Physical Security for Cybersecurity
Physical security for cybersecurity encompasses the controls that protect the physical infrastructure, devices, and media that digital systems depend on.
Physical security for cybersecurity encompasses the controls that protect the physical infrastructure, devices, and media that digital systems depend on. Every digital control assumes a physical foundation: encryption protects data on disk, but the disk can be stolen. Network segmentation isolates systems logically, but the network cables can be tapped. Access control restricts who can log in, but the server room door may be unlocked.
Physical security is the oldest security discipline. It predates digital security by millennia. Castles, vaults, guards, locks, and walls are physical security. In the cybersecurity context, physical security protects the hardware that runs the software, the facilities that house the hardware, the media that stores the data, and the people who operate the systems.
The cybersecurity industry often treats physical security as someone else's problem: the facilities team manages the building, the data center provider manages the server room, and the security team manages the digital controls. This organizational separation creates gaps. An attacker who gains physical access to a server can bypass every software-based access control by booting from external media, extracting the hard drive, or connecting a hardware implant. Physical access is often the most direct path to complete system compromise.
Perimeter controls. Fencing, gates, barriers, and exterior lighting define the facility boundary and deter unauthorized approach. Perimeter controls are the physical equivalent of the network firewall: they establish the boundary between trusted and untrusted space. CCTV cameras covering the perimeter provide surveillance and deterrence. Signage ("Restricted Area," "Authorized Personnel Only") establishes legal notice that unauthorized entry is prohibited.
Entry controls. Badge readers, PIN pads, biometric scanners (fingerprint, facial recognition, iris), and mantrap/airlock entries control who enters the facility. Multi-factor physical authentication (badge plus PIN, badge plus biometric) provides stronger assurance than single-factor (badge alone, which can be stolen or cloned).
Tailgating (following an authorized person through a secured door without presenting credentials) is the most common physical entry attack. Anti-tailgating controls include turnstiles, mantraps (two interlocked doors where only one opens at a time), and security guard presence at entry points. Cultural controls (training employees to challenge unfamiliar individuals, not hold doors for people without badges) complement technical controls.
Visitor management. Visitors are registered, issued temporary badges, escorted by authorized personnel, and logged out upon departure. Visitor badges should be visually distinct from employee badges (different color, "VISITOR" label, expiration date). Unescorted visitors in secure areas are a physical security finding equivalent to an unauthenticated session on a production server.
CCTV and surveillance. Camera coverage of entry points, server rooms, storage areas, and critical infrastructure provides both deterrence and forensic evidence. CCTV footage is retained for a defined period (30 to 90 days is typical; longer where a regulator or contract requires it) and reviewed when incidents occur. Camera systems should be networked (enabling centralized monitoring and remote review) but segmented from the corporate network: cameras are IoT devices with their own vulnerability profile, often with default credentials and rarely patched, and a compromised camera is a foothold on whatever network it sits on.
Data centers and server rooms contain the physical infrastructure that the entire digital environment depends on. Their physical security is disproportionately important:
Access control. Data center access should require multi-factor physical authentication (badge plus biometric or badge plus PIN). Every entry should be logged with identity, timestamp, and duration, and the log should be reviewed and correlated with logical events, not merely retained: a console login inside the room by someone who never badged in is a tailgating finding, and two badge-ins with no badge-out between them suggests a cloned or shared badge. Access lists should be reviewed quarterly and limited to personnel with operational need. A developer who needs to deploy code does not need physical data center access: out-of-band management interfaces (iDRAC, iLO, IPMI) provide console and power control without physical presence. Those interfaces are a high-value target in their own right and belong on an isolated management network with their own authentication and logging, never reachable from the corporate or production network.
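The review described above, as an added example rather than code from the article or from CDA: a small correlation script that replays badge-reader events and console logins for a controlled zone in time order and reports anti-passback violations, console logins by people who never badged in, exits without entries, and badge-ins that never badged out. Both event feeds are constructed inline in a simple CSV form; in practice they would come from the physical access control system's export and from the SIEM.

```python
"""Correlate badge-reader events with console logins inside a controlled zone.

Added example, not the article's or any vendor's code. Event feeds are
constructed: badge lines are timestamp,reader,direction,badge_id,user and
console lines are timestamp,host,user. Only local console logins on hosts
physically in the zone should be fed in (a login via iDRAC/iLO or SSH is not
evidence of physical presence).
"""
from datetime import datetime

# Constructed badge events for one data center zone (DC1).
BADGE_EVENTS = """\
2024-03-04T08:58:10Z,DC1-DOOR-A,in,B1001,alice
2024-03-04T09:02:45Z,DC1-DOOR-A,in,B1001,alice
2024-03-04T09:40:00Z,DC1-DOOR-A,out,B1001,alice
2024-03-04T10:15:05Z,DC1-DOOR-B,in,B1002,bob
2024-03-04T13:05:30Z,DC1-DOOR-A,in,B1003,carol
2024-03-04T13:35:10Z,DC1-DOOR-A,out,B1003,carol
"""

# Constructed local console logins on hosts racked inside DC1.
CONSOLE_LOGINS = """\
2024-03-04T09:05:12Z,rack07-db2,alice
2024-03-04T10:20:40Z,rack03-app1,bob
2024-03-04T11:47:03Z,rack07-db2,dave
2024-03-04T13:10:55Z,rack05-hv1,carol
"""


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(badge_csv, console_csv):
    """Replay both feeds in time order and return (finding, user, detail) tuples."""
    events = []
    for line in badge_csv.strip().splitlines():
        ts, reader, direction, _badge, user = line.split(",")
        events.append((_ts(ts), "badge", direction, user, reader))
    for line in console_csv.strip().splitlines():
        ts, host, user = line.split(",")
        events.append((_ts(ts), "console", "", user, host))
    # Sort by time; on a tie "badge" sorts before "console", so a badge-in
    # at the same second as a login is credited before the login is judged.
    events.sort(key=lambda e: (e[0], e[1]))

    inside = set()   # users the badge log currently places inside the zone
    findings = []
    for ts, kind, direction, user, where in events:
        stamp = f"{ts:%H:%M:%S} {where}"
        if kind == "badge" and direction == "in":
            if user in inside:
                # Already inside according to the log: cloned/shared badge,
                # or the holder left through a held door without badging out.
                findings.append(("anti-passback", user, stamp))
            inside.add(user)
        elif kind == "badge":
            if user not in inside:
                # Badged out but never badged in: tailgated in.
                findings.append(("exit-without-entry", user, stamp))
            inside.discard(user)
        elif user not in inside:
            # Hands on a keyboard in the room with no badge record: tailgating,
            # a stale access list, or a badge used under someone else's name.
            findings.append(("console-login-without-badge", user, stamp))
    for user in sorted(inside):
        findings.append(("no-exit", user, "still inside at end of log window"))
    return findings


if __name__ == "__main__":
    for finding in correlate(BADGE_EVENTS, CONSOLE_LOGINS):
        print("%-28s %-6s %s" % finding)
```

Run against the constructed feeds, the script flags alice's second badge-in at 09:02:45 as an anti-passback violation, dave's 11:47:03 login on rack07-db2 as a console login with no badge record, and bob as never having badged out. The "no-exit" finding is also what a propped or held door looks like in the log, which is why exit readers (or at least request-to-exit logging) matter as much as entry readers.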
Environmental controls. Temperature and humidity monitoring (overheating causes hardware failure), fire suppression (clean agent systems like FM-200 or Novec 1230 that suppress fire without damaging equipment), water detection (raised floors with leak sensors), and uninterruptible power supplies (UPS) with generator backup. Environmental failures cause data loss and downtime just as effectively as cyberattacks.
Rack security. Individual server racks should have locks (key or electronic) that restrict access to specific racks based on the authorized personnel for those systems. A shared data center (colocation facility) where multiple tenants share the same physical space requires rack-level locking to prevent cross-tenant physical access.
Secure disposal. Storage media that has reached end-of-life must be sanitized so that data cannot be recovered. Degaussing (magnetic media only; it does nothing to flash storage or SSDs), physical destruction (shredding, crushing), or cryptographic erasure (destroying the data encryption key of a self-encrypting drive) ensures that decommissioned drives do not become data breach vectors. Cryptographic erasure is valid only when every byte on the media was written under the key being destroyed: that holds for a self-encrypting drive from the factory, not for a drive on which software encryption was enabled after it already held data. NIST SP 800-88 (Guidelines for Media Sanitization) defines the clear, purge, and destroy levels and which techniques qualify for each media type.
A common failure: organizations decommission servers and donate or recycle them without sanitizing the drives. The drives contain production data that is recoverable with standard forensic tools. Every decommissioned drive must pass through the secure disposal process with documented evidence of destruction.
Full-disk encryption. Laptops and mobile devices that leave the facility (and even those that do not) should have full-disk encryption enabled (BitLocker, FileVault, LUKS). FDE protects data at rest: a lost or stolen device that is powered off yields only ciphertext without the authentication credential. It does not protect a device stolen while running or asleep with the volume key in memory, and a BitLocker TPM-only configuration that unlocks the disk automatically at boot leaves the OS login prompt as the only barrier. For devices that travel, require pre-boot authentication (TPM plus PIN, or a LUKS passphrase) and prefer hibernation over sleep. Without FDE, a stolen laptop's hard drive can be removed and read on another system without any authentication. An FDE deployment is also only as good as its recovery-key escrow: keys must be backed up to the MDM or directory, or a forgotten PIN becomes data loss.
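One way to verify FDE on a Linux endpoint fleet, as an added example that is not part of the original article: a check that parses the JSON `lsblk --json -o NAME,TYPE,MOUNTPOINT` prints and reports any mounted filesystem that does not sit beneath a dm-crypt (`crypt`) layer. Swap is deliberately not exempt, because unencrypted swap can carry key material and document fragments to disk. The two `lsblk` trees below are constructed so the check runs offline; the exempt mountpoint set is an assumption to adjust per image.

```python
"""Report mounted filesystems that reach the disk in cleartext.

Added example, not the article's code. Input is the JSON emitted by
`lsblk --json -o NAME,TYPE,MOUNTPOINT` on Linux; the samples below are
constructed. Feed live output with:
subprocess.run(["lsblk", "--json", "-o", "NAME,TYPE,MOUNTPOINT"],
               capture_output=True, text=True, check=True).stdout
"""
import json

# Mountpoints that must be readable before the disk key is available
# (bootloader and kernel). Everything else, swap included, must be encrypted.
# Assumed set; adjust to the organisation's disk layout.
EXEMPT = {"/boot", "/boot/efi", "/efi"}


def _walk(node, encrypted, out):
    # lsblk nests each device under its parent. A filesystem is encrypted at
    # rest if any device between it and the physical disk is a crypt mapping
    # (LUKS directly on a partition, or LVM volumes on top of LUKS).
    encrypted = encrypted or node.get("type") == "crypt"
    if node.get("mountpoint"):
        out.append((node["mountpoint"], node["name"], encrypted))
    for child in node.get("children") or []:
        _walk(child, encrypted, out)


def mounted_filesystems(lsblk_json):
    """Return (mountpoint, device, encrypted) for every mounted filesystem."""
    out = []
    for dev in json.loads(lsblk_json)["blockdevices"]:
        _walk(dev, False, out)
    return out


def fde_violations(lsblk_json):
    """Sorted mountpoints whose data is written to a cleartext block device."""
    return sorted(mp for mp, _dev, enc in mounted_filesystems(lsblk_json)
                  if not enc and mp not in EXEMPT)


# Constructed: LVM on LUKS, the layout most distribution installers produce.
COMPLIANT = json.dumps({"blockdevices": [{
    "name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "type": "part", "mountpoint": "/boot"},
        {"name": "nvme0n1p3", "type": "part", "mountpoint": None, "children": [
            {"name": "cryptlvm", "type": "crypt", "mountpoint": None, "children": [
                {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
                {"name": "vg-home", "type": "lvm", "mountpoint": "/home"},
                {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}]}]}]}]})

# Constructed: root encrypted, but /home and swap added later on plain partitions.
NONCOMPLIANT = json.dumps({"blockdevices": [{
    "name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot"},
        {"name": "sda2", "type": "part", "mountpoint": None, "children": [
            {"name": "cryptroot", "type": "crypt", "mountpoint": "/"}]},
        {"name": "sda3", "type": "part", "mountpoint": "/home"},
        {"name": "sda4", "type": "part", "mountpoint": "[SWAP]"}]}]})


if __name__ == "__main__":
    for label, tree in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        bad = fde_violations(tree)
        print(f"{label}: {'ok' if not bad else 'cleartext mounts ' + str(bad)}")
```

The second tree is the common real-world failure: the installer encrypted root, and someone later added a data partition or swap outside the LUKS container. A posture check that only asks "is LUKS present?" passes it; one that walks every mountpoint does not.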
Cable locks and device anchoring. Physical locks (Kensington lock slots) anchor laptops and desktops to furniture, preventing casual theft. Device anchoring is particularly important in shared workspaces, conference rooms, and public-facing areas where devices may be left unattended.
USB port restrictions. Endpoint DLP and device-control policies, enforced through MDM or EDR, restrict which USB devices can connect to managed systems. Blocking the mass-storage class (unencrypted flash drives, unauthorized external disks) is the baseline, but it does not stop keystroke-injection tools such as a Rubber Ducky or an O.MG cable, which enumerate as a keyboard (HID), not as storage, and type their payload faster than a user can react. An effective policy therefore allowlists input devices by vendor and product identifier, blocks unknown HID devices and composite devices that present unexpected extra interfaces, and defaults to deny for every other class.
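The decision logic such a policy encodes, as an added example that is neither the article's code nor any vendor's device-control engine: given a device's vendor:product identifiers and its interface descriptors, block mass storage outright, allow HID only from an allowlist, reject an allowlisted keyboard that suddenly also offers a network interface, and deny anything whose interface classes are not on a short benign list. The allowlist, the device records, and the attack-tool identifiers are constructed placeholders.

```python
"""Device-control verdicts for USB attach events.

Added example, not the article's or a vendor's code. Equivalent rules would
be written in USBGuard or an MDM device-control profile; this shows why
"block storage" alone is insufficient. All device records are constructed and
the vendor:product identifiers are placeholders.
"""
from dataclasses import dataclass

HID, MASS_STORAGE = 0x03, 0x08
# Interface classes accepted without an explicit rule: audio, printer, hub,
# video. Anything else (CDC/network 0x02, vendor-specific 0xFF, ...) must be
# allowlisted, so the default is deny. Assumed set; tune per environment.
BENIGN_CLASSES = {0x01, 0x07, 0x09, 0x0E}

# Hypothetical allowlist of issued input devices as (vendor_id, product_id).
ALLOWED_HID = {(0x046D, 0xC31C), (0x046D, 0xC077)}


@dataclass(frozen=True)
class UsbDevice:
    name: str
    vid: int
    pid: int
    interfaces: tuple  # (class, subclass, protocol) per interface descriptor


def decide(dev):
    """Return (verdict, reason). Block rules are evaluated before allow rules."""
    classes = {cls for cls, _sub, _proto in dev.interfaces}
    if MASS_STORAGE in classes:
        return ("block", "mass-storage interface (class 08)")
    if HID in classes:
        if (dev.vid, dev.pid) not in ALLOWED_HID:
            # A Rubber Ducky-style tool looks exactly like a keyboard.
            return ("block", "HID not on allowlist: possible keystroke injection")
        if classes - {HID}:
            # Spoofing the issued keyboard's IDs is easy; an issued keyboard
            # that also offers a network or serial interface is not a keyboard.
            return ("block", "allowlisted HID exposes extra interfaces: possible implant")
        return ("allow", "allowlisted input device")
    if classes <= BENIGN_CLASSES:
        return ("allow", "benign interface classes only")
    return ("block", "unrecognised interface class, default deny")


# Constructed attach events. Identifiers are placeholders, not real products.
DEVICES = [
    UsbDevice("issued keyboard", 0x046D, 0xC31C, ((0x03, 0x01, 0x01),)),
    UsbDevice("usb hub", 0x05E3, 0x0608, ((0x09, 0x00, 0x00),)),
    UsbDevice("flash drive", 0x0951, 0x1666, ((0x08, 0x06, 0x50),)),
    UsbDevice("keystroke injector", 0x1234, 0x0001, ((0x03, 0x01, 0x01),)),
    UsbDevice("spoofed keyboard + nic", 0x046D, 0xC31C,
              ((0x03, 0x01, 0x01), (0x02, 0x06, 0x00))),
    UsbDevice("usb ethernet adapter", 0x0B95, 0x1790, ((0xFF, 0xFF, 0x00),)),
]


def evaluate(devices=DEVICES):
    """Map each device name to its (verdict, reason)."""
    return {d.name: decide(d) for d in devices}


if __name__ == "__main__":
    for name, (verdict, reason) in evaluate().items():
        print(f"{verdict:5}  {name:24}  {reason}")
```

The instructive cases are the last three: the injector is blocked despite being "just a keyboard", the spoofed device is blocked even though its vendor:product pair is on the allowlist, and the Ethernet adapter is blocked by default deny. A real enforcement point also needs an exception path (helpdesk-approved serials, time-boxed) so that the policy survives contact with conference-room peripherals.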
Screen lock and clean desk. Automatic screen lock after a defined inactivity period (5 to 15 minutes) prevents unauthorized access to an unattended workstation. Clean desk policies require employees to secure sensitive documents, lock workstations, and store portable media when leaving their workspace. Clean desk is not aesthetics. It is operational security: a sensitive document left on a desk is accessible to anyone who walks by.
Physical security assessments (part of comprehensive penetration testing) test the human and technical controls that protect physical access:
Tailgating. The tester follows an employee through a secured door to test whether employees challenge unknown individuals. Success rate in untrained organizations: disturbingly high.
Impersonation. The tester impersonates a vendor, delivery person, IT technician, or building maintenance worker to gain access to secured areas. A clipboard, a high-visibility vest, and a confident demeanor defeat most physical access controls in organizations without strong visitor management.
USB drop. The tester places USB drives (containing benign tracking payloads) in common areas: parking lots, lobbies, break rooms. Success is measured by how many drives are connected to corporate systems. USB drops test both physical security awareness and endpoint USB device control policies.
Dumpster diving. Examining discarded materials (documents, media, equipment) for sensitive information. Organizations that do not shred sensitive documents or sanitize decommissioned equipment are providing intelligence to anyone who checks their waste.
An attacker with physical access to a system can bypass every software-based control that assumes the hardware is trustworthy. Boot from external media to bypass OS authentication. Remove the hard drive and read it on another system. Install a hardware keylogger to capture credentials. Connect a network tap to intercept traffic. Install a rogue wireless access point to create a persistent remote access channel. Full-disk encryption with pre-boot authentication, Secure Boot, and a firmware password blunt the first two (the attacker gets ciphertext and cannot boot an unsigned image), but the keylogger, the tap, the rogue access point, and an implant on the board succeed regardless of how the software is configured.
Physical security is the control that prevents this access. Without it, every software-based control operates on the assumption that the hardware has not been tampered with, an assumption that physical access invalidates. Hardware-rooted controls (TPM-sealed disk keys, measured boot, chassis intrusion switches) narrow the gap and make tampering detectable, but they do not make the server room door optional.
Physical security is required by every major compliance framework. ISO 27001:2022 Annex A section 7 (Physical controls) has 14 controls covering physical security perimeters, entry controls, securing offices, physical security monitoring, and equipment protection (the 2013 edition placed the same material in A.11). PCI DSS Requirement 9 (Restrict Physical Access to Cardholder Data) specifies physical access controls, visitor management, media handling, and device security. HIPAA's Security Rule requires physical safeguards for systems containing PHI. SOC 2 CC6 (Logical and Physical Access Controls) treats physical access as part of the same criteria as logical access. CMMC includes Physical Protection (PE) practices.
Auditors examine physical controls alongside logical controls. A SOC 2 audit that finds strong logical access controls but an unlocked server room door has a finding that undermines the logical controls' effectiveness.
Remote and hybrid work models extend physical security concerns beyond the office. Employees working from home, coffee shops, airports, and coworking spaces handle sensitive data in environments the organization does not physically control. Physical security for remote workers relies on endpoint controls (FDE, screen lock, USB restrictions, VPN), policy enforcement (clean desk/screen in home offices, no sensitive work in public spaces), and security awareness (recognizing shoulder surfing, protecting devices from theft in public).
Physical security sits in the SPH (Security Posture and Hygiene) domain of the Planetary Defense Model. SPH is the terrain: the ground the organization defends on. Physical security is literally the terrain: the buildings, rooms, racks, and devices that contain the digital environment.
CDA's Autonomous Posture Command (APC) methodology monitors physical security posture through the same continuous framework as digital posture. Badge reader health, CCTV coverage, visitor log completeness, FDE compliance on endpoints, and USB device control policy enforcement are SPH posture metrics. A badge reader that goes offline or an FDE-uncompliant endpoint degrades the posture score.
The terrain metaphor is direct. Roman forts had walls (perimeter controls), gates with guards (entry controls), interior compartments (zone-based access), and daily inspections of every defensive position (posture monitoring). The fort's digital equivalent has the same structure: facility perimeter, controlled entry, segmented zones (server room, office, public), and continuous monitoring. The Romans understood that a wall without a guard is a suggestion, not a defense. A locked server room door without badge logging and access review is the same.
SPH-B01 (Network Security Hardening, 24 estimated hours) includes physical security assessment as a component: data center access controls, endpoint physical security, media handling procedures, and visitor management. The physical assessment is integrated with the network assessment because physical and logical controls are interdependent: a physical bypass defeats the logical control, and a logical bypass (remote access to a system inside the server room) defeats the physical control.
Written by Evan Morgan