> [!abstract] In short
> Physical security protects the actual hardware and facilities that store and process data. If someone can physically reach a device, they can usually bypass most of the digital controls protecting it, which is why this sits at the foundation of everything else.

## What it covers

Physical security refers to protecting the real hardware and facilities behind your data: computers, servers, server racks, network equipment, and even printed documents. The goal is to stop unauthorized people from physically reaching these resources, since that access can lead to data breaches, theft, or damage.

## The goal: layers of protection

The primary goal is to create layers of protective measures that **deter, detect, delay, and respond** to physical threats. This layered approach is known as **defense in depth**: if one measure fails, others are still in place to maintain protection.

> [!info] Defense in depth
> No single lock, camera, or guard is meant to be the whole defense. Each layer buys time and coverage for the next one.

## Why it matters

1. **Protects valuable assets**, including expensive equipment and the critical data stored on devices, from theft or damage.
2. **Safeguards people**, ensuring the safety of employees and visitors.
3. **Maintains operational continuity** by preventing disruptions caused by physical breaches.
4. **Supports regulatory compliance**, since many industries are required to implement specific measures to protect sensitive information.

> [!warning] Connection to the CIA triad
> Physical security is a foundation of the CIA triad. Someone with physical access to a device can usually bypass most of the digital controls protecting confidentiality, integrity, and availability.

## Who is responsible

Physical security does not rest only on the infosec team, CSO, or CISO. Several roles share it.

- **Facilities management team** maintains the building and ensures physical security measures are in place and working.
- **IT security team** focuses on securing hardware and network equipment, often working closely with the infosec team.
- **All employees** follow security protocols: watching for tailgating, not propping open secure doors, and not sharing access cards.

The **red team** is normally responsible for testing physical security through penetration testing.

## Common physical vulnerabilities

|Vulnerability|What it looks like|
|---|---|
|**Unsecured access points**|Doors, windows, or other entry points left unlocked or easily bypassed.|
|**Weak locks**|Outdated or low-quality locks that can be picked or broken.|
|**Inadequate perimeter security**|No fences, barriers, or surveillance around the facility's perimeter.|
|**Poor key management**|Improper handling or storage of keys, access cards, or other credentials.|
|**Insufficient lighting**|Dark areas that could conceal intruders or criminal activity.|
|**Exposed IT infrastructure**|Servers, network devices, or wiring closets physically accessible to unauthorized people.|
|**Lack of visitor management**|Weak protocols to identify, escort, and monitor visitors in secure areas.|
|**Unattended workstations**|Computers or devices left unlocked and accessible in public or shared areas.|

> [!tip]
> Digital defenses assume the attacker is remote. Physical security is what holds up when the attacker is standing in the room.