Cloud security basics

Cloud security in Pega Platform™ is based on established security models and leading practices that help protect applications, data, and users across distributed, cloud-native environments. These principles guide how security controls are designed, implemented, and enforced in Pega Cloud, and help architects make consistent, risk aware security decisions.

Two foundational security concepts underpin Pega Cloud security:

• The confidentiality, integrity, and availability (CIA) triad
• The Zero Trust security model

Together, these concepts ensure that security is built into both the platform, and the applications deployed on it, rather than treated as an afterthought.

Confidentiality, integrity, and availability (CIA)

All Pega Cloud security controls align with the CIA triad, a widely adopted security framework that defines the core objectives of information security:

• Confidentiality – Prevent unauthorized access to data
• Integrity – Prevent unauthorized modification of data
• Availability – Ensure systems remain accessible to authorized users

Pega Platform has built-in features for authentication, authorization, encryption, and auditing, to help achieve these objectives across applications and environments.

Zero Trust security model

Pega Cloud environments follow Zero Trust security principles, which remove implicit trust from the network and require continuous evaluation of access based on identity, context, and policy, rather than network location.

In a Zero Trust security model, every access decision is evaluated dynamically, based on the following principles:

• No user, system, or network is trusted by default.
• Every access request is authenticated and authorized.
• Least privilege access is enforced.
• Security controls are continuously monitored.

As an architect, you must design Pega applications assuming that every access request must be authenticated, authorized, and audited, regardless of where the request originates.

For more information, see Security foundations and Pega Cloud and Zero Trust Architecture

Protecting data is a core aspect of cloud security and spans the entire lifecycle of data as it moves through, resides within, and is presented by applications. In Pega Cloud, data security is addressed through a layered approach that applies controls at multiple stages to help ensure confidentiality, integrity, and appropriate access.

From an architectural perspective, Pega Cloud considers data security across three primary states: data in transit, data at rest, and data at display. Each state introduces different risks and therefore requires distinct but complementary security controls at the platform and application levels.

Data in transit

Data in transit refers to data as it moves between users, applications, and integrated systems. In Pega Cloud, data in transit is protected using the following platform- level security controls:

• Pega Cloud uses TLS based encryption for browser access and service to service communication.
• Integrations use authentication profiles and secure protocols such as OAuth.
• Certificate lifecycle management is handled by Pega Cloud; applications should avoid certificate pinning, and rely on trusted certificate authorities.

Data at rest

Data at rest refers to data stored within databases and persistent storage. In Pega Cloud, data at rest is protected using the following platform-level security controls:

• Pega Cloud encrypts all data at rest using AES 256 encryption.
• Pega Platform supports encryption of specific properties and BLOB data.
• Clients can apply additional application-level encryption based on data classification needs.

Data at display

Data at display refers to how data is presented to users within applications. In Pega Cloud, data at display is protected using the following application-level and platform-enforced security controls:

• Access to data is controlled using role-based access control (RBAC) and attribute-based access control (ABAC).
• Display logic must never replace authorization rules.
• Sensitive data should be masked or restricted based on user privileges and context.

The Pega Security Checklist is a platform-provided framework that defines mandatory and recommended security tasks required to securely design, develop, and deploy Pega applications.

For applications deployed on Pega Cloud, the Security Checklist includes additional cloud-specific security considerations beyond standard on premises requirements.

Key focus areas include:

• Encryption of application data, including BLOB and sensitive properties
• Secure authentication for users, connectors, and services
• Protection of APIs exposed by the Pega application
• Proper handling of certificates and secure transport
• Validation of access groups, roles, and privileges using least privilege principles

The Security Checklist is integrated into Pega Platform and tracks completion of security tasks throughout the application lifecycle. When Deployment Manager is used, incomplete checklist items can block production deployment, reinforcing security accountability.

Using the Security Checklist throughout development helps ensure that cloud deployed Pega applications meet both platform security standards and enterprise security expectations.

For more information, see the Security Checklist topic on the Pega Documentation site.
 

Check your knowledge with the following interaction: