Axis Communications has committed to enhancing cybersecurity by signing the Secure by Design pledge initiated by the U.S. Cybersecurity & Infrastructure Security Agency (CISA).
This pledge advocates for transparency in cybersecurity matters associated with Axis products, aligning with the company’s aim to integrate security as a fundamental component of its offerings.
Core security requirements
The voluntary pledge from CISA encourages manufacturers to prioritise customer security by addressing seven critical areas, including implementing multi-factor authentication, reducing default passwords, and mitigating vulnerabilities.
It also covers simplifying the addition of security patches, establishing a vulnerability disclosure policy, ensuring transparency in vulnerability reporting, and enabling users to verify cybersecurity incidents involving the manufacturer’s products.
Commitment to cybersecurity
"CISA’s Secure by Design pledge aligns well with our goal of making cybersecurity a core part of what we offer," noted Johan Paulsson, Chief Technology Officer, Axis.
"By making this pledge, we affirm our continuous commitment to helping customers follow cybersecurity best practices and drive greater accountability in the physical security industry."
Security measures in Axis products
Axis incorporates vast security measures in its products, which include AXIS OS-based network
Axis incorporates comprehensive security measures in its products, which include AXIS OS-based network products, video, and device management software, as well as Axis Cloud Connect.
The company employs a dedicated Axis Security Development Model (ASDM) to mitigate security risks across the product lifecycle, complemented by bug bounty programs and a proactive vulnerability management policy.
Advanced security in AXIS OS
The AXIS OS used in various devices like cameras and access control products is engineered without default passwords and supports multi-factor authentication.
It facilitates zero-trust networking and employs robust encryption technologies such as IEEE 802.1AE MACsec, ensuring the secure operation of network protocols.
Secured video management software
The AXIS Camera Station software offers secure communication through 256-bit AES encryption
The AXIS Camera Station software offers secure communication through 256-bit AES encryption.
It supports variable user access levels and introduces features like two-factor authentication and activity monitoring logs to ensure system accountability and security. Additionally, it ensures password protection and offers granular control over device functionalities.
Device management capabilities
Axis provides several user-friendly device management solutions, including AXIS Device Manager and AXIS Device Manager Edge, to efficiently handle software updates and security configurations for numerous devices.
These tools facilitate tasks such as TLS certificate management and automated password updates, reducing human error risks.
Axis Cloud Connect platform
Axis Cloud Connect is a hybrid cloud platform designed to secure remotely managed Axis devices. It leverages secure channels like HTTPS and WebRTC with TLS encryption while integrating features such as single sign-on and multi-factor authentication to enhance security measures for My Axis accounts.
In fulfilling the CISA Secure by Design pledge, Axis remains dedicated to maintaining transparency with its customers by regularly sharing updates on the cybersecurity status of its products, thus fostering a trust-based relationship with users.
Axis Communications, a industry pioneer in video surveillance, announces it has signed the U.S. Cybersecurity & Infrastructure Security Agency’s (CISA) Secure by Design pledge to transparently communicate about the cybersecurity posture of Axis products.
The voluntary Secure by Design pledge of the U.S. government agency, CISA, calls on manufacturers to make the security of customers a core business requirement by addressing seven key aspects of security:
- Use of multi-factor authentication
- Reduce default passwords
- Reduce classes of vulnerabilities
- Enable customers to easily install security patches
- Publish a vulnerability disclosure policy
- Demonstrate transparency in vulnerability reporting
- Demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products
AXIS OS-based network products
“CISA’s Secure by Design pledge aligns well with our goal of making cybersecurity a core part of what we offer,” says Johan Paulsson, Chief Technology Officer, Axis. “By making this pledge, we affirm our continuous commitment to helping customers follow cybersecurity best practices and drive greater accountability in the physical security industry.”
Outlined below is how Axis addresses the Secure by Design pledge in its product portfolio, ranging from AXIS OS-based network products, video, and device management software, to service offerings like Axis Cloud Connect.
Implementing security in the Axis product portfolio
Reducing the risk of software vulnerabilities is an integral part of Axis software development. Axis developers follow the Axis Security Development Model (ASDM) in order to mitigate security risks throughout the product lifecycle. The security framework, involving processes and tools, also includes strengthening product security through external resources, namely through Axis’ bug bounty programs and enabling people to easily report bugs or vulnerabilities to the Axis Product Security Team.
Axis patches and discloses vulnerabilities as a CVE Numbering Authority (CNA), and the company’s published vulnerability management policy outlines what, when and how it works with vulnerability disclosures. The Axis Trust Centre serves to provide cybersecurity and compliance information for Axis as a company and for AXIS OS-based network products, and will eventually cover other Axis products and services as well.
AXIS OS-based network products
Axis’ wide-ranging IP-based network devices, from cameras, intercoms, loudspeakers and access control products, are powered by the operating system, AXIS OS. AXIS OS is designed with no default passwords. It supports multi-factor authentication when customers access the devices using centralised identity and access management (IAM).
AXIS OS enables zero-trust networking by default from factory for secure device verification and onboarding. It allows Axis network products to automatically authenticate through IEEE 802.1X with their IEEE 802.1AR-compliant secure device identities. AXIS OS also supports powerful encryption through IEEE 802.1AE MACsec, protecting, at the fundamental level, network protocols like NTP and DHCP that do not offer native security, and double-encrypting secure protocols, such as HTTPS and other TLS-based protocols.
Additionally, AXIS OS-based devices feature hardware-based secure key storage functionality that is certified to FIPS 140-3 Level 3, together with Common Criteria EAL6+.
AXIS Camera Station
Axis’ video management software, AXIS Camera Station Pro and AXIS Camera Station Edge, ensure secure external communications between smartphone, tablet, browser, or PC client, and Axis network cameras through 256-bit AES encryption using Axis Secure Remote Access v2. Communication between client-servers and Axis devices, meanwhile, is secured using 256-bit AES encryption and TLS 1.2 or higher.
The software products support multiple user access levels and granular control of different functionalities. AXIS Camera Station Pro enables password protection of devices using local or Windows active directory domain users, while AXIS Camera Station Edge supports two-factor authentication. AXIS Camera Station Pro provides alarm, event, and audit logs, supporting real-time notifications and tracking of system activities, and ensuring accountability.
Axis device management software
Axis offers several dedicated, easy-to-use software for managing edge devices like cameras, audio products, and access control. The device management applications, AXIS Device Manager, AXIS Device Manager Edge, and AXIS Device Manager Extend, help customers cost-effectively perform device software updates and security hardening across thousands of Axis network devices.
Other supported functions include automating the lifecycle of TLS certificate provisioning; providing simple device configuration backup and restore capabilities that minimise human configuration error; and managing password changes, HTTPS, IEEE 802.1X and other services on Axis devices.
Axis Cloud Connect
Axis Cloud Connect is an open hybrid cloud platform that enables end customers and integration partners to manage Axis devices. It supports such activities as automatically applying new software updates that would include security patches for Axis network products. Device-to-cloud connectivity is established only through secure communication channels such as HTTPS and WebRTC with TLS 1.2/1.3.
It supports single sign-on (SSO) and multi-factor authentication for My Axis accounts, which are used to provide access to services hosted by Axis. Cloud Connect also supports evidence gathering and automatic detection of sensitive cybersecurity activity through automatic tooling and audit log monitoring.
As part of the CISA pledge, Axis is committed to regularly sharing insights and progress into the cybersecurity posture of its products. It enables customers to verify and hold the company accountable, and helps strengthen the trust that customers should have when using Axis products.
