Domain 3 · Lesson 6 of 6

Physical Security & Environmental Controls


Key Terms

Mantrap, CPTED, Tailgating, Piggybacking, UPS, PDU, Generator, Wet Pipe, Dry Pipe, Pre-action, FM-200, CO2, Halon, HVAC, Data Center Tier

Physical Access Control Layers (Outer → Inner)

Physical security follows the Defense in Depth principle — concentric rings of protection from the perimeter to the most sensitive equipment. Each layer must be independently secured.

Layer 1 — Site Perimeter
Fencing (3ft deters casual, 8ft+ deters determined), bollards (anti-vehicle), lighting (eliminates shadows — no dark areas near doors), CCTV (deter + evidence), security guards, natural barriers (landscaping as CPTED)
Layer 2 — Building Exterior
Badge readers at all entrances, visitor management system (sign-in, escort required), reception desk, parking access control (separate employee/visitor parking), motion-activated lighting
Layer 3 — Interior Access Control
Mantrap/Airlock: Two doors with interlocking control — only ONE door can be open at a time. Person enters first door, door closes and locks, identity verified, second door opens. Defeats tailgating and piggybacking. CCTV on all corridors. Turnstiles at floor access points.
Layer 4 — Equipment Room / Data Center
Biometric + badge (two-factor physical authentication required), cage locks for individual racks, cable locks for portable equipment, no windows, raised flooring, positive air pressure (keeps dust out), all visitor access logged and escorted
CPTED — Crime Prevention Through Environmental Design:
  • Natural Surveillance: Design spaces so legitimate users can observe what is happening (open sight lines, adequate lighting)
  • Natural Access Control: Use landscaping, fencing, and building layout to guide traffic through controlled entry points
  • Territorial Reinforcement: Clear signals about public vs. private space (signage, fencing, landscaping) discourages unauthorized access
Tailgating vs. Piggybacking:
  • Tailgating: Unauthorized person follows an authorized person through a door WITHOUT the authorized person's knowledge or consent
  • Piggybacking: Unauthorized person follows WITH the authorized person's consent ("hold the door") — insider threat element
  • Mantrap defeats BOTH — the second door cannot open until the first is fully closed and identity is verified
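The interlock described above, as an added example that is not part of the lesson: a small state machine for a mantrap controller in which at most one door is ever open, and the inner door unlocks only after the outer door has closed and both badge and biometric checks pass. The verifier callbacks, door events and the "hold for guard" behaviour on a failed check are assumptions.

```python
from enum import Enum, auto

class State(Enum):
    IDLE = auto()        # both doors closed and locked, chamber empty
    OUTER_OPEN = auto()  # outer door open, inner door locked
    VERIFYING = auto()   # occupant sealed in, identity check pending
    INNER_OPEN = auto()  # inner door open, outer door locked

class Mantrap:
    """Interlock: never more than one door open; inner door unlocks only after
    the outer has closed AND badge plus biometric both verify (two-factor)."""

    def __init__(self, verify_badge, verify_biometric):
        self.state = State.IDLE
        self._badge_ok = verify_badge      # hypothetical verifier callbacks
        self._bio_ok = verify_biometric
        self.alerts = []                   # denied events for the guard desk

    def request_outer(self):
        # A second person cannot start a cycle while one is in progress.
        if self.state is not State.IDLE:
            return self._deny("outer door requested during active cycle")
        self.state = State.OUTER_OPEN
        return True

    def outer_closed(self):
        if self.state is State.OUTER_OPEN:
            self.state = State.VERIFYING

    def present_credentials(self, badge, biometric):
        if self.state is not State.VERIFYING:
            return self._deny("credentials before outer door fully closed")
        if not (self._badge_ok(badge) and self._bio_ok(biometric)):
            return self._deny("verification failed; occupant held for guard")
        self.state = State.INNER_OPEN
        return True

    def inner_closed(self):
        if self.state is State.INNER_OPEN:
            self.state = State.IDLE

    def guard_release(self):
        self.state = State.IDLE            # guard clears a held occupant

    def doors_open(self):
        return {"outer": self.state is State.OUTER_OPEN,
                "inner": self.state is State.INNER_OPEN}

    def _deny(self, reason):
        self.alerts.append(reason)
        return False
```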

Environmental Controls

Temperature & Humidity Requirements

Temperature: 64–76°F (18–24°C)
  Too hot: equipment thermal throttling, failures, shortened lifespan. Too cold: condensation risk. ASHRAE recommends 18–27°C for server inlet.
Relative Humidity: 45–55% RH
  Too dry (<40% RH): static electricity discharge (ESD) can destroy components. Too humid (>60% RH): condensation on components causes shorts and corrosion.
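An added example, not part of the lesson, that checks sensor readings against the ranges above and labels each out-of-spec reading with the risk the lesson names. The dew-point calculation (Magnus approximation) and the sensor names are additions; the sample readings are constructed and reuse the Q5 inspection figures of 28°C and 65% RH.

```python
import math
from dataclasses import dataclass

# Target envelopes quoted in the lesson: 18-24 C and 45-55 % RH.
TEMP_RANGE_C = (18.0, 24.0)
RH_RANGE_PCT = (45.0, 55.0)

@dataclass
class Reading:
    sensor: str      # hypothetical sensor name
    temp_c: float
    rh_pct: float

def dew_point_c(temp_c, rh_pct):
    """Magnus approximation: temperature at which this air's moisture
    condenses on a surface (formula added here, not from the lesson)."""
    a, b = 17.62, 243.12
    gamma = math.log(rh_pct / 100.0) + a * temp_c / (b + temp_c)
    return b * gamma / (a - gamma)

def assess(reading, coldest_surface_c=None):
    """Risk labels from the lesson for one reading; [] means in spec."""
    risks = []
    t_lo, t_hi = TEMP_RANGE_C
    if reading.temp_c > t_hi:
        risks.append("thermal")            # throttling, failures, lifespan
    elif reading.temp_c < t_lo:
        risks.append("cold_condensation")
    rh_lo, rh_hi = RH_RANGE_PCT
    if reading.rh_pct < rh_lo:
        risks.append("esd")                # static discharge kills parts
    elif reading.rh_pct > rh_hi:
        risks.append("humid_condensation")
    # Water actually forms once any surface sits at or below the dew point,
    # e.g. chilled supply air or pipework in a warm, humid room.
    if coldest_surface_c is not None and coldest_surface_c <= dew_point_c(
            reading.temp_c, reading.rh_pct):
        risks.append("dew_point_reached")
    return risks

def out_of_spec(readings, coldest_surface_c=None):
    """Map sensor -> risks for every reading that needs an HVAC alert."""
    return {r.sensor: assess(r, coldest_surface_c) for r in readings
            if assess(r, coldest_surface_c)}

# Constructed sample: Q5's Manila figures, one healthy rack, one dry rack.
SAMPLE = [Reading("rack-01", 28.0, 65.0), Reading("rack-02", 20.0, 50.0),
          Reading("rack-03", 21.0, 38.0)]
```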

Power Controls

Control | Purpose | Notes
UPS (Uninterruptible Power Supply) | Battery backup — instant failover during power interruptions | Provides minutes to hours of power. Allows graceful shutdown or generator startup.
Generator | Extended power backup via diesel/gas generator | Takes 10–30 seconds to start — UPS bridges the gap. Fuel supply must be maintained.
Dual Power Feeds | Two independent utility feeds from different substations | If one utility feed fails, the other takes over. Highest availability for critical facilities.
PDU (Power Distribution Unit) | Distributes power within rack; monitors per-outlet power consumption | Intelligent PDUs provide remote outlet control and power monitoring alerts.
Under-floor Water Sensors | Detect water intrusion before equipment is damaged | Critical in raised-floor data centers. Alert before water reaches server level.

Fire Suppression Systems

Fire suppression is a critical exam topic. The system chosen depends on the environment, occupancy, and trade-offs between equipment protection and human safety.

System | Mechanism | Best For | Key Risk / Note | Exam Rating
Wet Pipe | Pipes always filled with pressurized water; sprinklers activate individually on heat | General office areas, warehouses | Accidental discharge (pipe break, mechanical failure); freezing risk in cold environments | Most common general use
Dry Pipe | Pipes filled with pressurized air; water released only when sprinkler opens | Cold storage, unheated warehouses, parking structures | Slower response than wet pipe (air must vent before water flows) | Cold environment use
Pre-action | Two independent triggers required before water releases: (1) heat/smoke detector fires, (2) sprinkler head opens. Double interlock prevents accidental discharge. | DATA CENTERS — occupied equipment rooms | Most complex; highest equipment protection; almost no accidental discharge risk | EXAM FAVORITE
Deluge | All sprinkler heads open simultaneously on system activation — floods area instantly | Aircraft hangars, chemical plants, transformer vaults | NOT FOR DATA CENTERS — total flooding destroys all equipment | Industrial only
Halon | Chemical agent that disrupts combustion chain reaction; no residue | N/A — prohibited | BANNED — Montreal Protocol (1987). Depletes ozone layer. Existing systems being phased out. | BANNED — exam trap
FM-200 (HFC-227ea) | Clean agent — removes heat from combustion; no water; no residue | Data centers with people present, telecom rooms, archives | Safe for humans at design concentrations. NOAEL threshold must not be exceeded. Legal Halon replacement. | Data center standard
CO₂ | Displaces oxygen — suppresses fire by removing oxygen from combustion triangle | Unoccupied areas: electrical switchgear rooms, transformer vaults, machinery spaces | DANGEROUS TO HUMANS — must evacuate before activation. Causes rapid unconsciousness and death at fire-suppression concentrations. | EVACUATE FIRST
Fire Triangle: Combustion requires Fuel + Heat + Oxygen. Fire suppression works by removing one element:
  • Water (wet/dry pipe): removes HEAT (cooling)
  • FM-200: removes HEAT (molecular level interruption)
  • CO₂: removes OXYGEN (displacement)
  • Halon (banned): interrupts COMBUSTION CHAIN REACTION (chemical)
Exam Tips — Physical Security
  1. Pre-action sprinkler = BEST for data centers — requires two independent triggers before water releases. Lowest risk of accidental water damage to equipment.
  2. CO₂ is dangerous to humans — must evacuate before activation. At fire-suppression concentrations (35%+), CO₂ causes rapid loss of consciousness and death within minutes.
  3. Halon is BANNED under the Montreal Protocol (ozone depleting). FM-200 (HFC-227ea) is the legal, approved clean agent replacement for data centers.
  4. Mantrap prevents tailgating — two interlocking doors with only one open at a time. The most effective physical control for high-security server room entrances.
  5. Wet pipe = most common but always has water in pipes — risk of accidental discharge in freezing environments or from mechanical failure. Not ideal for data centers.
  6. Temperature: 18–24°C; Humidity: 45–55% RH — memorize these ranges. Too dry = ESD; too humid = condensation; too hot = equipment failure.
FinTech Company X Work Application — Partner E Manila Data Center Planning

For Platform C's planned Manila data center supporting Partner E Philippines card processing, the following physical and environmental controls should be specified in the data center requirements:

  1. Fire suppression: Pre-action system (preferred — engineers work in the server room daily, equipment is expensive). FM-200 clean agent is acceptable as an alternative, especially for areas where pre-action pipes would be impractical. Do NOT use deluge (destroys all equipment) or Halon (banned in Philippines under Montreal Protocol).
  2. Environmental: Temperature maintained at 20°C (within 18–24°C range); relative humidity 50% (within 45–55% range). Automated HVAC alerts to operations team when temperature exceeds 22°C or drops below 17°C. N+1 HVAC redundancy.
  3. Power: Dual power feeds from different utility substations (Meralco primary + backup substation). APC UPS with 30-minute battery runtime. Diesel generator with 72-hour fuel supply. Automatic transfer switch <100ms failover.
  4. Physical access: Mantrap at server room entrance (biometric + badge — two-factor physical auth). All visitor access logged with escort. CCTV coverage of all access points with 90-day retention. No windows in server room.
  5. Equipment: All racks locked. Cable locks on portable devices. Raised flooring with under-floor water sensors. Positive air pressure to prevent dust ingress.
  6. No single point of failure: Partner E card processing infrastructure distributed across at least two physical racks on separate power circuits, with cross-rack redundancy for all critical services.

Practice Questions

Q1. A company is building a new data center where engineers work inside the server room regularly. They need a fire suppression system that protects expensive equipment from water damage and does not endanger personnel who may be present when a fire is detected. Which system is MOST appropriate?

A. Pre-action sprinkler system — requires two independent signals before water releases, minimizing accidental discharge risk while protecting equipment
Pre-action is the gold standard for occupied data centers. It requires (1) a heat or smoke detector to activate AND (2) a sprinkler head to physically open before water is released. This double interlock prevents accidental water release from a single sensor malfunction or a mechanical sprinkler failure. FM-200 is also acceptable for occupied spaces. Wet pipe (water always in pipes) risks accidental discharge; deluge floods the entire area and destroys all equipment.

Q2. An electrical equipment room is protected by a CO₂ fire suppression system. A fire is detected and the suppression system activates. What is the primary danger to personnel?

A. CO₂ at fire-suppression concentrations (35%+) rapidly displaces oxygen, causing unconsciousness and death — all personnel must evacuate BEFORE system activation
CO₂ fire suppression works by displacing oxygen to below the level that supports combustion (~15%). At fire-suppression concentrations (typically 34–75% CO₂), the atmosphere is immediately life-threatening. Unconsciousness can occur within seconds, and death within minutes. CO₂ is appropriate only for unoccupied or normally unoccupied spaces where personnel can evacuate before or when the system activates. Alarms must sound well before discharge to allow evacuation.

Q3. A legacy telecommunications facility uses Halon gas fire suppression. During a compliance audit, the auditor flags this as a regulatory violation. Why?

A. Halon is banned under the Montreal Protocol (1987) due to its ozone-depleting properties — it must be replaced with an approved clean agent such as FM-200
The Montreal Protocol on Substances that Deplete the Ozone Layer banned the production and import of Halon in most countries. Organizations with existing Halon systems must phase them out. FM-200 (HFC-227ea) is the most common legal replacement — it is a clean agent that does not deplete the ozone layer, leaves no residue, and is safe for personnel at design concentrations. Exam tip: if a question mentions Halon as an option, it is almost always the wrong answer for a new installation.

Q4. A high-security data center requires that no unauthorized person can enter the server room even if they follow immediately behind an authorized employee. Which physical control prevents this?

A. Mantrap (airlock) — two interlocking doors where only one can be open at a time; the second door does not open until the first is fully closed and identity is verified
A mantrap (also called an airlock or sally port) is specifically designed to prevent tailgating and piggybacking. A person enters through the first door, which closes and locks. The person's identity is verified (badge + biometric). Only then does the second inner door unlock. This physical separation ensures only one verified person enters at a time. Even if an attacker waits for the first door to open, they cannot follow through — the first door must fully close before the second can open.

Q5. During an inspection of a data center in a tropical climate (Manila), an auditor measures 28°C server room temperature and 65% relative humidity. Which of the following identifies the risks correctly?

A. Both measurements are out of spec — 28°C exceeds the 18–24°C target (risk: equipment thermal failure) and 65% RH exceeds the 45–55% target (risk: condensation and component corrosion)
CISSP standards: temperature range is 18–24°C (64–76°F) and humidity is 45–55% RH. At 28°C, servers may thermal-throttle, reducing performance, and components have shortened operational lifespans. At 65% RH, condensation can form on cold components when airflow changes, causing short circuits and corrosion over time. In tropical climates, HVAC sizing and redundancy are critical — Manila's ambient heat and humidity require significantly more cooling capacity than temperate locations.
Domain 3 Complete!

You've completed all 6 lessons of Domain 3: Security Architecture & Engineering. You've covered secure design principles, security models, cryptography, PKI, cloud/container security, and physical security.