The Philadelphia Stock Exchange pushes 300 million stock quotes per day through an electronic trading system, at rates that climb as high as 20,000 quotes per second during peak periods. The system also churns out extremely sensitive trading reports packed with proprietary customer information that must be stringently guarded against outside attacks and unauthorized internal access.
And beefing up security isn't the only challenge facing IT executives at the PHLX. Stock-trading information must be available to customers at all times, so the PHLX streams stock quotes, a practice that requires technology officials to comb the system constantly for attacks. Security measures include alarms and triggers tuned so tightly that even a benign case of runaway streaming looks like a denial-of-service attack and sets off the same series of safeguards.
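The kind of trigger described above can be sketched as a sliding-window rate monitor. The following is an added illustration, not the exchange's own code: the 20,000 quotes per second figure comes from the article, while the per-session threshold (5,000 quotes per second), the aggregate threshold (30,000 per second), the escalation steps (throttle, block, shed) and the sample traffic are all constructed for the example. The point it makes is the one the article makes: the monitor sees only volume, so a subscriber whose client loops on a quote request trips exactly the same safeguards as a deliberate flood.

```python
from collections import deque

PEAK_RATE = 20_000       # aggregate quotes/sec the article cites as the legitimate peak
AGGREGATE_TRIP = 30_000  # assumed: aggregate rate at which the feed sheds load
SOURCE_TRIP = 5_000      # assumed: quotes/sec any single session may pull before throttling
WINDOW_SEC = 1.0         # assumed: length of the sliding window


class RateTrigger:
    """Sliding-window rate monitor with per-source and aggregate alarms.

    Actions escalate: a source over SOURCE_TRIP is throttled, a source over
    twice SOURCE_TRIP is blocked, and an aggregate rate over AGGREGATE_TRIP
    sheds load for everyone. Nothing here distinguishes a runaway client
    from an attacker; both look like volume.
    """

    def __init__(self, source_trip=SOURCE_TRIP, aggregate_trip=AGGREGATE_TRIP,
                 window=WINDOW_SEC):
        self.source_trip = source_trip
        self.aggregate_trip = aggregate_trip
        self.window = window
        self.events = deque()   # (timestamp, source), oldest first
        self.per_source = {}    # source -> number of its events still in the window
        self.actions = []       # safeguards fired, in order, deduplicated

    def observe(self, ts, source):
        """Record one quote request at time ts from the given session."""
        self.events.append((ts, source))
        self.per_source[source] = self.per_source.get(source, 0) + 1
        # Expire everything that has fallen out of the window.
        while self.events and ts - self.events[0][0] > self.window:
            _, old = self.events.popleft()
            self.per_source[old] -= 1
        # Per-source escalation.
        count = self.per_source[source]
        if count > 2 * self.source_trip * self.window:
            self._fire("block", source)
        elif count > self.source_trip * self.window:
            self._fire("throttle", source)
        # Aggregate safeguard, regardless of who is responsible.
        if len(self.events) > self.aggregate_trip * self.window:
            self._fire("shed", "*")

    def _fire(self, action, source):
        key = (action, source)
        if key not in self.actions:
            self.actions.append(key)


def replay(segments, trigger=None):
    """Feed constructed traffic through a trigger and return the actions it fired.

    segments: list of (source, rate_per_sec, seconds); every segment starts at
    t=0 so concurrent sessions are merged in timestamp order.
    """
    events = []
    for source, rate, seconds in segments:
        step = 1.0 / rate
        events.extend((i * step, source) for i in range(int(rate * seconds)))
    events.sort()
    trigger = trigger or RateTrigger()
    for ts, source in events:
        trigger.observe(ts, source)
    return trigger.actions


if __name__ == "__main__":
    normal = [("sub-1", 4_000, 1.0), ("sub-2", 4_000, 1.0), ("sub-3", 4_000, 1.0)]
    runaway = [("sub-1", 4_000, 1.0), ("client-7", 8_000, 1.0)]   # buggy client in a loop
    flood = normal + [("flood", 25_000, 1.0)]                       # deliberate flood
    for name, traffic in [("normal", normal), ("runaway", runaway), ("flood", flood)]:
        print(name, replay(traffic))
```

Three normal subscribers well under the aggregate peak fire nothing; a single client looping at 8,000 requests per second is throttled exactly as an attacker would be, and a flood that also drives the aggregate over the shedding threshold escalates through throttle and block to shedding load for all sessions. In production the thresholds would be derived from measured peaks, and the actions would need their own deduplication and expiry rather than the one-shot list used here.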
Like most other large organizations, the PHLX is armed with firewalls, intrusion-prevention systems (IPS) and elaborate audit trails. The goal is airtight security, and reaching that goal is a daunting challenge given the complex infrastructures that exist in most big organizations.
"We have placed layers and layers of multiple vendor products to surround our networks with so much protection that we have created a defence akin to the Castle Keep," says Bernard Donnelly, vice president of the PHLX's quality assurance group.
But those safeguards deal with only part of the threat. "Don't become so overly focused on keeping intruders out that you leave yourself vulnerable to internal threats," says Donnelly.
Employees can walk out the door with gigabytes of sensitive data on tiny removable storage devices. Often overlooked are everyday occurrences, such as loud mobile-phone conversations that reveal too much in public places like airports, says Eileen Hasson, president of IT services firm The Computer Company Inc.
Sadly, there's no one-size-fits-all model for protecting private information. The good news is that IT officials can learn from people in industries on the front lines of guarding precious customer information. "There are no guidelines for enterprises, except perhaps those being adopted by financial services and health care industries," says Hasson. Those industries are leading the way on privacy protection because the stakes are so high for them.
"Failing to comply with HIPAA mandates regarding protected health information has severe penalties and would not only compromise but cripple our business," says Gary D'Amato, systems manager at Health Access Solutions, a provider of IT services to the health care industry.
At Care New England Health System, compliance with the Health Insurance Portability and Accountability Act centred on an exhaustive gap analysis of the organization's computer network and major penetration testing -- an elaborate exercise that often frames corporate security plans, says IT security manager Larry Pesce.
Gap analyses entail top-to-bottom reviews of security policies and often wrap in all rules and regulations imposed on a particular organization. In Care New England's case, the analysis started with mapping HIPAA mandates to internal security policies and procedures. It soon became evident that the organization's security mechanisms fell short of HIPAA requirements. Security audits were in order, says Pesce.
"I knew the only way to get the audit results I needed would be to start performing regular penetration testing," says Pesce. "From my experience, I knew that would give me the most accurate view of the network and provide me with the precise audit information I would need."
However, Care New England's gap-analysis efforts proved onerous. "Manual testing placed a tremendous strain on my limited budget and resources," Pesce says. "It was time-consuming to write exploits, ensure they were safe to run, perform the attack, and update and manage the process." Finally, he eased these burdens by adopting Core Impact, an automated testing framework from Core Security Technologies in Boston.