Security and Compliance: A Shared Responsibility Model
Maintaining high security standards and staying compliant with regulations is a continuous focus for Postman. However, as an end user of Postman services, there are some aspects where you share responsibility for the security and compliance of the data that you store with Postman.
Our responsibility is to ensure that Postman products and services are safe and secure to use, while yours is to ensure that you follow safe practices with the data you store within Postman. Here is a list of things that we expect our users to be aware of during regular product usage:
Protect your Postman Client app installation
Ensure you download the latest version of the Postman app and that you have adequate access protection on the systems (workstations) where Postman is used or accessed from. The Postman app keeps a local copy of your data, so it is recommended that the storage medium is encrypted and adequately protected from unauthorised access.
Protect access to your Postman account
Ensure you have a strong password for your Postman account. If you are using Google to sign in or have configured a single sign-on mechanism, ensure you have adequate protection of those systems and accounts. Postman API keys can access your data, so ensure that API keys are safely stored, transmitted and protected from accidental exposure.
Segregate data access based on user roles
You choose who has access to your data, hence it is advised that you segregate workspaces and environments where PIIs or PHIs are stored and limit access to individuals eligible to access such data. The Postman “admin” role must be used judiciously and granted to a limited few who are aware of the responsibilities of administering Postman services.
Safely store sensitive information
Avoid storing sensitive information anywhere except within Postman Environment variables. Postman also facilitates restricting the syncing of sensitive information to Postman servers. Using “Sessions”, you can choose to keep the sensitive information within your local system.
Be aware of what you publish publicly
Postman services provide features to share data outside your organisation in the form of published documentation, mock servers, etc. Ensure that PIIs or PHIs are redacted (as text or as image) before publishing.
Audit your Postman Account
Use the Postman audit logs to verify legitimate account access and be aware of any unusual activity. Ensure legitimate team members have access to your account and that unexpected changes have not been made to team settings.
Have oversight of your outgoing data
Ensure that the email addresses that receive notifications for monitor run failures and errors are authorised to receive such notifications.
Be aware of what PIIs and PHIs are carried by Postman as a conduit
PHI that you transmit through Postman must come from a HIPAA-compliant source, and the same must be observed when sending it to any service.
Do not share PII/PHI through any support medium
Postman support will never ask you to share your personal information, and neither should you. No individual's PII or PHI should be shared through any Postman support medium.
Usage of Postman Pro Integrations is not bound by security agreements
If you deal with PIIs and PHIs (or have signed a BAA with us), do not use Pro integrations without ensuring you have instituted security and compliance agreements directly with the integration service provider.
We also have a list of recommended best practices for designing and developing with Postman when dealing with PIIs and PHIs.
- Always make API calls over TLS (and other secure protocols), and do not disable client-side SSL validation.
- Avoid disabling SSL certificate validation for Postman Monitors.
- Follow secure coding practices within scripts run as part of collections, so that PIIs and PHIs are not accidentally sent to systems that are not supposed to receive them.
- Have a peer review process for critical collections, and merge changes to such collections using Postman’s collection fork and merge feature.
- If you are on an enterprise plan, enable SSO-based login and disable password-based login. Enable 2FA on your SSO identity provider.
- To test APIs behind a firewall restricted to whitelisted addresses, Postman provides the option to monitor APIs from a static IP address under its enterprise plan. Use it to further restrict access to your critical network-connected systems that hold PIIs or PHIs.
- If you suspect your account has been compromised, remove the affected user account. If you suspect an API key has been compromised, revoke it from the dashboard.
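The secure-scripting and environment-variable points above, as an added example of the kind of helper a Postman pre-request or test script can use (not Postman's own code): sensitive fields are masked before anything reaches the console or a monitor log, outbound `pm.sendRequest` destinations are checked against an allow list, and the credential is read from an environment variable rather than a literal. The field names, host name, variable name `api_token` and the sample record are all constructed for illustration.

```javascript
// Added example, not from Postman. Field names, hosts and sample data are constructed.
const SENSITIVE_KEYS = new Set(['ssn', 'dob', 'email', 'phone', 'diagnosis', 'mrn']);
const SSN_RE = /\b\d{3}-\d{2}-\d{4}\b/g;
const EMAIL_RE = /[\w.+-]+@[\w-]+\.[\w.-]+/g;

// Recursively mask known sensitive fields, then scrub free-text patterns in any string.
function redactPII(value, key = '') {
  if (Array.isArray(value)) return value.map((v) => redactPII(v));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = redactPII(v, k);
    return out;
  }
  if (SENSITIVE_KEYS.has(key.toLowerCase())) return '[REDACTED]';
  if (typeof value === 'string') {
    return value.replace(SSN_RE, '[REDACTED-SSN]').replace(EMAIL_RE, '[REDACTED-EMAIL]');
  }
  return value;
}

// Only let a script send data to explicitly allowed HTTPS hosts, so PHI cannot be
// forwarded to an unexpected service by a typo or a copied snippet.
const ALLOWED_HOSTS = new Set(['api.example.test']); // constructed allow list
function isAllowedDestination(url) {
  try {
    const u = new URL(url);
    return u.protocol === 'https:' && ALLOWED_HOSTS.has(u.hostname);
  } catch (e) {
    return false; // unparsable URL is never allowed
  }
}

// Constructed sample of a response body a test script might be tempted to log verbatim.
const SAMPLE_RECORD = {
  patient: { name: 'A. Sample', ssn: '123-45-6789', mrn: 'MRN001' },
  note: 'contact a.sample@example.test for follow-up',
  status: 'ok',
};

// `pm` exists only inside the Postman sandbox; the guard lets this file run under Node.
if (typeof pm !== 'undefined') {
  const token = pm.environment.get('api_token'); // assumed environment variable name
  if (!token) throw new Error('api_token is not set in the selected environment');
  console.log(redactPII(pm.response.json())); // safe to log: sensitive fields masked
}
```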