The Bunker: an underground former Ministry of Defence command centre now holding companies’ data securely.
The Electronic Commerce Trading Exchange has secured its exchange servers at The Bunker. Charles Cowper of Guildford-based ECTX says the on-line brokerage service began looking for a secure host in May. He adds: ‘Our plan is never to put our mission critical systems in high profile places.’
<br><br>
From the outside, The Bunker has a military air – MoD fencing topped with barbed wire around anonymous and green acres of Kent. The Bunker looks military because it used to be RAF Ash, near Sandwich, a NATO air defence command centre, refitted in the 1990s put on the market by the government, and snapped up in 1998 by IT security figures Ben and Adam Laurie and Dominic Hawken. As The Bunker’s website points out (www.thebunker.net): ‘The use of encryption has safeguarded information as it travels from point to point, but the threat of subterfuge remains wherever data is decrypted and processed. At this point, the physical security of the server is of paramount importance – no software can prevent the loss of data due to theft, fire damage or terrorist attack.’ This secure hosting site has gained much broadsheet newspaper coverage – the mainstream media taken by the whiff of former Cold War secrecy and present security restrictions – clients of The Bunker cannot access their server rack without a one to one guard who stays with the client while he does any work, so that the client cannot have a roam around the underground rooms. If the client needs to replace the memory or a drive, The Bunker will do it for you. In the field of disaster recovery and business continuity, some feel that The Bunker offers unnecessarily high, even gimmicky protection … do you need to fork out for something 30m underground behind two tonne steel doors and three metres of concrete, in case of a thermonuclear explosion or chemical attack’ The Bunker’s riposte is that they have simply taken over (for an undisclosed cost) this site, designed to much higher specifications than your average commercial undertaking – so why take the specifications away’ The new e-commerce worlds of banking need security for their data, and yet it has to be available too. Similarly, The Bunker was built as a NATO base that had to work in hostile conditions and yet have accessible communications to the outside world. Ben Laurie says: ‘I often get asked the question, ‘if there is a nuclear war, why should I care about my servers’ The answer is that you shouldn’t and we certainly won’t! Our system administrators will not be running down in their radiation suits to make sure your credit card numbers are safe – they’ll be heading for the hills just like you and I! But this is not what The Bunker is about; it is about cost-effective secure hosting owned and run by people who know what they are doing.’ Prices for managing your server start at £250 per month per server. Customers include BT Cellnet and Richer Sounds. The Bunker points out that security breaches can come from anywhere, electronic or physical. What is the difference between physical theft of your servers, and an anti-capitalist protester entering your firm as a temp and carrying out a cyber-attack’ No difference, in that regardless of how long it takes to replace the physical servers or make good the electronic damage, the damage is done in the disruption to normal business, and customers’ lost confidence. The Bunker argues that companies need security to make sure they do not need to go into disaster recovery mode. Ben Laurie adds: ‘Most people are under the illusion that their applications are securely hosted, because their provider’s sales guy told them they were! Few people even check the validity of their host’s security claims until things go horrible wrong.’
<br><br>
Not overkill
<br><br>
Paul Lightfoot is Operations Manager at The Bunker. He says that prospective clients had The Bunker on their agenda for its physical security before September 11: ‘But a lot of people have put it higher up or top of their list. They always thought what we did was overkill whereas it has become quite apparent now that it is fairly well needed. All our systems are triple redundant.’ That means if there is a primary, a back-up and a spare for every system from the power to internet connectivity to the air-conditioning, to allow for routine maintenance. Main and standby systems are regularly swapped over to allow for maintenance, and to ensure that the standby systems will operate if they go ‘live’. Standard power during normal operation is provided from RAF days by an underground connection from the UK National Grid, not susceptible to storm damage. The Bunker has underground diesel tanks to keep the plant running for three months without refuelling, and dual UPS (uninterrupted power supply) systems, capable of running the entire server facility for 40 hours in the event of a power outage, to ensure there is no interruption to service during switchover.
<br><br>
About the system
<br><br>
In the main, The Bunker uses CCTV cameras from Axis. Much of their CCTV system is their own design, that can record digitally and to tape. To enter the site, clients have to report to the guardhouse, prove their identity and have an escort from then on. What of biometrics as a way of access control and verifying visitors’ Paul Lightfoot replies: ‘We have looked at biometrics and feel it doesn’t give any benefit over what we have already got.’ He describes the manned guarding as a mix of 75 per cent in-house and 25 per cent contract. ‘It works well because we have a private firm [Reliance Security] keeping an eye on our guards and we keep an eye on the private firm.’ Paul feels that an all in-house team can become complacent, simply because of human nature; whereas a contract firm is keen to win more business. ‘It keeps everybody on their toes. It gives us flexibility because the private firm have a wide range of guards with skills.’ The Bunker is able to tell Reliance whether or not it wants a contract guard that the contract firm sends. If the contract guard does become part of The Bunker team, he might not even wear the Reliance uniform, but the in-house one. The Bunker vets all staff, even the ones on contract. Paul’s background is military, namely secure IT in the RAF, so he is used to the need for secure physical surroundings as well as secure electronic networks.
<br><br>
Since September 11
<br><br>
The Bunker reports more interest since September 11 – international interest, too. Paul reports that US customers cannot find an ultra-secure facility in the States, at an affordable price, that is not owned by the military. Because of terrorist bombings as at Canary Wharf, London has had to make recovery plans for the sort of destruction that befell the World Trade Center in New York – that wiped out not only company staffs but the very data that the company used from minute to minute. If your company data is stored in The Bunker, monitored 24-7 and temperature-controlled (and protected against the likes of solar flares and electro-magnetic pulses), your disaster recovery becomes a question of connecting a PC to The Bunker.
