Security around the use of Pega BYOK and AWS KMS
In order to have control over the encryption of data within Pega Cloud we have been pointed at the BYOK capability available with Pega Cloud and AWS. In order to implement this we will have to design an AWS tenancy and appropriate security controls in that tenancy. We therefore require detailed explanations/documentation on how BYOK works and the security controls implemented within Pega Cloud so that this can be passed in front of security architects and accreditors along with infrastructure architects responsible for our cloud tenancies. We have read the available documentation online but it does not provide sufficient explanation of the following question areas:

- The process of encryption and decryption of data.
- The concept of master keys and data keys, e.g. do we assume that the “CDKs are stored in encrypted format” statement means that Pega makes a call to our KMS to encrypt this Pega-generated key using the provided KMS Key ARN?
- The storage of keys, and the storage of decrypted keys.
- The frequency of encryption of data and of keys.
- What minimum set of permissions are required to be given to the Pega account? How far reaching is the Pega account (e.g. how many customers, how many staff have access to that account)?
- What IAM controls do Pega Cloud then apply to ensure that only SSCL application servers have access to be able to call the decrypt API?
- What controls are in place to control who can amend the IAM policies controlling this?
- What objects are encrypted and what are not?
- Are any credentials required to be shared between the Pega Cloud team and SSCL, or vice versa? What processes are used for sharing such confidential information? What security controls surround this?
- How does key rotation occur? What processes have to be performed by SSCL teams (in Pega and in AWS)? What frequencies are available? We are currently planning for annual rotation of AWS keys.
- How does AWS KMS auto rotation of keys get used?