Nord Security 彙整 - 第 9 頁，總計 10 頁

Projections of Zero Trust security

Recent years took cybersecurity to a new level — digital transformation, migration to the cloud environments, and remote work became the synonyms of technological business evolution. The new approach pushed such tech terms as VPN (Virtual Private Network), S(A)SE (Secure (Access) Service Edge), MFA (Multi-Factor Authentication), and many more that turned into essential modern cybersecurity elements.

Zero Trust is one of those most critical terms that already live rent-free in IT managers’ heads. It’s way past the emerging buzzword stage — now, Zero Trust is a security model that dictates organizational cybersecurity strategies and general security approaches.

But how influential is the Zero Trust model? What’s its role in the near future and its place in a broader picture of cybersecurity? Let’s take a look at what trends to expect in the Zero Trust department.

Password is dead; long live Zero Trust?!

The new cybersecurity era will likely be marked by another iconic moment in the digital age. Rumor has it that we will be done with the passwords in 2023. Hard to say if it’s true, but passwords as single-factor authentication are outdated in the context of the current cybersecurity landscape.

Lost or stolen credentials surge black markets imposing risk to data security. A glance at the high numbers of the latest data breaches of 2022:

Slash Next reports 255 million phishing-related attacks in 6 months — a 61% increase compared to 2021.
According to Verizon, weak or stolen passwords contributed to 81% of hacking-related data breaches. 82% of breaches were triggered by human error (including social engineering attacks).
Nvidia suffered an attack and lost the credentials (email addresses and Windows password hashes) of 71,000 employees.

Keeping in mind that 73% of employees recycle the same personal passwords for work-related accounts – NordLayer’s research about bad cybersecurity habits concluded weak passwords as one of the top vulnerabilities of organization security – the number of leaked personal credentials is a huge red flag for organizations.

Despite education and targeted reminders of password hygiene, more than half (59%) of workers tend to reuse passwords while being familiar with existing risks.

The remaining high data breach statistics only confirm the insufficiency of current actions regarding securing credentials and company data accordingly.

The Zero Trust mindset to ‘trust none; verify all’ is a straightforward change for companies to dismiss careless passwords from their systems and elevate security levels effectively.

A quick recap: ZT, ZTA, and ZTNA

Zero Trust (ZT) is a trust algorithm that ensures resources within specific networks can be accessed only by verified endpoints — devices or users. Yet when discussing cybersecurity, additional concepts of Zero Trust Architecture (ZTA) and Zero Trust Network Access (ZTNA) emerge — what’s the difference?

overlaping charts showing differences between cybersec solutions

An easy way to differentiate Zero Trust, Zero Trust Architecture, and ZTNA is to define Zero Trust as the driving idea, model, or mindset that puts the theoretical foundation for the application of the method.

The Zero Trust principle turns attention to the main focus points:

Make sure to check and verify every endpoint connection request to the network.
Solely job-mandatory access rights must be granted to perform role objectives.
Plan for the maximum constraint of user movement in the network in case of a breach.

Zero Trust Architecture is a practical application of the Zero Trust approach when building security policies and IT infrastructure as if there was no traditional perimeter. ZTA combines and implements solutions for:

Endpoint verification
Network supervision.

ZTNA is a segment of Zero Trust Architecture that provides a solution to trusted-only application access. ZTNA is integral to the SASE and SSE frameworks for establishing security in remote cloud environments.

What changes does Zero Trust employ: ZTNA’s focus

Instead of discussing Zero Trust at theoretical levels, it’s beneficial to investigate ZTNA to understand what changes it suggests and how companies apply them.

According to Statista, the most common solution organizations used to enable Zero Trust segmentation in 2021 was ZTNA. Identity, Credential, and Access Management followed it.

The popularity of ZTNA comes from its adoption as a more efficient identity- and context-supported solution for controlling increasing attack surfaces in hybrid environments.

As ZK Research indicates, VPN was a go-to solution to manage and protect companies’ IT perimeters. However, VPN performance and security fallbacks brought by backhauling network traffic and open network access make it refer to VPN as a remote work solution only as a temporary one.

Therefore, to secure and connect remote workers while managing distributed endpoint, user, and application networks under the organization’s scope, companies turned to secure network access (SaaS, cloud, and edge) solutions, including ZTNA.

Shrinking the attack surface – limiting the threat actor’s activity in the network by requesting additional authentication or assigned permits to access internal applications – is the key feature of the ZTNA solution.

Prospects of Zero Trust in cybersecurity

Cyberattacks continuously challenge everyone, from consumers to federal agencies, hitting the weakest link — passwords. Attacks are disrupting business operations from intelligence businesses to manufacturers — any company with internet-connected systems and networks is vulnerable.

The Zero Trust approach can mitigate hardly controllable external and internal factors that might lead to a breach. ZTNA enables IT administrators to monitor, manage and interact with connections between endpoints and ultimately conclude whether the connection should be approved or denied.

Driving factors of ZTNA adoption

The peak of ZTNA matched with hybrid and remote work developments globally introduced by the COVID-19 pandemic. Although opinions tend to clash, remote work is here to stay, and ZTNA maintains its importance to business network security.

To securely return to old ways of working – the static office-contained perimeter, which is the least challenging to maintain and control – all of the workforce should come back to their corporate desks.

Migration to the cloud is gaining momentum as it offers more flexibility and reduces the complexity of traditional IT perimeter.

The password more often causes security issues than prevents it and needs to be reconsidered and redesigned to move to more sustainable solutions.

Evolved understanding of a workplace with WFA (Work From Anywhere) quickly showed the comforts of working from home or cafe, answering work emails from a personal phone, or watching TV series on a corporate laptop after working hours. Yet these blurred lines stretch the reach of unapproved applications and devices blending into the company network.

Although the digital landscape and new modern habits might be alarming, going backward seems unrealistic. Thus ZTNA helps manage current cybersecurity challenges in this technological evolution.

State of remote work

There’s no denying that companies will have to accept the turned tables — employees now consider not how many days they will decide to work from home but how often they are willing to show up in the office.

If the workforce is not to return to the office full-time, ZTNA naturally cannot be discarded from the company’s cybersecurity strategy.

According to ZK Research 2022 Work-from-Anywhere Study, just one – or even less – out of 10 employees consider 100% work on-site, leaving most of the workforce a risk factor to data and application security.

How do companies adopt Zero Trust?

Zero Trust is dominant in creating security strategies. Statista survey revealed that one-third of polled companies, as of January 2022, already had a formal strategy actively embracing a Zero Trust policy. Only 20 percent of respondents had no Zero Trust strategy as of 2022.

Statista also concluded that almost one-fifth of respondent organizations completely discard the Zero Trust model as a cloud security strategy while the vast majority (81%) fully or partially embrace Zero Trust model guidelines for building internal security policies.

It’s safe to say that Zero Trust has been assigned an important and influential role in shaping the security infrastructure face. The mindset combines Zero Trust backed practices of accountability, consistency, dependability, and transparency to activities and processes within the organization network.

How to transition to Zero Trust?

