Physical Security Controls – SY0-601 CompTIA Security+ : 2.7

We often focus on digital technologies to protect our networks, but there are many physical devices that can provide additional security. In this video, you’ll learn about access control vestibules, alarms, signs, industrial camouflage, and more.

<< Previous Video: Embedded Systems Constraints Next: Secure Areas >>


If you would like to limit the access to a particular area you might want to use a barricade or a bollard. These are used to prevent people from accessing a particular area or in the case of bollards usually would prevent someone in a car or truck from entering an area. These can be used to restrict access temporarily to a particular area, for example, there may be construction going on and instead of having people walk through the construction area, you could surround it with barricades.

You could also use something like bollards, which are these concrete poles which are designed to stop large items from being able to pass through an area. This could be used as a concrete barrier to prevent cars or trucks from entering a particular location. And you could use a water feature such as a moat to surround an area and that would create a natural barricade.

If you’ve ever visited a highly secure data center then you probably step through an access control vestibule. There’s usually a door providing access to the vestibule and another door providing access to the data center that’s just beyond. The configuration of the door locking mechanisms will depend on the vestibule that you’re using.

For example, it might be that all doors are normally unlocked until one person opens a door. And as soon as that door is open all of the other doors in the vestibule are locked automatically, or it could be that all the doors are normally locked and if you unlock one of those doors it restricts any of the other doors from being unlocked at the same time.

And it may be that these locking mechanism is based on whether the doors open or not. If someone opens the door it may restrict other doors from being open at the same time. This allows the person who’s managing access to the data center to control exactly who may be allowed access through the vestibule and to limit how many people can pass through at any particular time.

Here is the view from outside of an access control vestibule, looks like you need to first authenticate to gain access through the locked door. Once inside you may have to provide some type of identification to whoever may be sitting here for security. And then inside the room that security would then open the second door and allow you access to the data center.

Another type of physical security device is an alarm system. If you have an alarm system on a door or window you know that the alarm goes off if that door happens to open or the window is open, that’s usually based on a circuit. There’s usually a sensor connected to the door or window and if that door window moves then the circuit is broken and the alarm goes off.

There are also motion detection that you can get with certain alarms that will look for reflections or some type of infrared motion and be able to alarm if it happens to see either of those. Your alarm system might also have a duress button, sometimes this is called a panic button if you feel the situation is threatening and you want to be able to call for a third party you can push the panic button and it will handle calling for additional reinforcements.

It’s always important to provide signage, so that people know exactly what should be expected from an area. There may be certain types of protection that are required, maybe a particular group of people is allowed or not allowed on a location and there may be a requirement to inform people of a dangerous environment.

This is not only important for the people that work in a particular area but you also have to consider visitors who’ve never been in the area before and know nothing of the requirements or the potential danger of an area. Signs for personal safety may provide information about fire exits, there may be warning signs that describe where there may be chemicals or other types of construction going on. And it may be useful to also point people towards medical resources or first aid kits.

And although this sign doesn’t have any contact information, it might be useful to add some contact details here especially if there are any emergencies. If you have a very large facility, you may want to consider adding video surveillance, this is sometimes seen as a CCTV or closed circuit television, especially if it’s an environment that’s only accessible from that single facility.

The features that are enabled in these cameras can also be important, some cameras can constantly monitor an area but only inform you if there happens to be some type of motion detection. Or there may be specific object detection built into the camera that can recognize whether something moving through the camera range is an automobile or a person’s face and be able to lock onto that and track it as it moves from place to place.

Very often many cameras are installed in a single facility and all of those cameras are brought back to a single recording device. From that device you can either monitor in real time or be able to go back in time to see what may have happened previously. I visited probably hundreds of data centers and it’s remarkable how many of them you may have driven by not realizing that just inside that building was millions of dollars of technology.

This is industrial camouflage, it’s concealing what would be an important facility behind what is normally seen in a particular area. If you’re in an industrial area this looks like a building that could be a warehouse, it might be a small workplace, or it could possibly be a data center. Of course, you wouldn’t put signs telling people that the data center is here and looking at this there doesn’t seem to be any type of visual cue that tells us that inside of this building is a data center.

I’ve visited data centers that have water features around them to prevent people from gaining access and they might have a guard gate in front that would prevent someone from driving in. If you ever look at a data center like this you may even find that they’re big planters in the front that are actually bollards, very large concrete devices that would prevent somebody from driving into or through the walls of that building.

Although we can automate many aspects of security one of the best physical security features we have are people. And we can put guards and access lists in front of a facility to be able to have a human interaction with who might be coming in. This would provide a validation of existing employees and allow them access to the building and it would allow someone to provide authentication of any guest that may be arriving and make sure that they have the proper access to the facility.

