Why do I want to physically separate/isolate corporate servers?

Posted on 2011-04-27
Last Modified: 2012-05-11
We're moving to a new building in less than a year and already I'm in a battle with those who would like to save money by co-locating the organization's "Admin" (think HR docs, Credit Card Info, Financial Docs) switches, routers, servers with a rack belonging to separate video/audio editing equipment (SANs perhaps, workstations, digital editing gear etc.).  This means people in our Media departments will constantly be in physical proximity of our corporate (Admin) servers.  Sure, I can lock the racks with those flimsy locks they come with and I can lock the bezels on the fronts of servers but...  Something is telling me to push for ISO 2700x standards or separation by drywall at the very least with a solid door, separate cooling vents and magnetic card access.  What would you do and WHY?  Points split across all useful responses.  Thanks.
Question by:LTWadmin
    LVL 18

    Accepted Solution

    Yes, I would push to have the network equipment and servers in a separate room from the media equipment. If it has to be in the same main room, the network equipment / servers could be in smaller room inside the main one with separate locks or card access as you described.

    You should always limit physical access to this type of equipment to only those that have a business need to be in there. Convenience is not a valid business reason. Anybody else with access is a major security hole. In fact it would be better if the administrators stayed out unless physical access is necessary, such as when something is powered off or equipment is being replaced. They can administer the servers, switches, and routers remotely for the day to day stuff.
    LVL 18

    Expert Comment

    by:Jerry Miller
    "Always make sure that a computer is physically protected in a way that's consistent with its value—and remember that the value of a computer includes not only the value of the hardware itself, but the value of the data on it, and the value of the access to your network that a bad guy could gain. At a minimum, business-critical computers like domain controllers, database servers, and print/file servers should always be in a locked room that only people charged with administration and maintenance can access. But you may want to consider protecting other computers as well, and potentially using additional protective measures."

    Taken from the 10 Immutable Laws of Security, Law #3.
    LVL 57

    Assisted Solution

    Well, first if you have Credit Card data, you have to follow PCI-DSS.  Which has restrictions on physical access to the servers, at least for the servers that you can carry.

    However, video/audio editing equipment does NOT belong in a computer room.  End users' equipment belongs in the office/location where the end user works.  NOT in a computer/server room.   And servers should not reside in the end users' work area.

    Now the SAN and the servers that are used by the video/audio team should be in a computer room, assuming the users don't need physical access to the servers.  They should not need physical access to the SAN.
    LVL 32

    Assisted Solution

    No reason that the employees need physical access to servers and SANs or even network equipment to which they are attached.

    Physical access is treated as authorized access with many systems.  This is true of operating systems as well as routers and switches.  Get your hands on the drives, keyboard, or console port...and there's a back door.

    I administered an office with two networks: art department & front office.  The servers were kept in the same room, and the switches in the same rack.  Front office employees were not allowed in the server room.  Art department supervisor had a key for changing backup tapes, inserting archive tapes, and access to the software locker.

    There was a certain amount of trust there.  Physical access to the equipment could have caused a lot of damage...but there was more immediate data/value in the art department network than the front office.

    I currently have logged keycard access to a data room and multiple CCTV cameras...and a certain level of basic trust.  It's not bulletproof by any means...but an admin with a grudge can walk into a data center with bona fide keys and credentials and do some "authorized" damage.

    Servers and network equipment shouldn't be in the same space as daily work, so I don't see how that's even an option.  The extreme noise and heat make them terrible roommates. And, without access control & monitoring, there is no security.

    Author Closing Comment

    Thanks to all
