Cybersecurity - Axis M5000 User Manual

AXIS M5000 PTZ Camera

Cybersecurity

Axis Edge Vault
Axis Edge Vault provides a hardware-based cybersecurity platform that safeguards the Axis device. It offers features to guarantee the
device's identity and integrity and to protect your sensitive information from unauthorized access. It builds on a strong foundation of
cryptographic computing modules (secure element and TPM) and SoC security (TEE and secure boot), combined with expertise in
edge device security.
Signed firmware
Signed firmware is implemented by the software vendor signing the firmware image with a private key. When a firmware image has this
signature attached to it, a device validates the firmware before agreeing to install it. If the device detects that the firmware
integrity is compromised, the firmware upgrade is rejected.
Secure boot
Secure boot is a boot process that consists of an unbroken chain of cryptographically validated software, starting in immutable
memory (boot ROM). Being based on the use of signed firmware, secure boot ensures that a device can boot only with authorized
firmware.
Secure keystore
A tamper-protected environment for the protection of private keys and secure execution of cryptographic operations. It prevents
unauthorized access and malicious extraction in the event of a security breach. Depending on security requirements, an Axis device
can have either one or multiple hardware-based cryptographic computing modules, like a TPM 2.0 (Trusted Platform Module) or a
secure element, and/or a TEE (Trusted Execution Environment), which provide a hardware-protected secure keystore. Furthermore,
selected Axis products feature a FIPS 140-2 Level 2-certified secure keystore.
Axis device ID
Being able to verify the origin of the device is key to establishing trust in the device identity. During production, devices with
Axis Edge Vault are assigned a unique, factory-provisioned, and IEEE 802.1AR-compliant Axis device ID certificate. This works
like a passport to prove the origin of the device. The device ID is securely and permanently stored in the secure keystore as a
certificate signed by the Axis root certificate. The device ID can be leveraged by the customer's IT infrastructure for automated secure
device onboarding and secure device identification.
Signed video
Signed video ensures that video evidence can be verified as untampered without proving the chain of custody of the video file. Each
camera uses its unique video signing key, which is securely stored in the secure keystore, to add a signature into the video stream.
When the video is played, the file player shows whether the video is intact. Signed video makes it possible to trace the video back to
the camera origin and verifies that the video has not been tampered with after it left the camera.
Encrypted file system
The secure keystore prevents the malicious exfiltration of information and prevents configuration tampering by enforcing strong
encryption on the file system. This ensures that no data stored in the file system can be extracted or tampered with when the device is
not in use, when unauthenticated access to the device is achieved, and/or when the Axis device is stolen. During the secure boot process, the
read-write file system is decrypted and can be mounted and used by the Axis device.
To learn more about Axis Edge Vault and cybersecurity features in Axis devices, go to axis.com/learning/white-papers and search for
cybersecurity.