Executive Summary
The purpose of this white paper is to describe how the different aspects of system security, reliability, and
secure integrations are implemented for the Pega Cloud. In particular, we will focus on how the Pega Cloud
has addressed the data privacy concerns of the financial services, healthcare, insurance and other heavily
regulated industries.
Data Security Architecture
Figure 1:
There are multiple layers of security built into the fabric of the Pega Cloud as depicted in Figure 1. At its base
the Pega Cloud is built on a virtualization layer. On this virtualization layer Pega provisions each customer
its own Private Virtual Infrastructure (PVI). In addition to the firewall protecting the physical servers, each
customer's PVI has its own configurable software firewall. Additionally, the Pega Cloud provides each
customer’s PVI encryption at the OS level, the DB level and the web server level via HTTPS. We also offer the
option to secure data traffic with the Pega Cloud Secure VPN.
Lastly, to better support our customers' security and compliance needs Pega has
invested in attaining compliance accreditations and partnered exclusively with
firms that have the appropriate security credentials and process rigor. The Pega
Cloud infrastructure and physical server support procedures have passed a SAS 70
Type II audit, and Pega.com has received the seal of approval from VeriSign.
The subsequent sections of this paper will delve further into how the Pega Cloud
data security architecture addresses the requirements of common data privacy
concerns and regulations and makes integration between the cloud and the client
data center easier.
Data Privacy Regulations
To achieve compliance with data privacy regulations, companies must define,
develop and implement a set of controls and procedures as required by the
applicable regulations. Some common regulations that affect Pega’s customers are
listed in Table 1.
Name                                                  Acronym
Payment Card Industry Data Security Standards         PCI DSS
Health Insurance Portability and Accountability Act   HIPAA
EU Data Protection Directive                          95/46/EC
Gramm–Leach–Bliley Act                                GLBA
Massachusetts Data Protection Act                     201 CMR 17.00
Table 1
Data privacy regulations prescribe similar controls and measures. We have listed
four common elements we identified from our research and discussions with
customers in Table 2.
Measure / Control Name                   Description
Privacy Controls                         Data traveling over public networks needs to be encrypted during transmission (“in-flight”) and while stored (“at-rest”)
Security Controls                        Access control processes need to be in place to restrict access to “in-flight” and “at-rest” data
Audit Controls                           Data access needs to be tracked, logged, and stored for extended periods of time in case of an audit
Backups and Disaster Recovery Measures   Companies must have a data back-up and disaster recovery plan in place to ensure continuity of business operations
Table 2
Pegasystems’ 25 years of working with Fortune 1000 enterprises to deliver leading-edge BPM and rules
automation solutions provides the experience for understanding and optimizing performance in complex,
high-volume mission-critical environments.
Encryption of Data “In-Flight”
There are three main types of communication between a customer’s PVI and its
data center:
• User traffic
• Administrator traffic
• Integration traffic
User traffic is all passed via HTTPS, with a minimum of 128-bit SSL encryption of
all traffic passing over the internet. All administrator traffic is encrypted through
the Pega Cloud’s Secure VPN. Integration traffic is also passed through the
Pega Cloud’s Secure VPN, which encrypts not only the data within the packets,
but the packet headers as well. This prevents not just eavesdropping, but even
information disclosure about the services and networks being accessed within
your enterprise datacenter.
Encryption of Data “At-Rest”
Sensitive data handled by Pega Cloud applications is encrypted whenever it is
stored in persisted memory. When it is accessed by a user in the course of using
the application, file system encryption ensures that access to the physical disk
could not expose any sensitive data. Further, database records are encrypted with
the Blowfish, Triple-DES, or AES algorithm using 256-bit keys.
Intrusion Detection
Pega Cloud systems include host-based intrusion detection (HIDS) that monitor
unauthorized access attempts, suspicious activity, and unexpected behavior of
each server within the Pega Cloud system. HIDS alerts are monitored 24x7 by
security personnel and archived for review and troubleshooting purposes for at
least three years.
Privacy Controls
The Pega Cloud is the most popular way to develop BPM solutions on the cloud. With over 1,000
instances provisioned securely and reliably for the world’s leading financial services, insurance and
healthcare institutions, the Pega Cloud is now the gold standard on the cloud.
Transfer of Personal Data Outside the Region or Country of Origin
Some privacy controls restrict the movement of protected data. For example,
the EU Data Protection Directive mandates that protected data be kept in the
European Economic Area (EEA). There are exceptions to the EU Data Protection
Directive for US-based companies such as Pega under the Safe Harbor Principles
(a set of seven principles that US companies need to comply with in order to
store protected data originating in the EU); in practice, however, many European
firms insist that their data stays in the EU.
Fortunately, the Pega Cloud supports deploying data in specific geographic
regions, and Pega guarantees this data will not move outside the originally
designated region. For example, if a European bank wants to keep its data in
the EU, Pega would provision the bank’s PVI in Ireland, which is a member of
the EEA, and also guarantee that the European bank’s data would always be
housed in Ireland. Figure 2 depicts all the regions in which the Pega Cloud can
store your protected data.
Figure 2
Physical Security
Pega Cloud data centers are housed in nondescript facilities, and critical
facilities have extensive setback and military grade perimeter control berms as
well as other natural boundary protection. Physical access is strictly controlled
both at the perimeter and at building ingress points by professional security
staff utilizing video surveillance, state of the art intrusion detection systems,
and other electronic means. Authorized staff must pass two-factor
authentication no fewer than three times to access data center floors. All
visitors and contractors are required to present identification and are signed in
and continually escorted by authorized staff.
Access Controls
In addition to the physical security, Pega Cloud operations has implemented
access control measures restricting access to applications, data, and software to
only those entities that have a documented, current business need. Furthermore,
all physical and electronic access to data centers by employees is logged and
audited routinely.
These measures have been tailored to meet the requirements of the security
policies required by Pega’s customers (HIPAA, SOX, and/or others as required).
Access to Pega Cloud systems is locked down by subnet, port, protocol, server,
role, and user to allow only the access required for the business function. Pega
requires that all its employees and contractors who will be performing services
for Pega undergo a background check, including screening of employment
history, education confirmations and identifying criminal convictions.
Restricting Inbound Traffic with a Software Firewall
The concept of a software firewall is two-fold:
• A software firewall can limit inbound traffic to Pega Cloud servers. In this
  capacity, its capabilities are analogous to those of a conventional network
  firewall: flows can be limited by port, protocol, and subnet to prevent
  unwanted access.
• A software firewall can group servers that reside on the Pega Cloud.
  Servers within a single software firewall can communicate freely with
  each other.
A side benefit of the software firewall construct is the limitation of access
between instances that reside on the Pega Cloud. All traffic between virtual
servers on the cloud is routed through the Xen Hypervisor layer and restricted by
the software firewall. Virtual servers that are controlled by different customers
are completely unable to access each other unless specifically allowed via the
customers’ software firewall configurations.
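The two-fold behaviour described above (inbound rules by port, protocol and subnet; free communication inside a group; default deny between customers unless explicitly allowed) can be modelled as a small policy evaluator. This is an added illustration, not Pega's own implementation; the group names, addresses and rules are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """Inbound allow rule: flows are limited by protocol, port and source subnet."""
    protocol: str       # "tcp" or "udp"
    port: int           # destination port
    source_cidr: str    # subnet permitted to originate the flow


@dataclass
class FirewallGroup:
    """A software firewall grouping the servers of one customer's PVI."""
    name: str
    customer: str
    members: frozenset                      # server addresses inside this group
    inbound: list = field(default_factory=list)


class SoftwareFirewall:
    def __init__(self, groups):
        self.groups = groups

    def group_of(self, addr):
        return next((g for g in self.groups if addr in g.members), None)

    def allows(self, src, dst, protocol, port):
        """Default deny: allow only same-group traffic or an explicit inbound rule."""
        src_group, dst_group = self.group_of(src), self.group_of(dst)
        if dst_group is None:
            return False                    # destination is not a managed server
        if src_group is dst_group:
            return True                     # servers in one group talk freely
        src_ip = ipaddress.ip_address(src)
        return any(r.protocol == protocol and r.port == port
                   and src_ip in ipaddress.ip_network(r.source_cidr)
                   for r in dst_group.inbound)


# Constructed sample (hypothetical addresses): two customers' PVIs on one cloud.
BANK_WEB = FirewallGroup("bank-web", "bank", frozenset({"10.1.0.10", "10.1.0.11"}),
                         [Rule("tcp", 443, "0.0.0.0/0")])
BANK_DB = FirewallGroup("bank-db", "bank", frozenset({"10.1.1.5"}),
                        [Rule("tcp", 5432, "10.1.0.0/24")])
INSURER_APP = FirewallGroup("insurer-app", "insurer", frozenset({"10.2.0.7"}))
FW = SoftwareFirewall([BANK_WEB, BANK_DB, INSURER_APP])
```

The insurer's server cannot reach the bank's database because no inbound rule on the database group names its subnet, which is the cross-customer isolation the text describes.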
Security Controls
User Authentication and Control
The authorization of individuals, organizations, and roles to access applications,
data, and software can be implemented via single sign-on integration with an
enterprise’s existing identity management solution where one exists. This allows
for centralized control of access to corporate resources and streamlines the
provisioning and de-provisioning process.
User access is subject to automatic logout; robust password policy, including
complexity, longevity, and reset process controls; and lockouts after five
unsuccessful access attempts.
Administrative access to the servers used by the Pega Cloud system is
controlled by SSHv2 certificates. Administrative access to additional resources
on the Pega Cloud, including the software firewall configuration and elasticity
tuning, is controlled by the keys associated with the customer’s account.
Backups and Disaster Recovery Measures
Incremental backups of all application data are taken nightly and retained for a
trailing three weeks. In addition, full backups are taken weekly and retained for
a trailing three months. Pega Cloud production deployments also employ a
disaster recovery (DR) architecture that keeps the recovery point objective under
15 minutes and the recovery time objective under an hour. Figure 3 depicts the
Pega Cloud DR architecture.
Additionally, and as mentioned earlier, the Pega Cloud provides customers the
flexibility to place instances within multiple geographic regions, and each region
is divided into separate zones. Each zone is designed with fault separation. This
means that zones are physically separated within a typical metropolitan region,
on different flood plains, in seismically stable areas. In addition to discrete
uninterruptible power source (UPS) and onsite backup generation facilities, they
are each fed via different grids from independent utilities to further reduce single
points of failure. They are all redundantly connected to multiple tier-1 transit
providers.
Figure 3
Availability
Datacenters are designed to anticipate and tolerate failure while maintaining
service levels. Datacenters are built in clusters in various global regions. All
datacenters are online and serving traffic; no datacenter is “cold”.
In case of failure, automated processes move traffic away from the affected area
to another data center in the same region. Core applications are deployed to
an N+1 standard, so that in the event of a datacenter failure, there is sufficient
capacity to enable traffic to be load-balanced to the remaining sites.
Incident Response
The Pega Cloud incident management team employs industry-standard diagnosis
to drive resolution during business-impacting events. Staff operators in the US
and Europe provide 24 x 7 coverage to detect incidents and manage the impact
and resolution. We have demonstrated experience in implementing
around-the-clock war room management control for large-scale events.
Business Continuity
The Pega Cloud business-continuity plan (BCP) drives our standard practices
to support ongoing, worldwide business and the ability to scale to the increased
scope of catastrophic events. Standard practices are supplemented with
dedicated preparation for catastrophic events. The Pega Cloud team maintains
current response plans for a series of disaster scenarios, and we test our
response in production by simulating disasters. All these practices are subject to
ongoing company-wide and executive review.
Testing
The Pega Cloud infrastructure’s critical systems are regularly tested under
simulated conditions of catastrophic failure. Additionally, the Pega Cloud
infrastructure is maintained at regular intervals.
Company-wide Executive Review
Internal Audit periodically audits Business Continuity Plans. The business
continuity plan is periodically reviewed by the senior executive team and by the
audit committee of the Board of Directors.
Audit Controls
Pega documents all of its security policies and procedures. For each customer of
the Pega Cloud, documentation and audit trails are maintained for:
• Certification of the security of computer system(s) and network design(s)
• Applications and data criticality analysis
• A data backup plan
• A disaster recovery plan
• An emergency mode operation plan
• Testing and revision procedures
• Access authorization policies and procedures
• Access establishment policies and procedures
• Access modification policies and procedures
• Software installation
• Maintenance review and testing for security features
• Inventory procedures
• Security testing
• Virus checking
• Security incident report procedures
• Security incident response procedures
• Risk analysis
• Risk management
• Removal from access lists
• Removal of user account(s)
• Maintenance of access authorization records
• Ensuring that operating, and in some cases, maintenance personnel have
  proper access
• Personnel clearance procedures
• Personnel security policy/procedures
Assigned Security Responsibility
The responsibility for implementing, supervising, and maintaining the above
security standards rests with a named individual or role within the Pega
Cloud service provider.
Integrations with your data center and internal systems
With the Pega Cloud you can integrate with the systems housed on your existing
network via the Pega Cloud Secure VPN.
We provision, monitor and manage the Pega Cloud Secure VPN to create an
overlay network packaged to work between a customer’s corporate datacenter
and its PVI. Not only does this ensure that all communication between your
PVI and datacenter is encrypted, but it also allows your PVI to be part of your
private subnet. Once your PVI is part of your private subnet your BPM application
can integrate with backend enterprise systems using Pega BPM Services
and Connectors - as simply and securely as if it resided within your corporate
datacenter.
Lastly, you can leverage the Pega Cloud Secure VPN with your existing extranet
infrastructure.
The Pega Cloud Secure VPN supports almost every IPSec data center extranet
solution, including Cisco ASA, Cisco PIX, and Juniper NetScreen.