CROSS INDUSTRY Pega Cloud Security and Reliability White Paper



Executive Summary

The purpose of this white paper is to describe how the different aspects of system security, reliability, and secure integrations are implemented for the Pega Cloud. In particular, we will focus on how the Pega Cloud has addressed the data privacy concerns of the financial services, healthcare, insurance and other heavily regulated industries.

Data Security Architecture

Figure 1

There are multiple layers of security built into the fabric of the Pega Cloud, as depicted in Figure 1. At its base the Pega Cloud is built on a virtualization layer. On this virtualization layer Pega provisions each customer its own Private Virtual Infrastructure (PVI). In addition to the firewall protecting the physical servers, each customer's PVI has its own configurable software firewall. Additionally, the Pega Cloud provides each customer's PVI with encryption at the OS level, the database level and the web server level (via HTTPS). We also offer the option to secure data traffic with the Pega Cloud Secure VPN.

Lastly, to better support our customers' security and compliance needs, Pega has invested in attaining compliance accreditations and partnered exclusively with firms that have the appropriate security credentials and process rigor. The Pega Cloud infrastructure and physical server support procedures have passed a SAS 70 Type II audit, and Pega.com has received the seal of approval from VeriSign.

The subsequent sections of this paper will delve further into how the Pega Cloud data security architecture addresses the requirements of common data privacy concerns and regulations and makes integration between the cloud and the client data center easier.

Data Privacy Regulations

To achieve compliance with data privacy regulations, companies must define, develop and implement a set of controls and procedures as required by the applicable regulations. Some common regulations that affect Pega's customers are listed in Table 1.

Name | Acronym / Reference
Payment Card Industry Data Security Standard | PCI DSS
Health Insurance Portability and Accountability Act | HIPAA
EU Data Protection Directive | 95/46/EC
Gramm–Leach–Bliley Act | GLBA
Massachusetts Data Protection Act | 201 CMR 17.00

Table 1

Data privacy regulations prescribe similar controls and measures. We have listed four common elements we identified from our research and discussions with customers in Table 2.

Measure / Control | Description
Privacy Controls | Data traveling over public networks must be encrypted during transmission ("in-flight") and while stored ("at-rest")
Security Controls | Access control processes must be in place to restrict access to "in-flight" and "at-rest" data
Audit Controls | Data access must be tracked, logged, and retained for extended periods of time in case of an audit
Backups and Disaster Recovery Measures | Companies must have a data backup and disaster recovery plan in place to ensure continuity of business operations

Table 2

Pegasystems' 25 years of working with Fortune 1000 enterprises to deliver leading-edge BPM and rules automation solutions provides the experience for understanding and optimizing performance in complex, high-volume, mission-critical environments.

Encryption of Data "In-Flight"

There are three main types of communication between a customer's PVI and its data center:

• User traffic

• Administrator traffic

• Integration traffic

User traffic is all passed via HTTPS, with a minimum of 128-bit SSL encryption of all traffic passing over the internet (that is, a symmetric cipher with at least a 128-bit key; the SSL and early TLS versions current when this paper was written have since been deprecated, so a current deployment should require TLS 1.2 or later). All administrator traffic is encrypted through the Pega Cloud's Secure VPN. Integration traffic is also passed through the Pega Cloud's Secure VPN, which encrypts not only the data within the packets but the original packet headers as well (IPsec tunnel mode); only the outer headers addressed to the two VPN gateways remain visible. This prevents not just eavesdropping but also disclosure of which services and networks are being accessed within your enterprise datacenter.

Encryption of Data "At-Rest"

Sensitive data handled by Pega Cloud applications is encrypted whenever it is written to persistent storage. File system encryption ensures that direct access to the physical disk does not expose sensitive data, even while a user is accessing it through the application. In addition, database records are encrypted with Blowfish, Triple-DES, or AES. The 256-bit key length quoted for this applies to AES (and to Blowfish, which accepts keys of up to 448 bits); Triple-DES is limited to a 168-bit key. Both Blowfish and Triple-DES are 64-bit block ciphers that are now considered legacy, so AES is the option to prefer.
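The following Go program is an added illustration of the at-rest record encryption described above and is not Pega's code. It uses AES-256 in GCM mode (an authenticated mode, so tampering is detected as well as prevented from being read) and binds each ciphertext to its record's primary key through the additional authenticated data, so a ciphertext copied into another row fails to decrypt. The key is generated locally only for the demonstration; in a real deployment it would come from a key management service, and the record identifier scheme ("customer:1001") is assumed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// recordCipher wraps a 256-bit AES key in GCM mode. GCM supplies both
// confidentiality and an integrity tag; the 64-bit block ciphers the paper
// also lists (Blowfish, Triple-DES) are deliberately not used here.
type recordCipher struct {
	aead cipher.AEAD
}

func newRecordCipher(key []byte) (*recordCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &recordCipher{aead: aead}, nil
}

// seal encrypts one sensitive column value for the row identified by recordID.
// The row id is passed as additional authenticated data, so the stored value
// only decrypts when presented together with the same row id.
func (c *recordCipher) seal(recordID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Stored layout: nonce || ciphertext || GCM tag. A fresh random nonce per
	// value means two equal plaintexts do not produce equal stored values.
	return c.aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// open reverses seal; any modification of the stored bytes, or a mismatched
// recordID, makes GCM authentication fail and returns an error.
func (c *recordCipher) open(recordID string, stored []byte) ([]byte, error) {
	n := c.aead.NonceSize()
	if len(stored) < n+c.aead.Overhead() {
		return nil, errors.New("stored value too short")
	}
	return c.aead.Open(nil, stored[:n], stored[n:], []byte(recordID))
}

func main() {
	key := make([]byte, 32) // demonstration only; a KMS would supply this
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	rc, err := newRecordCipher(key)
	if err != nil {
		panic(err)
	}
	stored, err := rc.seal("customer:1001", []byte("4111 1111 1111 1111"))
	if err != nil {
		panic(err)
	}
	pt, err := rc.open("customer:1001", stored)
	fmt.Println("same row:", string(pt), err)
	_, err = rc.open("customer:1002", stored)
	fmt.Println("copied to another row:", err)
}
```

The point of the AAD binding is that disk-level or database-level encryption alone says nothing about whether a ciphertext belongs where it is found; an attacker with write access to the table could otherwise move an encrypted value between rows without knowing the key.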

Intrusion Detection

Pega Cloud systems include host-based intrusion detection (HIDS) that monitors unauthorized access attempts, suspicious activity, and unexpected behavior on each server within the Pega Cloud system. HIDS alerts are monitored 24x7 by security personnel and archived for review and troubleshooting purposes for at least three years.

The Pega Cloud is the most popular way to develop BPM solutions on the cloud. With over 1,000 instances provisioned securely and reliably for the world's leading financial services, insurance and healthcare institutions, the Pega Cloud is now the gold standard on the cloud.

Privacy Controls

Transfer of Personal Data Outside the Region or Country of Origin

Some privacy controls restrict the movement of protected data. For example, the EU Data Protection Directive mandates that protected data be kept in the European Economic Area (EEA). Though there are exceptions to the EU Data Protection Directive for US-based companies such as Pega, based on the Safe Harbor Principles (a set of seven principles that US companies need to comply with in order to store protected EU-originated data), in practice many European firms insist that their data stays in the EU.

Fortunately, the Pega Cloud supports deploying data in specific geographic regions, and Pega guarantees that this data will not move outside the originally designated region. For example, if a European bank wants to keep its data in the EU, Pega would provision the bank's PVI in Ireland, which is a member of the EEA, and also guarantee that the European bank's data would always be housed in Ireland. Figure 2 depicts all the regions in which the Pega Cloud can store your protected data.


Figure 2

Physical Security

Pega Cloud data centers are housed in nondescript facilities, and critical facilities have extensive setback and military-grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Access Controls

In addition to the physical security, Pega Cloud operations has implemented access control measures restricting access to applications, data, and software to only those entities that have a documented, current business need. Furthermore, all physical and electronic access to data centers by employees is logged and audited routinely.

These measures have been tailored to meet the requirements of the security policies required by Pega’s customers (HIPAA, SOX, and/or others as required). Access to Pega Cloud systems is locked down by subnet, port, protocol, server, role, and user to allow only the access required for the business function. Pega requires that all its employees and contractors who will be performing services for Pega undergo a background check, including screening of employment history, education confirmations and identifying criminal convictions.

Restricting Inbound Traffic with a Software Firewall

The software firewall serves two purposes:

• It limits inbound traffic to Pega Cloud servers, in the same way a network firewall does: flows can be restricted by port, protocol, and source subnet, and anything not explicitly permitted is dropped.

• It groups servers that reside on the Pega Cloud. Servers within a single software firewall group can communicate freely with each other.

A side benefit of the software firewall construct is the limitation of access between instances that reside on the Pega Cloud. All traffic between virtual servers on the cloud is routed through the Xen Hypervisor layer and restricted by the software firewall. Virtual servers that are controlled by different customers are completely unable to access each other unless specifically allowed via the customers’ software firewall configurations.
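The following Go program is an added model of the policy just described, written for this page rather than taken from Pega's software firewall. It evaluates an inbound flow against per-customer groups: members of the same group may talk freely, any other source must match an explicit allow rule (source CIDR, protocol, destination port), and everything else, including traffic from another customer's servers, is dropped. The two customer groups, their addresses (a VPN subnet of 192.168.50.0/24 and an internet client at 203.0.113.9) and the rule set are constructed sample data.

```go
package main

import (
	"fmt"
	"net"
)

// flow is one inbound connection attempt as the hypervisor-level firewall sees it.
type flow struct {
	srcIP, dstIP string
	proto        string // "tcp" or "udp"
	dstPort      int
}

// rule permits proto/port from a source CIDR. There are no deny rules:
// whatever is not explicitly allowed is dropped.
type rule struct {
	srcCIDR *net.IPNet
	proto   string
	port    int
}

// group models one customer's software firewall: the servers inside it and
// the inbound rules that apply to them.
type group struct {
	name    string
	members map[string]bool // server IPs inside the group
	rules   []rule
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// allowed is the policy decision for one flow, given every group on the host.
func allowed(groups []group, f flow) bool {
	var dst *group
	for i := range groups {
		if groups[i].members[f.dstIP] {
			dst = &groups[i]
			break
		}
	}
	if dst == nil {
		return false // destination owned by no group: default deny
	}
	if dst.members[f.srcIP] {
		return true // servers inside one group communicate freely
	}
	src := net.ParseIP(f.srcIP)
	if src == nil {
		return false
	}
	for _, r := range dst.rules {
		if r.proto == f.proto && r.port == f.dstPort && r.srcCIDR.Contains(src) {
			return true
		}
	}
	return false // another customer's server, or the internet, with no matching rule
}

// sampleGroups is constructed data: two customers' PVIs on the same cloud.
func sampleGroups() []group {
	return []group{
		{
			name:    "bank-a-pvi",
			members: map[string]bool{"10.0.1.10": true, "10.0.1.11": true},
			rules: []rule{
				{srcCIDR: cidr("0.0.0.0/0"), proto: "tcp", port: 443},      // HTTPS from anywhere
				{srcCIDR: cidr("192.168.50.0/24"), proto: "tcp", port: 22}, // SSH only over the VPN subnet
			},
		},
		{
			name:    "insurer-b-pvi",
			members: map[string]bool{"10.0.2.20": true},
			rules:   []rule{{srcCIDR: cidr("0.0.0.0/0"), proto: "tcp", port: 443}},
		},
	}
}

func main() {
	g := sampleGroups()
	for _, f := range []flow{
		{"203.0.113.9", "10.0.1.10", "tcp", 443},  // public HTTPS: allowed
		{"203.0.113.9", "10.0.1.10", "tcp", 22},   // SSH from the internet: dropped
		{"10.0.2.20", "10.0.1.10", "tcp", 5432},   // other customer to the database port: dropped
	} {
		fmt.Printf("%s -> %s %s/%d allowed=%v\n", f.srcIP, f.dstIP, f.proto, f.dstPort, allowed(g, f))
	}
}
```

Note that a rule whose source is 0.0.0.0/0 also admits another tenant's servers on that port, which is exactly what the paper means by "unless specifically allowed via the customers' software firewall configurations": the isolation is only as tight as the most permissive rule.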

Security Controls

User Authentication and Control

The authorization of individuals, organizations, and roles to access applications, data, and software can be implemented via single sign-on integration with an enterprise's existing identity management solution where one exists. This allows for centralized control of access to corporate resources and streamlines the provisioning and de-provisioning process.

User access is subject to automatic logout; robust password policy, including complexity, longevity, and reset process controls; and lockouts after five unsuccessful access attempts.
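The following Go program is an added example of the application-level controls in that sentence, written for this page and not taken from Pega's product: a password-complexity check, a per-account failure counter that locks the account after five unsuccessful attempts, rejection of even a correct password while the lock is in force, a counter reset on success, and a password-age check. The lockout duration (30 minutes), the 90-day maximum password age and the 12-character minimum are assumptions; the paper states only the five-attempt threshold. The salted SHA-256 used to store passwords is a stand-in for a proper slow password hash (bcrypt, scrypt or Argon2), which the Go standard library does not include.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"io"
	"time"
	"unicode"
)

const (
	maxFailures     = 5                   // the paper's five unsuccessful attempts
	lockoutDuration = 30 * time.Minute    // assumed; the paper gives no unlock interval
	passwordMaxAge  = 90 * 24 * time.Hour // assumed "longevity" control
	minPasswordLen  = 12                  // assumed complexity minimum
)

var (
	errBadCredentials = errors.New("invalid username or password")
	errLocked         = errors.New("account locked")
	errExpired        = errors.New("password expired, reset required")
	errWeakPassword   = errors.New("password does not meet policy")
)

type account struct {
	salt, hash  []byte
	failures    int
	lockedUntil time.Time
	changedAt   time.Time
}

type authenticator struct {
	accounts map[string]*account
	now      func() time.Time // injectable clock so lockout expiry can be tested
}

func newAuthenticator(now func() time.Time) *authenticator {
	return &authenticator{accounts: map[string]*account{}, now: now}
}

// hashPassword is a placeholder: salted SHA-256 is NOT a proper password hash.
func hashPassword(salt []byte, pw string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(pw))
	return h.Sum(nil)
}

// passwordMeetsPolicy requires minimum length plus upper, lower and digit classes.
func passwordMeetsPolicy(pw string) bool {
	var upper, lower, digit bool
	for _, r := range pw {
		upper = upper || unicode.IsUpper(r)
		lower = lower || unicode.IsLower(r)
		digit = digit || unicode.IsDigit(r)
	}
	return len([]rune(pw)) >= minPasswordLen && upper && lower && digit
}

func (a *authenticator) register(user, pw string) error {
	if !passwordMeetsPolicy(pw) {
		return errWeakPassword
	}
	salt := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return err
	}
	a.accounts[user] = &account{salt: salt, hash: hashPassword(salt, pw), changedAt: a.now()}
	return nil
}

func (a *authenticator) login(user, pw string) error {
	acct, ok := a.accounts[user]
	if !ok {
		hashPassword(make([]byte, 16), pw) // same work for unknown users, so timing does not reveal which names exist
		return errBadCredentials
	}
	now := a.now()
	if now.Before(acct.lockedUntil) {
		return errLocked // a correct password is also rejected while locked
	}
	if subtle.ConstantTimeCompare(hashPassword(acct.salt, pw), acct.hash) != 1 {
		acct.failures++
		if acct.failures >= maxFailures {
			acct.lockedUntil = now.Add(lockoutDuration)
			acct.failures = 0
		}
		return errBadCredentials
	}
	acct.failures = 0 // success resets the counter
	if now.Sub(acct.changedAt) > passwordMaxAge {
		return errExpired
	}
	return nil
}

func main() {
	a := newAuthenticator(time.Now)
	fmt.Println(a.register("alice", "Correct-Horse-7"))
	for i := 0; i < 6; i++ {
		fmt.Println(a.login("alice", "wrong"))
	}
	fmt.Println(a.login("alice", "Correct-Horse-7")) // still locked
}
```

The unknown-user branch and the constant-time comparison are not in the paper's sentence but belong with any lockout implementation: without them the login endpoint leaks which usernames exist, which is the first thing an attacker wants before spending five guesses on each.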

Administrative access to the servers used by the Pega Cloud system is controlled by SSHv2 certificates (public-key authentication rather than passwords). Administrative access to additional resources on the Pega Cloud, including the software firewall configuration and elasticity tuning, is controlled by the keys associated with the customer's account.

Backups and Disaster Recovery Measures

Incremental backups of all application data are taken nightly and retained for a trailing three weeks. Full backups are taken weekly and retained for a trailing three months. In addition, Pega Cloud production deployments employ a disaster recovery (DR) architecture with a recovery point objective (RPO) of under 15 minutes and a recovery time objective (RTO) of under an hour. Figure 3 depicts the Pega Cloud DR architecture.

Additionally, and as mentioned earlier, the Pega Cloud provides customers the flexibility to place instances within multiple geographic regions, and each region is divided into separate zones. Each zone is designed with fault separation. This means that zones are physically separated within a typical metropolitan region, on different flood plains, in seismically stable areas. In addition to discrete uninterruptible power supply (UPS) and onsite backup generation facilities, they are each fed via different grids from independent utilities to further reduce single points of failure. They are all redundantly connected to multiple tier-1 transit providers.

Figure 3

Availability

Datacenters are designed to anticipate and tolerate failure while maintaining service levels. Datacenters are built in clusters in various global regions. All datacenters are online and serving traffic; no datacenter is "cold".

In case of failure automated processes move traffic away from the affected area to another data center in the same region. Core applications are deployed to an N+1 standard, so that in the event of a datacenter failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.

Incident Response

The Pega Cloud incident management team employs industry-standard diagnosis to drive resolution during business-impacting events. Staff operators in the US and Europe provide 24 x 7 coverage to detect incidents and manage the impact and resolution. We have demonstrated experience in implementing around-the-clock war room management control for large-scale events.

Business Continuity

The Pega Cloud business-continuity plan (BCP) drives our standard practices to support ongoing, worldwide business and the ability to scale to the increased scope of catastrophic events. Standard practices are supplemented with dedicated preparation for catastrophic events. The Pega Cloud team maintains current response plans for a series of disaster scenarios, and we test our response in production by simulating disasters. All these practices are subject to ongoing company-wide and executive review.

Testing

The Pega Cloud infrastructure's critical systems are regularly tested under simulated conditions of catastrophic failure. Additionally, the Pega Cloud infrastructure is maintained at regular intervals.

Company-wide Executive Review

Internal Audit periodically audits Business Continuity Plans. The business continuity plan is periodically reviewed by the senior executive team and by the audit committee of the Board of Directors.

Audit Controls

Pega documents all of its security policies and procedures. For each customer of the Pega Cloud, documentation and audit trails are maintained for:

• Certification of the security of computer system(s) and network design(s)

• Applications and data criticality analysis

• A data backup plan

• A disaster recovery plan

• An emergency mode operation plan

• Testing and revision procedures

• Access authorization policies and procedures

• Access establishment policies and procedures

• Access modification policies and procedures

• Software installation

• Maintenance review and testing for security features

• Inventory procedures

• Security testing

• Virus checking

• Security incident report procedures

• Security incident response procedures

• Risk analysis

• Risk management

• Removal from access lists

• Removal of user account(s)

• Maintenance of access authorization records

• Ensuring that operating, and in some cases maintenance, personnel have proper access

• Personnel clearance procedures

• Personnel security policy/procedures

Assigned Security Responsibility

The responsibility for implementing, supervising, and maintaining the above security standards rests with a named individual or role within the Pega Cloud service provider.

Integrations with your data center and internal systems

With the Pega Cloud you can integrate with the systems housed on your existing network via the Pega Cloud Secure VPN.

We provision, monitor and manage the Pega Cloud Secure VPN to create an overlay network packaged to work between a customer’s corporate datacenter and its PVI. Not only does this ensure that all communication between your PVI and datacenter is encrypted, but it also allows your PVI to be part of your private subnet. Once your PVI is part of your private subnet your BPM application can integrate with backend enterprise systems using Pega BPM Services and Connectors - as simply and securely as if it resided within your corporate datacenter.

Lastly, you can use the Pega Cloud Secure VPN with your existing extranet infrastructure: it supports almost every IPsec data center extranet solution, including Cisco ASA, Cisco PIX and Juniper NetScreen.

About Pegasystems

Pegasystems (NASDAQ: PEGA), the leader in Business Process Management, provides software to drive revenue growth, productivity and agility for the world’s most sophisticated organizations. Customers use our award-winning SmartBPM® suite to improve customer service, reach new markets and boost operational effectiveness.

Our patented SmartBPM® technology makes enterprise applications easy to build and change by directly capturing business objectives and eliminating manual programming. SmartBPM® unifies business rules and processes into composite applications that leverage existing systems — empowering businesspeople and IT staff to Build for Change®, deliver value quickly and outperform their competitors.

Pegasystems’ suite is complemented by best-practice frameworks designed for leaders in financial services, insurance, healthcare, government, life sciences, communications, manufacturing and other industries.

Headquartered in Cambridge, MA, Pegasystems has offices in North America, Europe and Asia. Visit us at www.pega.com.

Copyright © 2010 Pegasystems Inc. All rights reserved. PegaRules, Process Commander, SmartBPM and the Pegasystems logo are trademarks or registered trademarks of Pegasystems Inc. All other product names, logos and symbols may be registered trademarks of their respective owners.