Benefits for businesses that adopt ZTNA to enhance the security of their network. Deploying Zero Trust-based features establishes secure cloud access and allows network segmentation for least privileged access to resources.

The model reduces insider threat by protecting internal applications and lowering the potential of account breach risk. Overall, ZTNA adoption supports the company’s journey to achieving compliance requirements.

ztna quote from internal expert at NordLayer

Zero Trust Network Access is a predominant framework of any setup that deals with hybrid work as an alternative to VPN. NordLayer solution makes implementation of ZTNA easy and integrable despite the existing infrastructure in your company. Reach out to learn more about securing your business network with ZTNA within minutes.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

VPN vs. proxy: which should your business choose?

Are you worried about employees leaking private information as they browse the web? If so, you’re probably considering setting up a Virtual Private Network (VPN) or proxy server.

Both technologies mask traffic and conceal your location. But there are significant differences between proxies and VPNs that users need to know. Let’s explore the VPN vs proxy contest in more detail and help you find the ideal privacy solution.

What is a VPN and how does it work?

VPNs are networks that route traffic through private servers before sending it to its destination. When users log onto their VPN client, the service uses special protocols to create a “tunnel” connecting data sources and destinations.

VPNs offer a couple of important security and privacy services:

Anonymization. Traffic routed through Virtual Private Network servers is assigned a new IP address. This anonymizes the data source, making it hard for outsiders to track online activity. Outside observers may know you’re using a VPN connection, but your original IP address will be inaccessible.
Encryption. VPNs encrypt data from the user device to the virtual private gateway. Any web traffic passing through a remote access VPN server is basically unreadable to outside observers while it is encrypted. Users can still browse the web or access streaming content. But their information and activity will remain private. This is very useful when dealing with financial data.

VPNs are usually paid services. A third-party VPN provider will maintain servers around the world and manage encryption. Users log on via clients, which can be integrated into web browsers if desired.

VPNs also work at the operating system level. This means they cover all traffic leaving or entering a network. They are not restricted to single apps.

What is a proxy and how does it work?

Proxies also use external servers. These proxy servers route traffic from user devices and give each data packet a new IP address. As far as outsiders are concerned, user traffic comes from the proxy’s remote server. This is a major benefit when accessing geo-restricted web content.

On the downside, proxies do not feature data encryption. They can anonymize the identity of a user but not the data they send. Sensitive data remains exposed to attackers, making proxies unsuitable for a business internet connection.

Proxies also tend to be associated with individual applications. They process traffic from web browsers or streaming games. But proxies do not provide all-around privacy at an operating system level.

Understanding the main proxy types

There are various different types of proxy servers, and each has its own use cases:

HTTP proxies. Designed to work with web pages and browsers. You can configure Chrome or Edge to route all HTTP traffic through a proxy, or just assign proxy routing to specific websites.
SOCKS5 proxies. SOCKS proxies work on the application level and route traffic from specific apps. For example, a SOCKS5 proxy could be assigned to route Skype conversations securely. SOCKS5 proxies are flexible but tend to be slower than HTTP versions.
Transparent proxies. Generally invisible to network users. A transparent proxy can filter web traffic and monitor activity. This makes them useful in settings like schools and libraries. Parents could also use them to filter the content available to children.
Private proxies. Private proxies provide a dedicated IP address for each user. This does not provide as much privacy as VPNs. However, it can help unblock geo-restricted websites and improve proxy speeds.

Key differences between proxy and VPN

We now know the main features of proxies and VPNs. But here’s the all-important question. How do VPNs and proxies differ, and which one should you choose?

1. VPNs provide encryption

Encryption is the most important difference between VPNs and proxies and probably the key consideration for business users. When you use a VPN, all of your internet traffic is encrypted.

The best paid providers use AES-256 encryption that has no known weaknesses. Encrypted data will be off-limits to thieves, limiting the risk of leaking commercial data. A remote work VPN will also lock down connections between home workers and central offices. So you can establish a secure connection between workloads and user devices.

Proxies never encrypt traffic. All they do is re-route packets and provide IP address anonymization. That can be useful when accessing blocked web pages. But data security will be relatively weak.

2. VPNs handle all traffic, proxies work with individual apps

VPNs function at the operating system layer. They apply encryption and anonymization to all data passing across network boundaries. Businesses do not have to install software on individual apps or configure settings for each service. Privacy controls apply over-the-top – a more convenient solution.

Because they work on the application level, proxies are used with specific software or services. They won’t cover all network connections, potentially leaving security gaps.

3. Proxies may be faster

Proxies don’t need to encrypt data as they route it worldwide. VPNs do. This imposes extra bandwidth overheads. VPNs may be slower, as a result, sometimes making them unworkable for streaming tasks.

However, the best VPNs match proxies in terms of speed. Free proxies generally use cheaper, less extensive infrastructure. So while they use more basic technology, they may be slower than VPN alternatives.

4. You’ll usually pay for VPNs

Proxies have low maintenance costs for providers and are usually free for users. At least, they are free at the point of use. As with most free services, proxy customers are the product. Expect your data to be stored and sold to third parties for marketing purposes.

There are free VPNs as well. However, paid services are recommended for business customers. Paid VPNs charge small fees and provide higher-quality encryption, speed, reliability, and anonymization. They also have stricter anti-logging policies. Your data should remain private and won’t be resold.

Unlike most proxies, good VPNs combine these services with customer support. All-in-all, they deliver much better online privacy for high-end users.

5. VPNs are more reliable

As a general rule, VPNs are more reliable. Your connection will drop less frequently. Speeds will be more regular. A host server around the world should be available at all times.

Proxies can be very reliable but do not have such a strong reputation. Expect connections to drop every now and then, especially when using free proxy services.

VPNs also offer more reliable DNS leak protection. Poor-quality proxies will likely leak DNS information to your internet service provider or the websites you visit. This completely compromises the privacy service.

Similarities between proxies and VPNs

As you can see, there are plenty of divergences between VPNs and proxies. But it’s important to remember the similarities as well.

Both proxies and VPNs allow anonymous web browsing. Customers use them to change their IP address. This enables access to previously blocked online services.
VPNs and proxies use third-party routers. While you can set up an in-house VPN server or proxy, both services are generally sourced from external partners.
Both can be used to control network access. Proxies are often used to block access for employees to certain websites. VPNs can also blacklist websites.
Neither represents a complete privacy solution. VPNs are more effective when anonymizing network traffic but are not completely watertight. Both proxies and VPNs can have technical flaws that expose your location. They may collect data to share with commercial partners or governments.

When should you use VPN and when proxy?

A basic rule is that VPNs should be used wherever users need security and privacy. VPNs combine reliable IP anonymization with encryption. This means company data will be protected twice as it passes over the internet. Proxies provide very little protection at all.

VPN connections can be used to enable secure remote work. Employees can install VPN clients on work devices at home and use an encrypted tunnel to join the central company network. Without VPN protection, any data sent from workers to the network will be exposed to attackers.

Site-to-Site VPNs can connect different work locations securely. They extend the main network to other sites, allowing every department or branch to access data safely.

VPNs are also used to transfer sensitive financial data. Companies can use them to make transactions or discuss commercial arrangements. Without encryption, using proxies for these tasks is extremely risky.

