Just came across this video posted a few hours ago.
And I must say it doesn’t help alleviate my worries. Most of it is just a great way to promote Storj, but the sentence “Storj partners with datacenters and companies all around the world to put unused capacity to work” bothers me. What about us home node operators then? Besides, the video lists the current pricing for the public network, so which is this talking about?
This is exactly the kind of focus shift I was worried about and I think it’s also a little dishonest to customers to only mention datacenters and companies, despite storing a lot of data on consumer home systems. I understand that that might be an easier sell for some customers, but the combination between public network pricing and what seems like more a commercial network nodes description doesn’t sit quite right with me.
I suspect the rules for selecting nodes will be different. Given that you will need a formal contract for this commercial tier, it will be easy to replace the current /24 rule with a rule based on self-reported locations, as then the commercial contracts will require these reports to be accurate. Something you cannot enforce on a band of anonymous hippies like us.
I wonder how much it will cost for Storj Inc. to maintain certification. This is nontrivial work which they will need to spend time on. It may turn out that at low scales all additional profit will be eaten by certification costs.
I fully agree with the rest of your post.
Heh, frankly speaking, calling a whale someone who has 1 PB of storage sounds funny. That would be just an average Joe Random in the Chia world. I think this is more an offer to companies that already offer hundreds of petabytes of storage for commercial needs, and for whom Storj would be just an additional source of customers.
What I am trying to understand is at which point Storj can be considered SOC2 compliant (or HIPAA or whatever else is out there). Is it enough for them to store their (encrypted) data in SOC compliant data centers? Do the data centers have to be SOC2 or the node operator? Or is it enough to run a server in a SOC2 compliant data center?
It would be a bit hard to believe that storing the data in a compliant data center can make Storj magically SOC2 compliant without undergoing an audit itself. And if they’re being audited anyway, is the public network really the culprit that cannot be shaped into compliance?
I am just curious. Unfortunately Storj has never been really transparent about the efforts they make to reach the required compliance. And now we have this.
What I like is that it is implemented on bucket level. In theory a company could use both networks. Let’s say the commercial network (is that really a good term? I don’t think so.) for hot and critical data, the public network for non-critical data. I am not convinced but at least in theory a company could save some money storing at least non-critical data on the public network and ‘learn’ about its advantages by using it. But I don’t think that will happen at scale.
Maybe Storj needs to do some more rethinking about what incentives or penalties might work to support the public network. For example it should be dead easy for a company to move data from the ‘commercial’ network to the public network. Maybe this can be done by server side copy and without cost for the customer. If they have to pay large sums to move data between the different networks I don’t see a reason for them to do so.
Also maybe a free tier could be offered on the public network depending on how much they are storing on the commercial network? Store 100PB on the commercial network and get 100TB for free on the other network to try it out. Something like that maybe?
I definitely see the need to push the public network into the eyes of those obviously large enterprises with large datasets that want to move their data to Storj.
In a way the commercial network needs to be prohibitively expensive so that they choose the commercial network only if they really really require the compliance. And maybe only for those parts of their data for which it is really necessary.
This is probably what is going to happen. They will run their machines on both networks.
I am wondering if the current whales would be able to get into that commercial network at all. If it means that the node operator has to be audited, then I don’t know how many of them there are.
Exactly.
The best way would have been to get the public network compliant.
But that’s exactly the wrong reason. Any suggestion that the commercial network is more reliable just undermines the reliability perception of the public network. And Storj themselves mention it would offer similar reliability. The differentiating factor is certifications, not reliability.
Not the way server side copy works now, which is essentially no more than a satellite side metadata update and no data is moved. Moving data from public to commercial or the other way around necessarily means moving all data to different nodes and with the graceful exit system moving away from direct piece transfers between nodes, the only viable way to do that is essentially repairing the data to the nodes on the target network, which would have Storj Labs incur all the cost of that transfer.
We can all dream, but this requires basically rewriting the laws of most countries around the world.
The distributed nature of Storj is scary for a lot of potential customers because they don’t understand all the tech behind it, even if you break it down for them. To them, the thought that their data is on Billy’s hard drive in his bedroom sounds like a disaster waiting to happen. We all know that the data is safe and secure, but new customers aren’t as trusting with this.
Being able to tell the customer that their data is stored in commercial data storage facilities with certifications is more reassuring to them. It “feels” better to them and they are more apt to give it a try.
I think the concern that Storj is abandoning the public network in favor of data stored at data centers is overblown. We are reacting to what “some” customers want in order to move their data to the Storj system. For many customers the public network is fine and has a much larger distributed footprint and is obviously far more entrenched and proven out. I think when some of these new customers get used to Storj and how reliable it is, they will consider the public network for those advantages among others.
Yeah, I’d say this part is worth using in marketing as well then. It is and always will be more distributed than any datacenter based network can be. I’m just advocating for promoting the benefits of either network over just mentioning one.