In many environments you’re required to carry around an ID badge and display that badge at all times, so that anyone walking by can easily see that you are where you are supposed to be in that building. If there is a security guard, they may be able to look at an access list to confirm whether someone should have or not have access to a particular part of that facility.

And if you’re an employee you’re probably using that ID badge to unlock a door which of course will create a log entry. If you’re a visitor, the security guard is usually adding your name to a visitor logs, so that everyone knows exactly who has gained access to that facility. If you’ve worked somewhere with security guards you may have noticed that it’s unusual to have a single security guard working.

It’s very common to see more than one working at the same time, this is called two-person integrity or two-person control. This is a way to minimize the exposure you might have especially for someone who is in control of access to a building. This two-person integrity ensures that no single person would have access to any particular asset in the building, for example, to enter a locked area may require two separate security guards to be present.

And in some facilities we can replace a human who’s doing rounds and checking things periodically with a robot, this is an emerging technology but it’s one that allows us to replace the human with something that is much more automated and then have our human guards perform much more important tasks.

If you’ve ever gained access to a room or through a locked door using a fingerprint or handprint then you were using biometrics. Biometrics can also be used for retinas, and voice prints or anything that might be associated with an individual. This is usually storing a mathematical representation of something you are, so this might store a mathematical representation of your fingerprint and not the actual picture of your fingerprint.

But of course your fingerprint is something that is very difficult to change and it’s something that’s also very difficult for someone else to duplicate. This means that, that particular mathematical representation is something that could only be associated with you. These biometrics are powerful physical controls but they aren’t foolproof.

We very commonly would combine biometrics with some other type of authentication. This particular biometric system requires you to put in a biometric fingerprint and then also include a personal identification number. The secondary bit of authentication is one that makes sure that the person is providing the biometrics is the person who really should gain access into that room.

And indeed there are many different ways to control access through a door, for example, a traditional lock and key is one of the most common and well-known ways of locking a facility. This door might include a deadbolt for additional security. And if this is an office you may be using an electronic lock, this could be a keyless lock like the one shown here or it may require you to put in a personal identification number.

There might also be locks that are based on a token, this would be one that’s associated with an RFID badge like this one. It could be a magnetic swipe card or it might be a key fob that’s connected to your key ring. We’ve already seen that biometrics can be used for door locks especially handprints or fingerprints and in some cases, you might even use a smart card with a personal identification number to gain access through a locked door.

Here’s the inside of one of those RFID badges, you can see the antenna around the outside that receives the power for the RFID and is able to send and receive signals and on the inside of this is the RFID chip itself. Cable locks are often used to prevent a piece of equipment from being stolen in an area, these are usually temporary locks but they’re ones that can be connected to almost anything around you.

For example, you may connect a cable lock to a laptop and then connect the other end of that cable to something sturdy that can’t be moved such as the leg of a table. This is a standard type of connector that has a reinforced notch and if you look at your laptop you’ll probably see on the side of it that there is a notch that is perfectly sized to fit one of these cable locks.

This is obviously not something that is built for long-term protection and you can see by the size of this cable that it would not be very difficult for someone to cut through with the right equipment. But if you’re in an area temporarily and you simply want to prevent a piece of equipment from being stolen while you happen to be working this might be a great way to provide that level of security.

In a previous video we talked about an exploit called Juice jacking– this is where you’re connecting your mobile device like a mobile phone to a USB charging port. That USB charging port is also transferring information over the data lines as well. And if your device is susceptible to this juice jacking you may be unknowingly providing your data to a third party.

This is why some people will use a USB data blocker like this small cable here, which connects to the USB interface but only connects to the power lines of the USB connection and not the data connections. And if you are someone who is traveling or needs access to power in an area where normally you would not be working it may be worth your while to bring along your own power adapter and avoid this problem entirely.

Providing proper lighting is one of the best security controls you can have, especially in environments that need to be monitored 24 hours a day. The attackers avoid any place that may be lit, because they don’t want to be seen. It’s easier to see exactly who might be in a particular area if there’s plenty of lighting and if you’re using cameras that don’t use infrared then you’ll want as much lighting as possible to get the best possible picture.

There are many different kinds of lighting and many different ways to install these lights, so you want to make sure that the lighting for an area matches the requirements that you have for security. You want to make sure you’re providing enough light levels for the cameras or the people who need to be monitoring that area.

You also have to think about the lighting angles especially if there are shadows and you’re doing some type of facial recognition. This can be especially useful for cameras that need to avoid any shadows and glare to be able to get the best possible picture. Although fences are very good ways to prevent someone from gaining access to an area they might also advertise that you have something in this area that you don’t want people to gain access to.

