The Reserve Bank of Australia will establish a ‘data bunker’ to improve the resilience of its core systems after a high-profile data centre outage in 2018 pulled the country’s high-value settlement system offline.
The central bank on Tuesday approached the market for a system integrator to design and implement the data bunker to “sequester” or segment certain data in a bid to protect the payments system in the event of another outage.
It said “recent events [had] highlighted the risk of prolonged outages”, which can originate from the “extended loss of utilities or other essential services to the primary data store” or a denial of service attack and other “nefarious actions”.
Data “not being accessible due to corruption of the primary data centre store”, which is located at the bank's Sydney headquarters, was also identified as a key risk that threatens the resiliency of selected business applications.
While outages are a rare occurrence for the bank, an internal power supply failure at its headquarters and data centre in August 2018 pulled parts of its critical Reserve Bank information and transfer system (RITS) offline for three hours.
RITS - a central part of Australia’s payments system - is the country’s high-value settlement system that banks and other payments organisations use to settle payment obligations between each other.
The flow on effect of the outage was widespread, with government agencies like Services Australia, which uses the RBA as its transactional bank, almost forced to delay a welfare payments run.
Keen to avoid a repeat, the RBA expects that the data bunker will “enhance the resiliency of [its] key business technology services in the event of data loss or corruption” and, ultimately, “improve the resilience of the payment system”.
“The requirement for the provision of ‘continuously available’ and highly available’ externally facing technology services delivered by the Reserve Bank that support Australia’s payments systems highlights the necessity for extended resilience of key services,” it said.
The data bunker, which the RBA has begun developing and expects will be in operation by February 2021, is expected to “house standby online replicas and offline backups of data for a selected set of designated Reserve Bank services”.
It will be “physically and logically segregated from other data in the Reserve Bank environment and housed within a suitably secure facility for protected level information”, according to the request for tender.
The RBA expects the physical facility will be “independently resilient to disruption” (i.e at least a Tier 3 data centre) and “geographically located to allow timely updates to the data in the data bunker”.
It will also need to ensure that “the same interruption to service from either one of the Martin Place or Business Resumption Site (BRS) data centres does not impact the data bunker”.
The data is housed in a combination of Oracle Exadata databases and Microsoft SQL databases (soon to be SQL Server 2019), with both providing “synchronised copies of the data at each of the Reserve Bank’s Martin Place and BRS data centres”.
The RBA expects that equipment hosting the Oracle databases will be located in a colocation data centre sourced from the Digital Transformation Agency’s government data centre panel, while a protected-level public cloud will be used to host the SQL databases.
While the RBA has existing public cloud tenancies in Microsoft Azure and AWS, it does not have a secure public cloud instance that is “suitable for the purposes of the data bunker and appropriately integrated into the enterprise”.
As such, the RBA is banking on utilising the protected-level cloud service “for broader adoption of the cloud services … including transactional processing” and wants the service developed to permit this.
“The secure public cloud established for the purposes of the data bunker will include additional security and authentication services that are to be set up to the extent applicable,” the RBA said.
“The supporting cloud management framework configuration relevant to the selected cloud tenancy is to be uplifted as appropriate.”
The system integrator will be expected to develop, design and build a data bunker solution and its supporting components that confirms with the RBA’s requirements, as well as support the banks operation of the bunker for an initial 12 month period.
The RBA expects to award a contract to the successful system integrator in November. Submissions to the RFT will close July 17, with an industry briefing to be held on June 16.