Pega Platform protects you against a wide variety of security risks, whether inadvertent or malicious. Use the platform features related to authentication, authorization, and auditing to protect and monitor the use of your application.
Security failures can expose your organization to severe consequences, such as a negative perception of your organization’s reputation, customer loss, lack of customer trust, and potential legal and financial penalties.
Goal of security
The goal of security is to maintain availability, integrity and confidentiality. This goal is primarily accomplished by implementing authentication, authorization, and auditing. When confidentiality is compromised, unauthorized individuals gain access to systems or data. When integrity is compromised, unauthorized individuals can modify systems or data. When availability is compromised, unauthorized individuals can cause disruption of application or web availability, affecting access timing and uninterrupted access.
The combination of an evolving regulatory environment and threat landscape have put a burden on customer engagement and digital process automation teams. Critical business systems have become more interconnected and need to maintain increasingly sensitive data as regulations expand.
Pega Platform security features
Pega Platform provides powerful capabilities for implementing security in your applications, especially when you deploy guardrail-compliant applications. The Pega Platform model-driven architecture helps you to secure applications in most cases by configuring built-in features, and you do not need to rely on custom code built by developers who are not security experts.
Other Pega Platform security components
In addition to features that explicitly accomplish authentication, authorization, and auditing, other Pega Platform components represent important policies, assets, and safeguards to use with these features.
- Certificate, key, and token management
- The management of these important assets is critical to the secure functioning of other security features.
- Confidentiality and encryption
- The confidentiality of your sensitive data at rest, in transit, and in use is extremely important. Pega Platform uses state-of-the-art encryption features that allow you to secure sensitive information at any point in a business process.
- Virus checking
- Pega Platform allows your application to link to a third-party virus checking program before processing any email or attachment.
- Content security policies (CSP)
- Use CSP to lock down your application to mitigate the risk of content injection vulnerabilities (such as cross-site scripting) and reduce the privileges required to run your application. Pega Platform only sends these headers on dynamic content requests, not static content requests.
- For more information, see:
- Security foundations
Security and privacy are concerns at the forefront of every organization. Understanding security foundations helps you to implement a comprehensive security solution. Secure your systems against attack to avoid negative customer perception and potential regulatory sanctions.
- Security Checklist
The Security Checklist provides Pega's leading practices for securely deploying applications. To assist you in tracking the completion of the tasks in the Security Checklist, Pega Platform™ shows the overall completion on the Dev Studio Home page, and built-in ways to track the status of each task.
Apply authentication methods to ensure that only users and systems with a verified identity can access your applications, web pages, APIs, and data. Authentication includes verifying user credentials, Pega Platform requests to external services, and external service requests to Pega Platform. You can also authenticate by using an external identity provider.
Authorization ensures that after logging in, users have access to only the features and data that they need for their work. Pega Platform offers three types of authorization: role-based access control, attribute-based access control, and client-based access control. You can use these authorization features together to provide the strictest level of control.
With Pega Platform, you can track many types of security events, such as failed logins, password changes, and changes to rules and data. By tracking all of these events, you can understand how your system functions and detect any potential problems.
- Mitigate common (OWASP Top 10) security vulnerabilities
Pega Platform offers policies on the Security Policies landing page, as well as additional security restrictions that control cross-site request forgery (CSRF), content security policies (CSP), cross-origin resource sharing (CORS), and other types of vulnerabilities. Use these features to ensure that your system is as secure as possible.
- Secure your application user interface
As a security administrator, you permit or restrict groups of users to access various actions in an application, such as having access to a case type, flow action, or button.
- Verify requests at the application layer
Pega Platform protects access to information in your application by using role-based settings and access control policies. Pega Platform provides additional request verification when you use autogenerated controls.
- Security operations
Beyond authentication, authorization, and auditing, Pega Platform offers many other configurable security features, such as encryption, HTTP response headers, and Web Service Security profiles. Use these features to ensure that your application is as secure as possible.
- Security in App Studio
To increase system usability and better accommodate multi-functional teams, some parts of the security framework are now available in App Studio.
Next topic Security foundations