Axis Communications recently announced its commitment to cybersecurity by signing onto the U.S. Cybersecurity & Infrastructure Security Agency's (CISA) Secure by Design initiative.
This pledge encourages companies to prioritize customer security and address seven essential cybersecurity components. As part of this agreement, Axis aims to enhance transparency regarding the security measures embedded within its products.
Key Aspects of the Secure by Design Pledge
The Secure by Design initiative, led by CISA, is a voluntary program designed to integrate customer security into the core practices of manufacturers.
It targets seven key areas including multi-factor authentication, reducing default passwords, minimizing vulnerabilities, simplifying security patch installations, and promoting transparency in vulnerability reporting. The initiative also seeks to enable customers to gather evidence of potential cybersecurity threats affecting the products.
Axis Products and Commitment to Security
Axis addresses these principles via its portfolio, which includes AXIS OS-based network products
Chief Technology Officer Johan Paulsson highlighted that the CISA pledge aligns with Axis's overarching goal of integrating cybersecurity into its offerings.
Axis addresses these principles through its portfolio, which includes AXIS OS-based network products, video management software, and services such as Axis Cloud Connect.
Security in Axis's Software Development
Axis integrates robust security measures throughout its software development process to minimize software vulnerabilities. Following the Axis Security Development Model (ASDM), developers address potential security risks comprehensively.
The company also runs bug bounty programs and welcomes external reporting of security issues to its Product Security Team.
Vulnerability Management and Compliance
Axis operates as a CNA, which allows it to manage and disclose vulnerabilities effectively
Axis operates as a CVE Numbering Authority (CNA), which allows it to manage and disclose vulnerabilities effectively.
The Axis Trust Center provides detailed information on cybersecurity practices and compliance for AXIS OS-based products and aims to eventually encompass other company offerings.
Advanced Security Features in AXIS OS
The AXIS OS powers a wide range of network devices, including cameras and access control products. Designed without default passwords, these devices support multi-factor authentication and zero-trust networking.
They offer secure authentication through IEEE standards and advanced encryption via MACsec. Additionally, the devices incorporate hardware-based secure key storage certified to FIPS 140-3 Level 3 standards.
Video Management Software
Axis's video management software, such as AXIS Camera Station Pro and Edge, secures communication between devices and customers using 256-bit AES encryption.
With features like multiple user access levels and alarm logs, these tools enhance accountability and secure system activities.
Comprehensive Device Management Solutions
Axis provides a suite of software for managing edge devices across vast networks
Axis provides a suite of software for managing edge devices across vast networks, including AXIS Device Manager and its variants.
These applications assist users in performing updates, managing configurations, and securing devices across multiple endpoints efficiently.
Innovative Cloud Solutions
Axis Cloud Connect offers an open hybrid cloud platform allowing for seamless management of its devices. The platform ensures secure connectivity through protocols like HTTPS and WebRTC, supports multi-factor authentication, and facilitates automatic incident detection and logging.
Through its adherence to the CISA Secure by Design pledge, Axis demonstrates its dedication to maintaining a strong cybersecurity posture, empowering customers with the assurance and tools they need to remain secure.
Axis Communications, a industry pioneer in video surveillance, announces it has signed the U.S. Cybersecurity & Infrastructure Security Agency’s (CISA) Secure by Design pledge to transparently communicate about the cybersecurity posture of Axis products.
The voluntary Secure by Design pledge of the U.S. government agency, CISA, calls on manufacturers to make the security of customers a core business requirement by addressing seven key aspects of security:
- Use of multi-factor authentication
- Reduce default passwords
- Reduce classes of vulnerabilities
- Enable customers to easily install security patches
- Publish a vulnerability disclosure policy
- Demonstrate transparency in vulnerability reporting
- Demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products
AXIS OS-based network products
“CISA’s Secure by Design pledge aligns well with our goal of making cybersecurity a core part of what we offer,” says Johan Paulsson, Chief Technology Officer, Axis. “By making this pledge, we affirm our continuous commitment to helping customers follow cybersecurity best practices and drive greater accountability in the physical security industry.”
