Meet Nord Security: The company behind NordVPN wants to be your one

NordSec's Tom Okman is working on a proof-of-concept that "might render antivirus systems useless." 

How the top VPNs compare: Plus, should you try a free VPN?

We tested the best VPN services -- focusing on the number of servers, ability to unlock streaming services, and more -- to determine a No. 1 overall. Plus, we tell you whether free VPNs are worth trying.

Read now

Welcome to our in-depth look at the folks behind NordVPN. As the company moves into a broader range of security products, we felt it was important to understand the company's offerings and, perhaps more important, the company's background and legal foundation. After all, Nord Security co-founder Tom Okman said if he delivers on his 2025 ambition, the company "will be a global synonym of digital privacy and cybersecurity."

Today, Okman oversees one of the most popular virtual private network services globally. NordVPN protects data transmitted to and from the internet for approximately 14 million consumers. Now, the people who make NordVPN want to store and protect all your passwords, your confidential files, and want to extend NordVPN's protections to small and large businesses.

The future of business is remote

Most every organization has been thrust into the future of work. What will determine failure or success in this brave new world?

Read now

Another name that often comes up when discussing NordVPN is Tefincom S.A. Tefincom has long been credited as the Panama-based operator of NordVPN. Interestingly, there's a Dun & Bradstreet record for Tefincom, listing the company as located on the island of Cyprus -- not Panama. While there are four D&B records for NordSec, none of them are for Okman's firm.

As it turns out, Tefincom owns the US trademark, registration number 5299477, for NordVPN. While the first use of the term NordVPN dates back in the filing to September 30, 2012, the trademark was filed on October 3, 2016, and was finally registered on October 3, 2017.

So now we have three countries: Panama, Cyprus, and Lithuania, and three companies: NordSec (now Nord Security), Tefincom, and Tesonet.

The best antivirus software and apps

A roundup of the best software and apps for Windows and Mac computers, as well as iOS and Android devices, to keep yourself safe from malware and viruses.

Read now

In 2019, the company reported a substantial security breach. Nord Security reported that they implemented remediation steps as well as introducing a bug bounty program as part of an extensive security overhaul.

Regarding that breach, Okman told us, "The security incident occurred in 2018. Our research indicates that it happened on or around March 5th on a single server in Sweden. Unsecure account was deleted by ISP on March 20th, making any unauthorized access to the server virtually impossible. We became aware about the incident a year later and immediately started an internal audit, and heavily upgraded the security of our infrastructure."

For years, I've been pushing VPN companies to commission independent audits. Because so much data runs through VPN services, it's essential to know how well data is being protected. In addition, many VPN providers claim that they keep no records, so if a government wants to examine customers' surfing history, there's no data to provide. For the safety of their at-risk customers, it's essential to get an independent review of whether anonymity is, in fact, protected.

To its credit, Nord Security has made a number of moves in this direction. 

Audit of no-logs claim:In 2018, NordSec retained PwC (PricewaterhouseCoopers) to conduct a comprehensive audit of their no-logs policy for their consumer VPN product. PwC is the second largest professional services firm in the world and is one of the Big Four accounting firms. The result was that PwC determined that NordSec's claims are valid. Given that Nord Security's data may be vulnerable to MLAT jurisdiction, it's all that much more important that no data be logged for security-conscious VPN users.

App security audit: In late 2019, NordSec commissioned a comprehensive app security audit of the NordVPN product. The audit was performed by cybersecurity consulting firm VerSprite, founded in 2007 and headquartered in Atlanta, Georgia. According to NordSec's report on the audit, VerSprite conducted penetration testing and looked for vulnerabilities and ways to gain access to confidential user data. The audit found some security vulnerabilities that were fixed. It's unclear whether this audit took place before or after the breach.

NordPass audit: Password managers are unique in that they're entrusted with all our most critical information: our logins, passwords, credit card numbers, and even bank account information. The success of a password manager revolves around maintaining customer trust. To that end, NordSec commissioned its third audit, this time by security firm Cure53, located in Berlin. Nine vulnerabilities, and eight other issues, were documented by the auditors and reported as fixed by NordSec.

To ensure customer confidence, we encourage Nord Security to conduct these audits on a yearly basis. It's been two years since the no-logs audit, and considering all the growth going on in the company, that's a long time.

And with that, let's look into each of Nord Security's offerings in detail.

NordVPN

First up is NordVPN, the product/service that started it all. Founded in 2012 by Okman and his partner, the VPN service is in use by millions of users across the world. In an exclusive report for PCMag  by analyst firm VPNpro.com , PCMag reported that NordVPN had the most Google interest of any VPN service, with 1.29M searches per month as of February 2019. 

We're not going to go into too much detail here, because we've covered NordVPN in-depth as part of our best of VPNs articles, my in-depth review, and even a profile Q&A with CMO Marty Kamden. If you're curious about the VPN product, go ahead and read those articles.

