Security foundations

Updated on June 30, 2021

Security and privacy are concerns at the forefront of every organization. Understanding security foundations helps you to implement a comprehensive security solution. Secure your systems against attack to avoid negative customer perception and potential regulatory sanctions.

Security objectives

Security policies and standards are the framework that defines the requirements and controls used to secure applications and data. Pega Platform must comply with them to prevent unauthorized access to systems and to mitigate attacks that negatively impact the confidentiality, integrity, and availability of client environments. Such events cost clients time, money, and brand integrity.

The components of the Pega security framework include:

  • The ground-level requirements for relevant, in-scope functions.
  • Detailed requirements for relevant, in-scope functions.
  • Documented guidelines and instructions to maintain compliance with the policies and standards.

Pega operates a broad policy stack: corporate functions such as HR, legal, IT, and other groups that support the entire company maintain policies and standards that apply to the entire workforce and to relevant subcontractors. Business groups then use these policies and standards to build additional requirements based on regulatory or contractual obligations in support of business outcomes; these additional requirements cannot be less restrictive than the corporate function policies.

Successful implementation of and compliance with the Pega security framework provides the following advantages:

  • Access control: prevention of unauthorized access to systems and data.
  • Availability control: prevention of attacks on systems that degrade the confidentiality, integrity, or availability of Pega Platform environments.
  • Audit management: avoidance of costly and time-consuming audits to determine the source or impact of a security event.

Confidentiality, integrity, and availability triad

The confidentiality, integrity, and availability (CIA) triad is a model that guides information security policies within an organization. Its elements are considered the three classical components of security:

  • Confidentiality: refers to protected personal data, and to the way in which all information or data should be secured so that it is never shared with third parties or unauthorized parties.
  • Integrity: refers to the fact that the service or system is set up in such a way that no information or data can be altered without detection.
  • Availability: refers to the services or parts of the systems that, regardless of circumstances, should be up and running and should always respond.

Security features

Pega Platform provides:

  • A broad range of security capabilities to prevent malicious use of, and access to, an application.
  • Powerful capabilities for implementing security in your applications, especially when you deploy guardrail-compliant software.

You can use the Pega Platform model-driven architecture to secure applications in most cases by configuring built-in features, without relying on custom code that is built by developers who are not security experts.


Authentication

Pega Platform supports multiple types of authentication, including the most common authentication protocols that are performed external to Pega Platform. To perform critical application functions, you must be in an authenticated session. Passwords and other sensitive information are not exchanged between the client and the application except during the initial sign-on request. Failure messages do not contain sensitive information. Supported authentication protocols include:

  • SAML 2.0
  • OpenID Connect
  • Basic credentials
  • Token credentials
  • Anonymous
  • Custom
  • Kerberos

You can also configure multi-factor authentication (MFA).

The built-in authentication capabilities of Pega Platform support the definition of a security policy that covers a range of options. The options that are available when configuring a security policy include:

  • Minimum password length
  • Minimum numeric, alphabetic, and special characters required in the password
  • Minimum and maximum password age
  • Maximum unique historical passwords
  • Number of failed login attempts before lockout
  • Initial lockout penalty in seconds
  • CAPTCHA authentication settings
  • Inactivity disablement

For more information, see Authentication.
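As an added example, not code from Pega Platform, the following Python evaluates a candidate password against policy settings of the kind listed above and computes the lockout penalty after repeated failed logins. The policy values, the doubling escalation of the penalty, and the digest used for the password history are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class PasswordPolicy:
    """Constructed policy values; the option names mirror the list above."""
    min_length: int = 12
    min_numeric: int = 1
    min_alpha: int = 1
    min_special: int = 1
    max_history: int = 5            # most recent passwords that may not be reused
    max_failed_attempts: int = 5    # failures before lockout
    initial_lockout_seconds: int = 30

def history_digest(password):
    """Digest kept in the password-history list instead of the password itself.
    Simplified for the example: a production store uses a salted, slow password hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def check_password(policy, candidate, history_digests):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if sum(c.isdigit() for c in candidate) < policy.min_numeric:
        problems.append(f"fewer than {policy.min_numeric} numeric characters")
    if sum(c.isalpha() for c in candidate) < policy.min_alpha:
        problems.append(f"fewer than {policy.min_alpha} alphabetic characters")
    if sum(not c.isalnum() for c in candidate) < policy.min_special:
        problems.append(f"fewer than {policy.min_special} special characters")
    # Only the most recent max_history entries count; slicing with -0 would return everything.
    recent = history_digests[-policy.max_history:] if policy.max_history else []
    if history_digest(candidate) in recent:
        problems.append("matches one of the recent passwords")
    return problems

def lockout_seconds(policy, consecutive_failures):
    """Seconds the account is locked after the given number of consecutive failed logins.
    Assumed escalation: the initial penalty doubles for each failure beyond the threshold."""
    if consecutive_failures < policy.max_failed_attempts:
        return 0
    return policy.initial_lockout_seconds * 2 ** (consecutive_failures - policy.max_failed_attempts)
```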

Authorization

The authorization model in Pega Platform includes role-based, attribute-based, and client-based access controls. Permission to access data objects and application functions is determined dynamically by the roles and attributes of the user.

You can apply access controls to an entire class of data objects or focus on a particular field in a record. Pega Platform provides tools for the security administrator to ensure that the configuration meets requirements, for example, by running access control simulations.

For more information, see Authorization.

Session management

Pega Platform allocates a session object on behalf of the user by using a randomly generated, unique session value to identify the session object. The session ID contains sufficient entropy (greater than 128 bits) to prevent collisions and successful guessing by attackers.

Data validation

Request processing comes standard with several layers of protection against malicious attacks, which often target input and output data. Pega Platform provides continuous protections at the server level in addition to any that are enforced by the client:

  • During input processing, request data is typically assigned to application properties, which are specified to contain well-defined data types. These data types trigger server-side data validation whenever a value is assigned to a property. Examples of data types include integer, decimal, double, DateTime, TimeOfDay, Date, and TrueFalse.
  • Enforced length limits are applied.
  • You can configure free-text input values for validation against a list of valid entries. For example, you can predefine the list during application development, or you can evaluate the list dynamically by using a database lookup at run time.
  • Several validation rule types are available to configure on-site custom validation logic where necessary.
  • A cross-site scripting filter is used during input and output processing.
  • Validation of the session identifier, content encoding, content type, and other content headers is performed.
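The first three layers above (typed properties, length limits, and a list of valid entries) as an added Python example, not Pega code: the schema, the property names, the length limits, the region list, and the sample requests are all constructed for the example.

```python
import re
from datetime import datetime
from decimal import Decimal

# Constructed schema: property name -> (declared type, length limit); type names follow the list above.
SCHEMA = {"Quantity": ("Integer", 6), "UnitPrice": ("Decimal", 12), "ShipDate": ("Date", 8),
          "Expedited": ("TrueFalse", 5), "Region": ("Text", 20)}
VALID_REGIONS = {"EMEA", "APAC", "AMER"}  # constructed list of valid entries for a free-text field
# Strict lexical forms: int() accepts "1_0" and Decimal() accepts "Infinity", so parse only after a match.
_INTEGER = re.compile(r"-?\d+")
_DECIMAL = re.compile(r"-?\d+(\.\d+)?")

def coerce(type_name, raw):
    """Convert a request string to the declared property type, or raise ValueError."""
    if type_name == "Integer" and _INTEGER.fullmatch(raw):
        return int(raw)
    if type_name == "Decimal" and _DECIMAL.fullmatch(raw):
        return Decimal(raw)
    if type_name == "Date":  # YYYYMMDD; strptime also rejects impossible dates such as 31 February
        return datetime.strptime(raw, "%Y%m%d").date()
    if type_name == "TrueFalse" and raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    if type_name == "Text":
        return raw
    raise ValueError(f"not a valid {type_name}")

def validate_request(payload, schema=SCHEMA):
    """Server-side validation: returns (clean_values, errors); a value with an error is never assigned."""
    clean, errors = {}, {}
    for name, raw in payload.items():
        if name not in schema:
            errors[name] = "unknown property"
        elif not isinstance(raw, str) or len(raw) > schema[name][1]:
            errors[name] = f"not a string or longer than {schema[name][1]} characters"
        else:
            try:
                clean[name] = coerce(schema[name][0], raw)
            except ValueError as exc:
                errors[name] = str(exc)
    if "Region" in clean and clean["Region"] not in VALID_REGIONS:  # free text checked against the list
        del clean["Region"]
        errors["Region"] = "not in the list of valid entries"
    return clean, errors

# Constructed sample requests: one well-formed; one with a bad integer, an impossible date, an unlisted region, and an undeclared property.
GOOD_REQUEST = {"Quantity": "12", "UnitPrice": "19.99", "ShipDate": "20210630",
                "Expedited": "true", "Region": "EMEA"}
BAD_REQUEST = {"Quantity": "12abc", "ShipDate": "20210231", "Region": "Mars", "Discount": "100"}
```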

Cryptography

Cryptography facilities for Pega Platform are based on the Java Cryptography Extension (JCE) API. These facilities rely on cryptography providers, such as those supplied by the JDK vendor or the Bouncy Castle JCE provider that is included with Pega Platform.

Cryptography facilities provide encryption of sensitive data at rest and protection against unauthorized access.

Note: Pegasystems does not directly implement the cryptographic algorithm logic.

For more information, see Encryption.

Auditing

Pega Platform audits a comprehensive set of actions, including both successful and unsuccessful attempts to access and modify data. You can also define custom auditing rules. Aggregate the logged data to detect patterns of suspicious behavior. The auditing features include:

  • Rule changes
  • Security policy changes
  • Login failures and successes
  • Invalid data access attempts

For more information, see Auditing.

Security alerts

Pega Platform logs security alerts whenever it detects a condition that represents a possible security incident, including:

  • User-switching attempts
  • Access to a restricted activity, stream, or report
  • Unauthorized data access
  • Session hijacking
  • Cross-site request forgery (CSRF) attacks
  • Injection attacks
  • Content Security Policy violations

For more information, see Tracking and auditing actions by developers and users.
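An added Python example, not Pega's own code, of the aggregation that the auditing and security-alert sections above describe: login failures are counted per user in a sliding window to surface a pattern, and logged alert events are surfaced as they are. The record format, the event names, the window, and the threshold are constructed for the example and are not Pega's log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit/alert records (not Pega's real log format): time, event, user, source address.
SAMPLE_EVENTS = """\
2021-06-30T09:00:01Z LOGIN_FAILURE user=alice src=203.0.113.10
2021-06-30T09:00:05Z LOGIN_FAILURE user=alice src=203.0.113.10
2021-06-30T09:00:09Z LOGIN_FAILURE user=alice src=203.0.113.10
2021-06-30T09:00:12Z LOGIN_FAILURE user=alice src=203.0.113.10
2021-06-30T09:00:15Z LOGIN_FAILURE user=alice src=203.0.113.10
2021-06-30T09:00:20Z LOGIN_SUCCESS user=alice src=203.0.113.10
2021-06-30T09:01:00Z LOGIN_FAILURE user=bob src=198.51.100.7
2021-06-30T09:30:00Z CSRF_ATTACK user=carol src=198.51.100.9
2021-06-30T10:00:00Z LOGIN_FAILURE user=bob src=198.51.100.7
"""
RECORD = re.compile(r"(\S+) (\S+) user=(\S+) src=(\S+)")
WINDOW = timedelta(minutes=5)   # sliding window for counting failures (assumed value)
FAILURE_THRESHOLD = 5           # failures within WINDOW that count as a pattern (assumed value)
# Constructed event names standing in for the alert categories listed above.
ALERT_EVENTS = {"USER_SWITCH_ATTEMPT", "SESSION_HIJACK", "CSRF_ATTACK", "INJECTION_ATTACK", "CSP_VIOLATION"}

def parse_events(text):
    """Yield (timestamp, event, user, src) for each well-formed record; malformed lines are skipped."""
    for line in text.splitlines():
        m = RECORD.fullmatch(line.strip())
        if m:
            yield datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ"), m[2], m[3], m[4]

def detect(text):
    """Return findings as (time, finding, user, src): every logged security alert, a burst of
    FAILURE_THRESHOLD login failures per user inside WINDOW, and a success right after such a burst."""
    findings, recent = [], defaultdict(deque)
    for ts, event, user, src in parse_events(text):
        if event in ALERT_EVENTS:
            findings.append((ts.isoformat(), event, user, src))
        elif event == "LOGIN_FAILURE":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > WINDOW:        # drop failures that fell out of the window
                q.popleft()
            if len(q) == FAILURE_THRESHOLD:  # report once, when the threshold is crossed
                findings.append((ts.isoformat(), "REPEATED_LOGIN_FAILURE", user, src))
        elif event == "LOGIN_SUCCESS":
            q = recent[user]
            if q and len(q) >= FAILURE_THRESHOLD and ts - q[-1] <= WINDOW:
                findings.append((ts.isoformat(), "SUCCESS_AFTER_FAILURES", user, src))
            q.clear()                        # a successful login ends the failure streak
    return findings
```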
