
Security Checklist when deploying on Pega Cloud

Updated on March 15, 2022

For applications deployed on Pega Cloud services, there are additional considerations you should address when completing the Security Checklist.

For applications deployed on Pega Cloud services, you should perform these actions:

Set up connectivity in your Pega Cloud Environments
Set up connectivity methods such as VPN, AWS Direct Connect, and Virtual Private Cloud (VPC) Peering connections for your environment, as appropriate.

For more information, see Requesting a virtual private cloud (VPC) peering connection.

Request a custom domain name
Set up a custom domain name (or “vanity” URL) that conforms to your enterprise standards and obscures your environment server addresses.

For more information, see:

Follow security leading practices for development and testing

The following recommendations apply to data used for testing:

  • Select test data carefully to ensure that it is protected and controlled through your application authorization and access controls.
  • Be mindful of the data you elect to import into sandbox environments (for development and testing purposes).
  • Recognize that developers and testers commonly have elevated privileges in “lower” (sandbox) environments and that your users, not Pega, grant and maintain the application privileges.
  • If you elect to persist sensitive data to sandbox environments, consider log file implications and check that they do not expose sensitive data.
  • Ideally, create test data in a generic form with no relation to live system data. In the exception where live data is needed to perform accurate testing, the live data should be:
    • Anonymized as far as possible.
    • Carefully selected and secured for the period of testing.
    • Securely deleted after you complete your testing.
  • Alternatively, you may also consider:
    • Using a production mirror sandbox, which provides an architectural replica of your scaled production environment (rules and data) and which can be used for production staging and testing, scale benchmark testing, and load performance testing.
    • Performing a Pega product file export/import operation to build a production-like equivalent of your current applications. This will not transfer any of your data but will transfer all rules and schema – and will effectively duplicate your service without including production data.
  • Ensure that your developers are informed of and adhere to your organization’s internal security practices pertaining to protecting or masking sensitive data used within your Pega application.
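
One way to carry out the log file check recommended in the list above, as an added example that is not part of the original checklist or of any Pega tooling: it scans log text for values that look like sensitive data and reports them masked. The sample log lines, the three data classes, and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample lines standing in for a sandbox application log.
SAMPLE_LOG = """\
2022-03-15 10:22:01 INFO Case C-1001 created by operator tester01
2022-03-15 10:22:07 DEBUG payment payload card=4111 1111 1111 1111 amount=25.00
2022-03-15 10:22:09 INFO order id 1234567890123456 queued
2022-03-15 10:23:40 WARN lookup failed for ssn 123-45-6789 email jane.doe@example.com
"""

# Assumed data classes; replace with the ones your organization treats as sensitive.
PATTERNS = {
    "card_number": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}

def luhn_ok(digits):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value):
    """Keep only the last four characters so the report itself leaks nothing."""
    return "*" * (len(value) - 4) + value[-4:]

def scan_log(text):
    """Return (line_number, kind, masked_value) for each suspected exposure."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group()
                if kind == "card_number" and not luhn_ok(re.sub(r"\D", "", value)):
                    continue    # e.g. a 16-digit order id
                findings.append((lineno, kind, mask(value)))
    return findings

if __name__ == "__main__":
    for lineno, kind, masked in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: possible {kind}: {masked}")
```

The Luhn check is what keeps the 16-digit order id on line 3 out of the report while the card number on line 2 is still caught.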

If you are not deploying on Pega Cloud, see Security Checklist when not deploying on Pega Cloud.
