Top 7 Physical Security Controls
Every company with computers has a network and data to protect. These are super essential, but intangible things that only exist as bytes on a wire or disk. But what about the rest of the company's physical assets, the stuff? Property, buildings, equipment, furniture, paperwork, snacks, all the physical things that make up any company's sum total of assets.
IT is always concerned with protecting the network, data, and access, but the best infosec policies, firewalls, pentests are nothing if someone can get into your building, steal desktops, paperwork, or even servers. Also, gaining network access is a whole lot easier if you can just bypass the firewall and plug straight into a network port, so physical security and infosec are directly related. Physical security controls are the individual layers of protection that reduce risk to the organization's physical assets.
It definitely helps to view them as layers. Each control is important and plays its role. Some have a more tangible effectiveness than others, but no single one is considered enough. It's the same as a multi layered security stack protecting a server including firewalls, IPSes, antivirus software, OS upgrades, and WAFs.
Like a layer of technical controls protecting a server, there must be a balance between securing systems and convenience. A server that requires an admin to review and approve every login by every employee may reduce intrusions, but at a huge inconvenience for everyone and a huge expense for IT's time. In the same way, a guard shack checking every car that enters the property may prevent intruders, but at what cost? A huge financial one to pay for all those guards, wasting everyone's time just to get onsite, and possibly little in return for added security benefit. Some level of risk must be deemed acceptable when the returns start diminishing.
Let's look at some specific physical security controls that you might consider implementing.
I hear you already yelling, "BORING, I was hoping for robots armed with lasers patrolling our darkened halls, vaporizing intruders at all hours of the night!" First, that's not a terrible idea. Second, we agree that fences are boring, but remember our premise of a layered approach to security. Fencing can form the outermost layer, detracting someone from even approaching the building, or at least making a harder day or someone determined enough to try to climb or cut through.
Okay, this is a little better than fences, at least it's something that plugs in. A security camera system offers both a historical record of what actually happened in an area — along with being an active deterrent to someone going where they shouldn't be. For the former, there should be enough cameras to cover at least all entrances and exits, for the later they should be installed in plain sight.
Forget about the grainy black and white security tapes of old. Today's modern camera systems record HD video onto hard drives and offer immediate queuing up of timestamped footage. Need to see who came in the side entrance at 6 a.m. last Tuesday? Forget finding the right video tape and rewinding to the correct spot. Just choose your date and time in the app and there's your footage.
Did we mention these modern cameras connect and are powered via ethernet? No need for special tools or running new cabling, just repurpose network drops that you already have. Some have cool features too like infrared recording at night and motion-based recording software that only records when it detects motion. There's no sense in filling up your hard drive with unchanging video of a door that no one's using for 16 hours a day.
3. Alarm Systems
We recommend lots of ears piercing sirens, spinning red lights, and a robot voice repeatedly yelling "INTRUDER ALERT! INTRUDER ALERT!"
Seriously though, alarm systems are an essential reactive layer on top of the historical event capturing layer that is your cameras. These can be your classic sensors detecting doors opening, motion or sound detectors in case Tom Cruise comes in through the ceiling, or other environmental monitoring like smoke detectors that can dispatch the fire department. Not the most super exciting stuff, but definitely a super essential layer to your physical security.
4. Access Control Systems
Access control is exactly like it sounds like: only granting certain people access to certain areas. This can be only letting your employees through the building's front door or onto your floor of a multi-tenant building. It can also include only allowing select employees into specific areas within the property, for example, only allowing IT into the server room. A system can also be on a timer, allowing free access into the building during work hours when a reception area is staffed to greet and monitor incoming guests, but automatically locking at 5 p.m.
The means of granting access can be as simple as a physical key and door lock, but generally for more sophisticated businesses there's some tech involved. A PIN code inputted on a pad could open a door, or a biometric scanner could read a fingerprint, but most typical are RFID cards, commonly known as prox cards or HID cards. The card is scanned at a reader that releases the door's lock if the card is valid.
RFID cards are super convenient in a lot of ways. The cards themselves are cheap and easy to replace if one is lost. They can be programmed to open different sets of doors within the system. Their greatest advantage over physical keys, though, is in the situation where many employees have a copy to the building's front door. In the case of one lost key, you're stuck having to rekey the door and reissue many keys to guarantee building security. With RFID cards just deactivate that one key in the system, done. Add on top of all of this automatic auditing of who's coming in and when, you've got a pretty slick access system.
However, these cards do have some pretty steep downsides. First and foremost, they are incredibly easy to copy with the right equipment. The card reader emits just enough electromagnetic energy to power a small chip and antenna on the card which then transmits a code. The system validates your code as good (door unlocks) or not (door stays locked). A high-powered card reader can easily hide in a backpack, reading the cards of any victim within a few feet of the attacker. The attacker then writes a code to a new card and bingo, easy access.
Sounds like an awful solution, right? Well, again, RFID cards are one of many security layers you should implement. Also, it's a measured risk versus the cost and time to maintain physical keys. RFID systems are being improved constantly also to thwart card code stealing.
5. Proper Lighting
This one seems pretty obvious. Good lighting both inside and out can be enough to deter bad guys from trying to get in at night. At the very least, all building entrances should be well lit. This will help employees working late feel a little better. While on the subject, battery-backed emergency lights should be installed in interior hallways to provide illumination in the event of a power outage.
6. Document and Equipment Disposal
This one is often overlooked, but sensitive company information, either in paper or hard drive form, can be a huge liability. Old or unneeded documents should be removed from the premises by a document disposal company who will thoroughly shred documents either in the building or in a truck outfitted with mega shredders outside your door. Either way, everything is destroyed before it can unintentionally walk out the door.
Old computers can be a big problem in the same way. Hard drives filled with company docs can be a goldmine for criminals looking for company trade secrets, financial reports, or other information that needs to remain private. Machines that are in storage to be eventually reissued should be promptly wiped of all data. For old computers that are no longer needed, you have two decent options. They can be disposed of by an e-waste company who will destroy the hard drives and recycle the hardware or you can use a program like the classic Boot and Nuke to take care of securely erasing drives yourself.
7. Regular Audits of Systems
Any system or security control put in place is only effective if it's well maintained. After a burglary is a bad time to realize that the camera by the back door stopped recording months ago.
Every security control should be regularly audited to make sure things are still working as expected. It's not always fun work, but installing any control is only the beginning. Check the cameras to make sure they are all still recording. Audit access control logs, have all former employee cards been deactivated? Is anyone coming in at weird times? Do any fences need some TLC to repair broken sections? Are old laptops piling up in that closet (you know the one, where broken hardware is left to "one day" be sorted through)? Do the emergency lights work or are the batteries long dead?
Hopefully, these physical controls will help you begin to think about security a step beyond the network. Some are cheap and easy to implement, while some will require some investment of time and money. However, all of these controls contribute to your physical security posture — and help protect both your company's assets and your fellow employees. That helps everyone sleep a little easier at night.