Skip to main content

Keeping AXIS OS devices secure from deployment to decommission

Keeping AXIS OS devices secure from deployment to decommission

As cyber threats become more common and sophisticated, it’s increasingly important for you to prioritize cybersecurity. A successful cyberattack could cripple your network and operations, costing you time and resources to rectify, not to mention the lost revenue due to the disruption. Although networked devices have become critical to improving business operations, they represent a potential access point for malicious actors. It is important to maintain the security of your Axis devices, which means keeping up with the regularly scheduled updates that we provide through our Linux-based operating system, AXIS OS.

In this article, we take a behind-the-scenes look at AXIS OS, examining how we proactively discover and manage vulnerabilities and embed security during our development, helping you to keep your operations and valuable data safe.

A closer look at AXIS OS

Before diving into the different options for ensuring the security of devices, it is useful to discuss AXIS OS in more detail. AXIS OS has come a long way. Since 2016, we transformed development from being ‘per product-based firmware’ into a software platform that is the foundation for a wide variety of devices in the Axis product portfolio. Having AXIS OS as a common platform enables scalable maintenance, efficient product development, and allows partners to easily integrate the Axis portfolio into their solutions.

AXIS OS core software composition consists of a strong base of third-party open-source components. This starts with the Linux kernel as a base operating system all the way up to the application layer, where we have Apache, OpenSSL, and other components handling major functionalities.

The open-source approach involves joint community work, shared maintenance, and public source code reviews. This is very much in line with how Axis aims to build long-term, viable cybersecurity through transparency and collaboration, instead of a false sense of security through closed systems that obfuscate or even encrypt the software composition.

On top of our strong open-source foundation, AXIS OS consists of a broad set of functionalities that are developed by our in-house R&D team to fulfil the use cases and needs of our customers. As these needs change, new functionalities can be added and are guided by the Axis Security Development Model (ASDM). ASDM ensures security is an integrated part of Axis software development. It aims to minimize security-related business risks for customers and avoid potential vulnerabilities through threat-modelling, risk assessment, static code analysis, internal and external penetration testing, and other established secure software development techniques. 

Keeping your AXIS OS device secure

Although security is baked in during the development phase, the single most important step that you can take is to upgrade your device to the latest available version of AXIS OS. We provide two options to keep AXIS OS up to date: the active track and the long-term support (LTS) track.

In the active track, AXIS OS is continually updated with new features and security patches, and older, less secure technology is removed. In some cases, features could be removed or disabled to increase the security of the device. This means that on the active track, the cybersecurity level is continuously increasing until the device reaches its end of life and moves to its final LTS track.

In contrast, the LTS track is focused on ensuring compatibility and robustness towards third-party systems. The updates are limited to security patches of existing functionality, which include updating software components with known vulnerabilities.

As time progresses, the overall cybersecurity level of the device and its AXIS OS operating system is higher on the active track compared with the LTS track. This is because it has an evolving feature set compared to the static feature set of the LTS. To read more about AXIS OS tracks visit the AXIS OS Portal.

 For secure, easy, and reliable upgrades of AXIS OS we recommend using our tools, AXIS Device Manager or AXIS Device Manager Extend.

End of AXIS OS maintenance for a product

Eventually all products will stop getting AXIS OS active track upgrades and will only be supported on a LTS track. When the support for the last supported LTS track has expired, software maintenance for the product will end and no further upgrades will be released. We recommend that devices that are no longer supported be removed from operation; if not, a full risk analysis should be performed before implementing compensating controls or countermeasures; for instance, implementing additional network access control mechanisms.

Managing vulnerabilities effectively

Even with the most diligent update schedule, it’s important to remember that devices will never be completely secure and, therefore, free from vulnerabilities. The management of vulnerabilities is acritical, continuous effort, and it is our responsibility to provide patches for our products. Becoming an approved Common Vulnerability and Exposure (CVE) Numbering Authority (CNA) to interface with external researchers and organizations ensures we follow industry best-practices and guidelines for managing and disclosing vulnerabilities.

Cybersecurity needs continuous vigilance and care

Although we are committed to ensuring the highest standard of cybersecurity on our devices through AXIS OS, cybercriminals will dedicate time and resources to infiltrating networks. In the face of such a serious threat, a culture of monitoring and vigilance is key to ensuring that devices are assessed and updated regularly with the latest security software through its lifetime. In this way, end users can continue to keep their valuable and sensitive data secure.

Click here to find out more about AXIS OS
To top