
Physical Security 1

Physical security is an often overlooked aspect of the overall IT security hardening process, and yet it is the very foundation upon which everything applied at more ‘lofty’ levels rests: NTFS file and folder permissions, group policy, Access Control Lists (ACLs), firewalls and a myriad of other components.


In today's offering I will be presenting an outline of cost-effective physical security measures that can be easily implemented yet are so often taken for granted, implied or simply overlooked. But before we fly straight into it, let us first look at just what we mean by physical security with respect to computers, networks and IT in general, and at some of its implications and ramifications.

Physical Security

From the IT, computer and networking perspectives, physical security describes measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media. It can be as simple as a locked door or as elaborate as multiple layers of armed guards, both patrolling and stationed at predefined sentry posts such as points of entry.

Familiarity

We are all too familiar and accustomed to these aspects of security and the multitude of other more recent and sophisticated measures such as metal detectors, x-ray scanners, electronic sensors and magnetic security features that are commonly used in retail stores.

Even sniffer dogs stand with their highly educated noses poised, should the faintest whiff of explosives be carried their way on the prevailing winds, as you finally proceed, albeit delayed as a direct result of these security measures, in an ecstatic and gleefully euphoric state through the airport boarding processes and onto the jet that will whisk you away to some sunny tropical paradise.

Information Technology Related Security

Those of us involved in IT and IT-related security are also well aware of the extremes to which a perceived “need” for greater security has invaded our daily working lives, and yet, as we hear all too often on the news, it is not enough.

Some security-related scandal or other seems to be occurring every other hour, and yet, if we are to believe many analysts, this is but the froth on the tidal wave of incidents that actually occur. Business is only too well aware of the negative effects that a security breach, and any media publicity that ensues, can bring.

So Where Do We Begin?

The answer is surprisingly simple, and maybe so obvious that it is often overlooked: the physical security of our systems and of the data contained within them or stored as a result of their activities (sales, backups, records etc.).

I will begin by discussing locks, keys and locking device authentication systems from both the human physical access perspective and the device(s) perspective.

Locks

Lock and key is one of the oldest security systems known to humankind. The ancient Egyptians, Greeks, Romans, Chinese and many more civilizations used various forms of the lock and key system to secure physical assets. One of the more notable and legendary of this class of security devices is the chastity belt, which we will not be discussing any further; rather, we will explore how the lock and key system is used today to secure IT assets.

The first set of lock and key systems pertains to access-ways such as doors by which humans gain access to restricted areas.

  • Lock-Up

    Physically secure your Server Room(s) including the Network Communication(s) & the Administration Facility as well as the datacenter and on-site storage facilities.
  • Quality

    Ensure that all locks, not just those to your server room, are of high quality and reliability.
  • Security In-Depth

    The principles of security-in-depth are of particular relevance here. Multiple layers of security are far harder to penetrate than a design exhibiting a single point of failure. This is why banks and armored security services (Chubb®, Wormalds®, Armourguard®, Brinks® etc.) use these strategies.
  • Change Frequently

    Design, implement and maintain a system whereby all locks are changed out frequently, as a matter of routine but at irregular intervals. Pattern avoidance is one of the most crucial elements in maintaining the integrity of all locking systems. This includes the physical locks and their associated keys as well as the electronic varieties. For reasons of economy you may consider a rotation policy to be appropriate here.
  • Key Code Access Locks

    Many organisations have gone down the pathway of electronically keyed physical locks. This type of mechanism teams together a number of different technologies, all aimed at regulating the flow of physical access.
  • Lock Unattended/Vacant Facilities

    Always lock currently unoccupied offices. This is in fact considered by most organisations to be the responsibility of the regular occupant of that office. The usual occupant may, however, be on vacation, so the network administration and security teams should know this and take the appropriate actions.

Keys to all locks in this situation should reside with the organisation's designated general key holder and not go on holiday with the worker. You never know; it may become necessary to enter the office while its regular occupant is away.

© 2007 Copyright Stanza Ltd. All Rights Reserved.