Security and privacy are concerns at the forefront of every organization. Understanding security foundations helps you to implement a comprehensive security solution. Secure your systems against attack to avoid negative customer perception and potential regulatory sanctions.
Security policies and standards are the framework that is used to define the requirements and controls used to secure applications and data. Pega Platform must comply to prevent unauthorized access to systems and mitigate attacks that negatively impact the confidentiality, integrity, and availability of client environments. These types of events cost our clients time, money, and brand integrity.
The components of the Pega security framework include:
- The ground level requirements for relevant, in scope functions.
- Detailed requirements for relevant, in scope functions.
- Documented guidelines and instructions to maintain compliance with the policies and standards.
Pega operates a broad policy stack where corporate functions like HR, legal, IT, and other relevant groups that support the entire company maintain policies and standards that are applicable to the entire workforce and relevant subcontractors. Business groups then use these policies and standards to build additional requirements based on regulatory or contractual obligations in support of the business outcomes, however these requirements cannot be defined in any less restrictive way than the corporate function policies.
Successful implementation of and compliance with the Pega security framework provides the following advantages:
- Access control
- Prevention of unauthorized access to systems and data.
- Availability control
- Prevention of attacks on systems that degrade the confidentiality, integrity, or availability of Pega Platform environments.
- Audit management
- Avoidance of costly and time-consuming audits to determine the source or impact of a security event.
Confidentiality, integrity, and availability triad
Confidentiality, integrity, and availability (CIA) triad, is a model that is designed to guide policies for information security within an organization. The elements of the CIA triad are considered the three classical components of security:
- Refers to protected personal data, and to the way in which all information or data should be secured to never share that information with third or unauthorized parties.
- Refers to the fact that the service or system is setup in such a way that no information or data can be altered without detection.
- Refers to the services or parts of the systems that, regardless of circumstances, should be up and running and should always respond.
Pega Platform provides:
- A broad range of security capabilities to prevent malicious use of, and access to, an application.
- Powerful capabilities for implementing security in your applications, especially when you deploy guardrail-compliant software.
You can use the Pega Platform model-driven architecture to secure applications in most cases by configuring built-in features, without relying on custom code that is built by developers who are not security experts.
Pega Platform supports multiple types of authentication, including the most common authentication protocols that are performed external to Pega Platform. To perform critical application functions, you must be in an authenticated session. Passwords or other sensitive information between the client and the application are not exchanged other than during the initial sign-on request. Failure messages do not contain sensitive information. Supported authentication protocols include:
- SAML 2.0
- OpenID Connect
- Basic credentials
- Token credentials
- You can also configure multi-factor authentication (MFA).
- The built-in authentication capabilities of Pega Platform
provide support for the definition of a security policy that covers a range
of options. The options that are available while configuring a security
- Minimum password lengths
- Minimum numeric, alphabetic, and special characters required in the password
- Minimum and maximum password age
- Maximum unique historical passwords
- Number of failed login attempts before lockout
- Initial lockout penalty in seconds
- CAPTCHA authentication settings
- Inactivity disablement
- For more information, see Authentication.
- The authorization model in Pega Platform includes role-based, attribute-based, and client-based access controls. Permission to access data objects and application functions is determined dynamically by the roles and attributes of the user.
- You can apply access controls to an entire class of data objects or focus on a particular field in a record. Pega Platform provides tools for the security administrator to ensure that the configuration meets requirements, for example, by running access control simulations.
- For more information, see Authorization.
- Session management
- Pega Platform allocates a session object on behalf of the user by using a randomly generated, unique session value to identify the session object. The session ID contains sufficient entropy (greater than 128 bits) to prevent collisions and successful guessing by attackers.
- Data validation
- Request processing come standard with several layers of protection against
malicious attacks, which often target and attach to input and output data.
Pega Platform provides continuous protections at the
server level in addition to any that are enforced by the client:
- During input processing, request data is typically assigned to application properties, which are specified to contain well-defined data types. These data types trigger server-side data validation whenever a value is assigned to a property. Some examples of data types include: integer, decimal, double, DateTime, TimeOfDay, Date, and TrueFalse.
- Enforced length limits are applied.
- You can configure free text input values for validation against a list of valid entries. For example, you can predefine the list during application development, or you can evaluate the list dynamically by using a database lookup at run time.
- Several validation rule types are available to configure on-site custom validation logic where necessary.
- A cross-site scripting filter is used during input and output processing.
- Validation of the session identifier, content encoding, content type, and other content headers is performed.
- Cryptography facilities for Pega Platform are based on the Java Cryptography Extensions API. These facilities rely on cryptography providers, such as those supplied by the Java JDK vendor or the Bouncy Castle JCE, that is included with Pega Platform.
- Cryptography facilities provide encryption of sensitive data at rest and
protection against unauthorized access.
Note: Pegasystems does not directly implement the cryptographic algorithm logic.
- For more information, see Encryption.
- Pega Platform audits a complete list of actions,
including both successful and unsuccessful attempts to access and modify
data. You can also define custom auditing rules. Aggregate the logged data
to detect patterns of suspicious behavior. Some of the auditing features
- Rule changes
- Security policy changes
- Login failures and successes
- Invalid data access attempts
- For more information, see Auditing.
- Security alerts
- Pega Platform logs security alerts whenever it detects a
condition that represents a possible security incident, which includes:
- User-switching attempts
- Access to a restricted activity, stream, or report
- Unauthorized data access
- Session hijacking
- Cross-site request forgery (CSRF) attacks
- Injection attacks
- Content Security Policy violations
- For more information, see Tracking and auditing actions by developers and users.