• Inside a VPN service: How NordVPN conducts the business of Internet privacy

• NordVPN review: Revamping security practices, but still useful

NordVPN Teams

Launched in 2019, NordVPN Teams is Nord Security's first push into SMB and enterprise offerings. The company's goal, according to Okman, was to create a competitive B2B VPN service that would keep all the best characteristics of business VPNs, but at the same time would be cloud-based, and easy to configure and use. 

He contends that what separates NordVPN Teams from traditional B2B VPN services is that it does not require a separate IT department to set up the service. He promises that employees of all backgrounds can learn how to get the most out of it in minutes.

The product is sold in three tiers: basic, advanced, and enterprise. The basic tier offers centralized billing and license transferability, along with the usual VPN features. The slightly more expensive advanced tier offers a dedicated account manager, dedicated servers, custom gateways, and reporting and logs. This latter might be problematic for some VPN users who are loath to have any records kept by anyone.

Finally, at the enterprise level, Nord Security is offering enterprise-centric features like centralized configuration and management, LDAP and Active Directory, API access, site-to-site VPN, and custom branding.

Nord Security also offers a special plan for NGOs (non-government organizations, typically nonprofits). 

Given the move to remote work in the COVID-19 pandemic, NordVPN Teams could find more of a receptive audience than it would have otherwise. 

NordLynx

When it comes to tracking where Nord Security is going in the VPN market, we have to discuss the company's adoption of WireGuard technology.

ZDNETRecommends

The best password manager: Business and personal use

Everyone needs a password manager. If you're willing to pay a monthly or annual fee, these options are worth it.

Read now

Probably the best way to understand WireGuard is how it compares to OpenVPN, one of the most popular VPN security implementations. Compared to OpenVPN, WireGuard uses only 4% of the number of lines of code. This is important, because the more complex a software project is, the harder it is to manage. When it comes to a security implementation, the bigger codebase makes it far harder to find problems and far more likely that a vulnerability is hidden somewhere in the code.

The 4,000 lines of code in WireGuard compared to 100,000 in OpenVPN inspire glowing praise. Even the legendarily curmudgeonly Linux creator, Linux Torvalds, waxed poetic. On the Linux Kernel Mailing List he wrote, "Can I just once again state my love for it?" He continues, "Compared to the horrors that are OpenVPN and IPSec, it's a work of art."

That brings us to NordLynx, Nord Security's next-generation tunneling solution built on top of WireGuard. WireGuard provides the advanced cryptography and lean implementation but lacks server-side capabilities that a VPN provider needs for widespread deployment.

According to Okman, "so around a year ago, we came up with a technological solution to the privacy problem, called it NordLynx, and launched it as an option for our Linux users."

He says coding took almost a year of polishing, testing and patching until the technology was ready to scale, but the company has been able to release it for all of its platforms. Okman says, "so far, the feedback exceeds our expectations. We knew from our tests that NordLynx is fast, but we didn't expect such a positive response from our users."

The speed tests he's referring to were 256,886 field performance measurements by the company. They performed nearly 8,200 tests every day for a month. While the distance between a VPN server and the content server has the greatest impact on users' perceived performance, NordLynx was able to double the performance over OpenVPN and IKEv2.

There are three net positives from the development and adoption of the NordLynx protocol:

1. The underlying cryptographic technology is far more robust and easier to maintain than the OpenVPN implementation.

2. Cryptographic technologies such as the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, and HKD are much more secure and up-to-date than those of previous implementations.

3. Any speed improvement is a win. Doubling performance is always something appreciated by users.

With NordLynx, the company has been able to leverage a cutting-edge open source technology and adapt it to fit their product and service needs.

NordPass

With NordPass, the company aims to take on market leaders like LastPass and 1Password in the password manager wars. 

Also: Best password managers for business in 2020: 1Password, Keeper, LastPass, and more

It's a big step into a very crowded and entrenched market. Not only are there a great many contenders, but the nature of the product also provides a natural form of lock-in. Even though the amount of data stored is low compared to, say, cloud file storage services like Dropbox, data migration isn't particularly easy or reliable.

That said, Nord Security does have two advantages with NordPass. First, it has an enormous and generally satisfied privacy-minded installed base using its NordVPN service. This gives it a lot of potential customers to tap. Second, the company has implemented .csv (comma-separated values) import templates for many of the top password managers and browser password caches.

8 habits of highly secure remote workers How to find and remove spyware from your phone The best VPN services: How do the top 5 compare? How to find out if you are involved in a data breach -- and what to do next 8 habits of highly secure remote workers

How to find and remove spyware from your phone

The best VPN services: How do the top 5 compare?

How to find out if you are involved in a data breach -- and what to do next

Editorial standards Show Comments