Is Pelican secure?


Pelican works extremely hard to create a secure solution for their customers. Here are a few examples of our security practices.

AES 128-bit encryption

Pelican uses 128-bit AES end-to-end encryption between server and gateway data transfers.

Outbound Only connection

Pelican does NOT require any Inbound firewall connections.

Note: Outbound versus Inbound connections describe how two devices are able to communicate from inside a building across the Internet to an external device.

Outbound connections are similar to how your computer reaches a website from inside the business. The computer creates a connection to a website (by you putting the websites URL into your browser). The website has no record of where you are located, because you made the connection. This is extremely secure because firewall’s do not care if internal devices are connecting to websites.

Inbound connections are similar to taking your computer home and having IT setup an allowance for you to use your computer to connect back into the business’s internal private network. The computer, at your home, needs to know how to find the business’s network. This also means that the business network’s firewall needs to allow external computers to connect into the internal private network.

Both of these connection approaches can be setup to be extremely secure. But, an Inbound connection requires IT support and special firewall configurations. Even with Inbound connections being secure, every Inbound allowance is considered a potential security risk.

Pelican’s goal is to eliminate all unnecessary security risks.

Allows for HTTPS connections only.

The Outbound connection between the Pelican gateway and its associated cloud server is always an HTTPS connection. This stands for Hypertext Transfer Protocol Secure. The important part is “Secure” because the HTTPS connection uses the Secure Socket Layer (SSL)/Transport Layer Security (TLS) protocol, which is basically a private point-to-point connection between two devices over the Internet. 

Simply, an HTTPS connection makes it so no external devices are able to track the end-to-end connection points across the Internet, because they are secured using Public Key transfer.

Pelican uses a combination of Private/Public Key exchanges.

Although Pelican has no access to nor stores any critical data, by using a combination of Public/Private key exchanges, the only devices that can communicate with Pelican devices and Pelican cloud serves are Pelican products. 

While at the same time the encrypted data sent over the Internet is secured through multi-level Digital Signature Algorithms (DSA), which means at no time during the data communication process is any information at risk of being compromised.

100% Isolated communication network

Although a Pelican gateway is physically connected to your facilities Internet router or switch, it is not actually part of your facilities private business network (nor do we want to be). This means Pelican is 100% isolated from your private business network.

We will also note that the Pelican gateway is NOT a server. It does not have a standard release operating system running on it and it doesn’t even have enough memory or processing speed to be used as a security threat. It is simply acts as a bridge between the Internet and your Pelican wireless network.

Being isolated from your private network is also more secure than any secured connection to your private network.  Why? Because if you aren’t part of the network, then there is no security risk.

Some of our customers install the Pelican gateway before the firewall to add one more layer of security. You can do this since Pelican is not at all part of your private business network and is only used for Pelican related data communication.

100% Isolated wireless network

All Pelican devices installed in your facility communicate over Pelican’s wireless mesh network. This network is designed to co-exist with WiFi networks, but not be able to interact with them. Because the wireless network is stand-alone, it means no third-party devices are able to see it or communicate with it. And there is no need to enter your enterprise WiFi network’s WPA or WPA2 password into Pelican.

Being isolated from the WiFi network is also more secure than any secured connection to the WiFi network.  Why? Because if you aren’t part of the network, then there is no security risk.

100% Isolated cloud servers

Every Pelican customer is provided their own private virtual cloud server, so no data between one customer is sitting on the same virtual server as another.

This is different than Amazon, Google, or Azure cloud servers because many times the systems that run on these cloud providers have data sitting in the same memory partitions of the servers. Pelican manages their own servers and, although we do not collect any critical information from our customers, we opted to keep each customer’s data stored separate partitions (virtual servers) to enhance the security aspect of our solution.

Pelican only uses servers in SOC I and SOC II facilities located in your country.

Pelican has their server in multiple locations across the US and Canada. The server location for your Pelican solution will be a server local to your general geographical area. This helps keep data speeds high between the Pelican devices at your facility and your cloud server.

We only US servers for US customers and Canadian servers for Canadian customers.

No critical data storage

The Pelican solution does not track or store any critical data. In fact, your Pelican solution does not store or have access to anything that can be used to create a relationship between you and the data stored by Pelican.

What does Pelican track?

  1. The name chosen for the Pelican site (web-app). This name is normally related too, but is not directly correlated with the actual business’s name.
  2. The site zip code. No address is allowed to be added or stored in Pelican.
  3. Temperature data. This data is associated to each Pelican devices recording that temperature and their associated device name.
  4. Device configurations. This is stored both for functional purposes and as a back-up incase they need to be restored.
  5. Device sequences. IE: Did a thermostat turn on cooling? How long did it run? Was the fan enabled?
  6. If a configuration, temperature, or schedule was changed through the web-app (manually or by a schedule).
  7. If a change was made at the thermostat.

When you login to your Pelican site, you don't actually connect to the Pelican gateway.

This might seem strange, but its by design. A Pelican gateway is just a bridge between the Internet and the Pelican wireless network used to communicate with the Pelican devices inside your facility. 

When you login to your Pelican web-app, you are actually logging into your Pelican virtual server. All changes you make are then encrypted and pushed from this server, across the Internet, routed through the gateway and directly to the device that needs to make change. That device then unencrypted the command.

Why is this important?

Because it means you can securely access your Pelican web-app from any Internet enabled device, without having to configure that device to create a special connection to your business’s private network. That means that your business’s private network retains a greater security when you use Pelican as your climate management solution.