Inside Pega Enterprise Infrastructure: Security and Encryption

What keeps Pega applications secure behind the scenes? In this first article from the Pega Enterprise Infrastructure series, we begin with one of the most critical building blocks: Security and Encryption.

Security and Encryption refers to the integrated protective mechanisms that Pega Cloud uses to safeguard enterprise data and systems from unauthorized access, breaches, and attacks.

Key Components

  1. Allow List Management: Client-defined inbound IP allow lists to restrict access to Pega Cloud environments. Applicability: All Environments, all regions.
  2. Anti-Virus: Anti-virus scanning on all environments for case attachment uploads, SFTP uploads, Data Transfer Service, and Cloud File Storage. Quarantine on detection. Applicability: All Environments, all regions. Covers standard Pega upload flows only; custom upload flows not protected.
  3. DARE (Data-At-Rest Encryption): Data-At-Rest Encryption using 256-bit AES for all volumes, databases, and object storage. Keys rotated regularly, stored in FIPS 140-2 compliant KMS. Applicability: All Environments, all regions. Enabled by default.
  4. DDoS Protection: Multi-layered DDoS protection covering Layers 3-7 with auto-scaling edge resources, IPS, ACLs, and geographic isolation. Applicability: All Environments, all regions. Client may supplement with third-party DDoS provider for public-facing apps.
  5. Outbound ACL: Client-managed outbound access control - deny-by-default egress filtering per environment for data exfiltration protection. Applicability: Pega Cloud Advanced Networking add-on. Pega Cloud 3 only. All regions.
  6. Security Logs: 12-month retention of security audit logs with network and system-level access monitoring. Applicability: All Environments, all regions.
  7. TLS/HTTPS: Data-in-transit encryption via TLS and digital certificates for all web application traffic. Applicability: All Environments, all regions. Enabled by default.
  8. Vuln Testing: Client-authorized application vulnerability and penetration testing on pre-production and production environments per Pega’s testing policy. Applicability: All Environments, all regions. Requires Pega pre-authorization. Not permitted on trial environments.
  9. WAF (Web Application Firewall) providing Layer 7 application-level DDoS mitigation and traffic filtering. Applicability: All Environments, all regions.
  10. Zero Trust: Zero Trust Architecture support including SSO, MFA, RBAC/ABAC/CBAC, environment isolation, network segmentation, and WAF.Applicability: All Environments, all regions. Client configures identity provider integration.

These components work together to create a layered security model that protects your enterprise data at every stage — from authentication through storage to transit.

Next article will be focused on Allow List Management (as part of Security and Encryption).