The FIX Trading Community, the standards body behind the Financial Information eXchange electronic trading protocol, is taking on cybersecurity via the release of the FIX-over-Transport Layer Security (TLS), or FIXS, standard and guidelines.
The effort is intended to help users of the FIX Protocol meet security requirements “as it introduces a basic level of security and standard options for interoperability,” according to the FIX Trading Community.
“We believe FIXS will make it easier for FIX participants to employ TLS, and hope that this will help to improve security across the industry,” according to the FIXS draft standard documentation, “FIX-over-TLS (FIXS) Technical Specification,” put out by the standards body.
“TLS is a rich protocol with many features and options. The protocol, for example, allows for new security functions to be added and vulnerable functions to be dropped. Additionally, information security is wide and varied,” according to the draft documentation. “Understanding the TLS protocol features and options is complex and time consuming, and incorrect configuration or management of TLS can result in insecure linkage or no security at all. The FIXS standard therefore aims to make employing TLS simpler, and further provides guidance and best practice that is valid at the time of writing.”
The 34-page white paper covers a wide range of specifications and implementation issues such as how FIXS:
- Has a primary focus on “how to use TLS reliably with a minimum level of standardization across the FIX community. The standard first concentrates on possible methods to authenticate the parties connecting to one another. It then goes into the different aspects of each authentication method as well as the different protocol options and what is recommended. This includes the different available cipher suites as well as certificate properties and validation.”
- Includes “authentication of clients as part of the FIX session. This is termed using FIX User Authentication (FIXUA) and it can be used to authenticate FIX clients at the FIX session level rather than authenticating clients at the TLS level.”
- Allows the use of “additional security controls. FIXS defines a minimum set of requirements, which are needed for common use cases and interoperability. Participants may choose to use security controls beyond what is specified in FIXS for extra security or to address the latest vulnerabilities.”
The FIXS effort will take into account performance issues and “compatibility with out-of-band monitoring solutions,” according to the documentation. “We therefore try to balance security with the needs of performance and compatibility, in order to keep FIXS suitable for trading and other activities within banking and finance.”
To help with these issues, the FIX Cybersecurity Working Group was created years ago “to facilitate industry collaboration against the background of a deteriorating cybersecurity landscape,” says Michael Cooper, chief technology officer (CTO) for Radianz, BT Global Banking and Financial Markets, and chair of the working group, in a prepared statement. “As part of these efforts, the FIXS Sub-group was established; they have researched and are now publishing guidelines for extending the security of FIX communications and thereby augmenting the security of trading operations.”
Charles Kilkenny, CEO of Actuare, is the chair of the FIXS Sub-group, and says that FIXS is intended as a starting point for securing FIX with TLS.
“I would ask firms and especially vendors to look at adopting FIXS and provide us with their feedback,” Kilkenny says. “We need this dialogue to continually improve what we have and to stay one step ahead. I would also like to take this opportunity to thank everyone involved in the FIXS Sub-group for their hard work and contributions, without which we would not be able to do this.”
The authors of the white paper are also asking for constructive feedback as FIXS is a work in progress. “This is the first publication of FIXS and we are still learning. As always, we welcome your feedback and hope that you will share your views with us,” according to the white paper.
More about the draft is available here.