Pega Cloud provides industry-leading infrastructure, enterprise-grade services, and operational excellence for the Pega 7 Platform and strategic applications in the cloud. Pega Cloud provides Pega 7 Platform environments that are provisioned, monitored, and maintained for individual customers. In addition, Pega Cloud maintains industry-standard security controls that protect customer cloud environments and data. These standards create and utilize a shared security model that inherits controls up through the stack from Pega Cloud suppliers, through Pega Cloud technology and operations, and shares controls with customers.
Customers assume responsibility for the development, management, and implementation of the Pega 7 Platform application security controls as they build and operate their Pega-based applications. For more information, see PDN articles about Pega 7 Platform application development guardrails and deployment of application security controls.
Pega Cloud uses Amazon Web Services (AWS) for cloud infrastructure and services. For information related to AWS security and compliance, see the following resources:
The following image depicts the Pega Cloud shared security model. Information about primary security controls and standards provided by Pega Cloud are outlined below.
Pega Cloud is responsible for the management, security, and monitoring of our customer environments from the infrastructure up through the deployed Pega 7 Platform and applications. This infrastructure includes the hardware, software, networking, and facilities that support the Pega Cloud service catalog. Pega Cloud manages these services on behalf of each customer, from initial provisioning to final decommissioning. Several of our controls are outlined in the next sections.
Customers are responsible for the development, maintenance, and security of their application beyond the default platform. Several of these responsibilities include, but are not limited to, application and workflow development, data classification, and user administration and entitlement management.
Physical and environmental controls
Pega Cloud uses Amazon Web Services (AWS) as its Infrastructure-as-a-Service (IaaS) provider, which hosts Pega Cloud in state-of-the-art, large-scale, secure data centers.
- Amazon Web Services (AWS) provides the physical and environmental security controls for the cloud infrastructure. Pega Cloud inherits these controls as part of the shared security model (shown in the preceding image). For a discussion of these controls, see Amazon Cloud Security.
- Pega Cloud provides Network Operations Centers (NOCs), with current locations in Cambridge, Massachusetts, and Bangalore, India, from which the Pega Cloud service is monitored and maintained.
- Access to the Pega Cloud NOCs is restricted to authorized personnel only. Additionally, Pega Cloud provides the following access controls:
- Maintains a list of personnel with authorized access
- Reviews and approves physical access lists
- Removes personnel who no longer require physical access
Network and infrastructure controls
The Pega Cloud network architecture provides a level of security that allows each customer to effectively operate the Pega 7 Platform. Pega Cloud manages and provides each customer with:
- Virtual network devices to establish the boundaries, network rulesets, and access controls to govern inbound and outbound traffic in any customer environment.
- Network security controls that limit access from untrusted sources.
- Network architecture that limits the effects of distributed denial-of-service (DDoS) attacks.
- An HTTP/HTTPS Internet gateway that provides access for customers who want connectivity to their virtual private cloud (VPC) environment directly from the Internet.
- A secure IPsec virtual private network (VPN) connection that provides access between the customer location and the customer’s virtual private cloud (VPC) environment.
- Authentication controls for Pega Cloud support personnel supporting customer infrastructure. Authorized Pega Cloud engineers are required to authenticate to Pega Cloud Management tools by using unique user identification credentials and replay-resistant two-factor authentication tokens prior to being granted secure access to the Pega Cloud network.
- Continuous monitoring of the infrastructure components in each customer environment.
- Pega Cloud provides 256-bit AES encryption of data-at-rest.
- Pega Cloud deploys anti-malware software on all systems.
- Pega Cloud deploys host-based malware services, scans, and signature updates that cannot be disabled or altered by users.
Pega Cloud security and compliance teams conduct regular audits and risk assessments of the Pega Cloud service offering to maintain adequate governance over the entire environment. In addition:
- Pega Cloud provides vulnerability and security management for Pega Cloud-delivered environments and the Pega Cloud service management systems.
- Customer-led, application-level vulnerability assessment requests and other security reviews can be accommodated according to the Pega Cloud penetration testing policy.
- At least once per year or when significant changes to the networks are made, Pega Cloud conducts an information security risk assessment on current information security controls that affect the confidentiality, integrity, and availability of customer data.
Customer privacy and security responsibilities
One of the design principles of Pega Cloud is that customers maintain certain controls in their Pega Cloud environments. These controls complement those in Pega Cloud and include these customer responsibilities:
- The customer is responsible for adhering to the Pega Cloud Acceptable Use Policy.
- The customer is responsible for establishing, managing, monitoring, and otherwise controlling all application user accounts and privileges within their developed applications.
- The customer is responsible for the accuracy, classification, quality, integrity, and legality of the customer’s applications, content, and stored data, and for the quality, configuration, and performance of the customer applications.
- The customer is responsible for notifying Pega Cloud management of specific data domiciling or regulatory requirements such as U.S. or EU-only data storage or Business Associate Agreements.
- The customer is responsible for the classification and use of the data they collect, including:
- Data minimization and retention
- Data use limitation
- Data quality and content integrity
- The customer must make reasonable efforts to prevent unauthorized access to or use of the subscription and notify Pegasystems promptly of any such unauthorized access or use.
- The customer is responsible for reporting issues and incidents to Pega Cloud, and for following up on the status of those issues to ensure that they are resolved.
- The customer is responsible for reviewing and signing off on all changes presented to them by Pega Cloud.
- The customer monitors the security of the developed application by using Pega 7 Platform tools.
Amazon Web Services and the “Powered by Amazon Web Services” logo are trademarks of Amazon.com, Inc. or its affiliates in the United States and/or other countries.