
by Elizabeth M. Ferrarini

 

Once upon an Internet time, an upstart company climbed out on the leading ledge of ingenuity to shake a legacy industry to its core. In 1983, E*TRADE Financial completed its first consumer-based electronic trade via CompuServe, a dial-up, PC-based online service. A decade later, E*TRADE began offering brokerage services directly to individual investors through several online outlets. E*TRADE.com opened for business on the Web in 1996. Today, the site handles about 180,000 transactions between 9:30 and 4:00 p.m., and can have from 50 to 100,000,000 Web hits a day.

 

Because of the site's initial popularity with consumers, E*TRADE Financial's IT organization decided to nip two potential challenges in the bud: how to build an infrastructure to handle an infinite volume of financial transactions, and how to give customers assurance that their identity and assets would always be secure. Enterpriseleadership.org spoke with Greg Framke, CIO of E*TRADE Financial, about the adoption of open source software and the ongoing search for better security tools and techniques. Prior to E*TRADE, Framke was director and COO for global equities technology at Deutsche Bank in London.

 

EL: Describe your IT infrastructure?

 

GF: To us, E*TRADE.com is one, big application, which serves as our storefront. We're a direct provider of financial products and technology to consumers. Our technology isn't any different from that of any other financial services company.

 

The infrastructure consists mainly of one- and two-U Intel-based machines running Red Hat Linux. Our Web servers run Apache and our application servers run Tomcat -- two Open Source products. We're finishing up a migration of BEA's Tuxedo, a transactional monitoring middle layer that is 90-percent Apache and 10-percent IP of our own. Our data warehouse runs on a distributed, clustered Linux DB2 installation. Our highly available, clustered databases run mostly on Sybase. We use it for replication as well.

 

EL: You've been running Linux since 2000. Can you talk about the decision to move to it?

 

GF: From 1997 to 2000, we were a big user of very expensive Sun Microsystems's 4500 enterprise servers. Sun was the vendor of choice for companies plugged into the Internet, but several undercurrents were going on. Linux was maturing as a set of routines. Likewise, we were in touch with several large companies and were running production Linux or OpenBSD systems.

 

We analyzed what it would mean to deploy Linux, and were amazed to learn that we could save tens of millions of dollars a year if we did so. In late 2001, we ported some of E*TRADE.com to Linux as a trial. When Hewlett Packard and IBM announced their support for Linux, we had no trouble selling it to our CEO, and the following year, we started aggressively to deploy Linux throughout our enterprise. It not only enabled us to save money, but it performed better and is more stable than Sun. It's been an incredible win for us.

 

EL: What are some of the big things that stand out about going to Linux?

 

GF: We average about 400,000 unique log-ins per day. Linux enables us to handle this volume better than Sun would have done. Before Linux, we had 10 and 12 CPU Sun machines. Now we deploy one- and two-U machines in a stack. Adding capacity consists of buying a stack of very inexpensive machines. When machines come off warranty, we don't bother to put them on maintenance. We just let them run until they fail.

 

EL: Are there any other areas where you're considering deploying Linux and open source?

 

GF: We continue to deploy open source wherever it makes sense for us. Right now, we're testing some open source security products. They're pretty specific, and there's lots of them. We're also looking at open source databases.

 

EL: Have you experienced a security snafu?

 

GF: We don't publicly disclose security snafus. However, we perceive ourselves to be a leader in security. We're very public about what customers can do to protect themselves and what we do to help protect them. We have a track record of being out there in front and doing a good job of security. In January 2006, we came out with the complete protection guarantee. It will protect consumers from any security issues they may have. A month later, Charles Schwab introduced a similar program.

 

EL: You're in a highly regulated business. Are any of your compliance solutions running on Linux?

 

GF: This is one of these niche technology areas that tend to come out first on Microsoft. A lot of vendors feel that many of their customers are better able to support Microsoft. I'd argue that Linux or UNIX is just as easy to write to, or port to.

 

EL: Database security is often overlooked. What are you doing about it?

 

GF: We encrypt all of the data -- either electronically or physically -- that leaves the premises for any particular reason. We deploy a variety of techniques within the enterprise to encrypt data.

 

This is an area that has room for technology improvement. It's going to be an area of growth, just like the proliferation of technology solutions to consumers.

 

EL: In 2005, you made the RSA SecurID token technology available to your customers. Why did you select this technology, and how does it work?

 

GF: We started offering the RSA SecurID token to all of our customers in April 2005. The technology is great. It's a little piece of hardware about the size of a key chain with a display on it. The six-digit number on the display changes every 60 seconds. To log into our site, you need your ID, password, and the six-digit number. If you are missing one of those three pieces of information, you can't log in. This is the best defense on the marketplace against key logging and Trojans. If someone steals your identity -- either offline or online -- he or she would still need that token to get into your account.

 

EL: Why did you select RSA, and what has been the acceptance rate for the SecurID token?

 

GF: We looked at a couple of other security vendors' products. The RSA solution fit well with our technology and our infrastructure.

 

Security and privacy have always been important to us. We knew that two-factor authentication wasn't going to be the best practice for long. In 2003, we began to study this issue and to look at what was in the marketplace, and we decided that the hardware-based token offered the most amount of protection, offered mature technology, and was the easiest to carry out. Our customers responded favorably to surveys about using this technology. In fact, the customer pilot went great.

 

The acceptance for tokens doubled month after month. We have a sizeable number of customers who log into E*TRADE.com using the token (we don't publish how many). According to our surveys, the token has made customers feel more secure about doing business with us. In fact, we've seen an increase in the number of assets customers hold with us. We think there is a direct correlation between the two findings.

 

EL: Since you are in such a technology-intensive business, how do you distinguish yourselves from others in your space?

 

GF: It's a tough market right now. Self-directed investors are a demanding customer base. You have to meet that demand. To this end, we've always given our customers value. Our flexible technology has enabled us to get innovative products to market faster than our competitors. For example, we were the first to offer a two-second guarantee: If we don't execute and confirm your trade on E*TRADE.com within two seconds, you get a free trade.

 

--

 

Elizabeth M. Ferrarini is a freelance writer from Boston, Massachusetts.
