Comment by kenjackson

Breaking into the data center is NOT outside of the threat model. We spend considerable amount of time detailing what can be done With physical access and various levels of physical access (for example, can I open the box versus being at the terminal vs having access to ports).

If you’re not doing that with your data centers then you are not even close to doing security right. And if you think it is close to feasible to completely lock down a server then you’re probably not being realistic.