It’s the conversation I've had so many times over the years as both a security professional and as the security architect of financial market trading platforms.
In the world of financial markets, milliseconds, not seconds, mean the difference between making money and losing money. The need for speed and innovation in low-latency trading solutions is only getting stronger. For most IT professionals this race to be the first to price and execute a trade is invisible; it is seen only by those tasked with solving the problem.
Even within the banking fraternity, many IT security professionals still see the approach to securing trading systems (especially those that are internet facing) as the old, tried-and-proven multi-layered, multi-tiered, single-choke-point network security design. You know the one: everything comes into your screening firewall (which is probably configured in layer-2 mode) and terminates at some form of presentation tier. If the application doesn't fit this architecture, you'll probably force it through some sort of proxy that may or may not have any application awareness.
From there it bounces through to the application tier. What security have you achieved? Defence in depth, you shout? But what has been the cost to a business that is all about speed? "Dude, your firewall is slowing me down": the added latency causes the pricing engine to increase the spread, which makes us uncompetitive.
Several years ago I was having just such a conversation with the newly appointed head of e-commerce for a major international bank. When talking about where our 'flow' (slang for trades) was going to come from, he said "80 percent from the internet, and 20 percent from wired counterparties". Eighty percent of trades were going to come via the internet, a platform with inherent performance and security issues. Yet this is the future: the internet, a platform where everyone is connected and can access your service, a revenue-generating service. Increasingly, emerging markets and smaller enterprises opt to use the internet because it is cheap and widely available.
So do more firewalls really make you secure? Do they make you faster? What can you really do to achieve a reliable, secure trading system that performs over the internet? This was the challenge I was faced with, and I was very vocal in reminding the security folks: "dudes, your firewall is only slowing me down".
Whilst working on this problem, I realised I needed to push the security policy right out to the edge, near the user, and scale horizontally, not vertically. Your users are distributed, so why bring them all back into a central choke point where you need to scale up? Why not scale out?
John Ellis was responsible for developing the security services of the e-trading system for a major international bank. The e-trading system has since received several awards for innovative, fast and reliable trading services.