As vice president of quality assurance for the Philadelphia Stock Exchange, Bernard Donnelly is responsible for the security and availability of a network that approaches 100 Gbps and 500,000 quotes per second. To add to the complexity, the exchange recently implemented a wireless trading network that relies on handhelds and demands ironclad security and unquestioned availability.
Why did you move to a wireless trading system given all of the security issues that it can create? Two years ago we made the strategic decision that we couldn't be floor-based anymore. It was just too chaotic. We came up with the handheld trading system, which monitors the markets to generate quotes on behalf of the traders. The member firms have the same capability on a larger scale, but we had to do it in order to stay ahead of what everyone else is doing.
What special measures did you take to secure the wireless trading network? First off, nobody comes directly into our network. They have to go through a variety of authentication and authorization mechanisms and several other hops. We only have icons on the handhelds--just the things you need to get the presentation layer to the trader. All of the traffic is encrypted. We had this on an 802.11 network, but the amount of data was too much for it.
What's the extent of your disaster planning? We just spent $10 million on a fiber network from here to New Jersey so that we can get a five millisecond response time. We're going to own the fiber and we'll become our own carrier. And we just built a data center in Philadelphia, so we have two here and a colocation facility in New York. Uptime is paramount for us; a 30-second outage is devastating. We might see one every two years, but that's too many. I also oversee all of the change controls, which is a sort of disaster prevention. It's one of our strong points as an organization, and it pays because systems don't break until you change something. We act as an auditing department, and I have the final determination on all of the security packages.
Financial services has more than its share of regulations already, so why did you decide to comply with Sarbanes-Oxley voluntarily? For a lot of companies that are going public, they're doing things they've never done before [to comply with Sarbanes-Oxley]. But it is a carbon copy of what the SEC has required us to do for years. I'd recommend it for other companies, too. It's a good best-practice and will lead you to find things you wouldn't find otherwise.
Read the full version of this interview with Bernard Donnelly at searchsecurity.com/ismag.