Ensuring information security is one of the most important, complex, and expensive tasks that enterprises must deal with in their IT structure. It requires a systematic approach, in which individual problems are solved within the system as a whole and no disparity arises between them. In addition, one should be aware of the basic paradigm in the field of data protection: data is considered reliably protected only when the cost of acquiring it illegally exceeds its value. Security of information (data) is defined by the absence of unacceptable risk of leakage of information through technical channels, and of unauthorized or unintended effects on the data and (or) on the other resources of the automated information system.
Today, there are three basic principles of information security. The first principle is the integrity of the data, or protection against failures that lead to data loss and against unauthorized creation or destruction of data. The second is the confidentiality of information, and the third is its availability to all authorized users.
The classification of a company’s assets includes tangible assets, intangible assets, and employees. Physical security means taking security measures to protect all kinds of assets and to prevent and prohibit unauthorized access to information centers, facilities, resources, and equipment (Collett, 2013). Additionally, physical security includes the protection of personnel and property from damage or harm (Collett, 2013). Physical security issues and their solution are crucial to information security. Physical security means preventing any damage, saving information in case of natural disasters, improving backups, preventing unauthorized access, managing cabling systems, and so on, all of which are discussed in this paper.
Physical security issues arise from threats to information. These threats differ in nature. Equipment can fail, which includes failure of the cable system, power outages, and failure of disk systems and backup systems. Information can be lost through incorrect operation of servers, workstations, network cards, and so on, and data can be lost or modified because of software errors. There may be losses due to unauthorized access, or losses of information caused by computer viruses and by theft, destruction, or tampering. Threats also include loss of information related to the improper storage of archived data. Additionally, there is the human factor in the form of staff errors: disclosing confidential information that constitutes a secret to unauthorized persons, or accidentally destroying or modifying data.
Depending on the possible types of violations, the software and hardware levels of information security include three sub-layers: the physical, the technical (hardware), and the software (Collett, 2013). The physical sublayer deals with restricting physical access to information and information systems. Accordingly, it relies on technical means implemented as stand-alone devices and systems that are not associated with the processing, storage, and transmission of information: alarm and surveillance systems, and means of physically obstructing access such as locks, fences, railings, and so on. It should be noted that modern technologies are developing in the direction of combined hardware and software protection. The most widely used combinations are found in the areas of access control, virus protection, and so on.
All means of physical protection can be divided into three categories: means of prevention, means of detection, and means of threat elimination. All of them aim to solve physical security issues (Collett, 2013). Alarm systems and closed-circuit television, for example, are means of threat detection; fences around objects are means of preventing unauthorized entry into the territory. Reinforced doors, walls, and ceilings, grates on the windows, and similar measures serve the same function because they protect information facilities from physical violation and possible criminal acts such as eavesdropping, firing, throwing grenades and flash-bangs, and others. Fire-extinguishing equipment belongs to the means of threat elimination.
There are several physical security issues. First, the cabling system is a major weak point of most local area networks, since it is the cause of more than half of all network failures. Therefore, this system should receive special attention from the moment the network is designed. The best way to solve improper cable routing issues is to use so-called structured cabling systems, which use the same cables for data transmission in a local area network, for the local telephone network, and for the transmission of video and of sensor signals from fire safety or security systems. Structured cabling systems include, for example, SYSTIMAX SCS of AT&T Company, OPEN DECconnect of Digital company, and the IBM cable system (Saeed & Pejas, 2005). The term ‘structured’ indicates that the cable system of the building can be divided into several levels, depending on the purpose and location of the components of this system. For example, the SYSTIMAX SCS cabling system consists of the external subsystem (campus subsystem), hardware (equipment room), the administrative subsystem, the turnpike (backbone cabling), and the horizontal subsystem (Saeed & Pejas, 2005).
The external subsystem consists of copper and fiber optic cables, protection devices, and grounding, and connects the communication and processing equipment in the building or building complex. In addition, this subsystem includes the interfaces between external and internal cable lines. The hardware (equipment room) accommodates various communication equipment and is intended to ensure proper operation of the subsystem. The administrative subsystem is designed for quick and easy management of the cabling system when the plans for deploying personnel and departments change. It consists of the cable system (unshielded twisted pair and fiber optic), switching devices, interface lines to the backbone and horizontal cabling, patch cords, marking agents, etc. (LaRoche, n.d.). The backbone cabling connects the floors of a building or large areas of the same floor. The horizontal subsystem, based on twisted copper cable, extends the backbone from the entry points of the administrative subsystem to the floor outlets in the workplace.
The best way to protect the cable from physical and sometimes thermal and chemical effects, for example, in manufacturing plants, is to lay the cables in baskets with varying degrees of protection. When network cable is installed near sources of electromagnetic radiation, certain requirements must be fulfilled: the cable should be laid far from electric cables, outlets, transformers, and so on (Collett, 2013). Another major problem is the proper installation and trouble-free operation of cable systems, including the conformity of all components to international standards.
The next physical security issue concerns power supply systems. The most reliable way to prevent data loss during a short-term power outage is to install an uninterruptible power supply. Such devices vary in their technical and consumer characteristics, and they may provide power to the entire network or to a single computer for a period of time sufficient to restore the supply voltage or to store information on a medium.
Most uninterruptible power supply devices also act as voltage stabilizers, which provides additional protection against surges. Many modern network devices such as servers, hubs, bridges, and so on are equipped with their own duplicated power systems. Large corporations have their own emergency generators and backup power supply lines. These lines are connected to different substations, and if one of them fails, power is supplied from the backup substation.
The third physical security issue is system backup and duplication of information. The organization of a reliable and efficient data archiving system is one of the most important tasks in securing information on the network. In small networks, where there are one or two servers, backup systems are most commonly installed directly in the free server slots. In large corporate networks, it is preferable to set up specialized servers dedicated to backup (Cheminod, Durante, & Valenzano, 2013). Such a server automatically backs up data from the hard drives of servers and workstations on the specified local area network and issues a report on the backup. This ensures control of the entire archiving process from the administration console. For example, one can specify the particular volume, directory, or individual files to archive. It is also possible to organize automatic archiving of information when a certain event occurs (‘event driven backup’). For example, it can be triggered on receiving the information that the hard disk of a server or workstation does not have enough space, or when one of the ‘mirror’ drives on the file server fails. Among the most common server models, one can distinguish Storage Express System of Intel, ARCserve for Windows, products by Cheyenne, and others (Saeed & Pejas, 2005).
Information of particular value should be stored in a special protected area. Experts recommend storing duplicate files of the most valuable data in another building in case of fire or natural disaster. To ensure data recovery when storage media fail, disk array systems have come into use in recent years. These are groups of disks working as a single unit that conform to the RAID (Redundant Arrays of Inexpensive Disks) standard (Collett, 2013). These arrays provide high-speed reading and writing of data, the ability to recover the data, and replacement of failed drives in ‘hot’ mode, without shutting down the remaining drives in the array.
Disk arrays can be organized in several ways, implemented as a number of levels. Level 0 provides a simple separation of the flow of data between two or more disks. At the same time, such a solution does not allow recovering information if one of the disks in the array fails. RAID level 1 is chosen to organize so-called ‘mirror’ disks: during recording, the data of the main drive is duplicated on the mirror disk. Levels 2 and 3 provide for the creation of so-called parallel disk arrays, in which recorded data is distributed between the disks at the bit level. Levels 4 and 5 represent a modification of the zero level, in which the data stream is distributed over the disks in the array. The difference is that at level 4 a special drive is allocated for storing redundant information, while level 5 distributes redundant information across all drives in the array (Saeed & Pejas, 2005).
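The difference between levels 4 and 5, and the recovery that level 0 lacks, can be shown with a small simulation. This is an added example, not code from the cited sources; it assumes XOR parity as the redundant information, and the function names, block size, and sample data are constructed for illustration.

```python
from functools import reduce

def xor_blocks(blocks):
    """Byte-wise XOR of equal-length blocks (the redundant information)."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def parity_disk(stripe, n_disks, level):
    """Level 4: parity always on the last disk. Level 5: parity rotates."""
    return n_disks - 1 if level == 4 else (n_disks - 1 - stripe) % n_disks

def write_stripes(data, n_disks, block, level):
    """Distribute data over n_disks; each disk is a list of blocks."""
    per_stripe = (n_disks - 1) * block
    data += b"\x00" * (-len(data) % per_stripe)      # pad the last stripe
    disks = [[] for _ in range(n_disks)]
    for s in range(len(data) // per_stripe):
        chunk = data[s * per_stripe:(s + 1) * per_stripe]
        blocks = [chunk[i:i + block] for i in range(0, per_stripe, block)]
        blocks.insert(parity_disk(s, n_disks, level), xor_blocks(blocks))
        for disk, blk in zip(disks, blocks):
            disk.append(blk)
    return disks

def rebuild(disks, failed):
    """Recompute every block of the failed disk from the surviving disks.
    XOR of all survivors in a stripe yields the missing block, whether
    that block held data or parity."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks(row) for row in zip(*survivors)]

def read_data(disks, level):
    """Reassemble the data stream, skipping the parity block per stripe."""
    out = b""
    for s, row in enumerate(zip(*disks)):
        p = parity_disk(s, len(disks), level)
        out += b"".join(blk for i, blk in enumerate(row) if i != p)
    return out

if __name__ == "__main__":
    sample = b"constructed payroll ledger, Q3"       # constructed sample data
    array = write_stripes(sample, n_disks=4, block=4, level=5)
    lost = array[1]
    array[1] = None                                  # simulate a failed drive
    array[1] = rebuild(array, failed=1)
    print(array[1] == lost, read_data(array, 5).rstrip(b"\x00"))
```

The same `rebuild` works for both levels; what changes is only where the parity block sits, which is why level 4 concentrates all parity writes on one drive and level 5 spreads them.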
Increased reliability and data protection in a network, based on the use of redundant information, is realized not only in individual network elements such as disk arrays but also at the level of network operating systems. An example is the fault-tolerant operating system Netware SFT (System Fault Tolerance) (LaRoche, n.d.). It has three main levels. The first level provides for the creation of additional copies of the FAT and Directory Entries Tables, immediate verification of each newly recorded data block on the file server, and the reservation of about 2% of each hard drive (LaRoche, n.d.). When a failure is detected, data are redirected to the reserved area of the disk, and the failed block is marked as ‘bad’, so it will not be used. SFT Level II adds the possibility of establishing ‘mirror’ disks as well as duplication of disk controllers, power supplies, and interface cables. SFT Level III uses duplicated servers in the local network, one of which is the main one while the other contains a copy of all the information and comes into operation if the ‘main’ server fails (LaRoche, n.d.).
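The first-level mechanism described above (verify each block after writing, redirect to the reserved area on failure, mark the block ‘bad’) can be modelled in a few lines. This is an added, simplified model and not NetWare’s actual implementation or on-disk format; the class name, the way a defective block is simulated, and the sample values are assumptions.

```python
class HotFixDisk:
    """Toy disk with read-after-write verification and a reserved area."""

    def __init__(self, n_blocks, defective=(), reserve_fraction=0.02):
        self.reserved = max(1, int(n_blocks * reserve_fraction))  # about 2%
        self.data_blocks = n_blocks - self.reserved
        self.media = {}                   # physical block -> stored bytes
        self.defective = set(defective)   # constructed: blocks that damage writes
        self.bad = set()                  # blocks marked 'bad', never reused
        self.remap = {}                   # logical block -> spare physical block
        self.next_spare = self.data_blocks

    def _raw_write(self, phys, payload):
        # A defective block silently stores zeros instead of the payload.
        damaged = phys in self.defective
        self.media[phys] = b"\x00" * len(payload) if damaged else payload

    def write(self, logical, payload):
        """Write, read back, compare; on mismatch redirect to a spare block."""
        if not 0 <= logical < self.data_blocks:
            raise IndexError("logical block outside the data area")
        phys = self.remap.get(logical, logical)
        while True:
            self._raw_write(phys, payload)
            if self.media[phys] == payload:      # verification passed
                return phys
            self.bad.add(phys)                   # mark the failed block
            if self.next_spare >= self.data_blocks + self.reserved:
                raise OSError("reserved area exhausted")
            phys = self.next_spare               # take the next spare block
            self.next_spare += 1
            self.remap[logical] = phys

    def read(self, logical):
        return self.media[self.remap.get(logical, logical)]

    def spares_left(self):
        return self.data_blocks + self.reserved - self.next_spare

if __name__ == "__main__":
    disk = HotFixDisk(100, defective={7})        # constructed fault at block 7
    print(disk.write(3, b"ok"), disk.write(7, b"ledger"), disk.bad)
    print(disk.read(7), disk.spares_left())
```

The number of remaining spare blocks is the value worth monitoring: a shrinking reserved area is an early sign of media failure, before any data is actually lost.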
One more issue is the way information is stored. Significant measures must be taken to protect the equipment and storage media. There are locks with different working principles (mechanical, code, chip, radio-controlled), and the locks are mounted on front doors, blinds, shutters, cabinets, safes, and devices. Some locks use microswitches that register the opening or closing of doors and windows. There are also special barcodes affixed to all devices, documents, and so forth to prevent their removal from the premises. Special safes and metal cabinets are used to house individual elements of the automated information system and removable media with confidential information.
Preventing information leakage is of high importance. To prevent information leakage through electromagnetic channels, special shielding and radio-absorbing materials and products are widely used. This is done in different ways. First, walls, floors, and ceilings are covered with metallic wallpaper, conductive enamel, and special mortars. To protect the windows, metallized curtains (with metal fibers in the fabric) and glass with a conductive layer are used. All openings are closed with a metal grid connected to the grounding. Magnetic devices that prevent the propagation of radio waves are installed in ventilation ducts. To protect the circuits, units, and blocks of the automated information system from interference, screened cables, chokes, suppressors of electromagnetic radiation surges, wires, capacitors, and other electrical equipment that suppresses interference are used. To control the power supply, there are devices that include a fault alarm.
Special areas used by top management, including certain office spaces, should always be closed to prevent unauthorized passage. All visitors without exception, including business partners and clients visiting protected facilities, must be met and guided by security personnel, HR, or guards. It is advisable to meet visitors, and to work with them, in specially equipped rooms with technical means of protection, surveillance, and alarm systems. Offices of the company’s management, storage areas for confidential documents, meeting rooms, and some units should not be open to visits by outsiders or by employees who are not admitted to the trade secret. Therefore, another important physical security issue is authentication, which is performed when the account holder supplies the appropriate credentials to the system. Credentials may take different forms: a password, a smart card, a USB device or key fob that contains a chip with authentication data, fingerprints, etc. It is necessary to protect these credentials and to ensure that they are unique and that only authorized people have them.
The main factor contributing to the protection of confidential information is the set of security measures aimed at minimizing and preventing the leakage of specific information. The adoption of special measures to protect intellectual property or any other information depends primarily on the owner of the protected information, on the current competitive situation, and on the value that the industrial or commercial information represents.
It is also important to detect unauthorized access by using electronic security systems. Modern electronic security systems are very diverse and generally quite effective. However, most of them have a common drawback: they cannot provide early detection of intrusion into the facility. Such systems tend to focus on the detection of an intruder who has already entered the protected area or building. This applies, in particular, to video surveillance systems; often, using digital video recorders, they may only confirm the intrusion after it has already occurred (Shinder, 2007).
The last physical security issue is related to natural disasters. Natural disasters may be both predictable and unexpected. The main and most common method of protecting information and equipment from a variety of natural disasters such as fires, earthquakes, floods, and so on is to store backup copies of the information or to place some of the networking devices such as database servers, in special protected areas (Shinder, 2007). As a rule, information is stored in other buildings or, rarely, even in another part of town or another city.
Physical security issues are connected with preventing any damage, saving information in case of natural disasters, improving backups and cabling systems, etc. Physical protection of information ensures the protection of the territory of the object from the outside and protects all components of the automated information systems and of the enterprise; it is usually implemented in the form of independent devices and systems. Along with traditional and customary mechanical protection, there are versatile automated electronic systems of physical protection that are designed to protect the premises and facilities and to support access control, video surveillance, fire alarm systems, etc.
Solving physical security issues requires certain measures. A policy for the physical protection and environmental protection of information systems should be developed, documented, and periodically updated. It is necessary to develop procedures and measures for implementing the policy of physical protection and protection of IT systems. It is necessary to develop a list of the personnel who are allowed access according to the security policy, as well as a mechanism of personnel identification. Relevant officials must review and approve the access lists and revise them at the specified intervals. The level of security of premises should be commensurate with the potential risks. There should be a system of access management for all points of access to information resources and assets.
It is necessary to use well-defined security parameters to protect the rooms and areas in which information-processing facilities are located. Access to the premises and buildings should be granted only to authorized personnel. Equipping a network server or workstation with, for example, a smart card reader and special software can greatly increase the degree of protection against unauthorized access. Moreover, the monitoring of physical access is compulsory. The monitoring system should perform monitoring and signaling on a real-time basis, and it should have automated tools that recognize violations and trigger a response. Control of physical access to the premises must be provided using the most stringent methods of identification and authentication.
The equipment should be positioned and protected so as to reduce the risks from the environment and the possibility of unauthorized access. The equipment must be protected from power outages and other failures related to electricity (redundant power supplies, generators, etc.). It is necessary to provide fire protection as well as protection from other environmental and manmade disasters that may cause considerable damage to information. It is necessary to protect telecommunications cabling from interception or damage and to carry out proper maintenance of equipment to ensure its continuous availability and integrity. Technical solutions alone (physical, hardware, or software protection) are not enough to provide reliable and safe operation of complex networks that contain significant amounts of highly important information. Any information system, network, or company requires a single comprehensive plan that includes a list of daily safety measures, procedures for urgent data recovery in case of system failures, and specific plans of action for emergencies such as fire, power failure, natural disasters, and so on.