device.

If you worked in security for any amount of time, then you know there are a lot of logs to deal with. Even with physical security, we tend to have a lot of different points where we might be logging information. For example, there might be access to your parking area that you would badge in– there is one place where there would be a log. You would be logged when you entered the building with your access badge.

And then as you’re moving from place to place within the building, each one of those instances will be logged through your central security system. This means you may also be able to correlate these logs together between the physical world and the digital world. For example, you can have someone physically log in to the room with their badge and then only allow authentication to a digital system if they happen to be in that room.

The legalities involved in keeping and storing this logged information may vary from place to place, so you need to check with your particular area to make sure that you’re handling these logs in the proper way. Some of these logs might be physical logs, where someone is logging into a physical piece of paper, and some are digital as people are signing in with their card. These may also fall under the privacy laws in your particular area, so you need to double check with your legal representatives to know exactly how these logs are to be managed.

In most organizations, we have some type of keys that are used to gain access to the different areas of our building. These might be physical keys, or they might be digital keys. But in both of these cases, we need to be sure that we have some way to manage the keys, who’s using them, and how they’re used.

The process to generate this key– whether it’s generating a physical key or a digital key– is one that needs to be closely managed. And there needs to be a formal process when somebody is gaining access to a particular area or is given a key. Usually there is a checks and balance that takes place, where a third party or management is signing off on the ability for someone to gain access to a particular area.

There also needs to be a policy in place to understand what happens when a key is breached. If somebody gains access to your keys or uses the keys in an inappropriate way, there needs to be a set of policies to determine what to do next. The creation of these policies is usually the first step to a good set of key management for your organization, and it’s one that you should absolutely implement if you’re using any type of physical or digital keys in your environment.