Application and data security are major concerns of information technology organizations today. Inadequate security can prevent your application from being deployed. Security failures in deployment can expose your organization to severe consequences, from loss of customers and of your organization’s reputation to legal and financial penalties.
Pega® Platform provides powerful capabilities for implementing security in your applications, especially when you deploy guardrail-compliant applications. The Pega Platform model-driven architecture allows you to secure applications in most cases by configuring built-in features, and you do not need to rely on custom code built by developers who are not security experts.
However, you still have responsibilities that are critical to deploying secure applications, including the following actions:
- Review Pegasystems' best practices for secure application development and deployment:
- The Security checklist for deploying applications provides guidance for verifying whether you have followed best practices.
- Understand the Pega Platform features that help you define and configure security within your application. For more information, see:
Pega Platform security features
The goal of security is to prevent loss of confidentiality (access to systems or data by unauthorized individuals), integrity (modifications to systems or data by unauthorized individuals), and availability (unacceptable delays in access to systems or data by authorized individuals). This goal is primarily accomplished by implementing authentication, authorization, and auditing:
- Authentication – The most typical example of authentication is when a user logs in to your application and supplies a valid user ID and password to begin a session. However, there are times when requests for a resource, or service must be verified, such as when connectors call out from the Pega Platform to external systems. Pega Platform refers to all these cases, including application users running interactive sessions, as requestors. Various protocols can be used to authenticate requestors, and requestors’ credentials can be stored in the Pega database or in external stores. After the initial authentication, session management features ensure that requests for continued access to the system and data still come from authenticated requestors. For more information, see Authentication in Pega Platform.
- Authorization or access control – Most authenticated requestors should not be allowed complete access to all parts of the user interface, to all application functions and activities, and should not be allowed to view or change all data. Authorization features ensure that users and requestors are only allowed to access user interfaces and perform functions for which they are authorized, and only see and change data required for them to perform those functions. Pega Platform offers two complementary sets of authorization features:
- Role-based access control (RBAC) that is based on privileges
- Attribute-based access control (ABAC) that is based on comparing user information to data in cases on a row-by-row and column-by-column basis
For more information, see Authorization models in Pega Platform.
- Auditing or accountability – Pega Platform lets you configure the level of auditing for security events triggered by requestors. These security events include almost any action performed by a user, a developer, or any other requestor who accesses the application, accesses or changes data, changes security policies or security-related rules or landing pages, and so on. For more information, see Auditing in Pega Platform.
In addition to features that explicitly accomplish authentication, authorization, and auditing, other Pega Platform components represent important policies, assets, and safeguards to use with these features such as:
- Certificate, key, and token management – The management of these important assets is critical to the secure functioning of other security features.
- Confidentiality and encryption – The confidentiality of your sensitive data at rest, in transit, and in use is extremely important. Pega Platform uses state-of-the-art encryption features that allow you to secure sensitive information at any point in a business process.
- Virus checking – Pega Platform allows your application to link to a (third-party) virus checking program before processing any email or attachment.
- Content security policies (CSP) – Use CSP to lock down your applications in various ways to mitigate the risk of content injection vulnerabilities such as cross-site scripting, and reduce the privileges required to run your application. For more information, see Content Security Policy.