Australia's superannuation industry is a robust and essential part of the national economy, with total assets exceeding $3.9 trillion as of March 2024. 

This comprehensive system, designed to secure Australians' retirement, includes industry funds, retail funds, public sector funds, and self-managed super funds (SMSFs). Industry funds are particularly significant, holding $1,349 billion, which accounts for 35% of the total superannuation assets, highlighting their critical role in the financial landscape.

Active Super is a prominent player within this thriving sector, known for its strong performance and member-focused approach. With a substantial share of the market, Active Super has consistently delivered competitive returns and innovative investment options. Its commitment to sustainability and ethical investment practices sets it apart, aligning with the growing trend towards responsible investing in the industry. Active Super's strategic initiatives and robust management continue to enhance its position as a leading super fund in Australia.

Active Super, like most Australian Super Funds, is regulated by Australia’s prudential supervisor - APRA - which is tasked with ensuring that our financial system is stable, competitive and efficient. This places a number of obligations onto Active Super, including having certain information always available online for customers to access.

In late 2022, Deepend observed an increasing number of cyber incidents focused on Active Super, including distributed denial of service (DDoS) attacks. A successful DDoS attack has the potential to take the Active Super site offline, resulting in a breach of APRA regulations. In response to this, Deepend conducted a review of Active Supers’ Azure architecture and proposed that a high-availability, multi-region hosting solution based on Azure Front Door be implemented to provide additional DDoS protection to ensure that Active Super remains APRA compliant.

In response to a deteriorating threat landscape, Deepend proposed that a multi-region infrastructure architecture be implemented to provide Active Super with the highest level of security and availability. We implemented Azure Front door (premium) in order to provide the highest level of scalability without having to use third party products such as “Cloudflare” for DDoS (distributed denial of service attacks) mitigation.

The solution was designed to complement the existing web application firewall and VNET security, and involved the addition of:

1. Azure Front Door to manage traffic between region 1 and region 2.
2. A Health Probe to continually monitors the health of region 1, allowing traffic to be diverted to region 2 if an issue is detected with region 1.
3. Database replication to ensure that the website database in region 2 always has a copy of the latest content from region 1.

This solution provides the highest level of availability without having to use third party products such as “Cloudflare” for DDoS (distributed denial of service attacks) mitigation.

Results

Active Supers new hosting solution received its first test in August 2023 when the Australia East data centre suffered a cooling system fault that interrupted service for some customers, including Active Super.

In days gone by this type of fault could have resulted in a lengthy site outage for Active Super and may have caused a breach of APRA regulations.

In this case the health probe detected the outage in region 1 immediately, and Front Door began routing traffic to region 2, which remained active until normal operations were restored (~12 hours later).

Our multi-region hosting solution allowed Active Super to withstand a significant data centre outage with no site downtime, and to maintain APRA compliance – a great result!