Building a bunker mentality

E-security is now so important that it comes covered in concrete and clay. John Charlton reports from five yards beneath the...

E-security is now so important that it comes covered in concrete and clay. John Charlton reports from five yards beneath the ground in Hampshire

Imagine a cross between Teletubby land and an underground military command bunker, and you will have a picture of Britain's latest e-security facility, where trust comes encased in concrete and Hampshire turf.

If you looked through the perimeter fence at Chubb Information Security's Commercial Certificate Authority, you would see the humpback profile of the bunker complex which, were it not for the absence of thespians leaping about in Teletubby suits, looks very much like the location for the kids' TV series.

CIS now hopes that Twyford will become synonymous with trusted security services for the e-business sector, and has made a "multi-million pound" investment in renovating and equipping an underground facility for what it believes will be a huge market for e-security services.

The bunker houses a range of Compaq servers which power and host a range of services, plus one machine, housed in one of Chubb's top-of-the-range Raffles-proof safes, which contains the root key. This gives the this division its authority. Thus, in theory, any third party that uses Chubb e-security services can rest assured that documents related to e-business transactions can only be accessed by those authorised to do so - a cornerstone for e-business transactions.

Meaningful market

Chubb is taking an expensive punt on there being a meaningful market for outsourced, or managed, e-security services, including firewall management and intruder detection.

As chief executive offer Andy Burton said at the opening of the bunker, "Security is a major threat to e-business; failing to identify and implement the correct strategies will damage brand credibility, reduce customer confidence and ultimately affect share price. Our new business aims to mitigate these risks in an efficient and affordable manner."

Chubb is working with "several key partners" in developing the bunker-based facilities and offerings. These include: Baltimore Technologies, Compaq, Network Associates, Vordel, IB Net and DespatchBox.

The first service to be launched from the bunker is Chubb Mail. This, the company says, is a secure e-mail service, using a Baltimore product, which encrypts the contents of messages. There is also an electronic courier service which, claims Chubb, "manages delivery to a named recipient. It is one of the first Internet courier-type services which uses PKI [public key infrastructure] technology to ensure both complete integrity and proof of delivery so as to achieve the legal admissibility of the documents being sent."

Chubb spokesman Sean Feast says, "It is not envisaged that anyone should sleep at the bunker, although facilities do exist if required."

No one would want to be stuck in the bunker for any length of time though. A former underground water reservoir, then a nuclear-proof command post, it comprises several arched chambers, none of which give the feeling of space needed for psychological comfort.

Renovation work

Chubb took six months to carry out the structural renovation work, and further work continues to make it the e-security bunker par excellence. Of course, concrete walls alone do not make a bunker, so access control is all-important. The company has set in place various complex procedures, such as air locks and electronic pass cards, to ensure that none but the trusted get inside the complex.

"No one is allowed to visit the site without prior authorisation and authentication. If a visit has been authorised, the identity of each visitor is verified both locally and remotely." says a wary spokesperson.

The bunker is staffed 365 days a year, seven days a week, 24 hours a day, so this level of e-security does not come cheap. For such a service back-up, continuity and recovery are essential, and Chubb says slave systems on-site and "complete" redundancy off-site will suffice. Those who worry about the grid going down will be comforted to know that the bunker has its own generator and support systems.

Even so, it's not for those who like the light. One who seems to have seen the light is Tory shadow trade and industry minister Alan Duncan, who opened the bunker formally. "Businesses must become more responsible about online security," he opined. "Those who embrace the services of companies like Chubb will be those best placed to exploit the e-commerce revolution."

Duncan surely meant e-business, but we will forgive him.

Cynics voiced their views that the bunker was little more than a public relations stunt and the facilities and services housed there could have been, well, just about anywhere.

Certainly, Paola Bassanese, an e-security expert working for London-based IT consultancy Ovum, is of this persuasion. "I was not impressed with the bunker and the fact that it is so easy to locate. Physical security is important for any organisation, but relying on physical security only is not sufficient."

Predictably, Chubb is convinced of the value of the bunker. "Yes, it is the case that the bunker could be virtually anywhere," a spokesman said. "But the choice of a bunker is not a stunt. The bunker concept (sic) is to combine the best in physical security with the best in information security, to demonstrate we are as secure from malicious attack, or indeed the damage caused by electrical storms and floods as it is possible to be."

Services like these will not come cheap, and it is only likely to be organisations for whom e-security is key to core business activities that will go for the Chubb option.

Top 10 tips for e-security

Good security need not mean digging a hole in the ground, dumping your servers in it and covering it over again. Here are some more practical tips on ensuring the integrity of your data and transactions from Ovum.

  • Run an overall security assessment. A security consultant or a systems integrator can do this

  • Decide what data needs to be protected, and assess how valuable it is. Confidential data should be stored in the de-militarised zone (behind a firewall), and no sensitive information in the de-militarised zone

  • Update your anti-virus software. It is better to choose a tool that updates automatically

  • Ensure you always get technical support either internally or externally to avoid running the risk of being caught unawares by a security breach

  • Encrypt confidential e-mail messages and files to be archived. Encryption tools are widely available and protect against interception

  • Choose an intrusion detection tool. It will alert for irregular activities

  • Always check the audit logs. It is boring but it is also a good way to prevent breaches of confidentiality, leaks of information or exchanges of offensive material

  • Install content filtering software. Some tools can protect from both offensive material and active code

  • Never assume you are safe. Security is a constant battle against an invisible enemy, so ensure you perform a risk assessment on a regular basis, and deploy the right countermeasures

  • Restrict the access rights of mobile devices to the minimum level consistent with operational efficiency. Investment in security for mobile devices across an organisation is a major expense

  • Anti-virus protection (about $40 (£25) per workstation and $2,500 per gateway

  • Firewall (between $10,000-$100,000, but usually $20,000 per gateway, depends on the level of fault tolerance required)

  • Strong authentication for dial-up connections ($100 per user)

  • Virtual private network (about $150 per user and $5,000 per link)

  • User certificates (about $100 per user)

  • Audit log tools (about $2,000 per system)

  • Intrusion detection tools (about $5,000-$100,000)

  • Desktop encryption (about $100 per user)

  • Single sign-on (about $1,000 per user)

  • A PKI system (from $25,000)

  • Vulnerability analysis (about $25,000)

  • Smartcard authentication (about $150 per user)

    Source: Ovum - The cost of e-business security tools, 2000

  • Read more on Antivirus, firewall and IDS products