Proxies can play a role in some situations. Transparent proxies are often used to prevent access to undesirable websites. Companies could use HTTP proxies to wall off social media during working hours.

A proxy server may also be handy for researching content worldwide, assuming security concerns are secondary. You can use a proxy server to pose as a buyer from different countries and see how prices vary. Or you might access videos and bypass content restrictions.

VPN vs proxy: which is better for your business?

By now, you probably have an idea of which privacy solution to choose. Most businesses should opt for virtual private networks over proxies. A proxy server offers minimal security features. The service may be free of charge and fast, but data sent via a proxy server is always vulnerable.

By contrast, VPNs encrypt data – usually at levels that protect information from attackers. The best VPNs use military-grade encryption. Some offer add-ons like Double VPN protection that makes it hard to tell whether users are even employing a VPN.

VPNs come in business-friendly forms. You can set them up for remote workers, link departments, and integrate VPNs with cloud computing. If you choose a reliable provider, you can talk to support staff and optimize security and privacy. This just isn’t available with any proxies.

How can NordLayer help?

NordLayer can help you implement a secure, fast, and business-friendly VPN solution. Our software-based products include VPN services powered by the NordLynx protocol. This combines speed and cutting-edge encryption.

Create site-to-site setups to cover every workstation. Cater for remote workers, and implement Single Sign On that extends protection to all network assets. To find out more, get in touch with the NordLayer team today.

FAQ

Is a proxy server the same as a VPN?

No. Proxy and VPN servers both route internet traffic and assign anonymous IP addresses. VPNs add encryption to data transfers. They act at OSI layers 3 or 4, while proxies operate at layers 5 to 7.

Do you need a proxy server if you have a VPN?

Probably not. VPNs deliver the same services as proxy servers, with better security, performance, and support. In some cases, you could use a VPN to work around a transparent proxy if you use one to regulate internet activity. But this is relatively rare.

Are proxy servers safe?

Maybe, but how can you be sure? Free proxy services are notorious for leaking and selling data. Users should assume that someone is tracking their activity. A proxy server should never be used to send sensitive data.

Which is faster, VPN or proxy?

Proxies are often faster than VPNs as they do not require encryption. However, speeds also depend on the number of proxy server users, available servers, and the quality of those servers. In many cases, a well-managed VPN will be faster than a cheap, poorly run proxy.

Is Tor a VPN or a proxy server?

Neither. Tor is a network of nodes located around the world. These nodes are free to access. They act as a relay, bouncing traffic between nodes until it reaches its destination. It has some VPN features, such as encryption. However, Tor traffic can often be seen by volunteers, and its exit nodes are often blacklisted. Tor speeds also tend to be slower than proxies and VPNs.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

NordLayer Nord Security 2023

作為一名應用程序安全工程師而蒸蒸日上：在網絡安全領域工作的 6 個理由

Although the application security (app sec) role can seem the same in every industry, it’s not. Businesses operating in general industries offer fewer possibilities for comprehensive professional growth than security-focused companies. That was the case for Marvin Petzolt, a Senior Application Security Engineer at Nord Security, who jumped from an application security engineer role at a music-sharing business to a security-oriented company. Let Marvin tell us in his own words what factors make app sec professionals thrive at our company.

Marvin Petzolt, Senior Application Security Engineer at Nord Security

#1 You make an impact

Many people, including me, enjoy working at a place where you can make an impact. As an app security engineer at Nord, I can influence security design and the implementation of some of the greatest cybersecurity products in the industry – NordVPN, NordPass, NordLayer, and NordLocker. By ensuring high-security standards for each product, I contribute to building meaningful, user-friendly, and security-centric consumer solutions valued by millions of people and businesses worldwide.

However, having a tangible impact on security products is not the only way I can make a difference. My security recommendations and guidelines are also taken into account when improving business operations or team workflow. For example, when I joined the Application Security Team, we would be notified of upcoming Nord product updates mainly via our automatization and notification bots. However, this approach left us very little time between security testing of the upcoming feature and release to production, which naturally increased pressure on the team.

So I initiated the concept of security product owners, establishing a bi-directional exchange between a specific Nord product and the Application Security team. This concept allowed us to improve communication between developers, team leads, and the Application Security team.

We’re now notified about upcoming changes significantly earlier, leaving us enough time for all the necessary app security tests.

#2 You can reach your full professional potential

The truth is that being an application security specialist in the general industry doesn’t let you reach your full professional potential due to the limited app security cases and tasks you’re working on. This was one of the key reasons why I left a promising application security engineer role at one of the best-known music-sharing companies. There I was securing mainly one app, so the security issues that challenged me were limited.

I wanted to face different app security cases, advance my career, and concentrate more on technical work, security design, and cryptography – things I’m passionate about.

A security-focused company like Nord Security, with its wide range of applications and potential for different security cases, seemed like a natural solution to fulfill all these goals.

#3 You work with meaningful products and interesting challenges

At Nord Security, I’m contributing to building meaningful products – such as NordVPN, NordPass, NordLayer, and NordLocker – that secure people and businesses online.

Most of the time, I focus on cryptography, security architecture, and low-level, client-side implementations. I perform occasional design reviews, threat model sessions, pentesting of features and release candidates, and security code reviews.

Still, my tasks are pretty diverse and depend on what I want to work on. One day I might look into NordLocker’s architecture and how it will encrypt files in the future. The next day, I’ll focus on reviewing the code of NordVPN’s Meshnet feature, establishing a peer-to-peer connection between two endpoints to exchange data or route internet traffic to verify that it is implemented securely. I’ll sometimes also do a black-box security assessment on the NordPass Android release client.

#4 You work with an experienced team

Working in a security-centric company like Nord Security, you can be sure that you’ll always be guided by some of the best professionals in the cybersecurity field.

If you’re facing a challenging situation that is too difficult or complex for you to cope with on your own, the whole Application Security team comes in to help. The team member with the most experience assesses the issue based on severity and validity. If it’s valid, as a team, we determine how we can support in escalating this issue and jump in to help resolve it as fast as possible.

One of the most useful insights I have received from my team is that an app sec professional doesn’t have to know or be involved in all aspects of the team’s work. Application security has many subcategories and specializations, such as Windows Security, Linux Security, Android, and iOS security. It’s hard enough to keep up with one specialization, but keeping up with all of them is nearly impossible. So it’s OK not to be an expert in all of these technologies, and this is where you can rely on the other members of your team.

Another valuable tip – don’t over-complicate. Keep it user-friendly. The perfect security solution usually doesn’t exist or comes with a heavy impact on the user experience. Having a 32-character password requirement or providing your biometric authentication for every action you take on the app doesn’t help anybody. So it is important to focus on realistic threats and put minor theoretical risks aside for later.

Finally, my team taught me how important it is to keep the cryptographic systems simple. When designing a cryptographic system, the key is to keep it as simple as possible so that anybody can understand it and be able to securely extend this system. The more features and changes are added, the more complex the system becomes. That’s why it is necessary to redesign and realign the cryptographic design from the ground up to better fit the new requirements. If you don’t do that, you have a design that nobody understands. That makes it impossible to apply the necessary security and confidentiality measures.

