Since we released the Tyk open-source gateway in 2014, it’s found a natural home with highly regulated organisations. Whether handling tax affairs or healthcare for national governments or powering consumer and back-end services for some of the world’s best-known banks and investment firms, the Tyk open-source gateway has enabled the most security-conscious of organisations to design, secure, control and manage their APIs.
As an open-source project, the gateway is fully auditable and under the complete control of the user. With no “black box” to install, and complete surety of the supply chain through signed packages, the transparency and small attack surface of the Tyk gateway mean it’s become a default choice where security and compliance are essential.
The fact that Tyk can be configured to securely control access, as well as provide audit trails over all of the platform’s activity, means that when deployed into a client’s infrastructure, Tyk forms the basis of a PCI Compliant platform for a number of our clients. PCI compliance requires the organisation to be audited, not just the software that’s in use, and for the reasons described in this post, Tyk can be a key part in enabling that certification.
Of course, secure software is just the foundational requirement of working with highly regulated industries. As important as the software itself, the organisation supplying and supporting it must also demonstrate a security-conscious approach. To evidence the rigorous security processes, systems and culture at Tyk, we’ve worked with a number of external specialists to provide audits, testing and certification, so that all users of Tyk can be confident in our ability to support their team in achieving the security standards they seek.
Pen Testing and Bug Bounties
We have some very smart engineers in our team; however, it’s sometimes hard to see the wood for the trees. Even the best engineer should have their work inspected, critiqued and tested to the limit. As part of our ongoing development process, we have an open bug bounty and responsible disclosure programme, encouraging submissions and testing by the security community. We also engage leading security researchers to carry out penetration testing of our software. If you would like to see the latest pentest report, please ask your account manager for a copy.
Tyk is in production with healthcare providers and public sector patient services across the globe. Few industries have such a sharp focus on security and audit as healthcare. Under HIPAA, certain information about a person’s health or health care services is classified as Protected Health Information (PHI). For those of our customers subject to HIPAA, we’re able to provide product and support services that comply with the rigorous standards demanded by the Health Insurance Portability and Accountability Act.
PCI compliance is a requirement for those working in the payments industry. The regular assessment and accreditation focus on the organisation and the services, systems and processes it uses. Tyk has been a part of PCI compliant organisations for a number of years now; the transparency and audit functionality of Tyk has made it a straightforward choice for those building PCI compliant platforms or teams.
ISO 27001 is the global information security standard. Tyk is regularly audited by external consultants and holds accreditation for the ISO 27001 standard. This is very similar to the SOC2 standard that is typically used in the USA, though we don’t currently hold a certification for this. For further detail on our compliance with ISO 27001 or a request to comply with SOC2, please contact your account manager.
Patches and Alerts
Our Support SLA service includes a proactive approach to security, with fast and robust processes in place to ensure clients are quickly alerted to potential issues and that patches and updates are delivered, implemented and supported as quickly as possible.
Technology, process, audit and certification are all important, but we’d encourage you to speak with our clients to get a sense of the way in which we can satisfy your security requirements. From collaborating over security feature requests to proactive security alerts and patches, we have many years of experience leading in API security for the world’s highly regulated organisations.