Security overview
Pega Platform security features provide several ways to safeguard guardrail-compliant applications.
The security features apply to the following areas:
- Authentication - Pega Platform checks the operator ID and password to ensure that access is granted only to known users and systems. For authentication, you can use the following features:
  - Single-factor and multifactor authentication lets you require more than one form of identification during login.
  - Identity management stores lists of known and trusted users and systems either internally in the Pega database or externally, in other identity management systems such as an LDAP directory.
  - Single sign-on (SSO) prevents repeated requests for credentials when access to a system or application is controlled by tickets issued by third parties using standards such as SAML or Kerberos.
  - Standard authentication protocols such as SAML or OAuth help you manage authentication communication between systems.
  - Session management features ensure that requests for access to the system and its data continue to come from authenticated requestors.
  - Security policies define and enforce user login security and password policies.
- Authorization or access control - Each access group has specifically assigned roles, privileges, and rulesets. Based on access control policies and the access group assignment, you can control read and edit rights to data. Pega Platform has two authorization models that are quite different but complementary:
  - Role-based access control (RBAC) is based on defined roles and privileges.
  - Attribute-based access control (ABAC) is based on access control policies.
- Auditing or accountability - Pega Platform keeps a history of changes that a requestor makes to data classes and rule types. You can audit changes made by developers and users to data, and audit their actions:
  - Auditing data - Field-level tracking for properties, and changes made to an instance of a rule, are captured in the History- class.
  - Auditing user and developer actions - Log many types of security events, such as logins and logouts, all queries against data stores, changes to security assets such as credentials, access control policies, roles and privileges, changes to operators and access groups, changes to dynamic system settings, and so on. You can also define custom security events to be generated within your application.
Other security features add safeguards to authentication, authorization, and auditing:
- Session management defines policies to control session time-outs, automatically terminate sessions, deactivate operators after successive days of inactivity, and so on.
- Certificate, key, and token management secure the functioning of other security features and facilitate entity identification.
- Encryption is used to hash sensitive information during communication between systems and components. Pega Cloud automatically encrypts data at rest wherever it is stored.
- Virus checking integrates with the third-party software of your choice to check incoming emails and attachments.
- Content security policies (CSP) lock down applications, mitigate the risk of content injection, and streamline the privileges required to run an application.
- Cross-origin resource sharing (CORS) safely enables resource requests across domains and limits unsafe HTTP requests from external systems.