Security objectives

Security policies and standards are the framework that is used to define the requirements and controls used to secure applications and data. Pega Platform must comply to prevent unauthorized access to systems and mitigate attacks that negatively impact the confidentiality, integrity, and availability of client environments. These types of events cost our clients time, money, and brand integrity.

The components of the Pega security framework include:

Policies

The ground level requirements for relevant, in scope functions.

Standards

Detailed requirements for relevant, in scope functions.

Procedures

Documented guidelines and instructions to maintain compliance with the policies and standards.

Pega operates a broad policy stack where corporate functions like HR, legal, IT, and other relevant groups that support the entire company maintain policies and standards that are applicable to the entire workforce and relevant subcontractors. Business groups then use these policies and standards to build additional requirements based on regulatory or contractual obligations in support of the business outcomes, however these requirements cannot be defined in any less restrictive way than the corporate function policies.

Successful implementation of and compliance with the Pega security framework provides the following advantages:

Access control

Prevention of unauthorized access to systems and data.

Availability control

Prevention of attacks on systems that degrade the confidentiality, integrity, or availability of Pega Platform environments.

Audit management

Avoidance of costly and time-consuming audits to determine the source or impact of a security event.

Confidentiality, integrity, and availability triad

Confidentiality, integrity, and availability (CIA) triad, is a model that is designed to guide policies for information security within an organization. The elements of the CIA triad are considered the three classical components of security:

Confidentiality

Refers to protected personal data, and to the way in which all information or data should be secured to never share that information with third or unauthorized parties.

Integrity

Refers to the fact that the service or system is setup in such a way that no information or data can be altered without detection.

Availability

Refers to the services or parts of the systems that, regardless of circumstances, should be up and running and should always respond.

Security features

Pega Platform provides:

• A broad range of security capabilities to prevent malicious use of, and access to, an application.
• Powerful capabilities for implementing security in your applications, especially when you deploy guardrail-compliant software.

You can use the Pega Platform model-driven architecture to secure applications in most cases by configuring built-in features, without relying on custom code that is built by developers who are not security experts.

Authentication

Pega Platform supports multiple types of authentication, including the most common authentication protocols that are performed external to Pega Platform. To perform critical application functions, you must be in an authenticated session. Passwords or other sensitive information between the client and the application are not exchanged other than during the initial sign-on request. Failure messages do not contain sensitive information. Supported authentication protocols include:

• SAML 2.0
• OpenID Connect
• Basic credentials
• Token credentials
• Anonymous
• Custom
• Kerberos

You can also configure multi-factor authentication (MFA).

The built-in authentication capabilities of Pega Platform provide support for the definition of a security policy that covers a range of options. The options that are available while configuring a security policy include:

• Minimum password lengths
• Minimum numeric, alphabetic, and special characters required in the password
• Minimum and maximum password age
• Maximum unique historical passwords
• Number of failed login attempts before lockout
• Initial lockout penalty in seconds
• CAPTCHA authentication settings
• Inactivity disablement

For more information, see Authentication.

Authorization

The authorization model in Pega Platform includes role-based, attribute-based, and client-based access controls. Permission to access data objects and application functions is determined dynamically by the roles and attributes of the user.

You can apply access controls to an entire class of data objects or focus on a particular field in a record. Pega Platform provides tools for the security administrator to ensure that the configuration meets requirements, for example, by running access control simulations.

For more information, see Authorization.

Session management

Pega Platform allocates a session object on behalf of the user by using a randomly generated, unique session value to identify the session object. The session ID contains sufficient entropy (greater than 128 bits) to prevent collisions and successful guessing by attackers.

Data validation

Request processing come standard with several layers of protection against malicious attacks, which often target and attach to input and output data. Pega Platform provides continuous protections at the server level in addition to any that are enforced by the client:

• During input processing, request data is typically assigned to application properties, which are specified to contain well-defined data types. These data types trigger server-side data validation whenever a value is assigned to a property. Some examples of data types include: integer, decimal, double, DateTime, TimeOfDay, Date, and TrueFalse.
• Enforced length limits are applied.
• You can configure free text input values for validation against a list of valid entries. For example, you can predefine the list during application development, or you can evaluate the list dynamically by using a database lookup at run time.
• Several validation rule types are available to configure on-site custom validation logic where necessary.
• A cross-site scripting filter is used during input and output processing.
• Validation of the session identifier, content encoding, content type, and other content headers is performed.

Cryptography

Cryptography facilities for Pega Platform are based on the Java Cryptography Extensions API. These facilities rely on cryptography providers, such as those supplied by the Java JDK vendor or the Bouncy Castle JCE, that is included with Pega Platform.

Cryptography facilities provide encryption of sensitive data at rest and protection against unauthorized access.

Note: Pegasystems does not directly implement the cryptographic algorithm logic.

For more information, see Encryption.

Auditing

Pega Platform audits a complete list of actions, including both successful and unsuccessful attempts to access and modify data. You can also define custom auditing rules. Aggregate the logged data to detect patterns of suspicious behavior. Some of the auditing features include:

• Rule changes
• Security policy changes
• Login failures and successes
• Invalid data access attempts

For more information, see Auditing.

Security alerts

Pega Platform logs security alerts whenever it detects a condition that represents a possible security incident, which includes:

• User-switching attempts
• Access to a restricted activity, stream, or report
• Unauthorized data access
• Session hijacking
• Cross-site request forgery (CSRF) attacks
• Injection attacks
• Content Security Policy violations

For more information, see Tracking and auditing actions by developers and users.