![Data localisation for OJK Compliance](https://static.wixstatic.com/media/981170_882a8183686848cab640028e383089be~mv2.png/v1/fill/w_980,h_565,al_c,q_90,usm_0.66_1.00_0.01,enc_avif,quality_auto/981170_882a8183686848cab640028e383089be~mv2.png)
One of my clients, a leading Southeast Asian unicorn, wanted to launch a financial services application in Indonesia. They needed an OJK (Indonesia's Financial Services Regulator) compliant infrastructure with an uptime SLA of 99.95% and RTO/RPO of 4 hrs/1 hr. With that objective in mind, I had to design and build a fault-tolerant infrastructure in line with the OJK compliance guidelines.
In this article I will take you through this entire journey and share what I learnt about the key aspects of OJK data compliance, the challenges involved, the initiatives taken and the final outcomes achieved.
What is OJK Compliance?
OJK stands for Otoritas Jasa Keuangan, the Financial Services Authority of Indonesia. It is an Indonesian government agency which regulates and supervises the financial services sector.
This agency regulates and supervises the capital market and financial institutions, takes on the role of Bank Indonesia in regulating and supervising banks, and protects consumers of the financial services industry.
That is why all financial institutions in Indonesia are required to be OJK compliant for them to be licensed to operate.
What is Data Localisation & Residency?
Data localisation & residency laws protect the data of a country's citizens.
A data localisation or data residency law requires data about a nation's citizens or residents to be collected, processed, and/or stored inside the country, often before being transferred internationally.
Each country decides the scope of its data localisation law, such as what kind of data is considered PII, which industries fall under it, etc.
For instance, in India the scope of the data localisation law includes all Payment System Data.
In Australia it's health records.
In Indonesia, public services companies must maintain data centers in-country. The OJK, the Financial Services Authority in Indonesia, requires data localisation within the country for all PII (Personally Identifiable Information) data in a financial services organisation.
Why an on-prem bare-metal DC/DRC for OJK?
This project came to me towards the end of 2019, when most cloud providers had not yet launched in Indonesia. The exception was Alicloud, which itself had launched with minimal services only around 4-5 months earlier. It raised serious concerns regarding data localisation policies, as there were management console interfaces hosted outside Indonesia.
As a matter of fact, organisations which have strict regulatory requirements, like banking, finance, healthcare etc., always prefer that the datacenters of the hosting provider or cloud are certified under their respective compliance regimes, which in this case was OJK. They do so because it becomes easier for them to answer questions during the audit and certification process. So it's always better to go with a certified/proven cloud/datacenter provider if you have such a requirement.
That is why, for this project, in the absence of any OJK-certified cloud provider at that time, the entire setup had to be on a traditional DC/DRC infrastructure where the DCs were physically located at least 40 km away from each other, so that we could also comply with the DR standard.
Challenges with an on-premise setup:
Lack of automation tools for bare-metal virtualisation platforms, which were needed for the infrastructure provisioning necessary to achieve the SLA and RTO/RPO benchmarks.
Dynamic on-demand disk allocation was impossible since it was all on hardware storage area networks.
Setting up a fully automated containerisation platform on a bare-metal hypervisor.
Real-time data replication between two separate data centers.
Initiatives taken to achieve the desired objective:
Hardware planning and procurement in line with growth projection.
Dedicated physical servers for the hypervisor.
Designed network topology with segregated VLANs, client-to-site VPNs and site-to-site VPN tunnels.
Infrastructure as Code for on-premise virtualised network, system and storage platforms, covering VLANs, DHCP, DNS, load balancer, VMs, containers, SANs and virtual disks.
Fully automated self-managed Kubernetes cluster with horizontal autoscaling, certificate management, and private DNS on virtual machines.
Virtual HTTPS load balancer for Kubernetes cluster services.
Final Outcomes: OJK Data Compliance
Fault-tolerant infrastructure and platform in line with RTO/RPO guidelines.
Secure and seamless connectivity across intranet and internet.
The system is protected, both logically and physically, against unauthorised access.
Automated, modular and highly available environment on demand.
Centralised role-based access-controlled authentication and authorisation for all systems and services.
Scheduled assessment of the disaster recovery and rollback process.
The 10factorinfra is a compilation of all these tried and tested methodologies, design patterns & best practices that I have learnt and implemented all these years in building secure, scalable & sustainable modern infrastructure for startups & enterprises.
If you like this article, I am sure you will find the 10-Factor Infrastructure even more useful. It compiles all these tried and tested methodologies, design patterns & best practices into a complete framework for building secure, scalable and resilient modern infrastructure.
Don’t let your best-selling product suffer due to an unstable, vulnerable & mutable infrastructure.
Thanks & Regards
Kamalika Majumder