NordVPN is a VPN that keeps its word. NordVPN promised five major security updates at the end of October 2019, and the company has been working on them non-stop. The security updates are offshoots of a reported incident involving NordVPN and a third-party datacenter. NordVPN has to take measures that will take its security to the next level, ensuring that nothing like that will ever happen again.
NordVPN’s plans are focused on the future. Some of those steps have always been part of NordVPN, but after the reported breach, they want to make them even stronger. Other measures are new features that will help the company go the extra mile in ensuring that they earn the trust of the public, the end-users, and the cybersecurity community.
NordVPN announced a partnership with VerSprite, a leader in operational risk management and security advisory services. VerSprite enables businesses to improve the protection of critical assets to ensure compliance and manage risk. The company helps clients chart a course that brings security and business together.
The partnership with VerSprite was an offshoot of news about a datacenter hack related to a single NordVPN server in Finland. It is essential to mention that no customer data was affected or accessed during the incident. While NordVPN’s applications remain as trustworthy as ever, the development left a negative impression on users, which led to the set of measures to improve its security.
The partnership between NordVPN and VerSprite focuses on penetration testing, intrusion handling, vendor risk assessment, and source code analysis.
Penetration testers play a crucial role in NordVPN’s security efforts. Their job is to prod the infrastructure for weaknesses and mitigate its vulnerabilities. This goal led to a long-term strategic partnership with VerSprite. VerSprite will work with Nord’s in-house team of penetration testers, who will challenge the infrastructure to ensure the security of customers. VerSprite will also help form an independent cybersecurity advisory committee.
NordVPN is also in contact with other big names in cybersecurity to work out better and cost-effective security practices and better business outcomes.
2. Bug Bounty Program
NordVPN announced a security plan that will make the company more secure than ever for 2020 and beyond. Any bugs in NordVPN’s system are now wanted dead or alive, with the company launching its bug bounty program.
NordVPN has just increased the size of its penetration testing team to potentially the entire cybersecurity community. Nord encourages its in-house penetration testers, talented white-hat hackers who work hard to keep NordVPN one of the most secure VPNs in the world. However, in-house penetration testers are very limited in number.
NordVPN opens its doors to enterprising cybersecurity pros around the world, who can now search the company’s system for any flaw, large or small, and get paid for it. Bug hunters are rewarded for anything that will impact the company’s service – from minor bugs to critical flaws. The reward system allows grey or black-hat hackers who find any weaknesses in Nord’s systems to notify the company for an easy payday instead of exploiting those flaws. The bug bounty program will have a profound effect on ensuring the quality and security of NordVPN’s service.
3. Infrastructure Security Audit
NordVPN plans to complete a full-scale third-party independent security audit in 2020. After an independent vendor is selected, the third party will conduct a review that will cover VPN software, infrastructure hardware, backend architecture, backend code, and internal procedures.
The 2020 security audit is not the first for NordVPN. NordVPN follows the example of other VPN providers by having its servers audited to reassure users that its servers are secure.
The infrastructure security audit, conducted by one of the big four auditing firms, showed that NordVPN does not store personal IP addresses and does not keep a log of internet activities of its subscribers.
Independent audits have become popular among VPN providers, including NordVPN.
4. Vendor Security Assessment and Higher Security Standards
NordVPN is in the middle of assessing the datacenters it works with after increasing the security standard its current providers have to meet. NordVPN is planning to build out a network of wholly-owned collocated servers and is now reviewing its infrastructure to ensure that there are no exploitable vulnerabilities.
NordVPN is currently in the finishing stages of its infrastructure review to eliminate exploitable vulnerabilities left by third-party service providers.
The aim is to make every part of NordVPN faster, stronger, and more secure, from the infrastructure and code to its teams and partners.
5. Diskless Servers
NordVPN has upgraded some of its servers to RAM servers and will continue doing so until it reaches 100% diskless servers. A diskless server is crucial because physically seizing it yields nothing. When removed from its physical location, a RAM server is nothing but an empty box.
NordVPN also plans to upgrade its more than 5,100 servers to RAM servers that will create a centrally controlled network with nothing locally stored, including the operating system, to ensure that if an attacker seizes a server, no local data will be found.
On December 11, 2019, NordVPN became a founding member of the VPN Trust Initiative (VTI). VTI is a coalition of leading VPN providers that speaks with one voice on US internet and cybersecurity policy and keeps lawmakers informed. NordVPN firmly believes that cybersecurity-literate lawmakers are key partners for a freer and more secure internet, with VPNs becoming a considerable part of that picture.
The VTI aims to institute change by getting in touch with three key groups: technologists, legislators, and end-users. The aim is to achieve a self-regulatory industry and change the trajectory of VPN discourse through the creation, advocacy, and validation of policies that aim to strengthen trust and transparency while, at the same time, mitigating risk for end-users.