Physical Security

Physical access threats can be placed into four major categories:

• Electrical: Electrical vulnerabilities are seen in things such as spikes in voltage to different devices and hardware systems, or brownouts due to an insufficient voltage supply. Electrical threats also come from the noise of unconditioned power and, in some extreme circumstances, total power loss;
• Environmental: Not only do you need to secure your systems from human interference, but you also need to secure them from the interference of natural disasters such as fires, hurricanes, tornados, and flooding, which fall under the realm of environmental threat. Environmental issues also come from extreme temperature or humidity;
• Hardware: Hardware threats are simply the threat of physical damage to corporate hardware or its theft;
• Maintenance: Maintenance threats are due to poor handling of electronic components, which cause ESD (electrostatic discharge), the lack of spare parts, poor cabling, poor device labeling, etc.

Place your systems (servers, routers, switches, appliances, management stations, etc.) in a controlled environment whenever feasible. Mission-critical equipment must be confined to computer rooms, server rooms, or wiring closets. Here are some recommendations for equipment security:

• Offer limited and locked (physical or electronic) access to authorized personnel only;
• The area should not be accessible through dropped ceilings, raised floors, windows, or ductwork;
• An official, secured access point must be the only point of entry;
• Electronic access control should be implemented, if feasible, with all attempts to access logged by security systems and monitored by security personnel;
• Trained security personnel should monitor security cameras with automatic log recording if possible.

In addition to the electrical threats mentioned earlier in this section, electrical supply problems should be limited with the following measures:

• Install UPS (uninterruptible power supply) systems for mission-critical hardware;
• Deploy backup generator systems for mission-critical disaster recovery if feasible;
• Test and maintain UPS and/or generators based on the manufacturers' suggested preventative maintenance schedule;
• Monitor and alarm power-related parameters at the supply and device level;
• Use filtered power and install redundant power supplies on mission-critical devices.

The following guidelines should be used to mitigate against hardware and maintenance-related threats:

• Always follow ESD procedures when replacing or working inside hardware devices;
• Label and secure cabling to equipment racks to protect against accidental disconnection or damage. This also helps prevent hardware from walking away with the assistance of thieves;
• Use cable runs and/or raceways to traverse rack-to-ceiling or rack-to-rack links;
• Maintain critical spare parts and modules in case of emergencies;
• Don't leave a console, workstation, or management station logged on with administrative access when you leave the area for any significant amount of time. Be sure these systems are locked down with cables and locks as well;
• Maintain a regularly updated database of all hardware documentation and technical support information in case of emergencies.

One of the most significant reasons for placing physical security as the top security layer is that it can often be implemented with low cost, diligence, and common sense. Remember that an entire fleet of expensive security software tools can quickly be rendered impotent if a malicious user can gain physical access to your corporate servers, networking devices, and management workstations.