#5 You are given opportunities to learn

If you’re just starting out in an app security position, coming from a slightly different field, such as web or cloud security, or simply want to learn more, even in a senior position, your team and the whole company will be there to help you grow.

If you’re a newbie, one member of your team will become your onboarding buddy, helping you to get up to speed with everything that is going on in the Application Security team. Additionally, you will be provided with a dedicated document leading you through your 30- and 90-day milestones and a checklist of all the tools and access you require to get started.

To keep our team performing at its best, we have knowledge-sharing sessions, pairing sessions, and daily standups. All this helps us stay updated on each other’s work, share best practices, and sharpen our skills in the app security field. As a team, we also have a Friday tradition of “self-allocated time” when we learn something new. What we choose to learn can be anything from technologies, reading blog posts, news articles, or methodologies. Did you ever want to learn how to develop iOS applications or do a CTF? Then self-allocated time is meant for that.

Collaboration with other teams also has a huge impact on advancing your expertise in app security. It improves your soft skills and teaches effective communication about the risks and severities of security issues. It also gives you a direct connection to developers, which means that they will come to you with questions and concerns during the development process. In turn, it gives you a unique inside look into the technical foundation of the developed software. Just like that, I learned new technologies and programming languages on the fly since they were required to understand the source code and implementation details.

At the company level, we have knowledge-sharing events. One such example is Tech Days, allowing our people to stay in tune with the latest tech and cybersecurity news, trends, and advancements.

Nord Security also offers a personal development budget that can be used for training or certifications, helping us improve in our field. Moreover, teams often visit various conferences, such as Black Hat, to keep a finger on the pulse of the latest in the field of information security.

Last but not least, everybody can have their own personal development plan. It helps me stay aligned with the overall goals of the security team and how my part might fit in the bigger picture. Personally, I would like to dive even deeper into security architecture and cryptography, so I have aligned this goal on my personal development plan in cooperation with my manager.

#6 You don’t have to convince everyone of the importance of security

As an app security specialist, you understand that security should be a top priority in every company. And if you ask a company about it, of course, they will indicate security is their number one priority but is this actually true? From my experience, you always end up arguing with product managers, product owners, and engineering managers about security improvements. Yet, in a company that has security as its main selling point, it becomes easier to motivate security changes and push people in the right direction.

All these reasons are why application security professionals thrive at Nord Security. If you also want to advance your career in this field, join the Application Security team in Lithuania, Germany, or remotely by applying HERE.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Nord Security
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

2022 Nord Security

OpenTelemetry：現代可觀察性標準

In the first part of our blog series about observability, we covered the basic principles of observability and explained how it differs from the classical monitoring term. In this article, we’ll discuss OpenTelemetry and its instrumentation approaches.

OpenTelemetry

Please check out our first article on observability to gain a fuller context for the topic we’re about to discuss. OpenTelemetry is currently the most actively developed standard in the field of observability. It is being adopted as the Cloud Native Computing Foundation incubating project. Born primarily as a merging of former OpenTracing and OpenCensus standards, OpenTelemetry continues to gain popularity, with its supporters including representatives of Google, Microsoft, and Uber.

The goal of the OpenTelemetry project is to introduce a standardized open solution for any development team to enable a proper observability layer in its project. OpenTelemetry provides a standard protocol description for metrics, tracing, and logging collection. It also collects APIs under its nest instrumentation for different target languages and data infrastructure components.

Below is a visualization of the overall scope of OpenTelemetry (credits to CNCF):

The development of specifications and all related implementations is being run in an open way in Github, so anyone involved can propose changes.

Different instrumentation implementations for different languages are in development. The current state of readiness can always be found on a related page of official documentation (for example, PHP).

Logs

Logs are the oldest and best-known type of telemetry signals, and they have a significant legacy. Log collection and storage is a well-understood task, with many solutions being established and widely adopted to carry it out. For example, the infamous ELK (or EFK) stack, Splunk, and Grafana Labs recently introduced the Loki project, a lighter alternative to ElasticSearch.

The main problem is that logs are not integrated with other telemetry signals – no solutions offer an option to correlate a log record with a relative metric or trace. Having the opportunity to do this can form a very powerful introspection framework.

OpenTelemetry specifications try to solve this problem with a logging format standard proposal. It allows correlating logs via execution context metadata, timing, or a log emitter source.

However, right now the standard is at an experimental stage and under heavy development, so we won’t focus on it here. The current specifications can be found here.

Metrics

As discussed previously, metrics are numeric data aggregates representing the software system’s performance. Through aggregation, we can develop a combination of measurements into exact statistics during a time window.

The OpenTelemetry metrics system is flexible. It was designed to be like this to cover the existing metric systems without any loss of functionality. As a result, a move to OpenTelemetry is less painful than other alternatives.

The OpenTelemetry standard defines three metrics models:

Event model — metric creation by a developer on the application level.
Stream model — metric transportation.
Time Series model — metric storage.

The metrics standard defines three metric transformations that can happen in between the Event and Stream models:

Temporal reaggregation reduces the number of high frequency metrics being transmitted by changing the resolution of the data.
Spatial reaggregation reduces the number of high frequency metrics being transmitted by removing some unwanted attributes and data.
Delta-to-cumulative reduces the size of high frequency metrics being transmitted via a move from absolute numbers (cumulative) to changes between different values (delta).

We will talk about the Stream and Time Series models in the third part of our blog series, where we will discuss signal transportation and storage. For now, let’s focus on the Event model, which is related to instrumentation.

The process of creation for every metric in OpenTelemetry consists of three steps:

Creation of instruments that will generate measurements – particular data points that we evaluate.
Aggregation of measurements into a View – a representation of a metric to output from the instrumented software system.
Metric output – the transportation metrics to storage using a push or pull model.

The OpenTelemetry measurements model defines six types:

Counter – non-negative, continually increasing monotonic measurement that receives increments. For example, it may be a good fit for counting the overall number of requests the system has processed.
UpDownCounter – the same as the Counter, but non-monotonic, allowing negative values. It may be a good fit for reporting the amount of requests being currently processed by the system.
Histogram – multiple statistically relevant values distributed among a list of predefined buckets. For example, we may be interested not in particular response time but in the percentile of response time distribution, it falls into (a Histogram would be useful here).
Asynchronous Counter – the same as the Counter, but values are emitted via a registered callback function, not a synchronous function call.
Asynchronous UpDownCounter – the same as the UpDownCounter, but values are emitted via a registered callback function, not a synchronous function call.
Asynchronous Gauge – a specific type for values that should be reported as is, not summed. For example, it may be a good fit for reporting the usage of multiple CPU cores – in this case, you will likely want to have the maximum (or average) CPU usage, not summed usage.

Through Aggregations in OpenTelemetry, measurements are being aggregated into end metric values that afterward will be transported to storage. OpenTelemetry defines the following measurements as Aggregations:

Drop – full ignore of all measurements.
Sum – a sum of measurements.
Last Value – only the last measurement value.
Explicit Bucket Histogram – a collection of measurements into buckets with explicitly predefined bounds.
Exponential Histogram (optional) – the same as the Explicit Bucket Histogram but with an exponential formula defining bucket bounds.

