Understanding security basics
Pega Platform™ provides robust protection against a wide range of security risks, whether those risks arise from accidental causes or result from malicious intent. Use Pega Platform features for authentication, authorization, encryption, and auditing to secure and monitor your application.
Information technology teams prioritize application and data security. Security breaches can damage your organization's reputation, reduce customer trust, and lead to customer loss, legal issues, and financial penalties.
As a Lead System Architect (LSA), your architectural decisions directly impact the security posture of the applications you design. You need a strong understanding of security to fulfill your professional responsibilities.
The Confidentiality, Integrity, and Availability (CIA) triad defines the primary objective of security. These principles work together to create a resilient and comprehensive security framework.
- Confidentiality ensures that only authorized individuals can access sensitive information. Pega Platform helps maintain confidentiality through authentication mechanisms that verify user identity and authorization controls that restrict access to specific data and functionality. A breach of confidentiality can expose systems or data to unauthorized individuals, which results in data leaks, regulatory violations, and loss of customer trust.
- Integrity protects data and systems from unauthorized changes so that information remains accurate and trustworthy. Pega Platform maintains integrity through access controls, audit trails, and validation rules. A breach of integrity can lead to corrupted records, fraudulent transactions, and unreliable business decisions.
- Availability ensures that authorized users can access systems and resources when needed. Pega Platform protects availability by helping to prevent denial-of-service attacks, maintaining system redundancy, and planning for capacity. A breach of availability can disrupt access for legitimate users, resulting in revenue loss, customer dissatisfaction, and reputational harm.
Application security levels in Pega Platform
Application security in Pega Platform is structured across three critical layers:
- Data in transit
- Data at rest
- Data on display
Each layer addresses distinct vulnerabilities and applies targeted protection strategies. Understanding these layers helps you design applications that maintain confidentiality, integrity, and availability across all stages of data handling.
Data in transit
Data in transit refers to information that moves across networks, such as between browsers, Pega Platform™ servers, external systems, or different components of the Pega architecture. You must secure this data to protect sensitive enterprise information. Use the following mechanisms to safeguard data in transit:
Transport Layer Security
Transport Layer Security (TLS) encrypts data during transmission and establishes a secure tunnel between the client and server. TLS protects against interception during transit but does not secure data at endpoints. TLS is mandatory for browser-based sessions.
Application-level security
TLS secures the channel, while application-level security protects the data itself. Use application-level encryption to maintain end-to-end protection, especially when data flows through multiple systems or must remain secure after delivery.
XML signatures
XML signatures verify sender identity and message integrity. For example, in an insurance claim integration, XML signatures confirm that the claim data is authentic and untampered, even across intermediaries.
Authentication Profiles
Authentication Profiles secure connector-based communications such as REST and SOAP. These profiles define credentials and authentication methods for accessing external systems. You must configure them correctly when designing integrations.
Implementation guidance for LSAs
- Enable TLS in all production environments.
- Use application-level encryption for sensitive or multi-hop data flows.
- Configure Authentication Profiles for all external services.
- Document security requirements in integration specifications.
Data at rest
Data at rest refers to information stored in databases, file systems, backups, or archives. You protect this data using encryption mechanisms provided by database vendors such as Oracle, SQL Server, and PostgreSQL. Pega Platform also supports column-level encryption using Advanced Encryption Standard (AES) to secure specific sensitive fields.
Use the following encryption strategies:
Database-level encryption
You can use vendor solutions such as Oracle TDE or SQL Server TDE to encrypt entire databases or tablespaces. These solutions offer broad protection with minimal configuration and rely on the database engine to handle encryption efficiently.
Column-level encryption in Pega Platform
You can selectively encrypt sensitive fields such as Social Security numbers or credit card numbers by using AES. Pega Platform encrypts the data before storage and decrypts it for authorized users.
AES implementation
AES is a symmetric algorithm that uses the same key for encryption and decryption. You must manage keys securely, rotate them regularly, and store them separately from the encrypted data.
Implementation guidance for Lead System Architects
- Identify sensitive data fields.
- Choose between broad (database-level) or selective (column-level) encryption.
- Configure column encryption through property rules in Designer Studio.
- Establish secure key management policies.
- Consider performance impacts because encrypted columns cannot be used for sorting or pattern matching.
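The following is an added illustration of the AES key-management points above (symmetric key, rotation, keys stored apart from the data); it is not Pega Platform's own column-encryption implementation, and the key ring, key ids, and the stored-value layout are assumptions made for the example.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;
public class FieldEncryptor {
    private static final int IV_BYTES = 12, TAG_BITS = 128;
    // Key ring stands in for an external key store: keys never sit next to the ciphertext.
    private final Map<String, SecretKey> keyRing = new HashMap<>();
    private String currentKeyId;
    private final SecureRandom rng = new SecureRandom();
    // Register a 256-bit key under keyId and use it for all new encryptions (rotation).
    public void rotateTo(String keyId, byte[] rawKey) {
        keyRing.put(keyId, new SecretKeySpec(rawKey, "AES"));
        currentKeyId = keyId;
    }
    // Stored form is "keyId:base64(iv || ciphertext || tag)", so old rows stay decryptable after rotation.
    public String encrypt(String plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        rng.nextBytes(iv); // fresh nonce per value: equal plaintexts give different ciphertexts,
                           // which is why an encrypted column cannot be sorted or pattern-matched
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, keyRing.get(currentKeyId), new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(currentKeyId.getBytes(StandardCharsets.UTF_8)); // bind the key id to the ciphertext
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[IV_BYTES + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_BYTES);
        System.arraycopy(ct, 0, out, IV_BYTES, ct.length);
        return currentKeyId + ":" + Base64.getEncoder().encodeToString(out);
    }
    public String decrypt(String stored) throws Exception {
        String keyId = stored.substring(0, stored.indexOf(':'));
        SecretKey key = keyRing.get(keyId);
        if (key == null) throw new IllegalStateException("no key for id " + keyId);
        byte[] blob = Base64.getDecoder().decode(stored.substring(keyId.length() + 1));
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
        c.updateAAD(keyId.getBytes(StandardCharsets.UTF_8));
        byte[] pt = c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES); // AEADBadTagException if tampered
        return new String(pt, StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        FieldEncryptor enc = new FieldEncryptor();
        byte[] k1 = new byte[32], k2 = new byte[32]; // constructed sample keys, generated at random
        new SecureRandom().nextBytes(k1); new SecureRandom().nextBytes(k2);
        enc.rotateTo("k1", k1);
        String row = enc.encrypt("123-45-6789"); // written under k1
        enc.rotateTo("k2", k2);                  // rotate: new writes use k2
        System.out.println(enc.decrypt(row));    // old row still decrypts through its recorded key id
    }
}
```

Because each value carries its key id, rotation only requires adding a new key and re-encrypting rows on a schedule, not decrypting the whole table at once.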
Data on display
Data on display refers to information presented to users in the application interface, including Case forms, reports, dashboards, and other user interface components. Security for data on display determines who can view specific information and who can perform actions. Use the following methods to secure data on display:
Role-based access control
Grant access based on user roles by configuring Access Groups, roles, and privileges.
Attribute-based access control
Determine access using user, resource, and context attributes.
Implementation guidance for LSAs
Apply these best practices to manage visibility and protect sensitive data in the user interface:
- Use role-based access control (RBAC) for general access management.
- Apply attribute-based access control (ABAC) for sensitive data that requires fine-grained, context-aware protection.
- Consider a hybrid approach: use RBAC for features and ABAC for data fields.
- Evaluate access strategies based on data sensitivity, compliance requirements, and organizational complexity.
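The hybrid approach described above, as an added example that is not Pega Platform code: a role-to-privilege map stands in for Access Groups, roles, and privileges, and a small attribute policy masks individual fields. The claim, users, roles, and field rules are constructed for the example.

```java
import java.util.*;

public class DisplayAccess {
    // RBAC side: role -> privileges, modelled on access roles and privileges (constructed sample).
    static final Map<String, Set<String>> ROLE_PRIVILEGES = Map.of(
        "ClaimsAdjuster", Set.of("ViewClaim", "ApproveClaim"),
        "CallCenterAgent", Set.of("ViewClaim"));
    record User(String id, Set<String> roles, String department, Set<String> regions) {}
    record Claim(String id, String region, Map<String, String> fields) {}

    // Feature-level check: any of the user's roles that carries the privilege grants it.
    static boolean hasPrivilege(User u, String privilege) {
        return u.roles().stream().anyMatch(r -> ROLE_PRIVILEGES.getOrDefault(r, Set.of()).contains(privilege));
    }
    // Field-level ABAC policy: the decision depends on user, resource, and context attributes.
    static boolean canSeeField(User u, Claim c, String field) {
        switch (field) {
            case "SSN":         return u.department().equals("Claims") && u.regions().contains(c.region());
            case "ClaimAmount": return u.regions().contains(c.region());
            default:            return true;
        }
    }
    // Hybrid: RBAC decides whether the claim view opens at all, ABAC masks individual fields.
    static Optional<Map<String, String>> render(User u, Claim c) {
        if (!hasPrivilege(u, "ViewClaim")) return Optional.empty();
        Map<String, String> view = new TreeMap<>();
        c.fields().forEach((k, v) -> view.put(k, canSeeField(u, c, k) ? v : "****"));
        return Optional.of(view);
    }
    public static void main(String[] args) {
        Claim claim = new Claim("C-1", "EU", Map.of("SSN", "123-45-6789", "ClaimAmount", "4200", "Status", "Open"));
        User adjuster = new User("ann", Set.of("ClaimsAdjuster"), "Claims", Set.of("EU"));
        User agent = new User("bob", Set.of("CallCenterAgent"), "Support", Set.of("US"));
        User auditor = new User("cat", Set.of("Auditor"), "Audit", Set.of("EU"));
        System.out.println(render(adjuster, claim)); // every field visible
        System.out.println(render(agent, claim));    // SSN and ClaimAmount masked, Status visible
        System.out.println(render(auditor, claim));  // Optional.empty: no role grants ViewClaim
    }
}
```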