A lifecycle approach to cybersecurity

Cybersecurity risks exist at every stage of a product’s lifecycle from the production, distribution, implementation, and in-service phases, to decommissioning. That's why Axis takes a lifecycle approach to addressing cybersecurity. From start to end, we're taking and providing measures to help you mitigate risks and maintain a secure operation.

lifecycle management cybersecurity

What's at stake?

Confidentiality, integrity, availability even lost business. There’s plenty at risk if your system is compromised. As IP-based products are potential pathways to your network, it’s important to protect them from threats like unauthorized access, tampered software and exploitation of vulnerabilities. Together, we can put safeguards in place to make it harder for cyber incidents to occur. 

In the sections below, you can learn about the elements underpinning the security of Axis' offerings, and what we do, provide and recommend to mitigate cybersecurity risks over the course of a product's lifecycle.

Doing our part to mitigate risks

Long before you purchase an Axis product, we’re working hard to ensure high standards for cybersecurity.

Security foundation

ISMS, ASDM and AXIS OS
Maintaining the integrity of the systems that support the delivery of our offerings is key. The foundation starts with an information security management system (ISMS) that complies with ISO/IEC 27001. The system includes our Axis Security Development Model (ASDM). ASDM defines the methodology applied to reduce the risk of having vulnerabilities in software such as video management software and AXIS OS, the operating system that powers most Axis devices. AXIS OS is also a platform that enables quick and efficient release of security features and patches across a great number of products.

ARTPEC-8 system on chip

Axis Edge Vault
Another key element built into our devices is Axis Edge Vault. It's a hardware-based platform rooted in cryptographic computing modules like secure element, TPM and system-on-chip security (TEE). The platform supports a host of Edge Vault security features. The Axis device ID, for instance, provides proof the device is from Axis; and secure keystore allows for the secure storage of the Axis device ID and customer-loaded cryptographic keys. Other features include signed firmware, which validates that the operating system is from Axis; and secure boot, which ensures the device boots only genuine AXIS OS. Edge Vault also encrypts the device's file system.

Two people in front of a computer screen, one of them pointing at it.

Transparency
Equally important is having transparency essential to building trust. As a Common Vulnerabilities and Exposures (CVE) Numbering Authority [EN] (CNA), Axis issues notifications about newly discovered vulnerabilities so customers can take timely action to update software. We also publish a software bill of materials [EN] (SBOM) for AXIS OS. And we state the end-of-support date for the device software so customers can better plan when to decommission and replace a product.

assembly line

Production and distribution phases

During these phases, it's important to mitigate the risks of having compromised components. It's why we implement supply chain controls. We procure critical components directly from strategic suppliers. We closely monitor production processes and ensure transparency to better assess and mitigate potential security risks.

To help counter software tampering after a product leaves Axis, features like signed firmware and secure boot, together with making a factory default on the device, offer supply chain protection. Encryption on a device's file system also protects saved data from extraction when a product is in transit or not in use.

Helping you do your part

When you’re ready to implement our products, we offer guidance on how to harden them. You’ll be able to take advantage of technologies that the products support to mitigate risks. And you’ll be able to use tools that make it easier to maintain the security of the products, from deployment right through to decommissioning.
factory default

Implementation phase

When you're ready to connect an Axis device to your network, we recommend that you first perform a factory default on the device. This, together with signed firmware and secure boot, ensures the device is free of unauthorized software modifications. You should also go to the Axis website and download the latest AXIS OS for your device, which will include up-to-date security patches and bug fixes. For efficient configuration and management of Axis devices locally, AXIS Device Manager enables batch processing of security tasks, such as managing device credentials, deploying certificates, disabling unused services, and upgrading AXIS OS.

Built-in security features
Device features like signed firmware and secure boot ensure only genuine Axis operating systems are used, while secure keystore enables secure storage of the cryptographic keys used to encrypt data. Secure communication via HTTPS is enabled by default on Axis devices and video management software. The latest versions of AXIS OS also support technologies that make zero-trust networking easier. They include IEEE 802.1X, together with IEEE 802.1AR-compliant Axis device IDs, for automated and secure onboarding of devices to an IEEE 802.1X network, and IEEE 802.1AE MACsec for automatic encryption of data communications.

Applying controls
Consult various hardening guides to configure Axis products for your security needs. You should set strong passwords; use only HTTPS for encrypted communication between the device and client; and disable unused services and functions to reduce unnecessary risks. It’s also important to set the date and time on the device correctly to enable accurate system logs and ensure that digital certificates – which services such as HTTPS and IEEE 802.1X rely on – can be validated and used. On supported cameras, you can enable the signed video feature to allow users to check that exported video is free of tampering.

AXIS Companion firmware upgrades

In-service phase

It's important to keep all software including the operating systems of your devices up to date to ensure newly discovered vulnerabilities are promptly patched. New AXIS OS releases for connected devices are highlighted on AXIS Companion, AXIS Camera Station, and partner video management software like Milestone XProtect®  and Genetec™ Security Center, as well as tools like AXIS Device Manager and AXIS Device Manager Extend, to make it easier for you to implement the updates. You can also sign up to receive security notifications from Axis. If your network is breached, the AXIS OS Forensic Guide helps you conduct a forensic analysis of Axis devices.

Decommissioning phase

Knowing when it’s time to decommission your networked devices is just as important as keeping them up to date and secure while in use. Product pages on the Axis website, as well as tools like AXIS Device Manager Extend, show the end-of-support date for a device's operating system. It allows you to decommission and replace a device in a timely manner, and avoid the risk of operating a device with unpatched vulnerabilities. Removing data on a decommissioned device is also important. By performing a factory default, you can quickly erase all configurations and data from the device. See details on decommissioning products.

Related resources

You may also be interested in
Lifecycle management

Device lifecycle flyer

This four-page flyer packs in details about Axis' lifecycle approach to cybersecurity. 

cybersecurity e-book

Cybersecurity e-brochure

The e-brochure covers topics such as cyberthreats, procurement considerations, the Axis device lifecycle approach, and compliance.

cybersecurity phone lock

Cybersecurity course

This free online e-learning course introduces the Axis approach to cybersecurity.

cybersec_axis_office_2208_hi-4-3Mediawithtext

Cybersecurity portal

Access a wide range of information on cybersecurity and how Axis supports it.

To top