And it may be that you have to use different types of fences depending on the security that you need. If it’s OK for people to be able to see into a particular area, then you may want a fence that you’re able to look through. This of course also means that you’re able to look out to see who may be on the other side of the fence.

But there may be times when people shouldn’t have access to be able to see what’s on the inside and in those cases you may want to use an opaque fence. With the right kind of fence you have a very solid security barrier, this is usually a fence that might be very difficult to cut through and usually they’re tall enough to prevent somebody from climbing over the fence especially if you add razor wire or some other method to prevent somebody from gaining access over this fence.

When we’re putting together plans for physical security, we’re planning for the worst possible scenario. And one of those scenarios might involve a fire, especially a fire in an area with lots of electronics. In that situation you wouldn’t necessarily want to use water but instead use some other type of fire suppressant.

You’ll first want some type of warning or alarm that the potential for fire exists, there may be a smoke detector, flame detector, or heat detector that can tell you when this situation may be occurring. You may want to use water where appropriate, especially if there isn’t a lot of electronics. But if there is something that is plugged into the wall you may want to use chemicals.

We used to use halon for this method but these days we use something that’s a little better for the environment, such as DuPont’s FM-100 and this is a chemical fire suppression that would be able to put out the fire in a data center without completely destroying all of the electronics. It’s usually useful for the security team to be informed or get an alert if something is occurring in an area that they aren’t actively watching.

We would commonly want to have sensors that are deployed that provide us with this type of information. For example, you may want a motion detection sensor, so that you could tell if anyone else happens to be in a particular area. This might also be combined with noise detection, so that you could see if there are any noises occurring in an area and recognize if any increase or decrease in sound is occurring.

If you need to gain access to a room there may be an electronic code reader which has a sensor inside of that, that recognizes the RFID chip that’s in your access card. You might also want to include moisture detection which might tell you if there is a water pipe that breaks and water begins flowing out onto the floor. You might be able to get a heads up very quickly and prevent any further water damage.

If you’re in a data center, one common sensor to have is a temperature sensor especially when you have all of this equipment that can very quickly heat up the room. It’s nice to know if there happens to be a spike or an increase in that temperature, which may show you that there is a problem with the cooling system in the data center.

Some security teams have started to use drones to be able to monitor large areas especially when those areas are places that would not be easy to access through a car or by walking. This might be a situation where there are multiple buildings, and you could have a drone quickly cover a very large area in a very short period of time.

These drones may not be used for constant security but may be used for very specific situations. For example, if you need to perform a site survey or be able to assess the damage that may have occurred already at a facility, a drone would be a great way to deploy and be able to get a wide view of a particular area.

Mini drones include sensors that may show us motion or any type of heat in an area and mini drones include high resolution video, so that you’re able to get a recorded view of exactly what the drone was able to see. Some specialized environments may have a Faraday cage, this is a method of signal suppression that was originally created by Michael Faraday in 1836.

This is a mesh of conductive material that either restricts or prevents radio signals from traversing through this particular cage. A good example of this is the window on a microwave oven, which allows you to see in but prevents any of those microwaves from getting out. This is not a solution that blocks every type of radio signal and there are some types of radio signals that can’t be blocked by a Faraday cage.

You also have to keep in mind that if you’re blocking radio signals you could be blocking the ability for someone to call for help or call 911 on their mobile device. So there always needs to be a way for someone to gain access to a proper emergency service, even if you’re blocking those signals. If you’re working on an internal network and you realize you have something you need to provide access to people on the internet you may not want those people getting into the internal network of your organization.

In those cases, you may want to build a separate physical network called a screen subnet. We used to call this a demilitarized zone or a DMZ, this is a network that does have controlled access usually through a firewall and people coming in through the internet would have access to the services that are on the screen subnet.

But this would also prevent these people from the internet from gaining access to your internal network. So you can still keep all of your private resources private and still provide access and resources to the people that might need it from the internet. In some very secure facilities we have to think about the access that people might have to the cabling and the fiber that are running our networks.

This is a protected distribution system or PDS and it usually requires that you have all of your network cables and infrastructure behind some type of protected environment. This means that all of your cables and fibers that are on your networks may be inside of a metal conduit, which would effectively prevent somebody from gaining physical access to those cables.

This also means that someone wouldn’t be able to break a cable apart and put their own tap in the middle effectively allowing them access to all of the data that flows over that cable. This might also prevent a denial of service, because if you’ve got all of your cables inside of this metal conduit no one would be able to cut or modify any of those cables or fibers. And to ensure the ongoing security of your protected distribution system, it’s very common to have periodic audits to make sure that nobody can gain access to your networking infrastructure.