A developer can define their own aggregations, but in most cases, the default ones predefined for each type of measurement will suit the developer’s needs.

After all aggregations have been done, additional filtering or customization can be carried out on the View level. To summarize, an example of a simple metric creation is the following (in GoLang):

import “go.opentelemetry.io/otel/metric/instrument”
counter := Meter.SyncInt64().Counter(
“test.counter”,
instrument.WithUnit(“1”),
instrument.WithDescription(“Test Counter”),
)

// Synchronously increment the counter.
counter.Add(ctx, 1, attribute.String(“attribute_name”, “attribute_value”))

Here we create a simple metric consisting of one counter-measurement. As you can see, many details we discussed are hidden but can be exposed if the developer needs them.

In the next part of our blog series, we will talk about metrics transportation, storage, and visualization.

Traces and spans

As we discussed previously, traces represent an execution path inside a software system. The execution path itself is a series of operations. A unit of operation is represented in the form of a span. A span has a start time, duration, an operation name, and additional context attached to it. Spans are interconnected via context propagation and can be nested (one operation can consist of multiple smaller operations inside itself). The resulting hierarchical tree structure of spans represents the trace – an entire execution path inside a software system.

The internal span structure can be visualized like this:

Here is an example of the simplest span creation (in GoLang):

import “go.opentelemetry.io/otel/trace”

var tracer = otel.Tracer(“test_app”)

// Create a span
ctx, span := tracer.Start(ctx, “test-operation-name”,
trace.WithSpanKind(trace.SpanKindServer))

testOperation()

// Add attributes
if span.IsRecording() {
span.SetAttributes(
attribute.Int64(“test.key1”, 1),
attribute.String(“test.key2″,”2”),
)
}

// End the span
span.End()

Now we have our first trace.

A trace can be distributed through different software microservices. In this case, so as not to lose the interconnection, OpenTelemetry SDK can automatically propagate context through the network according to the protocol being used. One example is the W3C Trace Context HTTP headers definition. However, not all language SDKs support automatic context propagation, so you may have to instrument it manually depending on the language you use.

Detailed documentation about traces with format explanations can be found here.

Signal interconnections

The ability to interconnect different types of signals makes an observability framework powerful. For example, it allows you to identify a service response that took too long via metrics and, in one click, jump to the correlating trace of this response execution to identify what part of the system caused the slow processing.

Signals in OpenTelemetry can be interconnected in a couple of ways. One is the use of Exemplars – specific values supplied with trace, logs, and metrics. These consist of a particular record ID, time of observation, and optional filtered attributes specifically dedicated to allowing a direct connection between traces and metrics. Detailed documentation about Exemplars can be found here.

Another approach to signal interconnection is the association of the same metadata with the use of Baggage and Context. Baggage is a specific value supplied with traces, logs, and metrics that allows you to annotate it and consists of user-defined pairs of keys and values. By annotating corresponding metrics and traces with the same values in Baggage, the user can correlate them. Detailed documentation about Baggage can be found here.

Conclusion

We covered the pillars of OpenTelemetry and some details of application instrumentation. But we don’t just need to instrument our applications – we should also introduce tooling for the aggregation, storage, and visualization of the signals we supply. In the third part of this series, we will discuss tooling and the OpenTelemetry collector component in detail.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Nord Security
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

2022 Nord Security

您的家用設備會對您構成威脅嗎？

Have you ever thought that your vacuum cleaner may not only sweep your floor but also listen to your conversations? Or that your home security cameras might be used by someone else to stalk you? Smart gadgets are making our lives easier, but they can also pose a serious risk to our property, privacy, and even life if they fall into the hands of hackers. If you don’t want to become their next cybercrime victim, let’s take a look at some of the potentially risky connected devices surrounding you and ways to protect your security.

Innocent-looking smart toys

AI-powered and internet-connected toys provide much more than just entertainment for children. They boost creativity and develop social, motor, problem-solving, and other skills that can significantly impact their future performance. However, buying smart toys can be a not-so-smart idea – along with bringing kids joy, they can also attract hackers and identity thieves.

Security flaws are common, even in toys from parents’ most-trusted toy brands. Mattel’s Wi-Fi-connected Barbie doll, My Friend Cayla, Fisher-Price’s Chatter Bluetooth telephone, VTech InnoTab Max, Furby Connect doll, and many other toys have been labeled by cybersecurity experts as spying devices. Because of their security gaps, hackers can turn their cameras and microphones on and use them to see and hear everything the toy sees and hears. Moreover, fraudsters can interact with your children, give them orders, extract secrets or collect data, and track their location. In addition, the data collected can be used for blackmail and ransom demands or sold on the dark web or to advertisers.

Spying webcams

The desire to protect your home space from burglars can backfire – you can find yourself being spied on by others. That’s exactly what happened to Amazon’s Ring and Google’s Nest security cameras when malicious actors hacked them to surveil, threaten, and insult people who own them.

In one case, a home’s Ring camera loudspeaker started playing a song that a girl heard, so she went to investigate. When she came into the room where the camera was located, a deep masculine voice spoke to her through the camera speaker, saying that he was Santa Claus and calling her racist slurs.

In another Ring hack case, the virtual intruder harassed a woman, calling her vulgar names and asking her to respond.

Similar situations have also occurred with Nest camera holders. A few families reported that hackers talked to them through these cameras and messed with house thermostats by cranking up the heat.

These are just a few examples of how you can unexpectedly become a victim of cybercrime, which in addition to home security cameras, can happen with baby monitors or even pet cams.

Risky home cleanliness

The truth is that robot vacuum cleaners make life much easier. You can mind your own business while a robot vacuum sweeps your house. Although it may seem that cleaning dust from the floor is its sole task, in the hands of fraudsters, it can have a wholly different purpose as a spying device that may make you a victim of cybercrime.

Researchers revealed that hackers who gained access to a robot vacuum cleaner could get a house map or its GPS as well as record people’s conversations by repurposing its LiDAR sensors to act as microphones. In addition, some robot vacuums can enable hackers to take control of the vacuum or even watch the live video feed produced by the device. All this collected data can be sold to advertisers or used by criminals to plan a robbery or other crimes.

Deadly medical devices

It is no longer surprising that we can become victims of cybercrime when our bank card details are stolen or our mobile devices or online accounts are hacked. All this is nothing compared to what can happen when malicious actors hack into medical devices such as pacemakers, implanted defibrillators, drug-infusion pumps, and other health tech gadgets, which can have fatal consequences.

In 2017, the FDA recalled 465,000 pacemakers after the security firm, MedSec, found security flaws that could allow hackers to reprogram the devices and put patients’ lives at risk. For the same reason, doctors replaced former U.S. Vice President Dick Cheney’s heart defibrillator so it couldn’t be hacked by terrorists who might try to kill him. Infusion pumps automating the delivery of medications and nutrients into patients’ bodies can also become deadly weapons if hackers increase the doses. Moreover, such hijacked healthcare devices can be used to steal personal or medical records or even urge victims to go to the hospital by sending them false messages about their medical condition, so they leave their houses unattended.

