Security policies on Pega Platform
To limit unauthorized access to your applications, configure the settings on the Security Policies tab of the Authentication landing page. In Dev Studio, open the menu and select Org & Security > Authentication > Security Policies to view and update the security policies for the entire Pega Platform™ server.
Caution: Settings on the Authentication landing page may be overridden by settings for a specific authentication service.
After you update a setting, clickat the bottom of the page to record an update. Changes to security policies become active immediately on form submission.
Note: Applying appropriate security policies is only one aspect of securing an application. For a complete list of security leading practices, consult the Security Checklist awareness module and the Security Checklist for Pega Platform deployment.
Frequently required policies
The settings in the Security Policies tab allow you to implement policies for password strength, limits on incorrect guesses, and logging levels for login attempts. The section is divided into four parts.section of the
- Password policies govern the strength of user passwords.
- CAPTCHA policies test whether a person entered the password.
- Lockout policies define system behavior when a user enters an incorrect password.
- Audit policy determines the amount of detail written to the system log for a security issue.
The settings in the Security Policies tab allow you to implement multi-factor authentication and disable access for unused user accounts.section of the
Tip: For a detailed explanation of the settings for each type of policy, including minimum and maximum allowed values, see the help topic Security policies settings.
Use the Password policies section to customize requirements for password length, complexity, and predictability.
Caution: Unlike length and complexity, which can be managed well through the policies in this section, predictability depends in part upon sound judgment by users.
In the following image, click the + icons to learn more about the available settings.
CAPTCHA and lockout policies
To stop or slow a brute-force attack, limit the number of failed login attempts. For example, you can require that after a third failed attempt, further attempts are blocked for 15 minutes. Two approaches to limiting users after too many incorrect guesses are CAPTCHAs and lockouts.
A CAPTCHA is a challenge-response test to determine whether a user is human. A CAPTCHA typically presents the user with one or more images and asks the user to identify a specified detail. For example, a CAPTCHA may present the user with an image of a sequence of letters and numbers, which the user must type into a text field. The image may stretch or skew the characters to increase the difficulty of reading the characters using automated character recognition techniques. The following image shows Pega Platform prompting a user with a CAPTCHA.
Use the CAPTCHA policies section to enable and configure a CAPTCHA to challenge login attempts. When enabled, you can:
- Choose between the default implementation or a custom implementation.
- Enable the use of a CAPTCHA on the initial login.
- Set the likelihood that a user receives a CAPTCHA after a failed login.
Lockouts enforce a waiting period after the user attempts a specified number of failed login attempts to prevent another login attempt until the waiting period ends. Lockouts can slow or prevent a brute-force attack.
Use the Lockout policies section to customize when and for how long a user must wait after a failed login attempt. The options listed depend on whether the lockout policy is enabled or disabled. When a lockout penalty is enabled, you can:
- Set a threshold value for failed login attempts.
- Set the initial lockout penalty period, in seconds. Repeated login failures increase the penalty period automatically.
- Maintain a log of login failures for a specified number of minutes.
When a lockout policy is disabled, you can:
- Set the number of allowed failed login attempts before an account is locked.
- Set the time in minutes for which the user's account is locked.
In the center of the following image, slide the vertical line to compare enabled and disabled lockout policies.
Use the Audit policy section to customize the level of detail captured for login attempts. To record login failures only, set the logging level to Basic. To record both failed and successful attempts, set the logging level to Advanced.
Multi-factor authentication policies
Passwords represent one way to authenticate a user. To increase security, enable multi-factor authentication to authenticate users. With multi-factor authentication, a user gains access only after providing multiple factors, or pieces of evidence, to verify their identity.
- Knowledge – Something that only the user knows, such as a password
- Possession – Something that only the user has, such as a mobile device
- Inheritance – Something that represents a characteristic of the user, such as their location
Note: Two-factor authentication is a subset of multi-factor authentication, in which the user provides two pieces of evidence at login.
Pega Platform provides a default multi-factor authentication feature that sends a one-time password to a user by either email or SMS text message. To complete the login process, the user must enter the one-time password within the time allowed. Use the Multi-factor authentication policies (using one-time password) section to configure the settings for this one-time password.
In the following image, click the + icons to learn more about multi-factor authentication settings.
Operator disablement policy
Use the Operator disablement policy section to automatically disable access for users who are inactive for the specified number of days. To prevent the system from disabling access for a user, add the operator ID record for the user to the Exclusion list of operator IDs list.