Options surety: Case study
Recent growth and expansion into other business ventures mandated that MIAX expand its privileged access management capabilities to enterprise password management.
The MIAX Options Exchange needed more than a way to appease regulators; it also required security assurance. Greg Masters reports.
Show me the money! Well, for the MIAX Options Exchange, it's all done electronically and under the supervision of a management team that includes several former top executives from Nasdaq and other exchanges.
The options trading exchange was approved by the SEC on December 3, 2012 and commenced operations four days later as the 11th U.S. equity derivatives market. But as part of the approval process to open as a national securities exchange, it had to satisfy a multitude of security criteria expected by regulators. Auditing and logging were two critical requirements. It needed a way to perform full keystroke logging of any activity on its critical systems while ensuring high availability and near-zero performance impact for the hosts.
The MIAX Options Exchange now accounts for more than eight percent of the national market share, and with a major equity rights deal early in 2015 with seven major firms, including Citadel Securities and Morgan Stanley, it predicts that it will triple its market share. It now lists and trades options on more than 2,300 multi-listed classes, and its system throughput is in excess of 38 million quotes per second, with an average latency for a single quote of 15.89 microseconds.
The MIAX executive offices, technology development center and national operations center are all located in Princeton, N.J. Additional executive offices, as well as a multipurpose training, meeting and conference center, are now being developed in a state-of-the-art facility in Miami, where it intends to locate its equities sales, membership, marketing and listing operations.
OUR EXPERTS: Password trust
John Masserini, CSO, MIAX Options Exchange
Brad Hibbert, CTO, BeyondTrust
Recent growth and expansion into other business ventures mandated that MIAX expand its privileged access management capabilities to enterprise password management, says John Masserini, CSO at the MIAX Options Exchange. “We needed to provide regulatory assurance of total separation of the technical and operational environments. We also saw this as an opportunity to enhance the entire privileged access management process – and enable auditability for the separation of our technical and operational various environments.”
The exchange also needed true high availability across several geographic locations, with the ability to support full disaster recovery in any of its data centers, Masserini says.
There are approximately 100 people dedicated to technology services throughout MIAX. Masserini and his team evaluated all of the leading competitors in the privileged access management space and chose a subset to perform a proof-of-concept (PoC) within the environment. Several selection requirements were used – including functionality, high-availability/disaster recovery approach, user interface and cost. After selecting solutions for the PoC, the MIAX team evaluated ancillary features as part of the overall value proposition and performed detailed technical analysis while working with the various business representatives to ensure functionality throughout the enterprise and to determine which best satisfied the requirements. At the conclusion of the PoC evaluations, the team – along with the various business representatives and security management – made the final decision on selection.
The choice, says Masserini, was to deploy PowerBroker for Unix & Linux, a privileged access management solution from BeyondTrust. “PowerBroker for Unix & Linux enables us to delegate Unix and Linux privileges and authorization without disclosing passwords for root or other accounts,” Masserini says. The solution also records all privileged sessions for audits, including keystroke information. “As a result, we're able to capture all admin activity, while gaining full forensic auditability across our critical IT infrastructure.”