How to protect

While some of the above-mentioned connected devices have no recorded cases of anyone maliciously hacking them, various investigations by cybersecurity experts have shown that the potential for problems exists. Therefore, security measures must be put in place to avoid any possible threats.

Don’t recycle passwords. Create complex and unique ones for all your connected devices and accounts.
Where it’s possible, set up multi-factor authentication (MFA).
Use secure Wi-Fi and make sure its password is hard to guess.
If you have a problem remembering different passwords for your accounts, use a password manager.
Always keep the software of your devices up to date. Updates patch potential security flaws.
When the device is not being used, for example, a vacuum robot or kid’s toy, unplug it or turn it off, so it stops collecting data.
If it’s possible to use the device without the internet, disconnect it.
Make sure that the smartphone you have connected to your devices is malware free.
Stay vigilant, and don’t provide your or your kid’s personally identifiable information if it’s not necessary. For example, children’s toys can be updated without knowing your kid’s age. However, be sure to provide the correct contact details so that developers can notify you of possible updates or security flaws.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Nord Security
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

2022 Nord Security

2022 年網絡峰會關於引導您的業務的 4 條要點

Most startups aim to score a big round of venture capital funding and then focus on growing the company. In today’s economic climate, startups are keenly aware of how much money they have and, most importantly, how much they lack. But for some, the option of having outside financing is not the best option or may not be an option at all. In such cases, bootstrapping, or self-financing through personal funds or initial sales, comes into action.

Tom Okman, Co-founder of Nord Security Since the establishment of Nord Security and until this year, we have operated without external funding – and we have learned many lessons. Last week, I had the great honor of presenting our main takeaways from this bootstrapping journey on the stage of Web Summit. Here are the four main insights that I shared for founders focused on bootstrapping their business: #1 Perfect your company’s mission Your company’s mission is not just a catchy slogan you place on your “About” page and then forget about it. Your mission is the underlying DNA of every meeting and every creative solution, and it works in the background every time your people decline offers from other companies. When you raise funding, it’s easy to lose sight of why you started your company in the first place. But when you are bootstrapping, your mission and your customers guide your business path. So bootstrapping founders, instead of focusing on raising the next round of funding, look for innovative ways to turn their mission into a reality. They are also more receptive to what customers are saying to them. That feedback naturally helps polish and evolve your mission over time, which in turn helps improve your corporate and product strategies. And it comes with a bonus – the company develops a solid internal culture. #2 Build local, ship global Some entrepreneurs are wary of using local talent pools, especially if the business is starting outside established startup hubs like Silicon Valley or Israel. However, that was not the case in our story. In fact, we were fortunate to start our company in Lithuania. While funding was scarce when we started, the local ecosystem, partners, and infrastructure helped us immensely in getting our business off the ground. People in Lithuania are talented and keen to prove themselves to their international peers. So one of our best decisions early in the business was to tap into that talent pool and support from local associations and policymakers. Today, more than ever, talent and support for entrepreneurs are spread throughout Europe, both in traditional tech hubs and rising startup center’s. As a result, the startup world is getting flatter, so now is the best time to take advantage of building locally while shipping globally. #3 Focus on the customer Customers are royalty, especially when entrepreneurs operate without external funding. In such cases, customers become leading investors and the most sustainable source of financing, and startups must focus on them above all else. So to be successful, entrepreneurs have to build a product that their customers will love and want to pay for, meaning that creating a market fit for products becomes central to a startup’s survival. Unfortunately, you don’t have a large treasure chest on your side when you are bootstrapped, so the key is to be efficient in adapting to your customer’s feedback. #4 Take risks and be nimble The bootstrapping route empowers entrepreneurs to take charge of the big decisions when it comes to vision, hiring, operations, or finances. That gives self-funded startups an edge because they can be much more flexible, agile, and tenacious than other companies. But at the same time, not taking outside financing pushes entrepreneurs to be hungrier in finding ways to improve their business. Because knowing that customers are critical, you can’t simply spend your way out of problems. In Nord Security’s case, it usually meant taking risks and being the pioneer in educating the market and customers about a new use case, product feature, or upcoming challenges. While such a situation might sound precarious, in a way, it also means returning to what makes startup culture great – the ability and willingness to be inventive and take risks. But it is essential to be decisive when things need to be fixed and be bold in pivoting because inertia can sometimes be more dangerous than recklessness. This combination can prove extremely potent if entrepreneurs allow themselves to be guided by their leading investors – the customers – and their mission-driven culture. But only if founders are willing to lean into it fully.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Nord Security
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

2022 Nord Security

為什麼我們選擇 Astro 作為我們的營銷網站

When you build a website, it’s essential that you’re using the right tools. With countless UI libraries, bundlers, and frameworks available, engineers have never had so many tools at their disposal. But which ones are right for large, traffic-heavy marketing websites? We chose Astro. Here’s why.

Problems with our existing stack

My team at Nord Security is responsible for building and maintaining websites for the fastest VPN in the world, NordVPN. We have multiple marketing sites built by different people at different times. Some were made with Gatsby, and others with WordPress and a home-grown React-based SSG (static-site generator).

Those websites served us well. However, rapid scaling has caused issues with website performance, which has a direct impact on sales and marketing. It’s a proven fact that a reduction in website performance (for example, slower load times) decreases sales. This has been demonstrated in studies from WPO Stats.

As the business scaled, my team had the challenging task of researching and proposing a tech stack to rebuild our websites and achieve optimal marketing potential.

A challenge

There was a lot of work to be done. We had more than 20 locales, 10 currencies, and thousands of pages. Personalization had to be considered, and A/B testing implemented. Supporting an ever-expanding list of requirements while still achieving optimal performance felt like an impossible goal.

We tried different frameworks — Next.js, Preact, SvelteKit, and Elder.js — and even tried building server-side rendering and island architecture with Svelte. We had to find the best systems to satisfy the needs of content editors, data analysts, and engineers.

Of course, it’s not every day that a team gets a chance to rebuild their websites from scratch. We knew we could create something great, so we wanted to make the most of this opportunity.

Enter: Astro

As our research continued, it became clear that Astro, an all-in-one web framework, ticked all our boxes. We had initially ruled out Astro because it didn’t offer server-side rendering, but when this feature was added in 2022, we knew that we’d found our framework.

Astro is not a mainstream framework, of course, and when we were considering it, the framework was still in beta. Going down this route was a risk, but it was one we were willing to take. Why? Because not only did it fulfill almost all of our requirements, but it already had a vibrant and active community and a responsive developer team. New features are planned, implemented, and delivered several times a week.

Along with server-side rendering, Astro’s developers had added Node.js support and edge deployment. These factors facilitate streamlined continuous deployment and enhance the power of a globally deployed content delivery network, allowing for unmatched performance. Edge deployment with Cloudflare, Vercel, and Netlify involves only a few simple steps, but the impact is huge.

