Physical security is the set of controls that protect people, buildings, and hardware from theft, damage, and unsafe access, not just data. In CompTIA A+ Core 2 (220-1202), Domain 2.0 Security, Objective 2.1, you're expected to recognize these controls and explain what each one is meant to prevent. That matters in IT support because you often handle devices, server rooms, and front-desk areas where a simple access mistake can become a major incident.
In real workplaces like an office, clinic, school, or small business, physical risks show up fast. A stolen laptop can expose records, an open network closet can invite tampering, and an unsecured entrance can put staff at risk. Because of that, you need practical ways to reduce both opportunistic and targeted threats.
This article breaks physical controls into four common types: barriers, controlled entry, monitoring, and response. You'll see how fences and bollards deter vehicle and foot access, while door locks and equipment locks protect rooms and devices. Next, controlled entry tools like an access control vestibule and badge reader help verify who should enter. Finally, video surveillance, alarm systems, motion sensors, and security guards support detection and response when something goes wrong.
What's at Risk
In CompTIA A+ (220-1202), Domain 2.0 Security, Objective 2.1, physical security focuses on what you can touch and enter, not only what you can log into. That scope matters because physical access often becomes system access. Once someone reaches your devices, ports, or rooms, they can steal hardware, copy data, or disrupt operations quickly.
Physical security protects people first, then the tools and spaces that keep IT running. When controls fail, the impact is rarely limited to one device. A single missing laptop can trigger a data exposure, downtime, and a long recovery cycle.
The assets that matter most in a typical IT environment
Start with people, because safety and continuity depend on them. If an attacker can enter a workspace, they can intimidate staff, pressure employees for help, or cause panic that distracts from normal checks. Even a minor incident at reception can pull IT away from monitoring and response.
Next come devices. End-user gear such as laptops and tablets carry credentials, cached sessions, and local files. They are also high-value and easy to carry, which changes how you secure them. A server is expensive too, but it is harder to remove and easier to notice. In contrast, a laptop can disappear in seconds, especially in open offices or shared spaces.
Network and compute infrastructure deserves special attention. Switches, routers, firewalls, and servers may sit in a wiring closet that people treat like storage. If someone reaches a rack, they can unplug uplinks, reset gear, or insert a rogue device. Simple tampering can cause an outage that looks like "normal" instability.
Media often gets overlooked because it is small and quiet. Backup drives, USB media, and old disks can contain full system images, keys, or sensitive records. Since these items fit in a pocket, physical security should treat them like cash.
Finally, consider facilities. The server room, wiring closet, and even ceiling spaces that carry cabling are part of your attack surface. If these areas lack door locks or monitoring, a person can work undisturbed and leave few clues.
If an asset is both valuable and portable, assume it will be targeted first, then secure it accordingly.
Common physical attack paths you should recognize fast
Most physical incidents are simple. They succeed because people feel rushed, polite, or distracted. Recognizing common paths helps you respond early, before a loss becomes an investigation.
Here are realistic examples you can picture in a normal office:
- Tailgating at a secure door: Someone follows an employee through a badge-controlled entrance while carrying a box or coffee. The employee holds the door because it feels rude not to.
- Unsupervised third parties near equipment: A contractor gets left alone near a rack "for just a minute." That minute is enough to unplug a cable, press a reset button, or attach a small device.
- Opportunistic laptop theft: A thief grabs a laptop from a lobby, meeting room, or shared desk area while the owner steps away.
- Plugging into an open network jack: Someone connects a laptop to an exposed Ethernet port in a conference room. If the port is live, they may gain internal network access without any Wi-Fi credentials.
- A propped-open door: A door is left open for deliveries. Once it is open, anyone can slip inside, then blend in.
These paths share one theme: the attacker avoids "breaking in." Instead, they blend into normal activity. As a result, your controls must reduce silent access, not only forced entry.
The fastest wins often come from fixing "everyday" habits, such as propped doors and unattended visitors.
Why "layers" beat any single control
A single physical control can fail for boring reasons. A door lock works until someone props the door open. A badge reader works until an employee waves someone through. Cameras help until a blind spot appears. Because failure is normal over time, physical security works best as defense in depth, where each layer supports the others.
Think in layers that slow an intruder and raise the odds of detection. For example, a facility might use fences to define boundaries, bollards to stop vehicle access, and door locks to restrict entry. Inside, a badge reader or access control vestibule limits who reaches sensitive areas. Then video surveillance and motion sensors improve visibility, while alarm systems and security guards support response.
Each added layer increases three things:
- Time: The intruder needs longer to reach the target.
- Noise: More actions mean more chances to trigger alarms or attract attention.
- Risk: More checkpoints raise the chance someone notices and reports the behavior.
Layering also improves investigations. When an incident happens, logs, camera footage, and access events can narrow the timeline. In contrast, one failed control often leaves you with guesswork.
The practical goal is not perfection. Instead, build overlapping controls so that a mistake in one place does not become a complete failure everywhere else.
Perimeter Controls
In CompTIA A+ Core 2 (220-1202), Domain 2.0 Security, Objective 2.1, perimeter and entry controls focus on stopping unwanted access before it reaches people, equipment, or sensitive rooms. These controls work best when they slow movement, guide visitors, and make entry points easy to monitor. If your building has unclear boundaries or weak doors, everything behind them becomes harder to protect.
Perimeter controls also reduce "casual" incidents. A thief rarely wants a dramatic break-in. Instead, they look for open gates, unlocked doors, and busy entrances where no one asks questions. Good entry design removes easy wins and forces a person to take actions that are easier to notice.
Strong perimeter and entry controls don't just block access, they create clear checkpoints where policy can work.
Bollards and fences, setting clear boundaries outside
Bollards are sturdy posts designed to stop or redirect vehicles. You often see them in front of storefronts, near building lobbies, and around pedestrian zones. Their job is simple: prevent a car or truck from reaching doors, windows, or crowds. In some sites, bollards also protect external equipment, such as generators, HVAC units, and utility connections.
Fences are physical barriers that mark property lines and limit where people can walk. A fence doesn't "secure" a site by itself, but it changes movement. It funnels visitors to gates, pushes foot traffic toward well-lit areas, and gives cameras a smaller set of routes to watch. That is why fences are common around data centers, loading docks, parking lots, and other areas where access should feel controlled.
Placement depends on what you're protecting:
- For storefronts, bollards reduce vehicle-ram risk near entrances.
- For data centers, fences define the perimeter and guide entry to guarded gates.
- For loading docks, fences and gates separate deliveries from employee entrances.
- For parking lots, fences limit shortcuts and reduce after-hours wandering.
Tradeoffs matter. Bollards can be expensive to install because they may need deep footings and site work. They also require inspection after impacts. Fences cost less per foot, but they still need upkeep (rust, weather damage, gate alignment). Most importantly, a fence slows an intruder but doesn't identify them. You still need lighting, cameras, badge checks, or guards to confirm who belongs.
Door locks and secure doors, your basic line of defense
Doors are the most common entry point, so small weaknesses add up fast. A strong lock helps, but the door and frame matter just as much. A cheap latch on a weak frame fails under pressure, even if the lock looks impressive. For that reason, pay attention to basics like solid doors, proper alignment, and a quality strike plate secured with long screws.
Most organizations mix lock types based on risk and traffic:
- Keyed locks: Common on offices, closets, and small server rooms. They're simple, but keys can be copied or lost.
- Keypad locks: Useful where many people need access. However, shared codes spread quickly unless you rotate them.
- Smart locks: Often use cards, phone apps, or centralized management. They can simplify changes when staff leave, but they need power and support.
Daily habits often matter more than the hardware. If people prop doors open, the lock becomes decoration. If a latch sticks, staff may stop closing the door fully. Those small failures create "quiet access" where no one forces entry.
Keep door control practical and auditable:
- Don't prop secure doors, even "just for a minute."
- Fix broken latches quickly, because staff will work around them.
- Control spare keys, store them securely, and track checkouts.
- Log who has access, then remove access when roles change.
When you treat access like a managed resource, you reduce risk and confusion at the same time.
Access control vestibules, controlling entry one step at a time
An access control vestibule (often called a "mantrap") uses two doors to control entry. A person enters the first door, then the system confirms authorization before opening the second door. Only one person should pass at a time, which helps stop tailgating (when someone follows closely behind an approved user). In simple terms, it's like an airlock for people, not for air.
This setup fits best where the stakes are high and traffic is predictable. Common locations include data center entrances, secure labs, and internal doors that protect network racks or sensitive records. Because the vestibule forces a pause, it also creates a clear moment for checks, such as badge verification and camera capture.
That said, a vestibule must follow safety rules. People need a safe way out during emergencies, and doors must support emergency egress. Fire and building requirements vary, so organizations typically coordinate with facilities staff and follow approved policies. The goal is controlled entry without trapping people or blocking evacuation routes.
A vestibule also works only when rules match the design. If staff hold doors for others, the control fails. If a site allows large deliveries through the vestibule, the workflow breaks down. Clear policy helps, such as requiring separate delivery entrances or scheduled escort procedures for vendors.
Security guards, the human layer that changes behavior
Security guards add a human layer that technology cannot copy. A visible guard presence deters many problems because it changes how people act. Most opportunistic intruders avoid places where someone will challenge them. Guards also support daily operations, such as managing visitors, checking doors, and responding when an alarm triggers.
Guards excel at tasks that require judgment. They can read body language, ask follow-up questions, and de-escalate tension. They also adapt when conditions change, such as during a busy event or a sudden evacuation.