Axis Signs CISA’s Secure by Design Pledge for Cybersecurity
Axis Communications, a global industry leader in video surveillance, announces it has signed the U.S. Cybersecurity & Infrastructure Security Agency’s (CISA) Secure by Design pledge to transparently communicate about the cybersecurity posture of Axis products.
The voluntary Secure by Design pledge of the U.S. government agency, CISA, calls on manufacturers to make the security of customers a core business requirement by addressing seven key aspects of security:
- Use of multi-factor authentication
- Reduce default passwords
- Reduce classes of vulnerabilities
- Enable customers to easily install security patches
- Publish a vulnerability disclosure policy
- Demonstrate transparency in vulnerability reporting
- Demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products
“CISA’s Secure by Design pledge aligns well with our goal of making cybersecurity a core part of what we offer,” says Johan Paulsson, Chief Technology Officer, Axis. “By making this pledge, we affirm our continuous commitment to helping customers follow cybersecurity best practices and drive greater accountability in the physical security industry.”
Outlined below is how Axis addresses the Secure by Design pledge in its product portfolio, ranging from AXIS OS-based network products, video, and device management software, to service offerings like Axis Cloud Connect.
Implementing security in Axis product portfolio
Reducing the risk of software vulnerabilities is an integral part of Axis software development. Axis developers follow the Axis Security Development Model (ASDM) in order to mitigate security risks throughout the product lifecycle. The security framework, involving processes and tools, also includes strengthening product security through external resources, namely through Axis’ bug bounty programs and enabling people to easily report bugs or vulnerabilities to the Axis Product Security Team. Axis patches and discloses vulnerabilities as a CVE Numbering Authority (CNA), and the company’s published vulnerability management policy outlines what, when and how it works with vulnerability disclosures. The Axis Trust Center serves to provide cybersecurity and compliance information for Axis as a company and for AXIS OS-based network products, and will eventually cover other Axis products and services as well.
AXIS OS-based network products
Axis’ wide-ranging IP-based network devices, from cameras, intercoms, loudspeakers and access control products, are powered by the operating system, AXIS OS. AXIS OS is designed with no default passwords. It supports multi-factor authentication when customers access the devices using centralized identity and access management (IAM).
AXIS OS enables zero-trust networking by default from factory for secure device verification and onboarding. It allows Axis network products to automatically authenticate through IEEE 802.1X with their IEEE 802.1AR-compliant secure device identities. AXIS OS also supports powerful encryption through IEEE 802.1AE MACsec, protecting, at the fundamental level, network protocols like NTP and DHCP that do not offer native security, and double-encrypting secure protocols, such as HTTPS and other TLS-based protocols.
Additionally, AXIS OS-based devices feature hardware-based secure key storage functionality that is certified to FIPS 140-3 Level 3, together with Common Criteria EAL6+.
AXIS Camera Station
Axis’ video management software, AXIS Camera Station Pro and AXIS Camera Station Edge, ensure secure external communications between smartphone, tablet, browser, or PC client, and Axis network cameras through 256-bit AES encryption using Axis Secure Remote Access v2. Communication between client-servers and Axis devices, meanwhile, is secured using 256-bit AES encryption and TLS 1.2 or higher. The software products support multiple user access levels and granular control of different functionalities. AXIS Camera Station Pro enables password protection of devices using local or Windows active directory domain users, while AXIS Camera Station Edge supports two-factor authentication. AXIS Camera Station Pro provides alarm, event, and audit logs, supporting real-time notifications and tracking of system activities, and ensuring accountability.
Axis device management software
Axis offers several dedicated, easy-to-use software for managing edge devices like cameras, audio products, and access control. The device management applications, AXIS Device Manager, AXIS Device Manager Edge, and AXIS Device Manager Extend, help customers cost-effectively perform device software updates and security hardening across thousands of Axis network devices. Other supported functions include automating the lifecycle of TLS certificate provisioning; providing simple device configuration backup and restore capabilities that minimize human configuration error; and managing password changes, HTTPS, IEEE 802.1X and other services on Axis devices.
Axis Cloud Connect
Axis Cloud Connect is an open hybrid cloud platform that enables end customers and integration partners to manage Axis devices. It supports such activities as automatically applying new software updates that would include security patches for Axis network products. Device-to-cloud connectivity is established only through secure communication channels such as HTTPS and WebRTC with TLS 1.2/1.3. It supports single sign-on (SSO) and multi-factor authentication for My Axis accounts, which are used to provide access to services hosted by Axis. Cloud Connect also supports evidence gathering and automatic detection of sensitive cybersecurity activity through automatic tooling and audit log monitoring.
As part of the CISA pledge, Axis is committed to regularly sharing insights and progress into the cybersecurity posture of its products. It enables customers to verify and hold the company accountable, and helps strengthen the trust that customers should have when using Axis products.