What keeps Pega applications secure behind the scenes? In this first article from the Pega Enterprise Infrastructure series, we begin with one of the most critical building blocks: Security and Encryption.
Security and Encryption refers to the integrated protective mechanisms that Pega Cloud uses to safeguard enterprise data and systems from unauthorized access, breaches, and attacks.
Key Components
- Allow List Management: Client-defined inbound IP allow lists to restrict access to Pega Cloud environments. Applicability: All Environments, all regions.
- Anti-Virus: Anti-virus scanning on all environments for case attachment uploads, SFTP uploads, Data Transfer Service, and Cloud File Storage. Quarantine on detection. Applicability: All Environments, all regions. Covers standard Pega upload flows only; custom upload flows not protected.
- DARE (Data-At-Rest Encryption): Data-At-Rest Encryption using 256-bit AES for all volumes, databases, and object storage. Keys rotated regularly, stored in FIPS 140-2 compliant KMS. Applicability: All Environments, all regions. Enabled by default.
- DDoS Protection: Multi-layered DDoS protection covering Layers 3-7 with auto-scaling edge resources, IPS, ACLs, and geographic isolation. Applicability: All Environments, all regions. Client may supplement with third-party DDoS provider for public-facing apps.
- Outbound ACL: Client-managed outbound access control - deny-by-default egress filtering per environment for data exfiltration protection. Applicability: Pega Cloud Advanced Networking add-on. Pega Cloud 3 only. All regions.
- Security Logs: 12-month retention of security audit logs with network and system-level access monitoring. Applicability: All Environments, all regions.
- TLS/HTTPS: Data-in-transit encryption via TLS and digital certificates for all web application traffic. Applicability: All Environments, all regions. Enabled by default.
- Vuln Testing: Client-authorized application vulnerability and penetration testing on pre-production and production environments per Pega’s testing policy. Applicability: All Environments, all regions. Requires Pega pre-authorization. Not permitted on trial environments.
- WAF (Web Application Firewall) providing Layer 7 application-level DDoS mitigation and traffic filtering. Applicability: All Environments, all regions.
- Zero Trust: Zero Trust Architecture support including SSO, MFA, RBAC/ABAC/CBAC, environment isolation, network segmentation, and WAF.Applicability: All Environments, all regions. Client configures identity provider integration.
These components work together to create a layered security model that protects your enterprise data at every stage — from authentication through storage to transit.
Next article will be focused on Allow List Management (as part of Security and Encryption).
