Security standards for Pega Cloud GCP Early Access Program

This article is part of the Pega CloudGCP Early Access Subscription Documentation.

Pegasystems and the client are both responsible for security in Pega Cloud:

• The client is responsible for the security of, and access to, the client Application at the application level.
• Pegasystems is responsible for the security of the client Application and environments at the infrastructure level. 

The Pegasystems Security Program outlined in the cloud agreement governs the infrastructure on which the client environment is built up through the deployed Pega Platform and Pegasystems applications.

• This Pegasystems Security Program infrastructure includes the hardware, software, networking, and facilities that support Pega Cloud.
• Pega Cloud manages these services on behalf of each client, from initial provisioning to final decommissioning. 

Technical and Organizational Controls

The technical and organizational measures implemented by Pegasystems include:

• Encryption of personal data:  Pegasystems encrypts all data at rest in an Environment using 256-bit AES encryption.  Pega Cloud-hosted web applications provide functionality for data in transit encryption with https (TLS) and digital certificates.  Within the Pega Platform, client can also use Dev Studio to configure secure TLS 1.2 connectivity to their external REST or SOAP services.  (Pseudonymisation or anonymization of personal data is the sole responsibility of the client.)
• Ability to restore availability and access to personal data:  Pegasystems shall maintain a commercially reasonable disaster recovery plan, including automatic failover to a like facility.
• Notification of incidents:  During the term of the Subscription Services, Pegasystems will notify clients without undue delay (unless otherwise required under applicable law) when Pegasystems confirms any actual security incident affecting the confidentiality, integrity or availability of client data at the infrastructure layer.  In the event of such a security incident, Pegasystems will cooperate with client in accordance with the law and regulations applicable to Pegasystems.

Pegasystems is also responsible for:

• Establishing security group configurations for secure client access.
• Protecting data in transit over the Internet.  This is in addition to data security protocols for which clients are responsible.
• Providing host-based virus protection services, scans, and signature updates.
• Monitoring the security of the infrastructure components in each Pega Cloud client environment.
• Managing the security of Pega Cloud -delivered environments and the Pega Cloud service management systems.
• Providing a dedicated security team that manages compliance, security monitoring, and security event response.
• Accommodating requests for client penetration testing of client applications, as permitted by the Vulnerability Testing Policy.
• Subjecting sandbox environments to hibernation to block threats and conserve energy after two hours of inactivity; environments automatically restart when users return.

Clients are responsible for the Client Data Rights and Responsibilities, as set forth in the applicable Subscription Documentation, including:

• The development, management, implementation, maintenance, and security of their Pega Platform applications as they build and operate their Pegasystems-Platform-based applications beyond the default platform. Several of these responsibilities include, but are not limited to, application and workflow development, data classification, and user administration and entitlement management.
• The security of data in transit between Pega Cloud and clients’ external systems using client-selected connectivity method(s).

Physical and environmental controls

Pega Cloud uses a third party as its Infrastructure-as-a-Service (IaaS) provider (Amazon Web Services [AWS] or Google Cloud Platform [GCP]) which hosts Pega Cloud environments in state-of-the-art, large-scale, secure data centers.

• The IaaS provides the physical and environmental security controls for the cloud infrastructure. Pega Cloud inherits these controls as part of the shared security model.  See the IaaS provider website for summary of controls with current IaaS provider (currently Amazon Cloud or Google Cloud Platform).
• Pega Cloud provides client support facilities replicated across the globe, from which Pega Cloud are monitored and maintained.
• Pega Cloud also provides security monitoring capabilities; our engineers proactively develop and implement industry-standard security practices.
• Access to the Pega Cloud support facilities is restricted to authorized personnel only.  Additionally, Pega Cloud provides access controls (detailed in clients’ contracts) as part of the Pega Cloud Security Program.

Access Controls

In addition to the physical security, Pega Cloud operations has implemented access control measures which:

• restrict access to clients' environments to only those Pega Cloud support personnel that have a documented, current business need
• maintain a list of personnel with authorized access
• review and approve access lists quarterly
• remove personnel who no longer require access

All access to data centers and client environments is logged and routinely audited.

All administration of our cloud environments is done through a control plane, using role-based access control with multi-factor authentication.

Network and infrastructure controls

The Pega Cloud network architecture provides a level of security that allows each client to effectively operate the Pega Platform. Pega Cloud manages and provides each client with:

• Virtual network devices to establish the boundaries, network rulesets, and access controls to govern inbound and outbound traffic in any client environment.
• Network security controls that limit access from untrusted sources.
• Protection against DDOS attacks
• Authentication controls for Pega Cloud support personnel supporting client infrastructure. Authorized Pega Cloud engineers are required to authenticate to Pega Cloud Management tools by using unique user identification credentials and replay-resistant two-factor authentication tokens prior to being granted secure access to the Pega Cloud network.
• Continuous monitoring of the infrastructure components in each client environment.

Malware protection

• Pega Cloud deploys anti-malware software on the Pegasystems infrastructure level.
• Pega Cloud deploys host-based malware services, scans, and signature updates that cannot be disabled or altered by users.

Risk management

Pega Cloud security and compliance teams conduct regular audits and risk assessments of the Pega Cloud offering to maintain adequate governance over the entire environment. In addition:

• Pega Cloud provides vulnerability and security management for Pega Cloud-delivered environments and the Pega Cloud management systems.
• Client-led, application-level vulnerability assessment requests and other security reviews related to the client applications can be accommodated according to the Vulnerability Testing Policy for applications on Pega Cloud.
• At least once per year or when significant changes to the networks are made, Pega Cloud conducts an information security risk assessment on current information security controls that affect the confidentiality, integrity, or availability of client data.