Teamwork is one of the core engineering values here at Verkada. For me, it means stepping outside of your comfort zone and partnering with other parts of the company to get a project across the finish line. I most recently saw this value in action when I worked on Secure Boot: an essential security feature designed to prevent unverified firmware from running when a device is powered on or "booted."
This was a major initiative that was only possible with the support of multiple people and teams across the organization, all working toward the same ultimate goal of creating the most secure platform possible.
Understanding Secure Boot
Before jumping into the specifics, it's important to understand the foundation of Secure Boot, which consists of two critical processes:
First, when compiling firmware for our hardware devices, Verkada digitally signs it using a private cryptographic key.
Then, when a customer's system is starting up, their Verkada devices verify the digital signature and firmware's authenticity using the corresponding public key. If the firmware has been altered at any point, that device will not start up.
Secure Boot is one of many defenses our products have against the introduction of malicious code. Some other defenses include automatic software updates and using secure protocols such as Transport Layer Security (TLS) by default. Furthermore, we manage data and operations through a secure, authenticated link to our backend, ensuring robust security against cyber threats.
Secure Boot is an especially critical security feature because it was designed to prevent anything other than verified, authentic Verkada firmware from running right from the start. This means that even if all other defenses fail, the device will not boot inauthentic firmware — something that is particularly important because Verkada devices are installed in our customers' networks and facilities.
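The two steps described above (sign at build time, verify at boot), as an added example that is not Verkada's code. The image layout, the choice of Ed25519, and the names `NewDemoKeys`, `SignImage` and `VerifyImage` are assumptions made for illustration; the page does not say which signature scheme or image format the devices use.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed layout (constructed): "FWIM" | u32 BE payload length | payload | signature
var magic = []byte("FWIM")

const headerLen = 8

// NewDemoKeys returns a throwaway key pair; a production private key stays offline.
func NewDemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return pub, priv
}

// SignImage is the build-side step: frame the payload, then sign header+payload.
func SignImage(priv ed25519.PrivateKey, payload []byte) []byte {
	img := make([]byte, headerLen, headerLen+len(payload)+ed25519.SignatureSize)
	copy(img, magic)
	binary.BigEndian.PutUint32(img[4:], uint32(len(payload)))
	img = append(img, payload...)
	return append(img, ed25519.Sign(priv, img)...)
}

// VerifyImage is the boot-side step: the payload is returned only if it verifies.
func VerifyImage(pub ed25519.PublicKey, img []byte) ([]byte, error) {
	end := len(img) - ed25519.SignatureSize // signed region is img[:end]
	if end < headerLen || !bytes.Equal(img[:4], magic) ||
		int(binary.BigEndian.Uint32(img[4:8])) != end-headerLen {
		return nil, errors.New("malformed image")
	}
	if !ed25519.Verify(pub, img[:end], img[end:]) {
		return nil, errors.New("signature check failed: refusing to boot")
	}
	return img[headerLen:end], nil
}

func main() {
	pub, priv := NewDemoKeys()
	img := SignImage(priv, []byte("constructed firmware payload"))
	_, okErr := VerifyImage(pub, img)
	img[headerLen] ^= 1 // alter one payload bit after signing
	_, badErr := VerifyImage(pub, img)
	fmt.Println("authentic:", okErr, "| altered:", badErr)
}
```

Because the signature covers the header as well as the payload, and the declared length must match the signed region, a truncated or padded image is rejected before the payload is ever used.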
Bringing the Teams and Technology Together
We made hardware design changes to enable Secure Boot on Verkada devices, ensuring that when a device reaches a customer's hands, it's already booting authentic, signed firmware. Making these changes required close partnerships with even more teams across the company. For example, we worked closely with:
The hardware team to modify the electrical schematics for our devices.
The firmware team to design embedded software that could enforce the use of the Secure Boot firmware and block unverified firmware from loading.
The manufacturing partners to ensure our devices would be configured with the intended security settings during manufacturing.
Once these key pieces were in place, we needed a signing process that could sign firmware releases quickly while remaining robust enough to protect the integrity of each build. To make this a reality, we worked with the device teams for each product line to build extensive automation around the signing procedure to make it fast, repeatable and reliable.
Protecting Verkada's Private Cryptographic Key
Here at Verkada, we also go to great lengths to protect and ensure the legitimate use of our private cryptographic key. To protect the key — even if our production infrastructure were ever compromised — we keep it offline, using an unconnected signing facility. This is where teamwork comes into play: the security team, where I sit, couldn't have built this facility alone. Through this process, we partnered with:
The facilities team on constructing, planning and evaluating the physical security mechanisms that protect the offline facility.
The finance team on the budget to build out the facility.
Vendors to acquire specialized security hardware that is purpose-built for maintaining cryptographic keys.
IT to build out the supporting infrastructure to run the cryptographic hardware.
"We are all laser-focused on the priorities in front of us, and collaborating with and relying upon our peers for input, feedback, and even motivation ultimately enables us to more effectively achieve our goals."
It would have been impossible to roll out Secure Boot without dozens of people across multiple teams — and, more importantly, a shared understanding that Secure Boot is a key component of how we enable our customers to protect their people and places in the most secure, privacy-respecting manner possible. This kind of teamwork is what I love about being part of Verkada. So many different parts of the company come together to not only do what we set out to accomplish but to make it even better than we could have imagined at the outset.
Are you interested in joining the team here at Verkada? If so, check out the open roles on our careers page. We're always on the lookout for talented and passionate individuals to help build innovative solutions that make people safer.