Axis Communications has signed the United States Cybersecurity & Infrastructure Security Agency’s (CISA) Secure by Design pledge, signalling its commitment to upholding and transparently communicating the cybersecurity posture of its products.
The pledge is voluntary, focuses on enterprise software products and services, and complements existing software security best practices. It calls on manufacturers to enshrine security as a core business requirement and to address seven key security aspects.
These include multi-factor authentication (MFA), reduced default passwords, reduced classes of vulnerability, security patches, vulnerability disclosure policies, transparency in vulnerability reporting, and sharing evidence of intrusions.
“CISA’s Secure by Design pledge aligns well with our goal of making cybersecurity a core part of what we offer. By making this pledge, we affirm our continuous commitment to helping customers follow cybersecurity best practices and drive greater accountability in the physical security industry,” says Johan Paulsson, chief technology officer at Axis Communications.
Axis addresses the Secure by Design pledge across its solutions portfolio, which encompasses physical security and network surveillance hardware, OS-based network products, video and device management software, and service offerings such as Axis Cloud Connect.
Axis developers follow the Axis Security Development Model (ASDM) to mitigate security risks during the entire product lifecycle. The security framework uses several tools and processes, and further strengthens product security via external resources, including Axis’s bug bounty programmes and the ability for users to report bugs and vulnerabilities. Additionally, the Axis Trust Centre provides cybersecurity and compliance information for Axis as a company and AXIS OS-based network products.
Axis IP-network devices, including cameras, audio speakers, intercoms, and access control products, use AXIS OS, which is designed with no default passwords and supports MFA when users access the devices using centralised identity and access management (IAM). AXIS OS also enables zero-trust networking by default from the factory for secure device verification and onboarding, which allows products to automatically authenticate through IEEE 802.1X with their IEEE 802.1AR-compliant secure device identities.
Axis’s video management software (VMS) products, AXIS Camera Station Pro and AXIS Camera Station Edge, ensure secure external communications between devices and Axis network cameras through 256-bit AES encryption using Axis Secure Remote Access v2.
From a device management perspective, Axis offers several dedicated and easy-to-use solutions for managing edge devices. AXIS Device Manager, AXIS Device Manager Edge, and AXIS Device Manager Extend help customers cost-effectively perform device software updates and security hardening across thousands of Axis network devices.
Software-supported functions include automating the lifecycle of TLS certificate provisioning, providing simple device configuration backup and restore capabilities, and managing password changes, HTTPS, IEEE 802.1X, and other services on Axis devices.
Axis Cloud Connect, the company’s open hybrid cloud platform that enables end customers and integration partners to manage Axis devices, supports and protects products by applying new software updates that would include security patches. Additionally, the platform establishes connectivity through secure communication channels such as HTTPS and WebRTC with TLS 1.2/1.3, and supports single sign-on (SSO) and multi-factor authentication for My Axis accounts.
“Cybersecurity is not an add-on or standalone product feature divorced from design, development and manufacturing processes. Not only is it a critical component of securing our solutions, but it also holds us as a company accountable, thus strengthening the trust and certainty that customers expect when using our products. Security is also subject to innovation, and with each new advancement or refinement, or even regular security patch, we continue to set the standard in product, network and system resilience in our industry and around the world,” Johan adds.