The Security Checklist
Inadequate security can prevent your application from being deployed.
- Most clients require approval from an IT security team who reviews the application security before the project team is allowed to move the application to production.
- Deployment Manager blocks applications from being deployed in production if the Security Checklist is not completed.
Below are the four critical security areas:
- Data Encryption protects sensitive data within your application without affecting the functionality of Pega Platform™. You can select the encryption type used in your application to encrypt and decrypt passwords, properties, and BLOBs. Encrypted data easily complies with privacy policies, regulatory requirements, and contractual obligations for handling private data.
  - For example, encrypted data includes Social Security numbers, credit card numbers, account numbers, and addresses.
- Authentication ensures that only users and systems with verified identities can access your application. In Pega Platform, authentication includes user logins, platform requests to external services, and external service requests to the platform.
  - For example, a user logs in to your application using single sign-on (SSO), or by entering a valid user ID and password to begin a session. You can also authenticate by using an external identity provider.
- Authorization, also called access control, ensures that after logging in, a user only has access to the allowed platform features, interfaces, or data. Pega Platform offers three types of authorization: role-based access control (RBAC), attribute-based access control (ABAC), and client-based access control (CBAC). You can use authorization features individually or collectively to provide the strictest level of control.
- Auditing, also called accountability, is a systematic evaluation of the security of company information systems. Security is measured by how well it conforms to a set of established criteria. Pega Platform tracks many types of security events, such as failed logins and password changes. You can optionally track many other types of security events, as well as changes to rules and data. By tracking these changes, you can understand how your system is functioning and be alerted to any potential problems.
Security goals
Pega takes application and system security seriously. Security is a shared responsibility between Pega and our clients, with the common goal of ensuring the AIC Triad of your application: availability, integrity, and confidentiality.
Unauthorized individuals cannot access or modify the application or the data it creates and stores. Authorized individuals, in turn, only have access to those application functions and data that are necessary to perform their jobs.
- Availability prevents delays for authorized individuals when accessing systems or data.
- Integrity prevents unauthorized individuals from modifying systems or data.
- Confidentiality prevents unauthorized individuals from accessing systems or data.
Security Checklist
The Security Checklist is a key feature of Pega Platform that assists clients in hardening their applications and systems. To assist in tracking the completion of the tasks in the checklist, Pega Platform automatically installs an application guideline Rule instance that includes the tasks in the Security Checklist for each version of your application.
The Security Checklist helps you secure your application by outlining your responsibilities alongside Pega leading practices, ensuring a secure deployment. It highlights critical tasks based on your deployment model and end-user profile, and explains when each task should be completed, whether at the start of development, throughout the development process, or just before deployment.
By defining the appropriate timing for each task, the checklist helps prevent costly rework and late-stage retesting. It also provides a way to track task status and overall completion, making progress more visible and manageable. Ultimately, the Security Checklist supports the protection of your application’s availability, integrity, and confidentiality in production.
Guardrail compliance
The most important security requirement for any Pega Platform application is to maintain guardrail compliance. Pega Platform security features are not always successfully enforced when using custom code.
To protect your application, use the built-in security configuration features in Pega Platform. Do not rely on custom code built by developers who are not security experts.
Security Checklist tasks
The Security Checklist tasks are organized by when each task is performed and by the key security area involved. Key areas include monitoring, authentication, authorization, auditing, and production testing. As you review the Security Checklist core tasks, it is important to understand the nature of the application, which Pega Platform features are used, and how and to whom the application will be deployed.
Not all security tasks are required for all applications or releases. The tasks you use depend on many factors, including the Pega Platform features your application uses, how much you customize a Pega application, and the amount of sensitive data created and stored within the application.
Security is one of several special considerations for public-facing applications. For more information, see Basic requirements for deploying public-facing applications.