With just a few lines of code, we now had server-side rendering enabled on our desired deployment server:

1

export default defineConfig({

2

output: ‘server’,

3

adapter: node(), // cloudflare(), vercel() …

4

});

Benefits of Astro

During the research phase, we noted that Svelte syntax, being a superset of HTML, was much easier to work with than React syntax. The same went for Astro. We have hundreds of different components to implement, most of which require little to no JavaScript, so being able to convert them to the HTML-style syntax of Astro made those components more readable.

The complex components that required client-side JavaScript and reactivity were another story. Our main requirement of reaching optimal website performance pushed us to try something new: SolidJS.

SolidJS is performant-reactive and simple for building user interfaces. It uses JSX syntax, works well for server-side rendering, and offers outstanding performance. It does all this with a fraction of the size of other libraries that usually come shipped with a browser.

Furthermore, both Astro and SolidJS share the concept of so-called vanishing components. Components exist to organize your code and not much else. What is shipped to the client is pure HTML and CSS.

Client-side JavaScript is an opt-in feature in Astro. Unless you specifically use one of the client directives, the component is shipped with 0kb of JavaScript. Of course, you also have the option to bundle global or local scripts straight from the component code.

SolidJS and other framework components are inserted into Astro files using the “islands architecture” pattern. The pattern was proposed by Katie Sylor-Miller in 2019 and is expanded in this post by Preact creator Jason Miller.

Here are the possible client directives for making “islands” interactive:

client:load — Loads JavaScript and hydrates the component on page load.
client:idle — Loads JavaScript and hydrates the component after page load once the main thread is idle.
client:visible — Embraces the power of Intersection Observer API and loads JavaScript only if the component becomes visible.
client:media — Useful in cases where certain components should be visible and interactive only on certain screen sizes.
client:only — Skips server-side rendering and runs the code on the client. Be careful with this one because it can push down your SEO scores.

Some parts of the page can be fully static, without any JavaScript needed, while other parts, or islands, may require JavaScript. The process of resolving the component state is called hydration.

Though the JavaScript community is still split over whether hydration is the right approach compared to resumability, it solves our current problems nicely. More information about the hydration topic can be found in this great article.

With Astro, islands come with another benefit: various component framework support. It offers flexibility when choosing a UI framework and has integrations to work with React, Svelte, SolidJS, and Vue. Of course, you won’t typically mix those, but it gives you flexibility and room to maneuver.

The results

To see how well it worked, check out the Lighthouse scores for one of our new websites:

The other projects integrated well with our Cloudflare Pages, and more will be built soon!

The pace of releases, weekly community calls, RFCs, the involvement of the core team, and its vibrant community all serve to confirm that we made the right choice with Astro.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Nord Security
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

2022 Nord Security

在德國發起首個 NordVPN 360° 營銷活動

In August, we started our first-ever 360° marketing campaign in Germany for one of our cybersecurity solutions – NordVPN. The campaign was designed to raise personal cybersecurity awareness among the German population and involved all channels in spreading the key message that nothing is more important than the privacy of your personal data.

In this interview, we speak to Joanna Rusin-Rohrig, Germany country manager, and Ieva Račienė, brand manager – the two NordVPN insiders who made this campaign happen. Read their interviews and find out the full behind-the-scenes story of this 360° NordVPN branding campaign in Germany: from idea creation, planning, and development to the final results and lessons learned.

From campaign idea to execution

Could you briefly introduce the campaign you just launched?

Ieva: Yes, we call it the “Safely be you” campaign. It was a huge milestone for our organization because it was the first 360° branding campaign ever done at NordVPN when all channels were aligned and focused on one message:

Switch on privacy. Switch off trackers and viruses. Go Nord. Safely be you.

(Privatsphäre ein, Trackern und Viren aus. NordVPN. Ganz sicher du selbst.)

With this key message, we wanted to stress the importance of privacy and make a connection with the usage of our product. Unlike the general approach that focuses on risks and dangers by showing hoodie-wearing hackers in dark rooms trying to steal personal data, we concentrated on more modern and positive messaging emphasizing the emotional benefit of safety. NordVPN protects you and your daily actions online: private messages, social interactions, and transactions. Nothing can be more important than that.

This “Safely be you” campaign aimed to show that everyone’s digital life has the same or even more threats than their “real” lives.

Is it any different from the usual NordVPN campaigns? If yes, how?

Joanna: In fact, it was very different from the usual marketing activities, which are strictly driven by performance indicators. This was the first time NordVPN launched an awareness campaign and the first time we implemented one in Germany.

What did the development of the whole branding campaign look like? Could you give us a sense of the development and implementation stages?

Ieva: It took us eight months to get from idea approval to campaign launch. To tailor the campaign to the German market, we first started looking for external partners.

From day one, our media team, in cooperation with our long-term partner, The Specialist Works, started analyzing media opportunities and best practices in the country and working on an appropriate media plan to promote our creative approach. Meanwhile, our other partner – the team at Influence.vision – helped us find the best influencers. For designing our video ad, we chose a local creative agency, Jung Von Matt. Together, we developed a creative concept called “Safely be you.”

To sum up, not everything was done by our external partners – a large part of the visual design and creative copywriting was done in-house.

Joanna: To give you a feeling of how big the project was: we developed nine separate media plans, from out-of-home advertising to mobile influencer activation. It was a huge team effort to create and execute them on time. More than 100 people worked together internally and in external teams on the execution of the whole campaign.

And speaking of branding campaign promotion tools, what kind of marketing channels were used to launch this campaign? How did you select them?

Ieva: As it was a 360° campaign, it covered all possible marketing channels: TVC, radio, OOH, PR coverage, dedicated celebrity campaign, influencer integrations, social media, PPC, various mobile app ads with full digital scope, and more. We also leveraged high-reach and visibility placements, and our SEO team covered various content clusters.

Joanna: Our main KPI for the campaign is the improvement of the upper funnel metrics – awareness and consideration levels in the market. Therefore, we chose channels and platforms that index highly on reach and reliability in our target group for us to achieve maximum penetration in the market with the given budget.

How are you measuring the success of each marketing channel that was used?

Joanna: Apart from the overall awareness level increase, we defined separate KPIs, like a specific CPA for TV or a level of positive sentiment for influencer integrations. These are our pillars of measurement that allow us to establish whether or not we can regard a certain action as a success or failure.

Cybersecurity awareness in Germany

Your main goal is to raise awareness about personal cybersecurity among the German population. How aware are they of the threats they face online, and are they ready to embrace new technology for their cyber protection?

Joanna: According to our research data, Germans spend almost 25 years of their lives online. However, only 21% of them can say they are well aware of the different ways to secure their devices. Even though secure Wi-Fi is relevant to 69% of Germans, only 23% use a VPN to keep their connection safe at all times. This means that although people would like to browse the internet securely and privately, the burden of achieving this goal seems too big. With the campaign, we want to inform our relevant audiences how easy it is to be safe online.

Source: nordvpn.com

With the company in full swing now, how would you rate the first results in trying to achieve your main goal and increase NordVPN product usage in Germany?

Joanna: We definitely see a big interest in the topic, and search queries both for the VPN category and NordVPN are increasing significantly. With it, we see increased traffic numbers for our German website and prolonged time spent on the pages. We are waiting for comprehensive post-campaign research results to analyze more in-depth what influence the campaign had on all customer journey stages.

