Physical layer security is the cornerstone of all security controls. While security controls at other layers may fail without catastrophic results, the loss of physical security usually results in total exposure.
Security controls cost money, and their value is often underrated. A large portion of security controls limit insiders' access, and a side effect is that many companies have less motivation to implement robust controls.
We like to think that these trusted employees are on our team, but numbers show that many more attacks originate from inside an organisation than from the outside.
Physical controls are not always expensive. Items like locks are relatively cheap yet deter and delay attackers. Session controls, password-protected screen savers, and auto logoffs are also inexpensive to deploy.
Good physical security also requires the management of paper documents. Shredders are an easy way to prevent dumpster diving.
Attacks on physical security are nothing new. They existed long before computer networks or modern organisations were envisioned. There are many tools at an attacker’s disposal.
Lock pick sets, wiretapping equipment, and scanners are easy for an attacker to acquire.
Attackers with basic computer skills can use wireless hacking tools or acquire security equipment for disassembly and analysis. In the end, security professionals must realise that they are not fighting a single battle but are part of an ongoing war that will continue for the foreseeable future.
It’s often said that the best defence is a good offence. Before criminals target your company, strike them first with a sound business security system.
A solid physical security system will provide you with reliable criminal-deterrent protection. However, the best defence is to invest in a security system that provides physical security layers of protection.
A sound commercial security system will protect your property, the exterior part of the building and the interior part of the building. The complicated layers will make it harder for criminals to steal important information.
What Is Layered Security?
Layered security, in an IT context, means protecting digital assets with several layers of protection. The concept behind layered security is simple. If a hacker manages to breach one security measure, all sensitive data is still protected by the other layers of protection that are in place.
This makes it harder for a hacker to perform a successful cyber attack. In this layered approach, each layer of security can work together to ensure enhanced protection against threats.
This is somewhat similar to the security approach portrayed in classic "heist movies," where a team of burglars must get past obstacle after obstacle, each one providing its own challenge, before they finally manage to gain access to the valuable jewels and make off with them into the night. The first layer of security might be the locked doors and windows on the building's exterior.
In contrast, the second layer would be intrusion detection systems, such as the alarms on all doors and windows, which detect if someone manages to get in through that first layer.
The guards inside the building represent yet another level of security, as do the video cameras monitoring the rooms. In addition, in the movies, fancy laser beam detectors surround the case where the jewels are kept, and then a final layer to get past - the motion detector that issues an alarm if the treasures are moved from their place.
For the burglars to get their prize, it's not enough to defeat one layer - they have to get past all of the many layers of security protecting the jewels.
Layered security is also known as 'defence in depth', a term borrowed from the military tactic with the same name. In a war, an army might choose to concentrate all of its forces along the front so that it's as well defended as possible.
The danger is that if the enemy focuses its energies and breaks through the front in one spot, no other defences are protecting the area behind. With defence-in-depth, some defensive resources - troops, fortifications, weapons - are further back. If the front is breached, there are still troops and equipment available to stop the enemy advance.
In the military context, even if less concentration in the first level makes it easier for the enemy to make an initial breach, they can be ultimately stopped more quickly because their losses will continue to grow as they continue to try to work their way toward the goal.
Another classic example of defence in depth is the "concentric castle" model. A castle may be protected by an outer wall, then a moat, then a higher and more heavily fortified inner wall.
In the IT environment, layered security provides inherent redundancy. If one layer of protection fails, another layer keeps the system and its data secure. To get through to the data, a threat would have to infiltrate every level of security. Layered security involves three main types of security controls.
Layered Security Controls
To secure your data, it needs to be protected in three different realms - through administrative, physical, and technical controls. In each domain, multiple security measures can be deployed to provide a layered defence.
Administrative controls consist of policies and procedures put in place by an organisation to minimise vulnerabilities and to prevent users within the company from accessing information they are not authorised to access. Some layers of administrative controls could include:
- Ensuring that only current employees have user accounts by putting a procedure in place to close an employee's account on the network if someone leaves the company.
- Putting detailed policies and procedures in place to ensure that all employees take the mandated steps required to secure corporate data, especially sensitive data.
- Implementing role-based access control, which enables employees to access only the data that they need to do their jobs. See our article on access control for more information about different access control schemes.
- Minimising the use of privileged accounts, such as administrator accounts, and placing additional restrictions on their use.
Physical controls are another crucial aspect of the layered approach. These include anything that prevents actual physical access to the IT system. For example:
- Physical doors with locks in any area with computer equipment.
- Fingerprint scanners for access to areas with computer equipment and for logging into the system.
- CCTV footage as a deterrent and to alert security to any possible cyber threats.
- Security guards to monitor the area.
- Gates to prevent easy access to the site.
Layers of physical controls could be the types of things described in the heist movie example - the multiple layers of protection preventing burglars from gaining access to the jewels.
Typically the most complex of the controls, technical controls for network security are another security approach that is necessary for comprehensive protection.
These controls include software and hardware-based information security solutions that prevent unauthorised access to the IT system and the data within it.
Different hardware and software solutions provide the best protection from a wide array of cyber threats. With the many cyber threats constantly emerging today, multiple layers of technical controls are a necessity for every business. Layers of technical controls could include the following:
- Requiring users to use strong passwords that are difficult to guess or crack using password cracking tools.
- Two-factor authentication or multi-factor authentication (2FA/ MFA) to verify the user's identity by using multiple devices to log in.
- Biometric authentication to ensure a user's identity through facial recognition or fingerprint scanning, for example.
Preventing Infections from Malware and Similar Threats
- The first layer might be from the administrative realm - educating users not to click on suspicious links on the web or open suspicious files sent to them by email.
- The next layer could be conventional detection-based anti-virus and anti-malware software.
- An additional layer would be adding Remote Browser Isolation so that if a user did click through to an infected site, the damage would be contained away from the endpoint machine.
- Securing the network behind a firewall, which can be implemented as either a hardware or software solution, depending on the network infrastructure.
- Encrypting data servers to protect data even if a malicious actor manages to access the server.
- Encrypting emails as an additional layer to prevent information sent via email from being intercepted and compromised by an unknown third party.
- Following best practices for remote access can be an additional layer of protection that closes a vulnerability often exploited by hackers. For more information, see our article Virtual Computing as a Security Solution.
For maximum protection, multiple solutions should be used for each type of control, providing a layered security solution that is hard to breach.
Organisations must ensure that their chosen solutions are compatible and provide seamless coverage for the entire network.
Together, the multiple layers of security should fill in any gaps through which cybercriminals could gain access to the system and the valuable data stored inside it.
Why Is A Layered Approach To Physical Security Important?
When it comes to physical security measures, a layered approach is often the most effective.
Security provisions for most types of sites and sectors you will find are based on the principle of layered defences. Think back to medieval castles and the layers of defence lines used to protect the internal asset.
First came a steep hill in an exposed location, then a wide moat, thick castle walls and a cumbersome main door sealed against attack. This is an excellent example of very early physical security. The principles remain the same to this day.
You can liken this approach to the skins of an onion, with each layer delaying or deterring the physical attack strategies used by criminals, terrorists and saboteurs to force entry into areas with critical or valuable assets.
Adequate physical security is ultimately an investment in time; that is, procuring engineered protection that will sufficiently delay or deter attempts at physical infiltration by hostile assailants until first responders arrive.
This tried and tested approach of detect, delay, respond, mitigate, and deter is the foundation for implementing practical solutions to protect against attempted security breaches or attacks using force.
When it comes to critical national infrastructure (CNI), security breaches or physical attacks pose the risk of impacting essential services, resulting in casualties or loss of life.
These kinds of attacks could also have a significant detrimental effect on national security, defence or the running of the country.
It’s for these reasons that protecting essential public and private sector services from wide-ranging threats is a crucial part of the National Security Strategy.
Each essential sector, from water and energy through to government and communications, will be at greater risk from different threats.
It is essential to build resilience to these threats by identifying and implementing the right solution for that sector.
For example, in the case of securing a water supply, it’s not just about stopping someone from breaching the perimeter but also securing outdoor assets and access covers so that the supply can’t be tampered with.
The Eight Layers Of Security Your Data Centre Must Have
Digital transformation has resulted in cloud service providers demanding more storage facilities to keep up with the growing volume of big data generated every year. Because a data centre houses information, applications and services that businesses use every day, organisations must ensure they use appropriate security measures to protect the facility.
In our previous blog, we highlighted the consequences of inadequate data centre security. But what are the security standards your facility should have to meet and maintain compliance? Here, we outline how Space's 8 layers of security set the benchmark for best practices in safeguarding your data.
On the outer perimeter of the data centre is the multi-faceted wall, the first line of defence to withstand every possible type of attack and natural disaster. In 2017, five suspects were arrested after breaking into a data centre in Johannesburg and stealing more than USD 130,000 worth of copper cables. Physical barriers are significant as they serve to dishearten potential intruders. To ensure security at a maximum level, the perimeter wall needs to be coupled with additional features that we have highlighted below.
The second layer is the guardhouse at the fence. All visitors should be required to register at least 48 hours before their visit and answer a series of security questions from the Access-Request Application System regarding their background, the purpose of visit and a list of accompanying people. They should only be allowed access to the facility in limited zone areas after prior screening and approval.
Upon entry, any items that visitors carry must be declared through an industrial x-ray and metal detector to ensure no unauthorised items are brought into the site.
Personal Access To Secure Zone
Visitors to the data centre should then be given access passes that specify which areas they can enter and which are prohibited. Then, the visitor should pass through a small air-locked room – the human trap – where they get weighed. Any significant discrepancies in the visitors’ weight at the site of arrival and departure will be highlighted to security to uncover the root cause. This ensures that no item gets left behind that could potentially cripple the safety of the facility.
Lift Access Control
For high-rise data centre buildings, visitors can move from the airlock to the lift access control and should only be permitted to use their designated lifts. Visitors will only be given access to specific floors to prevent access by unauthorised personnel. Every person with access to the facility can undermine any of the security systems. Limiting the movement of visitors around the facility is crucial to keeping the integrity of the data centre.
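The guardhouse, zone, lift and airlock checks described above, combined into one deny-by-default decision. This is an added example, not code from the original page or from any access-control product; the record fields, zone names and the 1.5 kg weight tolerance are assumptions, and only the 48-hour registration lead time comes from the text.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_LEAD = timedelta(hours=48)   # registration lead time stated in the text
WEIGHT_TOLERANCE_KG = 1.5        # assumption: the text only says "significant"

@dataclass
class VisitorPass:               # hypothetical record layout
    name: str
    registered_at: datetime
    visit_at: datetime
    approved: bool
    zones: frozenset = frozenset()
    floors: frozenset = frozenset()
    weight_in_kg: float | None = None

def gate_check(p: VisitorPass) -> list[str]:
    """Guardhouse layer: reasons to refuse entry (empty list means admit)."""
    reasons = []
    if p.visit_at - p.registered_at < MIN_LEAD:
        reasons.append("registered less than 48 hours before the visit")
    if not p.approved:
        reasons.append("screening not approved")
    return reasons

def may_enter(p: VisitorPass, zone: str, floor: int) -> bool:
    """Zone and lift layers: deny unless the pass lists both zone and floor."""
    return not gate_check(p) and zone in p.zones and floor in p.floors

def airlock_exit_check(p: VisitorPass, weight_out_kg: float) -> str | None:
    """Airlock layer: report a weight change between arrival and departure."""
    if p.weight_in_kg is None:
        return "no arrival weight recorded"
    delta = weight_out_kg - p.weight_in_kg
    if abs(delta) > WEIGHT_TOLERANCE_KG:
        change = "lighter" if delta < 0 else "heavier"
        return f"{p.name} left {abs(delta):.1f} kg {change} than on arrival"
    return None

# Constructed sample visitor, for illustration only.
VISITOR = VisitorPass("A. Visitor", datetime(2024, 3, 1, 9), datetime(2024, 3, 4, 9),
                      True, frozenset({"data-hall-1"}), frozenset({3}), 82.0)
```

Each layer fails closed: a pass that clears the guardhouse still opens nothing that is not listed on it, and a missing arrival weight is itself reported rather than skipped.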
Data Hall Secure Corridor
Smart sensors and CCTV should be installed along the aisle to prohibit tailgating. A no-tailgating policy is essential to enable the Network Operations Centre (NOC) to monitor every individual entering the data hall and beyond. This is crucial as it ensures the accuracy of all visitor data, which would be required in the event of a security breach at the facility.
Vaults should be under comprehensive CCTV surveillance for any suspicious activity and maintain visual contact of every visitor at all times, as this is where the racks are housed. At any point in time, a data centre must know precisely who is in the vault, where they are and what they are doing. If there are more people than there should be, an alert should go off.
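The tailgating and occupancy monitoring described above can be expressed as a reconciliation of badge reads against door-sensor counts. The following is an added example, not code from the original page or from a real monitoring product; the event layout, vault name and occupancy limit of 3 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

MAX_OCCUPANCY = 3  # assumption: per-vault limit set by site policy

# Constructed sample events; the "time source vault direction value" layout
# is an assumption for this example, not a real access-control log format.
EVENTS = """\
09:00:05 badge  vault-2 in  alice
09:00:06 sensor vault-2 in  1
09:14:40 badge  vault-2 in  bob
09:14:41 sensor vault-2 in  2
09:30:12 badge  vault-2 out alice
09:30:13 sensor vault-2 out 1
09:45:00 badge  vault-2 in  carol
09:45:01 sensor vault-2 in  1
09:50:10 badge  vault-2 in  dave
09:50:11 sensor vault-2 in  1
"""

def reconcile(log, max_occupancy=MAX_OCCUPANCY):
    """Compare badge reads with door-sensor counts, vault by vault."""
    inside = defaultdict(set)     # vault -> people badged in right now
    headcount = defaultdict(int)  # vault -> bodies counted by the sensor
    pending = defaultdict(int)    # vault -> badge-ins not yet matched to a passage
    alerts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        time, source, vault, direction, value = line.split()
        if source == "badge" and direction == "in":
            inside[vault].add(value)
            pending[vault] += 1
        elif source == "badge":
            inside[vault].discard(value)
        elif source == "sensor" and direction == "in":
            n = int(value)
            if n > pending[vault]:  # more bodies through the door than badges read
                alerts.append((time, vault, "tailgating", n - pending[vault]))
            pending[vault] = 0
            headcount[vault] += n
            if headcount[vault] > max_occupancy:
                alerts.append((time, vault, "over-occupancy", headcount[vault]))
        elif source == "sensor":
            headcount[vault] = max(0, headcount[vault] - int(value))
    return alerts, dict(inside), dict(headcount)
```

A sensor headcount that exceeds the number of names in the badged set means someone in the vault is unidentified, which is the condition the NOC needs to see.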
Rack Level Access
Only a carefully pre-assessed, pre-approved selection of people will be given a biometric key to access the rack. As biometric keys cannot be duplicated or physically stolen, this ensures the safety of the data housed in the racks. On top of this, customers can opt to have their own rack surveillance based on their specific needs.
A good operations team needs to consider the worst-case scenario and apply all possible security measures to ensure an impregnable facility. Following the industry standard is not enough. Facilities should constantly be updated on new technology advancements or developments in the threat landscape and proactively anticipate them.
Space understands the importance of maintaining data security and implements the latest safety standards to keep your information intact. We set the best practices in security innovations to create a formidable fortress against break-ins and unlawful entry in the interests of your businesses.