- TLS 1.2 protocols, AES-256 encryption
- Always protected with over the air patches
- Validated by 3rd party audits
- Robust end-user security tools
- Redundant hosted software service
24/7 Security and Monitoring
PureComms Security comes standard on PureLine generators, offering analytics to prevent and predict maintenance on equipment, decreasing downtime. Using Samsara’s technical infrastructure, PureComms provides the business with relevant data and analytics for your PureLine generator. We outline the technical details of the PureComms Security system, built on Samsara, below.
The TLS protocol aims primarily to provide privacy and data integrity between two or more communicating computer applications.
AES-256, which has a key length of 256 bits, supports the largest bit size and is practically unbreakable by brute force based on current computing power, making it the strongest encryption standard.
These days we take it for granted that our smartphone applications are updated, often automatically based on the rules we set. Those rules might allow app updates to happen automatically when devices are connected to a Wi-Fi network, and OS updates to happen overnight when we are not using our mobile devices. Over-the-Air (OTA) updates do precisely that, with minimal impact.
As reports of security threats and data breaches rise, clients want added assurance that an organization can be trusted with their confidential information. As businesses strive to align with industry standards and best practices when it comes to security, third-party auditing ensures that security matches current best practices.
Our unit provides administrative tools to protect your organization’s data, including user management with email verification, authentication audit logs, and two factor authentication (via Google Apps). Moreover, we enforce robust user authentication, with data access requiring authentication via a third party.
Generator Data View
HP Generator Data View
Security In Depth
Hardened Cloud Infrastructure
Samsara’s cloud-hosted infrastructure is designed and managed in alignment with the best practices of multiple IT security standards. Samsara’s underlying infrastructure leverages Amazon AWS, which is ISO 27001 and SOC 1 Type II certified, and is rated as the leader in cloud security by research firm Forrester.
Network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACL), and configurations to enforce the flow of information to specific information system services.
ACLs, or traffic flow policies, are established on each managed interface, which manage and enforce the flow of traffic.
Samsara is built on a secure multi-tenant cloud architecture with logical data separation. Customer data is logically separated across distributed databases with required authentication checks for every application-layer and data-layer access made to any tenant’s data. The logical separation ensures that data is always associated with exactly one customer and required authentication checks at the application and data layers ensure that data is completely isolated by customer and accounts provisioned for that customer.
Samsara employs a Virtual Private Cloud to provide resource isolation and minimize attack surface area. Samsara services are protected by IP- and port-based firewalls. Administrative access to Samsara’s infrastructure is highly restricted and verified by public key (RSA). Distributed Denial of Service (DDoS) attacks are mitigated with elastic load balancing and highly available DNS services.
When a storage device containing customer data has reached the end of its useful life, procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. Techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”) are used to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.
Physical Device Protections
Samsara recognizes the importance of securing your data from the device to the dashboard. Our gateways are designed and tested to prevent unauthorized access and interference, including through the following safeguards:
Command Safe List
Samsara’s gateways allow only a pre-approved list of commands to be sent to the vehicle, blocking malicious or otherwise unwanted commands.
Samsara gateways won’t operate if someone remotely tries to run malicious code on them, with built-in (asymmetric) cryptographic digital signatures using a public key for verification with on-device tamper protections.
Samsara includes its gateways as part of its annual penetration tests and triages, prioritizes, and remedies the results of those tests in a timely and appropriate manner.
No Default Passwords or Debug Modes
Samsara never ships vehicle gateways with standard passwords and disables all debug interfaces, preventing unauthorized access to or discovery of information about the state of the device through IoT search engines or similar methods.
Data in Transit
All data transmitted between Samsara clients and the Samsara service uses strong encryption protocols. Samsara supports the latest recommended secure protocols to secure all traffic in transit, including TLS 1.2, AES-256 encryption, and signatures.
