Physical security is just one aspect of cyber security or information assurance. It cannot stand alone, however. Physical security needs to work in conjunction with a strong overall cyber security posture. One of the main aspects of a strong cyber security program is defense in depth.
Defense in depth means that you have multiple layers of security; without it you are not secure. Each layer of your cyber security posture must involve defense in depth, and physical security is no different. If you have a strong multilayered defense you will, for the most part, be secure. I say for the most part because if someone has enough technical skill, enough money and a high enough motivation, they can get through.
How does defense in depth work when talking about physical security? I will provide some examples.
First, we start with the perimeter, then work our way inside. Is there a guard gate staffed by a guard who verifies that individuals are authorized to enter the facility, or at least a gate where you must swipe a badge to gain access? Once you pass the gate, are there guards patrolling with guard dogs?
Do you have security cameras all around the parking lot and the entrance to the building? Are there high-powered lights at night to completely illuminate the area? Are there bollards to prevent someone from ramming a truck or car into the building itself? Is the facility unobstructed, with all trees and debris cut back so that no one can sneak in unperceived?
Once at the entrance, do you need to swipe your badge or have your ID physically checked before entering the building? Are your bags checked? Do you need to swipe your badge at the elevator to gain access to certain floors? How about the different offices: is access controlled by permission levels, or does every employee have access to the entire facility?
Is the server room locked? How many people have access to sensitive areas such as the server room, the offices of executives and senior management, the IT offices, accounting and finance? Are the people who have access thoroughly vetted? Are there cameras inside the facility? Are there guards inside patrolling with dogs? Do they regularly make their rounds? Are the schedules of the guards kept secret to avoid collusion?
These are some of the key elements of physical security implementations. In an ideal environment all companies or organizations would have these features and even more. However, due to budgetary constraints and the type of corporate environment, this may not be possible. The main point is that security, whether it’s purely physical security or cyber security, should be layered and utilize defense in depth. Defense in depth works because if one layer fails you have multiple layers left to protect the firm’s assets. Defense in depth works if you work it!