A lot of time and columns are spent discussing securing a server from outside attacks. This is perfectly valid because it's easier for an attacker to use the Internet to break your server than it is for them to gain physical access.
However, some IT professionals gloss over the importance of physical server security. Many, if not most, of the most egregious breaches of security are performed from inside the organization.
- How do you protect your servers from users with on-site access who have no need to access the server or server room itself?
Is it just next to the IT manager's desk in a cubicle, or locked behind several doors with electronic card and biometric access?
Once someone has physical access to the servers, what protections are in place that prevent, or at least log, access to sensitive data they have no reasonable need to see?
Of course this will vary from organization to organization, and business need to business need, but even print servers have access to sensitive data (contracts and employee information) being printed, so there's more to this than might appear at first glance.
All our production servers are stored on the other side of the world in a solid data center. Man traps, biometric scanners, the whole box and dice.
For the machines that are in our office, they live in the server room, accessible only via swipe card. Only the sysadmins have swipe cards that can access that area.
In short, if someone physically has their hands on your kit, then your data is theirs. If this is a sufficient concern then pgp'ing anything of value and decrypting it on the fly is a heavy handed but necessary requirement.
edit: you could extend this to questions of physical security of your backup media. What good is solid physical security if your offsites are not as or more secure?
The amount of physical security you need depends on the nature and size of your business, IT staff, etc. For most smaller companies, a locked door and inexpensive security camera will do the trick.
Securing access to the electrical closet is important, too. Throwing a breaker goes a long way toward shutting down computer systems.
All manners of physical security can be taken with smart card access, prox sensors, heavy doors, kick plates, cameras, strong passwords, biometrics..
The problem is when electricians needed to do wiring, prop the door open with a brick and head off to lunch without notifying anyone. It had happened once. Luckily I came in moments later. Funny how a brick can circumvent $10k+ of security.
Another thing. Beware of non-technical users and their stupidity.
Our production servers were safe at colocation center, but development ones in the office. Once the cleaning lady couldn't find free power outlet, and plugged the vacuum cleaner to the servers' UPS. Luckily it had quite loud overload alarm, so we could react promptly.
Other case (don't know how much real or urban legend it is), there where mysterious downtimes of one of the servers every day early in the morning. No one could identify the problem. Resulted, that the security guard at the start of his shift would unplug one of the servers, and plug in the coffee maker. He though that "no one would notice, it was only 3 minutes".
Our building used to be a bank, so we keep our servers in the vault. Cooling isn't great, but we only have half a dozen, and none of them are hugely powerful, so it's not really an issue.
This one's part urban legend, part truth.
UL: A company was having a new computer room built and the IT admin was showing off the security measures (man-trap, swipe cards, etc.) to one of his friends. The friend nodded his head seeming to be very impressed. A few minutes later the two are talking just outside the door when the friend gets an idea. He turns his back to the wall and gives it a good kick, breaking a good size hole in the wall. Needless to say, the admin had the walls reinforced before moving in.
Truth: Small company leasing space in a multi-tenant building. Card keys, etc. Over a weekend someone punched a hole in the drywall next to the door and stole 20 computers (including the server with all the license keys)
We have a layer of metal under the drywall of our computer room.
Our server room is protected via keycard. Only IT personnel have keycards that will open the door, and only the Security department has control over your keycard's access permissions.
Once inside the server room, all the servers are held in enclosed racks. The front and rear doors of each rack are locked, and only IT personnel are given rack keys.
We also keep the networking closets on all floors locked, and only members of the Facilities team has keys for these doors.
If it's small-to-medium company, probably will have it's servers in colocation center, if it's big corporation, will have it's own.
This usually provide physical security means you've mentioned. What you didn't mention is electromagnetic shielding, preventing eavesdropping (there are commercially available products capable of eavesdropping twisted-pair Ethernet from distance of hundred feet or so). In case of banks, these are bunker-like structures, that would even withstand EMP attacks.
It's also typical for data center, to have at least two physical locations, to have backup in case of some type of natural disaster (flood, fire, whatever). Of course it's own power supply, not only UPS, but also generators.
Have your IT staff (and if possible, a police officer/reservist friend or someone in the security field) sit in a room some day. Watch Sneakers, Mission Impossible and Oceans 11.
Then come up with every scenario where someone would break into the room. Under the floor, through the walls, defeating the door lock, through the ceiling, through the vents.
Then, layer your security.
Use doors, locks, concrete and metal bars/grates to make the room as impervious as possible.
Then, assume that your first line of security is breached.
Motion sensors, silent alarms, audible alarms are all good.
Locks on all the racks keep people out (or slow them down).
A few cameras (outside the door and in the server room) which log to a separate room/site is an excellent deterrent.
As a side note, don't forget about securing the backups.
My work revolves around something that is, ah, not as critical...so security isn't as tight as "Iron Mountain" or somesuch. However...
The server room is on the second floor of a building that uses 6" concrete slab walls. The initial entry point outside requires a key (and getting past front-counter employees). The second entry point requires a different key. The third entry point requires a third key, and the door employs wire-mesh glass to prevent casual attacks, although I guess someone with a chainsaw, blowtorch, or other noisy/obtrusive/obvious means of attack would get through. The entire facility is covered with cameras running on DVRs that record movement 24/7, and the DVRs themselves are secured in a similar manner.
Backups are stored in the server room in a media-rated fire safe insert, which is then placed inside an additional fire safe. Offsite backups are taken directly by the IT Manager, who lives in an alarmed house (and I'm sure has an on-site safe as well).
No, I did not design the physical security, nor do I determine the policy on physical security. The place sells boxes of cabbage and oranges and whatnot, so it's not like we're in the business of handling military or state secrets...