Moving the VPN industry forward: a Q&A with NordVPN

Can you tell us more about the partnership agreement you have with VerSprite? How often will your server be audited? Will the audits include the source code and the hardware? Has the IPMI vulnerability that was the source of the October breach been fully fixed across your network? If not, when do you plan it to be done? If yes, has it been audited already? Will it be audited on a regular basis?

We started the strategic cooperation with VerSprite as an additional measure to improve our security and raise the overall quality of service to a new level. VerSprite audited our application security audit in the past. Now, they are taking care of comprehensive penetration testing, examining our intrusion handling, and assessing vendor risk. 

We took preventative measures to deal with potential IPMI vulnerabilities before the partnership with VerSprite. We performed a full VPN server network assessment and restricted IPMI access to only a handful of whitelisted IP addresses. On the same note, any unauthorized access through IPMI will be of no use, since all our servers will run from RAM soon. 

Your Linkedin profile mentions that you are the cofounder of NordSec and Tesonet as well as a shareholder of popular web hosting company, Hostinger. What is your corporate structure? Can you explain how all these companies are related?

Tesonet was founded in 2008. From day one, the company had been developing all kinds of more and less successful projects: from computer games to web hosting solutions. Now Tesonet is one of the biggest tech accelerators in the Baltics. It incubates and invests in internet and technology companies globally, provides operational support, and helps to build market-leading companies. 

Tesonet and us as individuals have invested in and helped grow over 50 different projects and ventures, including web hosting provider Hostinger, gaming platform Eneba, proxy infrastructure provider Oxylabs, and others. All of these companies are mature, independent and operate completely on their own. We also provided ProtonVPN with operational and HR support when they decided to open an office in Vilnius.

Contrary to all the myths and rumors, operations by different services have never been related to each other. The only common resources are the centralized HR and legal teams. We have strictly relied on this philosophy from the beginning in order to avoid any possible conflict of interest. 

NordVPN was one of the first major projects we took part in, and we’ve been working closely with its development from the earliest days. Incorporated in Panama, NordVPN provides all-around security and privacy protection to its customers and over the years became the leading VPN service in the world. 

At first, a decision was made to keep Nord’s corporate structure private — back then, we didn’t have enough resources and legal muscle power to deal with all kinds of scenarios that might occur when you run a no-logs VPN service. However, the industrial landscape has changed, we have grown a lot, more and more new VPN services have emerged, so transparency became more important than ever. It became clear that, as market leaders, we must cherish a trust-based relationship with our customers and be open about who we are and how we operate. That was one of the reasons why NordSec was created. 

NordSec is an umbrella name for all Nord family services. It is an independent, global, security- and privacy-focused organization with offices and operations in the United Kingdom, Cyprus, the USA, Lithuania, Switzerland, and Panama. NordSec is the place where advanced security solutions that share the Nord brand, values, and goals are built.

2019 has been, for NordVPN, nothing short of an annus horribilis. What lessons have you - on a personal - and your company learnt from it and how do you plan to bounce back?

While 2019 had its ups and downs, it was extremely productive and provided us with invaluable experience and lessons. 

Over last year, we launched three new products: NordLocker, a file encryption tool; NordPass, a robust password manager; and NordVPN Teams, a VPN solution for businesses. We also implemented NordLynx, a next-generation VPN technology built around the Wireguard® protocol. NordVPN underwent a third-party application security audit performed by VerSprite. Our social responsibility program took shape, now supporting over 40 different non-profit organizations all over the world. 

After the incident with one of our servers in Finland, we established a strategic partnership with VerSprite - a global leader in cybersecurity consulting and advisory services. And we put a huge amount of extra effort and resources towards improving our security. Everything that happened last year made NordVPN a better service, and we are not planning to stop.

The general trend we’re seeing in the VESPA market (VPN, Encryption, Security, Privacy, Anonymity) is a gradual shift to integrated solutions. With NordLocker and NordPass, NordSec is gradually moving towards an Office-365 structure. Many services, one fee. Do you have any imminent plans for NordLocker-type extras? What more general long-term ambitions do you have? What do you want NordVPN to become? 

We aim to create a security suite under Nord’s name, which could be easily used by anyone and cover the most sensitive aspects of people's digital lives. While NordLocker and NordPass are relatively young products, we are always innovating and exploring new possibilities. We have significantly expanded our R&D team, which focuses on the research of new technologies that could benefit online security and privacy.

NordVPN recently joined the i2Coalition (VPN Trust Initiative) which seeks to bring together like-minded businesses that seek to promote privacy globally. Why have you done this, what do you want to achieve, and then, how does it feel to work closely with some of your fiercest rivals?

The idea to form VPN Trust Initiative was born from realizing that the VPN industry is facing threats that are impossible to tackle single-handedly. We discussed these issues with other reputable names of the industry and realized that by joining forces we could do something about it. The i2Coalition was a perfect organization to help turn this plan into reality. 

So now, the VPN Trust Initiative is dedicated to serving as the voice of the VPN industry, strengthening public trust in VPNs, promoting appropriate guidelines, as well as advocating security and privacy. None of the members of VTI are trying to use the coalition to gain competitive advantage, and that helps us to work together successfully.

Earlier this year, NordVPN suggested that they’ve come up with an advanced solution that would dramatically increase the connection speed. Can you shed more light on this technology? How different is it from Anchorfree’s Hydra protocol?

We have developed a solution that significantly reduces the time required for TCP packets to travel between a client, a VPN server, and their ultimate destination (e.g, a website). It is especially noticeable in long-distance connections, e.g. from Europe to the US. We have a patent application pending for this technology, so at the moment I can’t give any more technical details. However, there will be more information released once the status on the application is updated.

How far are you with the integration with Wireguard? When will it be available? What have you learned from the tests so far, what’s good, what’s bad? What are the complications? What should we expect?

So far, NordLynx looks very promising, especially in terms of performance. Linux users have been using the protocol for some time already, and the other apps will receive an update within the upcoming months. We had a few bumps in the road when preparing the infrastructure for scaling, as processing overhead caused stability issues on our servers. Nevertheless, we found a way to fix that, and NordLynx will soon be available for all of our customers. 

NordVPN is rolling out diskless RAM servers, can you tell us when the roll out will be completed and how are your plans to beef up infrastructure security going on?

Everything is going according to plan. New RAM servers are added each week. Now, approximately half of our infrastructure has been moved to the diskless setup and, if everything goes as expected, the transition should be completed within 6 months. We are also very happy with the results of our bug bounty program — researchers from all over the world already helped us strengthen our service significantly. NordVPN is the first major VPN service provider with a transparent, public bug bounty program, and we hope that it will inspire others to join and make the industry better.