The cybersecurity lifecycle: how to put security first at every step

Axis Communications’ Steven Kenny explains how to build trust and confidence through a rigorous programme of security-first product management.

The scale and severity of the cybersecurity threat has never been greater than it is today. Ransomware-as-a-service puts dangerous tools in the hands of those without the technical knowledge to develop them, allowing a new generation of malicious actors to lock down critical systems. Potential attackers have grown from individuals and hacking groups to geopolitical entities, targeting national infrastructure or seeking access to critical secrets. For businesses of all sizes an attack could have serious ramifications, resulting in everything from operational disruption and reputational damage to severe financial consequences.

Though the world’s awareness of cybersecurity threats has grown, the increasing number of innovative and difficult-to-defend attack vectors means its defences have not kept pace. 93% of local company network perimeters can be breached within two days – and in 100% of cases, an insider with credentials could gain full control over that network. Simply installing a device that is deemed to be cybersecure does not constitute a fully cybersecure approach. A device with soft defences is an easy target for attack.

Axis believes the correct approach to cybersecurity involves rigorous policies, processes and a level of transparency and clarity which helps protect against the danger of the human element. It’s about employing the correct tools in the right places, taking a 360-degree view of lifecycle management which ensures secure is the default and trust is more than a word. Providing customers with honest information about our internal policies and processes will ultimately reassure them of our organisational commitment to cybersecurity.

Forging an unbreakable chain

Security is the primary focus in every single network-attached product we design and develop. Weaknesses in the development chain could leave it open to vulnerabilities at any point, which is why Axis’ approach puts security first at every stage of deployment. Our core framework, the Axis security development model (ASDM), defines those crucial secure steps; ASDM covers everything from rigorous testing and analysis to stringent governance, ensuring all parties involved are aware of – and assessed on – their knowledge of potential threats. This forms the basis of every step of the product lifecycle.

Learn more: Watch Axis’ Cybersecurity online event, which took place on 23 September to discover more about the company’s approach to creating easy-to-manage, robust network video, access control and audio solutions. Register for the webinar to on-demand after the event, here.

Without secure development, exploitable holes in software or firmware can slip through the net. The US government’s National Vulnerability Database published over 8,000 vulnerabilities in Q1 of 2022 alone, a slight increase year-on-year, and every one of those could allow an attacker in. Scrambling to release a patch isn’t enough – ensuring a company and its vendors follow a defined framework like ASDM helps ensure that underlying software is secure by design and secure by default.

Protecting suppliers

Safeguarding the supply chain may be even more important. Your product being taken out of your hands, however briefly, means additional opportunities for subterfuge. Rogue agents could add compromised components or tampered hardware to the final product; even the distribution stage offers attackers the opportunity to install modified or malicious firmware which could compromise any security efforts made in the software development phase.

At Axis we combat this in two ways: our vendors deliver detailed information on their supply chain practices and provide verification that our released software has not been tampered with, and we secure our devices at the hardware level. Secure boot prevents the possibility of tampered firmware launching on deployed devices. Even if an attacker were able to install a malicious update, we ensure that our hardware can be rolled back to a trusted state.

Axis devices include our Edge Vault, which securely identifies new devices during installation and protects each device’s digital certificates and unique identifiers. As of 2022 we are introducing signed video, which verifies each video frame with a cryptographic checksum signed by the device’s unique ID. Putting security first in hardware design – using elements like TPM modules to store certificates and keys – makes for a difficult time for potential attackers.

Security’s holistic whole

We know that on-device security is not enough, so our solution necessarily goes beyond. Axis takes a proactive approach, working with our endpoint administrators to verify that hardware is deployed and maintained in the most secure way possible. Partly this is through the Axis Hardening Guide, which establishes both a solid baseline configuration and best practices for a hardened device management strategy that can keep pace with the evolving nature of cybersecurity threats. Our Device Manager tool is designed to be a one-stop shop for administrators which makes installation and maintenance easy – a single, easy-to-use tool makes the path to robust management straightforward. Transparent communication about known vulnerabilities is equally important.

Devices must obviously be maintained, and the vendor must play its part. A mature strategy of firmware development and deployment means listening to one’s customers and knowing their needs. Axis publishes quality-of-life and feature updates five or six times per year, but upgrading with that frequency (and changing the feature set) is neither desirable nor practical for many large organisations. Our long-term support tracks cut out feature additions and focus entirely on security and stability upgrades, rolling out twice a year at most – and, critically, helping our users retain third-party integrations by keeping the feature set of devices intact.

All devices inevitably reach end-of-life or end-of-support. When they do, users need to know – and they also need to know what to do next. They need clear communication on potential vulnerabilities which exist and will no longer be patched, and they need to know how to sanitise and properly decommission their hardware – something Axis transparently provides. This clear communication is a vital final part of the trust equation: an administrator left in the dark is neither secure nor happy.

Learn more: Watch Axis’ Cybersecurity online event, which took place on 23 September to discover more about the company’s approach to creating easy-to-manage, robust network video, access control and audio solutions. Register for the webinar to on-demand after the event, here.

Free Download: The Video Surveillance Report 2023

Discover the latest developments in the rapidly-evolving video surveillance sector by downloading the 2023 Video Surveillance Report. Over 500 responses to our survey, which come from integrators to consultants and heads of security, inform our analysis of the latest trends including AI, the state of the video surveillance market, uptake of the cloud, and the wider economic and geopolitical events impacting the sector!

Download for FREE to discover top industry insight around the latest innovations in video surveillance systems.

Download The Video Surveillance Report