Strengthening Security with Deny-by-Default: Network Configuration on Pega-as-a-Service

Ivan Anikanov, 6 minute read

In today's threat landscape, where the average global cost of a data breach reached $4.88 million in 2024 (a 10% year-over-year increase), security is no longer optional. It's a core feature of your operational model. On December 11, 2025, our Pega-as-a-Service Expert Circle convened for an essential discussion on network configuration, focusing on a significant security enhancement: the deny-by-default policy for inbound access control.

The webinar brought together three industry experts to explore how clients, partners, and consulting teams can leverage new self-service network configuration to enhance security while maintaining operational flexibility.

Watch the full recording here: https://community.pega.com/event/network-configuration-pega-service

Check out the Q&A and ask any additional questions here: https://community.pega.com/conversations/pega-as-a-service/post-webinar-q%26amp%3Ba%3A-network-configuration-on-pega-as-a-service

The Security Imperative

Jakub Stando, Director of Product Management, opened the session with a sobering statistic. According to IBM's Cost of Data Breach Report, 70% of organizations say breaches caused significant or very significant disruptions to their business. This isn't just an IT incident; it's a business incident affecting reputation, trust, talent, and momentum.

This reality underscores why Pega Cloud operates on a secure-by-design architecture. When you run Pega-as-a-Service, you inherit a comprehensive security foundation including hardened environments, continuous threat detection and response, regular penetration testing, antivirus and malware scanning, vulnerability management, and encryption both in transit and at rest.

Security is a Team Sport

While Pega secures the cloud infrastructure and platform, clients secure their use of the cloud. This shared responsibility model requires critical decisions about who should have access to your environments, from where they can access (office networks, VPNs, partners, or public internet), and how they should connect.

These decisions should be made early in your implementation journey, not as last-minute tickets after go-live. That's exactly why Pega introduced the new inbound access configuration capability in MyPegaCloud.

Deny-by-Default: A Paradigm Shift

The most significant announcement from the webinar: all new Pega environments are now provisioned with an inbound deny-by-default policy. This means that to access a new Pega environment, clients must explicitly allow that access. This represents a fundamental security posture shift, aligning with the principle of least privilege.

Dara Brosseau, Director of Networking Delivery, explained that older Pega environments can achieve the same deny-by-default posture using the same tooling. The capability supports two primary approaches:

CIDR-based IP allow lists provide broad, powerful control when you can identify specific source IP address ranges. This is ideal when traffic originates from known networks like corporate offices, data centers, or managed cloud access providers.

Path-based allow lists offer more granular protection, either layered on top of CIDR-based lists or used independently when source IPs aren't stable. You can restrict access to specific application paths, ensuring that even users on the open internet can only reach designated portions of your environment.
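
A minimal model of how the two allow-list types combine under deny-by-default, added here as an illustration and not Pega's implementation or the MyPegaCloud schema. The `Rule` fields, the segment-based path matching, the sample ranges and the paths are all assumptions.

```python
import ipaddress
import posixpath
from dataclasses import dataclass
from urllib.parse import unquote

@dataclass(frozen=True)
class Rule:
    """One allow-list entry. Hypothetical model, not the MyPegaCloud schema."""
    cidr: str         # allowed source range; a /0 network means any source
    path_prefix: str  # allowed path prefix; "/" means every path
    note: str         # reference to a change ticket, for the audit trail

# Constructed sample policy (RFC 5737 documentation ranges, made-up paths).
RULES = [
    Rule("203.0.113.0/24", "/", "CHG-0001 EMEA office VPN, full access"),
    Rule("0.0.0.0/0", "/app/claims", "CHG-0002 public access, Claims only"),
]

def _path_allowed(path: str, prefix: str) -> bool:
    # Compare whole segments so "/app/claims" does not admit "/app/claims-admin".
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")

def evaluate(src_ip: str, path: str, rules=RULES):
    """Return the rule that admits the request, or None (deny by default)."""
    ip = ipaddress.ip_address(src_ip)
    # Decode and collapse "..", "." and "//" before matching, so traversal
    # out of an allowed prefix is judged on the path actually requested.
    clean = "/" + posixpath.normpath("/" + unquote(path)).lstrip("/")
    for rule in rules:
        net = ipaddress.ip_network(rule.cidr)
        if ip.version == net.version and ip in net and _path_allowed(clean, rule.path_prefix):
            return rule
    return None

def wide_open(rules=RULES):
    """Rules admitting any source to every path: the first ones to review."""
    return [r for r in rules
            if ipaddress.ip_network(r.cidr).prefixlen == 0
            and r.path_prefix.rstrip("/") == ""]

if __name__ == "__main__":
    for ip, path in [("203.0.113.7", "/app/hr"), ("198.51.100.9", "/app/claims/cases"),
                     ("198.51.100.9", "/app/claims/../hr")]:
        hit = evaluate(ip, path)
        print(ip, path, "ALLOW " + hit.note if hit else "DENY")
```

The second rule is the path-only case: any source is admitted, but only to one path prefix, so it is not reported by `wide_open`.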

Self-Service Through My Pega Cloud

The new capability lives directly in My Pega Cloud, your client control center for Pega-as-a-Service. From this single portal, available 24/7, your security and operations teams can manage environments, run restarts, check logs, request updates, schedule maintenance, and now configure inbound access without waiting for support tickets.

During the live demonstration, Jakub walked through a practical scenario: granting EMEA developers access to a specific Claims application via their office VPN. The interface provides validation to prevent incorrect values, supports multiple IP ranges with flexible CIDR notation, and distinguishes between public internet access and private connectivity through Pega Cloud Secure Connect.

The Security Center tab, released just days before the webinar, displays security alerts assigned to specific environments. Wide-open access configurations trigger persistent alerts, providing ongoing reminders to review and tighten security postures.

Best Practices for Implementation

The panel emphasized several best practices. First, leverage Pega Cloud Secure Connect offerings like AWS PrivateLink to establish known source networks and avoid public internet exposure for mission-critical workloads. Second, regularly review your inbound allow lists using the self-service visibility now at your fingertips. Third, expose only the minimum required access and adjust as business needs evolve.

When exceptions are necessary, document them thoroughly. The self-service interface includes fields for references or notes, which you can use to link to your internal ticketing system and create an auditable trail. The audit log tracks who executed changes and when, supporting governance requirements across organizations with multiple teams and partners.

Compatibility and Availability

An important clarification: this capability has no dependency on your Pega Infinity version. Whether you're running version 25.1 or 24.2 or earlier, you can leverage inbound access configuration. For Pega Cloud for Government (FedRAMP), the capability is available through support tickets, with MyPegaCloud self-service coming in the future.

The features are rolling out gradually across different Pega environment types and configurations to ensure seamless operation. If you don't see all capabilities in your MyPegaCloud instance yet, you can request early adopter access or submit a support ticket to implement access restrictions immediately.

Your Next Steps

Security shouldn't feel like introducing unwanted complexity. As Dara emphasized, this is worthwhile complexity that can be implemented in phases and layers. Start with your development environment, test configurations, and iterate toward production.

Log into MyPegaCloud today to review your current access configuration and identify security alerts. Implement access restrictions that align with your business requirements and explore Pega Cloud Secure Connect if you're not using it already. If you encounter challenges, reach out to Pega's networking SMEs and operations teams for guidance.

The deny-by-default policy represents more than a technical change; it's a fundamental commitment to protecting your business from the ever-evolving threat landscape. By taking control of inbound access configuration, you're not just securing your Pega environments but safeguarding your reputation, customer trust, and business momentum.

About the Author

As a Technical Solutions Director at Pega, Ivan Anikanov helps client organizations drive digital transformation and cloud-first delivery. He bridges business and technical domains, bringing real-world client insights into Pega-as-a-Service strategy.