Data at Rest
Data at rest in Samsara’s production network is encrypted using FIPS 140-2 compliant encryption standards, which applies to data at rest within Samsara’s systems—relational databases, file stores, backups, etc. All encryption keys are stored in an industry standard, secure system based on AWS’s Key Management Service. Samsara has implemented appropriate safeguards to protect the creation, storage, retrieval, and destruction of secrets such as encryption keys and service account credentials.
SOC 2 Reporting
The Service and Organization Controls (SOC 2) is an industry-recognized attestation report given to a company after an audit of the company’s internal practices. Our report describes the controls and processes Samsara has in place to secure customer data and to ensure availability of our system.
Samsara’s SOC 2 Type 2 report includes a description of our software infrastructure and the processes we have in place to keep our customers’ data safe and available. Some of the processes covered in our report are employee on-boarding and termination processes; internal access controls to production environments; and disaster recovery, data backup, and incident response processes. Samsara’s SOC 2 Type 2 report was provided by Schellman & Company, a licensed and independent certified public accountant firm.
If you’re a current or prospective Samsara customer and wish to view the report, you can request a copy from your account representative.
24/7 x 365 Monitoring
In addition to our compliance audits, Samsara engages independent entities to conduct application-level, infrastructure-level, and hardware-level penetration tests at least annually. Results of these tests are shared with senior management and are triaged, prioritized, and remediated in a timely manner. Customers may receive executive summaries of these activities by requesting them from their account executive.
Bug Bounty Program
Samsara highly values and encourages a close relationship with security researchers. The work done by the security community improves the security of our product offerings and we encourage their participation in our responsible reporting process. To administer the bug bounty program, Samsara works with Bugcrowd.
Redundant, Highly Available Infrastructure
Samsara’s service is a distributed system designed to spread computation and data across multiple physical servers. Every customer’s data is replicated across multiple servers and storage appliances, so that hardware failure will not compromise service availability or customer data. Networks are multi-homed across a number of providers to achieve Internet access diversity.
Datacenters are equipped with advanced fire detection and suppression equipment, including protection by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems. The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide back-up power for the entire facility.
Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.
Samsara is designed for rapid failover in the event of a hardware failure or natural disaster. Samsara sensors and gateways are also equipped with on-board storage to save data locally in the event of a cloud service interruption, and will automatically upload buffered data upon service resumption.
Security Tools for Administrators
Samsara provides administrative tools to protect your organization’s data, including user management with email verification, authentication audit logs, and two factor authentication (via Google Apps). Moreover, Samsara enforces robust user authentication, with data access requiring authentication via Samsara’s centralized server (no default passwords or shared secrets).
Internally, Samsara authorizes access to Customer Data based on the principles of least privilege and segregation of duties. Samsara uses role-based access privileges to assign access to key systems. In order to access the production environment, an authorized Samsara user must have a unique username and password, multi-factor authentication, and be connected to Samsara’s Virtual Private Network. Access is automatically deprovisioned for employees switching roles or leaving the company. Samsara uses a log monitoring system to track events for crucial systems in order to identify anomalous or unauthorized login, configuration, or security-group management events quickly.
Security Disclosure Policy
Samsara is dedicated to upholding the highest standards of security for our platform and openly working with the security community. Our vulnerability disclosure policy aims to provide a way for external researchers to report and remediate security issues. Samsara encourages security researchers to discover and report to Samsara any vulnerabilities they find in a responsible manner. Samsara expressly prohibits security researchers from performing actions that may negatively affect Samsara or its customers; accessing, destroying, corrupting (or attempting to access, destroy, or corrupt) data or information that does not belong to them; or social engineering any Samsara customer or employee.
Reporting security issues
If you have a security concern, use the form below with details about the vulnerability. We ask that you not share or publicize an unresolved vulnerability with/to third parties. If you responsibly submit a vulnerability report, the Samsara security team will use reasonable efforts to respond in a timely manner via Bugcrowd, provide an estimated time frame for addressing the vulnerability, and notify you when the vulnerability has been fixed. Depending on the severity and impact of your submission, you may qualify for a reward via Bugcrowd.