Open source nuclear bunker guards finance data

The taxi driver is amazed there is a nuclear bunker tucked away near his house.

"I've been driving around here for 20 years," he tells me, "and I never knew about this place."

Somewhere outside a remote village in Kent, we pull up to a gate smothered in barbed wire and CCTV cameras. The former Ministry of Defence site, now owned by data-hosting and resilience company The Bunker is a relic of the Cold War.

The bunker is electromagnetic pulse- and nuclear bomb-proofed. The underground building has a fully-meshed telecoms infrastructure and is wired up to two electricity grids.

It's the ultimate place for the just-in-case scenario. It has airlocks, diesel tanks for 770,000 litres of weeks' worth of fuel and ex-military personnel patrolling the site. Police still use the ground for training and disaster scenarios.

Most of The Bunker's customers are financial firms, including Scottish Widows and Moneybookers, some of whom also use the resilience service with a sister bunker in Newbury.

The security guard checks my identity, asks me to sign in and follows me to the waiting room, where he hovers until my contact Paul Lightfoot arrives.

Lightfoot, operations director at The Bunker, says: "We build managed, high availability mission-critical systems so that can be disaster recovery or for online systems. We are outside London and high-risk areas. We can give digital, physical and a human security too."

The Bunker's success partly relies on its focus on open source software. Two of the founders of the company, brothers Ben and Adam Laurie, developed the Apache SSL web server.

The Bunker team build open source systems for clients, attempting to embed security from the bottom up.

Earlier this year, a Bunker spokesman told silicon : "We don't use [firewalls] because open source is already secure. Some customers do have requirements for them, so we put open source firewalls in. But, by and large, the majority of customers do not need firewalls. That's the big difference between open source and the Windows world."

Lightfoot adds: "Open source is very high on our agenda. We can keep the platform and build open source from scratch. Open source is at the core of the building."

Lightfoot says financial firms have also been able to prove lower risks to compliance regulators, as the requirement for disaster recovery (DR) is 'overkill'.

"A lot of companies use us for compliance. Having their stuff in our facilities gives them that credibility."

The Bunker is one of the more exotic places the firms can turn to for disaster recovery, a subject which has been taking up a lot of time for CIOs recently.

This year has already seen more than its fair share of disasters - and yet research from the London Chamber of Commerce found a high number (55 per cent) of firms still had no contingency plans in place in the event of a natural disaster or terrorist attack.

And according to the government website London Prepared, 80 per cent of businesses affected by a major incident shut down within 18 months. As many as 90 per cent that lose data from a disaster are forced to close within two years.

But it's the knock-on effects of a disaster that cause the most bother. Mark Kobayashi-Hillary, global research director for Commonwealth Business Council Technologies, says that while the majority of firms have DR plans and facilities, most are ill-prepared for a complete mobile working scenario.

He says: "I don't think they are ready for real remote working. If you had to shut down an equity floor then traders wouldn't be able to trade from home. The technology is out there but they are not doing it. Most are in a site in a remote location with minimum amount of desks."

Gary Edwards, CIO of Barclaycard, argues the biggest problem with disaster recovery is convincing head honchos of its importance.

"The greatest challenge in disaster recovery," says Edwards, "is ensuring the strategy is aligned and understood by the business, so they understand the impact on end-to-end recovery time. With this in mind can the business accept this elapsed time."

And real business continuity is about much more than IT, he says: "What is critical is end-to-end testing of business continuity of which IT disaster recovery is a small part. IT disaster recovery is now quite a mature industry in the services and products to support it."