Outlined below is how Axis addresses the Secure by Design pledge in its product portfolio, ranging from AXIS OS-based network products, video, and device management software, to service offerings like Axis Cloud Connect.
Implementing security in the Axis product portfolio
Reducing the risk of software vulnerabilities is an integral part of Axis software development. Axis developers follow the Axis Security Development Model (ASDM) in order to mitigate security risks throughout the product lifecycle. The security framework, involving processes and tools, also includes strengthening product security through external resources, namely through Axis’ bug bounty programs and enabling people to easily report bugs or vulnerabilities to the Axis Product Security Team.
Axis patches and discloses vulnerabilities as a CVE Numbering Authority (CNA), and the company’s published vulnerability management policy outlines what, when and how it works with vulnerability disclosures. The Axis Trust Center serves to provide cybersecurity and compliance information for Axis as a company and for AXIS OS-based network products, and will eventually cover other Axis products and services as well.
AXIS OS-based network products
Axis’ wide-ranging IP-based network devices, from cameras, intercoms, loudspeakers and access control products, are powered by the operating system, AXIS OS. AXIS OS is designed with no default passwords. It supports multi-factor authentication when customers access the devices using centralized identity and access management (IAM).
AXIS OS enables zero-trust networking by default from factory for secure device verification and onboarding. It allows Axis network products to automatically authenticate through IEEE 802.1X with their IEEE 802.1AR-compliant secure device identities. AXIS OS also supports powerful encryption through IEEE 802.1AE MACsec, protecting, at the fundamental level, network protocols like NTP and DHCP that do not offer native security, and double-encrypting secure protocols, such as HTTPS and other TLS-based protocols.
Additionally, AXIS OS-based devices feature hardware-based secure key storage functionality that is certified to FIPS 140-3 Level 3, together with Common Criteria EAL6+.
AXIS Camera Station
Axis’ video management software, AXIS Camera Station Pro and AXIS Camera Station Edge, ensure secure external communications between smartphone, tablet, browser, or PC client, and Axis network cameras through 256-bit AES encryption using Axis Secure Remote Access v2. Communication between client-servers and Axis devices, meanwhile, is secured using 256-bit AES encryption and TLS 1.2 or higher.
The software products support multiple user access levels and granular control of different functionalities. AXIS Camera Station Pro enables password protection of devices using local or Windows active directory domain users, while AXIS Camera Station Edge supports two-factor authentication. AXIS Camera Station Pro provides alarm, event, and audit logs, supporting real-time notifications and tracking of system activities, and ensuring accountability.
Axis device management software
Axis offers several dedicated, easy-to-use software for managing edge devices like cameras, audio products, and access control. The device management applications, AXIS Device Manager, AXIS Device Manager Edge, and AXIS Device Manager Extend, help customers cost-effectively perform device software updates and security hardening across thousands of Axis network devices.
Other supported functions include automating the lifecycle of TLS certificate provisioning; providing simple device configuration backup and restore capabilities that minimize human configuration error; and managing password changes, HTTPS, IEEE 802.1X and other services on Axis devices.
Axis Cloud Connect
Axis Cloud Connect is an open hybrid cloud platform that enables end customers and integration partners to manage Axis devices. It supports such activities as automatically applying new software updates that would include security patches for Axis network products. Device-to-cloud connectivity is established only through secure communication channels such as HTTPS and WebRTC with TLS 1.2/1.3.
It supports single sign-on (SSO) and multi-factor authentication for My Axis accounts, which are used to provide access to services hosted by Axis. Cloud Connect also supports evidence gathering and automatic detection of sensitive cybersecurity activity through automatic tooling and audit log monitoring.
As part of the CISA pledge, Axis is committed to regularly sharing insights and progress into the cybersecurity posture of its products. It enables customers to verify and hold the company accountable, and helps strengthen the trust that customers should have when using Axis products.
