Zero Trust architecture
Zero Trust Architecture is a foundational security model that eliminates implicit trust. It enforces continuous authentication, authorization, and validation across users, devices, and processes. This model replaces traditional perimeter-based security with a “never trust, always verify” approach to reduce insider threats and lateral movement risks.
Traditional perimeter-based security is insufficient for cloud-native, distributed, and AI-driven enterprise applications. Zero Trust mitigates risks from compromised credentials, insider threats, and lateral movement attacks.
Comparison of security models
The following table compares perimeter-based and Zero Trust security models:
| Traditional perimeter security | Zero Trust security |
|---|---|
| Trust is based on network location | Trust is never implicit; always verified |
| Flat network with broad access | Microsegmentation and least privilege |
| Authentication at the perimeter only | Authentication per resource and session |
| Limited visibility into internal traffic | Continuous monitoring and telemetry |
| Static access policies | Dynamic, context-aware policies |
Implementation of Zero Trust Architecture
Zero Trust Architecture is the core security pattern in Pega Infinity™ and is implemented across five layers, as shown in the following diagram:
Identity layer
This layer, also referred to as the user and authentication layer, identifies users through:
- Web-based single sign-on (SSO)
- Login security policies
- Workload Identity Federation (WIF)
Channel layer
Channel security ensures encrypted and verified communication across all environments. Pega Infinity™ enforces:
- TLS 1.2 and TLS 1.3 for all traffic.
- Private connectivity using AWS PrivateLink and GCP Private Service Connect.
- IP allow lists for controlled ingress.
- Session policies, DDoS protection, secure API gateways, and OAuth 2.0 scopes.
Application layer
Pega Infinity uses a model-driven architecture that supports secure application development. Zero Trust principles are enforced through:
- Role-based access control (RBAC) and attribute-based access control (ABAC) using Access Groups, Access Roles, and Access of Role to Object (ARO) Rules.
- The Security Checklist (pxApplicationSecurityChecklist) that validates compliance before deployment.
- Pega GenAI Blueprint™ for fine-grained access control tailored to each Persona.
- Run-time protection for APIs and integrations using OAuth 2.0, multifactor authentication (MFA), and JSON Web Token (JWT) validation.
Process layer
Process integrity is maintained through continuous validation and policy enforcement:
- Case Type-level authorization policies prevent unauthorized actions, including direct URL manipulation.
- Security-checking When Rules and Access When Rules (for example, pxRelatedToMe) restrict access to specific assignments or Cases.
- Deployment Manager pipelines include mandatory security reviews before production rollout.
- Built-in audit trails and field-level change tracking support compliance and anomaly detection.
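The per-request checks listed under the application layer (OAuth 2.0 scopes, JWT validation) and the process layer (an Access When rule such as pxRelatedToMe) can be read as one enforcement point that runs on every request, whatever the caller's network location. The following is an added example, not Pega's own code: it assumes a hypothetical HS256-signed token issued for the audience "pega-cases", a constructed in-memory Case store, and a scope-per-action mapping of its own.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key and case store; a real deployment gets both from the platform.
DEMO_KEY = b"demo-shared-secret-change-me"
CASES = {"C-1001": {"owner": "alice", "assignee": "bob"},
         "C-1002": {"owner": "carol", "assignee": "carol"}}
SCOPE_FOR_ACTION = {"view": "cases:read", "approve": "cases:write"}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims, key):
    """Issue an HS256 JWT; stands in for the identity provider (demo only)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_token(token, key, audience, now=None):
    """Check algorithm, signature, expiry and audience; return claims or None."""
    if token.count(".") != 2:
        return None
    head, body, sig = token.split(".")
    if json.loads(_unb64url(head)).get("alg") != "HS256":  # refuse 'none'/alg confusion
        return None
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return None
    claims = json.loads(_unb64url(body))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now or claims.get("aud") != audience:
        return None
    return claims

def authorize(token, action, case_id, now=None):
    """Policy enforcement point: runs on every request, whatever the network origin."""
    claims = verify_token(token, DEMO_KEY, "pega-cases", now)
    if claims is None:
        return "deny:unauthenticated"
    scope = SCOPE_FOR_ACTION.get(action)
    if scope is None or scope not in claims.get("scope", "").split():
        return "deny:scope"
    case = CASES.get(case_id)
    # Access-When style rule (pxRelatedToMe): caller must own or be assigned the Case.
    if case is None or claims.get("sub") not in (case["owner"], case["assignee"]):
        return "deny:not-related"  # a guessed case URL is refused like a missing case
    return "allow"
```

A session that passed the perimeter still gets the same three checks on each Case it touches, which is what stops a direct URL to another user's Case from succeeding.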
Data & secrets layer
Data protection is central to Zero Trust in Pega Infinity:
- Encryption at rest and in transit using TLS, field-level encryption, and content security policies.
- Operator records and Access Groups enforce least-privilege access.
- Pega Diagnostic Center (PDC) and Security Alerts provide real-time monitoring and threat detection.
- Data obfuscation and masking techniques prevent exposure of sensitive information.
Zero Trust in Pega Infinity is a foundational design principle. Each component (user, process, application, and Data Flow) undergoes verification, contextual authorization, and continuous monitoring. Case Types, Data Pages, and integration layers define security boundaries. Run-time decisions rely on real-time telemetry and access models specific to each Persona. This architecture enables proactive security that supports agility, compliance, and resilience.