Protecting physical data, networks, and systems has become difficult, increasingly costly, and tougher to manage as technology and environments become more complex and dynamic. This paper presents a theoretical foundation for physical information technology (IT) security by developing a logical description based on a flow-based model. Within this model, a security machine is defined as a sequence of stages in which flow is identified and blocked in a multilevel blockage machine. The main focusses of the paper are the importance of having appropriate physical security in place, discussed with so-called onion/garlic models, and the notion of physical containment. The proposed representation is applied to an actual security plan for an IT department of a government ministry. The results suggest a viable approach to designing physical security strategies.