Data encryption is a process that securely encodes data and is used to protect sensitive data from unauthorized access within the organization and outside it. Data encryption is a two-way process, meaning that an authorized user can decrypt encrypted data.
Note: Data encryption is only one aspect of securing an application. For a complete list of security leading practices, consult the Security Checklist awareness module and the Security Checklist for Pega Platform deployment.
Some examples of data that are typically encrypted include Social Security/Taxpayer Identification Numbers, credit card numbers, and account numbers.
Note: User passwords are stored in properties that use the password property type and are protected by default, through a different, irreversible process called hashing.
How data encryption works
Data encryption uses a cipher, which is the algorithm that performs the encryption and decryption, to turn readable text into an unreadable format. The cipher uses a key, which is a character string, to generate a unique encryption result. Each organization uses a custom key to encrypt their data in Pega Platform. By using custom keys, different organizations can leverage the same cipher to generate a unique encryption result.
Note: To increase security, you can configure automatic key rotation, which is an advanced configuration. For more information, see Forcing data key rotation in the platform cipher.
In the following diagram, click the + icons to learn more about data encryption and decryption.
Data encryption approaches
The two main data encryption approaches are the encryption of entire class instances and the encryption of specific properties. Consider the needs of your application and the amount of data that needs to be encrypted before selecting a data encryption approach. It might be appropriate for you to apply a combination of class-level and property-level encryption.
|Class-level||Efficient method to encrypt an entire case or data record stored as a Binary Large Object (BLOB) in the database.||Does not encrypt data outside of the BLOB in the database. For example, properties that are exposed as columns for reporting, stored on the clipboard when you open a case, or stored in secondary data stores are not encrypted.|
|Property-level||Encrypts properties in and outside the database. (Specifically, in the clipboard, logs, search indexes, and reports.) You can encrypt properties that are optimized for reporting if the property type is Text.||Can be time-consuming to individually encrypt and decrypt a large number of individual properties.|
Class-level (BLOB) encryption
In some cases, you want to encrypt at the class level. For example, you encrypt a class associated with a Tax Return case type, which contains sensitive tax return data. Class-level encryption occurs when Pega Platform saves a class instance to the database. Decryption occurs when Pega Platform retrieves and opens an instance.
With class-level encryption, you encrypt the entire BLOB column for rows in the Pega Platform database that correspond to specific classes.
In some cases, you want to encrypt individual properties. In the Tax Return case type example, in addition to encrypting the Tax Return object, you decide to provide additional protection for properties that store uniquely identifying data. You encrypt the properties that store the customer's bank account number and Social Security number to protect the associated data in and outside the database.
With property-level encryption, you configure a PropertyEncrypt access control policy and list the properties you want to encrypt in the PropertyEncrypt control policy.
Caution: The use of the TextEncrypt property type is deprecated in favor of encryption through a PropertyEncrypt access control policy.
Check your knowledge with the following interaction.