For you as a country manager, what was the most challenging part of running this campaign, and why?

Joanna: My role in this big project was to consult all teams to help them to achieve the best-localized approach. Another important part was to create a link between our headquarters and agencies operating for us in Germany.

Most people working on this campaign do not speak German, so my local team supported them on all language, copy, and influencer content-related tasks. With literally thousands of various marketing campaign design pieces and copy, keeping tabs on everything was challenging, but we managed to spot all mistakes on time.

Tips for a successful branding campaign

What is the most important thing to consider when launching such branding campaigns? Do you have any advice?

Ieva:

Form a team you can trust. This is the most crucial part of all projects. Whether it is your colleagues or external partners, I strongly suggest gathering a team you can trust 100%. And if the team consists of professional and dedicated people ready to go the extra mile, they’re destined to succeed.
Know your users or the people you are talking to. Understanding their needs and how we can help to solve their problems is the key success factor to being relevant.
Have the courage to do things that were never done before. In our case, having the first branding campaign focused on an emotional message might have been seen as a challenge at first, but we took the risk because the challenge might pay off massively.

Joanna:

Have your KPIs and measurement methods established before you start planning, and make sure that all the team members are on the same page.
Think of having regular check-ins with all the team members involved so no information gets lost on the way.
When you are done with all the project planning, go ahead and add an extra month to it. 🙂 Life happens, and this buffer will allow you to find solutions for challenges that arise on the go.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Nord Security
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

2022 Nord Security

NORDTECH – 我們在柏林的第一次技術聚會

Last week, we launched our first-ever tech meetup in Berlin – NordTech, where we invited locals to meet our experts live and get some insights into PHP, cybersecurity, and software development practices at Nord Security. As we value innovation and shaping future tech, we’re always keen on sharing our ideas and findings with others. Learn more about what our experts and the Berlin tech community discussed during the event:

Tests are not useless!

With Pavlo Mikhailidi

Fuelled by a recent encounter with an anti-tester, our Senior PHP Developer, Pavlo, set out to prove that testing is a necessary practice for all developers—not just QA. He explained that good testing saves time and headaches and can even double as documentation. Increasingly complex codebase requires proper care, and modifying one part can break several others. In these cases, testing is your go-to remedy.

He went on to cover the attributes of good testing, shared below, and to debate the trade-offs between bad testing and no testing. Finally, Pavlo passed along some recommended resources for upping your testing game: Unit Testing Principles, Practices, and Patterns, Test-driven Development by Example, and The Art of Unit Testing.

Here are the attributes of a good test that he shared:

It protects against regression
It’s resistant to refactoring
You get fast feedback
The test is maintainable

Watch the full recording of Pavlo’s presentation here.

Scrum sucks

With Oleksii Ustenko

Our Senior Android Developer, Oleksii, explored how Scrum is often misunderstood and misused. All-in-all, he actually likes Scrum but understands why people might grumble about the rigidness of the structure. What’s important to remember is that Scrum should be people-centric at its core: humans working together to create value for other humans. And each ceremony exists to drive that goal forward. Like many things in life, Scrum works best when motivated individuals have the trust, support, and understanding they need to get the job done. And Scrum, understandably, goes wrong when management or bureaucratic processes steal ownership away from teams.

He concludes that Scrum is not the silver bullet some of us want it to be. If something isn’t working, each person involved is responsible for speaking up and proactively suggesting improvements—respectfully. Scrum worked well for the use it was invented for, but every team is different. Take the time to understand the context behind why certain ceremonies exist, learn from past mistakes, and find the process that fits your team best.

Watch the full recording of Oleksii’s presentation here.

Securing your API using Cryptography

With Dovydas Bespalovas

In this security deep-dive, Dovydas, our Guild Tech Lead, laid out the basics with different types of cryptography algorithms and functions: Hashing, Encryption, Digital signatures, Key derivation function, and Key exchange. He then explained the evolution of Secure Sockets Layer (SSL) to Transport Layer Security (TLS) and how it’s used and certified. Going one step further, Dovydas got into the differences between ‘Authorization’ and ‘Authentication’ and shared a step-by-step example of how both information security processes can be put into practice. After that, he concluded that such necessary security measures come with extra work and extra complexity.

Watch the full recording of Dovydas’ presentation here.

Future tech events in Berlin

If you’re interested in learning more, join our future NordTech events live in Berlin or watch them online. Follow us on meetup.com to stay up to date with upcoming knowledge sharing, networking, and other future events at Nord Security.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Nord Security
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

2022 Nord Security

控制測試執行：自定義執行器

Test execution is the process of running tests to verify a specific functionality in a system. It’s a great way for us to find bugs in our applications, but over time we realized that we needed to improve the speed and efficiency of our test execution method. Here’s how we did it.

The story so far
After four years of automated test development, we now have a significant collection of tests we can run. These tests can be organized and executed on demand and provide us with valuable data about the current state of our system.

Most popular automated test development platforms offer us some level of control over test execution: parallel suites, for example, to reduce execution times. Some platforms even allow us to dynamically inject test cases during runtime, depending on the current system state.

But what if it’s not enough? What if we need even more control over execution? What if we want to use mixed-type pipelines and dynamically change test data or execution pool thread capabilities?

The problem
We execute tests from several different IPs because some of the functionality can be tested only while using a specific tunnel connection. This brings us to Cloudflare accessibility problems, request limit issues, and, occasionally, authentication errors.

Some more complex scenarios require the alteration of test data. This can only be done via microservice-based endpoints. Some of those endpoints are only accessible from an internal network. After a tunnel connection is established with an external server, a test execution bot can no longer reach the internal resources required for this test run.

Another problem is the number of requests being generated during test runs. For security purposes, all environments have strict request limits, but our test activity can easily reach those limits. Dynamic IPs prevent us from whitelisting IP addresses, and it becomes impossible to execute all test collections from one IP address.

The solution
After several solutions failed, we finally came up with a test strategy that involved modifying test data upfront.

If access cannot be gained from specific IP, we get access tokens before making the connection. If the alteration of test data via internal endpoints is needed, we execute this before the test run. We also bypassed request limits by switching IPs during the test run.

All of this would be impossible if we did not design a more sophisticated test executor.

The executor
We had to design a system that allowed full control of dynamic test execution. The project goal was to have control over the parallel and serial execution of tasks, bound with one executor.

First, data gathering and alteration happen via internal endpoints. A tunnel connection is established, and then parallel test execution takes place to minimize execution time.

Some test suites generate more requests than others, so we must be aware of how many requests are being made and how many suites are in parallel segments. At some point, the IP address has to change, and a new set of test suites are executed again in parallel. This pipeline continues until all tests have been executed.

The result
Thanks to this solution, we can take full control of the test execution pool and execution sequence. In practice, that means we are able to adapt to ever-changing security measures and still provide valuable test execution reports. Our tests allow us to identify bugs faster than ever, enhancing the security and efficiency of all our applications.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Nord Security
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

2022 Nord Security