
Layered security patterns

Modern enterprise environments face increasingly sophisticated threats that exploit vulnerabilities in identity management, API exposure, and internal application access. To counter these risks, security architectures must evolve beyond perimeter-based defenses toward models that continuously verify and enforce trust. Adopting a Zero Trust philosophy, where no entity is inherently trusted and every access request is continuously verified, is essential.

Layered security strategies such as Defense in Depth and API Security Patterns provide structured approaches for embedding resilient controls across Pega Infinity™ deployments. These patterns guide architects in implementing multi-tier safeguards that span authentication, authorization, input validation, gateway controls, and runtime monitoring to protect digital assets and integration points.

Defense in Depth (DiD) security pattern

Defense in Depth is a layered security strategy that distributes controls across infrastructure, network, host, application, data, and identity layers to minimize the impact of breaches. By creating containment zones, Defense in Depth ensures that the failure of one control does not compromise the entire application.

Key design principles

Figure: DiD Security Pattern LSA V3
  • Segmentation and isolation: Restrict lateral movement by segmenting networks and applications. In Pega Infinity, use Access Groups and Access Roles to define trust boundaries for Case Types and Data Objects.
  • Least privilege access: Enforce granular permissions with Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC), implemented through Access of Role to Object (ARO) rules. Configure case-level and data-level authorization policies to limit access to authorized personas.
  • Continuous monitoring: Implement real-time anomaly detection by using Pega Diagnostic Center (PDC) and security alert rules to identify and respond to threats promptly.


API Security Patterns

APIs are critical integration points in Pega Infinity but pose significant risks, as outlined in the OWASP API Security Top 10 (for example, Broken Object Level Authorization, Excessive Data Exposure, Injection Attacks). Pega Infinity provides a layered API security model to mitigate these threats, encompassing authentication, authorization, input validation, and runtime monitoring.

Key design patterns

Figure: API Security Pattern LSA
  • Authentication: Secure access to REST services by using OAuth 2.0, JWT tokens, and Authentication Profiles in Service Packages. Verify identity for all API endpoints.
  • Authorization: Enforce context-aware access control by using Access Groups, Access Roles, and ABAC. Restrict API access to specific personas based on roles and attributes.
  • API gateway controls: Mitigate abuse and denial-of-service (DoS) attacks by implementing rate limiting, throttling, and IP restrictions through API Gateway integration.
  • Input validation: Ensure payload integrity and prevent injection vulnerabilities by using Validate rules, Data Transforms, and JSON schema enforcement on REST connectors and services.
  • Logging and auditing: Monitor API usage by using Pega Diagnostic Center (PDC) and security alert rules that support proactive threat detection and auditing.
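The layers listed above, as an added illustrative model rather than Pega code: a request passes through gateway rate limiting, JWT signature verification, role-plus-attribute authorization, and payload validation in that order, and each layer returns its own denial so that a failure is contained and attributable. The shared secret, the request limit, the persona and region attributes, and the payload schema are constructed assumptions.

```python
import base64, hashlib, hmac, json
from collections import defaultdict

SECRET = b"constructed-demo-secret"  # hypothetical HS256 secret shared with the IdP
REQUEST_LIMIT = 3                    # requests allowed per client per window (constructed)
PAYLOAD_SCHEMA = {"caseId": str, "amount": int}  # required fields and their exact types
_counts = defaultdict(int)           # gateway counter: requests seen per client

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def sign(header: str, body: str) -> bytes:  # HS256 over the JWT signing input
    return hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()

def make_token(claims: dict) -> str:  # stand-in for the identity provider
    header, body = b64url(b'{"alg":"HS256","typ":"JWT"}'), b64url(json.dumps(claims).encode())
    return f"{header}.{body}.{b64url(sign(header, body))}"

def authenticate(token: str):
    """Authentication layer: return the claims only if the signature verifies, else None."""
    try:
        header, body, sig = token.split(".")
        valid = hmac.compare_digest(sign(header, body), b64url_decode(sig))
    except ValueError:  # wrong number of parts or bad base64
        return None
    return json.loads(b64url_decode(body)) if valid else None

def authorize(claims: dict, resource: dict) -> bool:  # RBAC role plus ABAC region attribute
    return claims.get("role") == "CaseWorker" and claims.get("region") == resource.get("region")

def validate_payload(payload: dict) -> bool:  # every schema field present with the exact type
    return all(type(payload.get(k)) is t for k, t in PAYLOAD_SCHEMA.items())

def rate_limited(client: str) -> bool:  # gateway control: refuse once the limit is exceeded
    _counts[client] += 1
    return _counts[client] > REQUEST_LIMIT

def handle_request(client: str, token: str, resource: dict, payload: dict) -> str:
    """Apply the layers in order; the first layer that fails names the denial."""
    if rate_limited(client):
        return "denied:rate_limit"
    claims = authenticate(token)
    if claims is None:
        return "denied:authentication"
    if not authorize(claims, resource):
        return "denied:authorization"
    if not validate_payload(payload):
        return "denied:validation"
    return "ok"
```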

By applying Defense in Depth and API Security Patterns, you can design resilient, secure systems that align with Zero Trust principles. These patterns use Pega Infinity constructs such as Access Groups, ARO rules, Service Packages, and PDC to enforce granular controls, validate inputs, and monitor threats. This approach ensures that Pega Infinity enterprise applications are secure by design, protecting against both targeted and opportunistic attacks and supporting enterprise compliance and resilience.
