A lot of time and columns are spent discussing securing a server from outside attacks. This is perfectly valid because it's easier for an attacker to use the Internet to break your server than it is for them to gain physical access.
However, some IT professionals gloss over the importance of physical server security. Many, if not most, of the most egregious breaches of security are performed from inside the organization.
- How do you protect your servers from users with on-site access who have no need to access the server or server room itself?
Is it just next to the IT manager's desk in a cubicle, or locked behind several doors with electronic card and biometric access?
Once someone has physical access to the servers, what protections are in place that prevent, or at least log, access to sensitive data they have no reasonable need to see?
Of course this will vary from organization to organization, and business need to business need, but even print servers have access to sensitive data (contracts and employee information) being printed, so there's more to this than might appear at first glance.
Best Answer
All our production servers are stored on the other side of the world in a solid data center. Man traps, biometric scanners, the whole box and dice.
For the machines that are in our office, they live in the server room, accessible only via swipe card. Only the sysadmins have swipe cards that can access that area.
In short, if someone physically has their hands on your kit, then your data is theirs. If this is a sufficient concern then pgp'ing anything of value and decrypting it on the fly is a heavy handed but necessary requirement.
edit: you could extend this to questions of physical security of your backup media. What good is solid physical security if your offsites are not as or more secure?