How Secure Are Your FIX Specifications?

In this article, I’d like to shine a light on an area of FIX that seems to be quite confused in people’s minds, and that is the “security” (or not) of FIX specifications.

Current Perspectives

email a PDF to a defined distribution list, and a further 24% said that they simply post a PDF onto their website. So we can simply conclude then that the vast majority of firms take a “traditional” method of distributing specs, based around a PDF. No surprises so far then.

We also asked the question of whether they would be interested in sharing their specifications through a secure portal if such a thing existed. Now 49% of respondents said that — yes — they would consider using such a portal, and a further 18% gave the stronger response that they would definitely use such a system. So we can conclude that the majority of respondents are at least open to the idea of distributing specs in a more modern way.

The interesting insights here, however, lie in the free-text comments that people left in their responses, which explored some of their concerns or minimum requirements for adopting such a system. Three broad themes appeared:

1) Versioning: how do they make sure that their customers have the correct version?

2) Security: how do they know that nobody can hack into our servers and “steal” their specification?

3) Control: how do they know that the customers they send their spec to don’t forward it on to somebody who shouldn’t have it?

Scoring Distribution Approaches

Email Distribution

You can probably assume that the recipient will save the file onto a shared drive somewhere to allow his/her colleagues to access it. But who are they and can you trust them? You can see that you very quickly lose control over the document, which means that this mechanism scores very poorly on both security and control.

Email also scores poorly for versioning. Sure, the first version of the document may have made it to your contact, but what happens if they leave or go on holiday and the next version is lost or drops into spam or something?

Website Distribution

[As an aside, I would strongly challenge such a position which typically stems from the idea that competitors can “reverse engineer” their systems simply by reading their API documentation. This is simply not the case; the far bigger problem is that the same API documentation is likely to also contain detailed functional descriptions, and it is this information that can allow others to replicate their systems and not the pure API documentation.]

The only firms who typically post API documentation to their websites, then, are trading venues. The act of publicly posting the document implies that secrecy and control are not important factors for them. But what about versioning?

While we would love it if our customers checked our websites every day looking for an update, the obvious fact is that they don’t. Posting a spec on the website therefore doesn’t remove the need for an email notification at all, and so it scores no more highly than email distribution does on this criterion. The ability to withdraw old versions from your website gives little more than the illusion of version control, in fact — it doesn’t stop customers from saving a local copy.

Secure Portal Distribution

So how would it handle versioning? The app allows document authors to create and maintain multiple versions of as many specifications as they need, and to click to publish them whenever they are ready. The act of publishing a spec automatically notifies anybody who has previously received a copy of that specification, removing the need to separately maintain email distribution lists. Updates immediately arrive inside the workspace of the recipient, which makes the email purely a notification; if they miss the email, they still get the update.

What about control? Because the specification lives inside the app, we can collect detailed information about when it is accessed; useful management reporting information that isn’t possible with PDFs. We can also prevent specifications from being forwarded on to other people, giving a much higher level of control than email-based mechanisms.

And finally, what about security? We find that, unfortunately, firms still become extremely concerned when you use the word “cloud”, as if the cloud is inherently insecure. We’ve designed the system to be as secure as possible; every single specification on our server is encrypted with its own encryption key that rotates every 24 hours, meaning that in the unlikely event that somebody did manage to get hold of one of the keys, they would have a very limited window to access just one document before that access was closed again. The encryption keys are on our server, of course, which means that we encrypt all of them too! So the daily-rotated keys are themselves encrypted and stored inside a security-hardened server. Can your “pinky-swear” email mechanism do that?!

Summing It Up

The first is that our market research indicates that while most people are using “traditional” methods of distributing PDF-based specifications, respondents don’t appear to be wedded to this approach, and a significant majority would at least consider moving to a secure portal if one were available.

The second is that moving to such a secure portal will directly address the top three considerations highlighted by respondents for spec distribution — versioning, security and control.

I hope that you have found this useful. Please check out my other articles on all-things-FIX here on Medium or our YouTube channel. For more information on our FIX specification app, please check out our website.

Founder @ FixSpec. One man, trying to make a difference.