• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 478

Why do I want to physically separate/isolate corporate servers?

We're moving to a new building in less than a year and already I'm in a battle with those who would like to save money by co-locating the organization's "Admin" (think HR docs, Credit Card Info, Financial Docs) switches, routers, and servers with a rack belonging to separate video/audio editing equipment (SANs perhaps, workstations, digital editing gear etc.). This means people in our Media departments will constantly be in physical proximity of our corporate (Admin) servers. Sure, I can lock the racks with those flimsy locks they come with and I can lock the bezels on the fronts of servers but... Something is telling me to push for ISO 2700x standards or separation by drywall at the very least with a solid door, separate cooling vents and magnetic card access. What would you do and WHY? Points split across all useful responses. Thanks.
Asked by: LTWadmin
3 Solutions
 
Jerry Miller commented:
Yes, I would push to have the network equipment and servers in a separate room from the media equipment. If it has to be in the same main room, the network equipment / servers could be in a smaller room inside the main one with separate locks or card access as you described.

You should always limit physical access to this type of equipment to only those that have a business need to be in there. Convenience is not a valid business reason. Anybody else with access is a major security hole. In fact it would be better if the administrators stayed out unless physical access is necessary, e.g. something is powered off or equipment is being replaced. They can administer the servers, switches, and routers remotely for the day-to-day stuff.
 
Jerry Miller commented:
"Always make sure that a computer is physically protected in a way that's consistent with its value—and remember that the value of a computer includes not only the value of the hardware itself, but the value of the data on it, and the value of the access to your network that a bad guy could gain. At a minimum, business-critical computers like domain controllers, database servers, and print/file servers should always be in a locked room that only people charged with administration and maintenance can access. But you may want to consider protecting other computers as well, and potentially using additional protective measures."

Taken from 10 Immutable Laws of Security, Law #3:
http://technet.microsoft.com/en-us/library/cc722487.aspx
 
giltjr commented:
Well, first, if you have Credit Card data, you have to follow PCI-DSS, which has restrictions on physical access to the servers, at least for the servers that you can carry.

However, video/audio editing equipment does NOT belong in a computer room. End users' equipment belongs in the office/location where the end user works, NOT in a computer/server room. And servers should not reside in the end users' work area.

Now the SAN and the servers that are used by the video/audio team should be in a computer room, assuming the users don't need physical access to the servers. They should not need physical access to the SAN.
 
aleghart commented:
No reason that the employees need physical access to servers and SANs, or even the network equipment to which they are attached.

Physical access is treated as authorized access with many systems. This is true of operating systems as well as routers and switches. Get your hands on the drives, keyboard, or console port... and there's a back door.

I administered an office with two networks: art department & front office. The servers were kept in the same room, and the switches in the same rack. Front office employees were not allowed in the server room. The art department supervisor had a key for changing backup tapes, inserting archive tapes, and access to the software locker.

There was a certain amount of trust there. Physical access to the equipment could have caused a lot of damage... but there was more immediate data/value in the art department network than the front office.

I currently have logged keycard access to a data room and multiple CCTV cameras... and a certain level of basic trust. It's not bulletproof by any means... but an admin with a grudge can walk into a data center with bona fide keys and credentials and do some "authorized" damage.

Servers and network equipment shouldn't be in the same space as daily work, so I don't see how that's even an option. The extreme noise and heat make them terrible roommates. And, without access control & monitoring, there is no security.
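One way to act on the logged keycard access and "only those with a business need" points in the answers above: an added example, not code from any poster, that reviews badge-reader log lines against an authorized roster and a business-hours window. The log format, badge ids, door name and function names are assumptions constructed for the illustration.

```python
# Added example: review server-room badge-reader logs against an authorized roster.
# The log format, badge ids and roster below are constructed for illustration;
# they do not come from any real access-control product.
from collections import namedtuple
from datetime import datetime, time

Event = namedtuple("Event", "ts badge door result")

# Constructed sample lines: "<ISO timestamp> <badge id> <door> <GRANTED|DENIED>"
SAMPLE_LOG = """\
2014-03-03T08:55:12 B1001 SERVER_ROOM GRANTED
2014-03-03T12:02:40 B2045 SERVER_ROOM GRANTED
2014-03-03T12:03:02 B2045 SERVER_ROOM DENIED
2014-03-04T02:17:55 B1001 SERVER_ROOM GRANTED
2014-03-04T09:30:00 B1002 SERVER_ROOM GRANTED
"""

# Only staff with a business need (the admins) appear on this roster.
AUTHORIZED = {"B1001": "admin-jane", "B1002": "admin-bob"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def parse_log(text):
    """Turn the constructed log text into Event records."""
    events = []
    for line in text.splitlines():
        ts, badge, door, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), badge, door, result))
    return events


def review(events, authorized=AUTHORIZED, hours=BUSINESS_HOURS):
    """Return (reason, event) findings that a security admin should follow up."""
    findings = []
    for e in events:
        if e.door != "SERVER_ROOM":
            continue
        if e.badge not in authorized:
            # Anyone off the roster is a finding whether granted or denied:
            # a GRANTED here means the reader's ACL disagrees with the roster.
            findings.append(("not on roster", e))
        elif e.result == "GRANTED" and not (hours[0] <= e.ts.time() <= hours[1]):
            # Admins should rarely need hands-on access; after-hours entry
            # should be matched to a change ticket or an outage record.
            findings.append(("after-hours admin entry", e))
    return findings


if __name__ == "__main__":
    for reason, ev in review(parse_log(SAMPLE_LOG)):
        print(f"{ev.ts.isoformat()} {ev.badge} {ev.result}: {reason}")
```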
 
LTWadmin (author) commented:
Thanks to all