Most VPN providers are able to offer thousands of servers in dozens of countries because they rent them. That’s a lot cheaper than buying the server hardware and then also paying a fee to each datacentre where a server is located for mains power and a fast, reliable internet connection.
In principle, renting servers is fine, as a VPN provider will install custom software, including the operating system, which only it can access.
However, with rented servers, datacentre staff still have some form of access to that server and, no matter how secure the system is, there is always a small risk it could be hacked.
This actually happened to NordVPN back in March 2018, and the company stopped using that particular datacentre and changed its minimum security requirements for choosing datacentres in future. It also apologised for not encrypting the data on the hard disks in the servers, which is what allowed the hack to take place.
Since then, NordVPN has been reconfiguring its rented servers so they run in RAM and write no data (including encryption keys) to the hard drives, which makes it almost impossible to steal those credentials. It’s still in the process of converting all 5000+ servers to be diskless.
On 6 October the company announced that it would begin to install its own servers at datacentres, wholly owned and managed by the company and with zero access for datacentre staff.
The rollout has started in Finland, and NordVPN says that more will be up and running in other locations before the end of 2020.
It calls these ‘colocated’ servers, and says they are just one step in heightening the security of the service.
Marijus Briedis, CTO of NordVPN, explained: “The greatest advantage of having colocated servers is their complete ownership, which guarantees access only by our authorized people. We run our VPN service from a remote location, while the servers are housed in a secure facility with continual power supply, strong internet connectivity, and maximum security.”
Few VPN services own and operate their own servers. VyprVPN has done this for a long while, and some of IPVanish’s network is wholly owned and managed by the US-based provider. On a smaller scale, Swedish VPN company Hidden24 also runs its own proprietary hardware.
NordVPN is certainly working hard to improve users’ trust in the service. Recently its no-logs policy was audited and found to work as stated by PwC Switzerland, and it is also one of the founding members of the VPN Trust Initiative.