By Jay Palter | July 20, 2023
What is physical security? The definition of physical security
Physical security is the discipline of protecting an organization’s real-world assets, such as people, property, real estate, IT infrastructure, vehicles, and merchandise. If an asset’s loss or compromise would harm your operations, you must protect it with physical security measures.
The threats physical security programs can protect against include theft, attack, natural disasters, and fire. The goals of instituting physical security measures could vary from organization to organization. One might care about mitigating financial losses, another reducing production downtime, and a third might prioritize protecting its people.
What is the importance of physical security?
We may live in an increasingly digital world, but all the people, businesses, and infrastructure that matter are still in the real world. If anything, physical security for public and private organizations might be even more important today than ever before.
Network technology has allowed organizations to become much less centralized. Physical assets are more likely to be distributed across multiple local offices and worksites. That decentralization introduces many more perimeters and isolated clusters of assets that you must secure.
What is security convergence?
We now know what physical security is, but what is security convergence? Anyone getting up to speed on the latest business security practices must understand this topic. It is the blending of the physical and network security disciplines. The idea of convergence has been around for decades but has surged in importance recently due to the rise of Internet of Things (IoT) technology.
Now more than ever, the boundaries between the physical and digital worlds are becoming blurred. Physical attacks can target IoT infrastructure. Network attacks can take down connected real-world infrastructure. Our physical security teams must collaborate with their network security peers—potentially even as part of the same team.
What are the goals of physical security?
Any physical security program you design or individual security measure you implement must still be considered within the context of your wider physical security goals. In most cases, the goal you will want to achieve is implementing as many of the Five Ds of Physical Security as possible:
- Deter
- Detect
- Deny
- Delay
- Defend
Deter
The first goal of physical security is to deter unauthorized access, be that to a physical space, to your people, merchandise, or other assets. You can deter access through various means, including obvious physical barriers, lighting to deter suspicious activity, and surveillance. The goal of deterrence is to make it as difficult and noticeable as possible for an unauthorized person to attempt to access your resources.
Detect
If an intruder does attempt to gain access, the next goal is to detect the intrusion as quickly as possible. That can be accomplished through surveillance systems, motion detectors, or content surveillance sensors. The goal is to identify the intruder and their location as soon as possible so that appropriate action can be taken.
Deny
Once an intrusion has been detected, the next goal is to deny the intruder access to your resources. That can be accomplished using access control systems or physical barriers like doors or locking cabinets.
Delay
Even if the intruder can access your facility, you still have measures you can take. The next goal is to delay them as long as possible. You can use interior locking doors, security personnel, and other threat response measures. Security personnel will need easy access to weapons and equipment to make delaying actions effective.
Defend
The final goal of physical security is to defend against intrusions. That may involve the use of security personnel and law enforcement working together. They will need access to weapons, security equipment, and information about your facility. The goal is to apprehend the intruder and mitigate the damage as much as possible.
Are there different physical security models?
Beyond simple perimeter security, several defense-in-depth physical security models have been developed over the years. Defense-in-depth is a security approach in which overlapping defensive mechanisms protect an organization's assets. If one mechanism fails, another taking a different security approach attempts to thwart the intruder.
This multi-layered approach includes purposeful redundancies to address as many different attack vectors as possible and increase the chances that any individual intrusion is eventually thwarted before reaching critical assets.
Two of the most commonly used modern defense-in-depth physical security strategies are the Onion Model and the Garlic Clove Model.
The Onion Model
This model treats defense-in-depth as a series of concentric layers, like an onion. Each layer represents a different security method. The outer layers are the most accessible, while the inner layers are the most secure. If one layer of security fails, the other layers will still be in place to protect an organization’s assets.
When the physical security program works as intended, people and materials move between the layers only using accountable access control or other security you have implemented at their boundaries. For example, the first layer might only allow authorized personnel to enter the facility through the well-lit front door in an open, observable space, while the second requires swiping an access card at an access control point.
The Garlic Clove Model
The onion model is a simple but effective way to visualize physical security. In comparison, the Garlic Clove Model is a more sophisticated and realistic extension of it. In the Garlic Clove model, the layers of security are not concentric layers but rather various pockets of security distributed throughout a facility inside an outer layer of perimeter security. Neither approach relies on a single outer perimeter to protect everything simultaneously.
These pockets make it more difficult for intruders to bypass every security measure. While it is more sophisticated and effective in the real world than the Onion Model, the Garlic Clove Model is also more complicated to implement as it requires a more detailed understanding of the facility and the assets that must be protected.
What are the components of physical security?
In most organizations, physical security operations consist of three processes: access control, surveillance, and testing and training. These are your primary methods for applying the Five Ds of physical security. Each can be applied on its own, but they are most effective when used in unison.
Access Control
Access control is the process of limiting who has access to a facility, a specific zone within a facility, or an organization’s material assets. It is the first and most common defense against unauthorized access to an organization's people, equipment, vehicles, and other assets.
Surveillance
Surveillance is the use of personnel or technology—such as closed-circuit television (CCTV) or management system content surveillance—to monitor activity within a facility.
Testing and training
Testing is the process of evaluating the effectiveness of an organization's physical security program. Training is the process of instructing personnel on how to apply that program most effectively. It is important to test and train regularly to ensure that your physical security program is sufficient to protect your organization's assets.
How to apply physical security policies and procedures
Many factors should be considered when deciding how to apply these processes, including:
- Your organization's specific asset types
- Your facility or worksite’s local environment
- The specific threats you expect to face
- Your physical security budget
It is important to tailor your physical security processes to the organization's specific needs.
What are the most important physical security best practices?
Deploying an effective physical security program can be a complex process. Structuring your program according to the goals, models, and processes defined here can help point you in the right direction. Applying a few best practices can also help ensure a successful deployment.
Take a risk-based approach to physical security
Assess your organization's risk profile—the specific threats you face, the probability of each occurring, and your current capability to respond to each. That will help you identify the physical security controls you must implement to best mitigate those threats. For example, you don’t need to employ a whole team of security guards and a full-time asset manager to protect an equipment inventory when a smart asset management system will do.
Customize access controls by individual or role
Generic all-or-nothing access control is the easiest for a would-be attacker to compromise. Where possible, tailor access control for each staff member. For example, your CEO might need physical access to the C-suite offices and all other locations during the day, but perhaps not the warehouse during off hours. Meanwhile, your warehouse personnel might only need access to the warehouse, but for all hours.
Maintain an audit trail & keep inventory
Track who has access to your facilities and equipment and when they have access. Detailed access logs will help you to identify any unauthorized access attempts during or after the event.
You should also keep an inventory of all keys, equipment, and other secured assets. It is difficult to secure all of your assets if you don’t actually know what you have.
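The per-role tailoring and the access audit trail described above can be expressed as one default-deny policy check. This is an added example, not part of the original article: the role and zone names, badge IDs, business hours, and sample events are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime, time

ALL_HOURS = (time(0, 0), time(0, 0))  # start == end means the whole day
DAYTIME = (time(7, 0), time(19, 0))   # assumed business hours
# Hypothetical policy: role -> zone -> permitted window; anything absent is denied.
POLICY = {
    "ceo": {"c_suite": DAYTIME, "office": DAYTIME, "warehouse": DAYTIME},
    "warehouse_staff": {"warehouse": ALL_HOURS},
}

def in_window(t, start, end):
    if start <= end:
        return start == end or start <= t < end
    return t >= start or t < end  # window wraps past midnight

def decide(role, zone, when):
    """Return (allowed, reason); unknown roles and zones are denied by default."""
    zones = POLICY.get(role)
    if zones is None:
        return False, "unknown role"
    window = zones.get(zone)
    if window is None:
        return False, "zone not granted to role"
    if not in_window(when.time(), *window):
        return False, "outside permitted hours"
    return True, "ok"

def audit(events):
    """Evaluate badge events; record every attempt, allowed or not."""
    trail = []
    for ts, badge, role, zone in events:
        allowed, reason = decide(role, zone, datetime.fromisoformat(ts))
        trail.append(dict(time=ts, badge=badge, zone=zone, allowed=allowed, reason=reason))
    return trail

def repeated_denials(trail, threshold=2):
    """Badges with at least `threshold` denied attempts, for follow-up."""
    counts = Counter(r["badge"] for r in trail if not r["allowed"])
    return sorted(b for b, n in counts.items() if n >= threshold)

# Constructed sample badge-reader events: (timestamp, badge id, role, zone).
SAMPLE_EVENTS = [
    ("2023-07-20T09:15:00", "B-001", "ceo", "c_suite"),
    ("2023-07-20T23:40:00", "B-001", "ceo", "warehouse"),
    ("2023-07-21T02:10:00", "B-014", "warehouse_staff", "warehouse"),
    ("2023-07-21T02:12:00", "B-014", "warehouse_staff", "c_suite"),
    ("2023-07-21T02:13:00", "B-014", "warehouse_staff", "c_suite"),
    ("2023-07-21T10:00:00", "B-099", "contractor", "office"),
]
```

Calling `audit(SAMPLE_EVENTS)` yields one record per attempt with the denial reason, and `repeated_denials` on that trail surfaces badges that were refused more than once.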
Test, test, and test your processes again
If your physical security program stands still, it falls behind. The only way to know whether your current measures are adequate is to test them. That might mean evacuation or other emergency response drills, system testing, mock disasters, or simple audits. The goal is to identify any weaknesses in your security program.
Jay Palter
Vice President of Marketing & Partnerships