Passing a SOC2 audit (typically needed every year) requires each entity, let’s say Storj in this case, to prove their processes are secure. It is not enough to use encryption. How do they manage keys? Where are the vulnerabilities? Is their code tested prior to release? Is their system penetration tested annually by a competent 3rd party? Do they do background checks on their employees? Do they publish, internally, an org chart and keep it up to date? (And many other controls which require evidence.) Are their hosting sites (for satellites) secure and do they have a SOC2 audit annually? Is the code Storj writes tamper proof (wherever it is stored)? Do Storj employees and contractors have secure laptops/machines? If Storj cannot pass annual SOC2 Type 2 audits then it is really pointless to require SNOs to be more secure.
It is definitely not enough to run a server in a secure data center. Think about it, if you have a super secure data center, but the application is connected to the Internet and there is no security (application is poorly written) then the system as a whole is insecure.
The same applies for an SNO, is your system patched and properly secured? Who has access to the server you run? Can a malicious actor put a sniffer/keystroke logger on your system and capture your keys or inject their own software into your system causing some compromise?
Frankly, I think the more vulnerable systems are less about the SNOs but rather the Storj systems and employees who have more ability to compromise the customer’s data.
I am not saying Storj should promote it as such. I was just stating that I think it is generally a good approach that a company can use both networks simultaneously. Based on the perception of the public network as @Knowledge has stated, this could lead to a usage, where a company stores critical data on the certified network while maybe some backups or website data on the public network and gets first hand knowledge about it by that. And maybe gains confidence in it as well.
Yes correct. But I think something should be done to boost the public network usage. It should be free and easy to move data from the commercial network to the public network.
The problem is that for the future I believe there will be more certification and compliance requirements not less. We see entire industry sectors like the health sector or the public sector possibly barred from using anything without certification. And that will not change for the better.
Give them an additional free tier on the public network when they use the commercial one so they can try it out. Entry barriers for using the public network should be as low as possible then. Incentivize them for using the public network.
Not if they are legally barred from using it. But even if they are not, Storj should give them a good reason (=incentive) to try it out.
If you are talking about actual enterprise customers, they are not going to be scared, they are going to want answers in order to discover and manage the risk of their data being exposed. As a former enterprise security architect who constantly did vendor security reviews, I would have less concerns about the data on SNO HDDs, data that is sharded and encrypted the way it is advertised, and I would be more concerned about Storj the company that writes code and operates systems to assure the overall security. Since Storj is the key player in protecting my data, I want to see Storj’s annual SOC2 Type 2 report, and perhaps other standards such as NIST, ISO 27001, (and other certs based on the type of data I want to store). We often had smaller businesses tell us that they were using secure data centers with SOC2 reports, but nothing beyond that; we knew they were clueless and were not suitable for storing our confidential data.
Very interesting, thanks.
So if an enterprise requires SOC2 compliant cloud storage Storj itself would need to become SOC2 compliant as well. This is how I understand it.
Just moving the data to SOC2 compliant data centers without getting audited itself is not sufficient for Storj to become a SOC2 compliant provider.
That would be my assessment. Now the audit report is always scoped by the one buying it, and you can ‘carve out’ things you don’t want reported on, however a competent auditor will include that in their notes. So if I am reviewing a vendor’s SOC2 report and the auditor says, well we looked at their server and operations, but the source of the system [Storj] was not in scope, I would walk away and find a better vendor. My legal department would also insist on that as well, since enterprise legal departments are very risk averse concerning corporate data. IT Security/risk managers will always tell you, it is not a question whether a system will be hacked, but when it will be hacked and what is the consequence.
It is a mistake for Storj to think that SNOs are the weak link in the chain. A secure data center for SNOs will be good for availability (reduce the risk of systems going offline).
So if they need to get audited for full SOC2 compliance anyway, why not expand the scope of the audit to the public network as well? I read you as saying this could be done and they might even pass.
Without Storj being audited the “certified” network is just a datacenter network without turning Storj into a SOC2 compliant provider.
Will that convince enterprises that require SOC2 compliant cloud storage?
This is something that I might consider. I currently have around 70 nodes and almost 200TB of hobby space so am fairly familiar with the system.
My day job however operates a medium sized data center in Stockholm (roughly 15k sqft and 2MW) that is in the process of being ISO-27001 certified with the target date of Jan 2024.
What would be the actual requirements? We have a few ceph clusters that I can run rbd images and VMs on, and 100G+ internet access.
Thank you for your interest in joining the Commercial Node Operator Program. To discuss details about the requirements and how to join, please click on Join the Program on this webpage.
The intention that Storj can attract new customers that need SOC2 or other compliances is good.
I would like to see the direction not be datacenters, but to evaluate what needs to be done to make Storj, Satellites, GatewayMT and SNOs compliant.
If you are saying you make contracts with multiple datacenters and pay them less than the SNOs are getting, why not move all the data to datacenters?
When will there be a new payout proposal where SNOs get less than datacenters, or you just move all the data?
Also, your marketing right now is focused on enterprise and S3. Yes, that’s probably the easiest way to sell that some enterprises can save money by just moving their backups and editing some credentials.
Congratulations. Your competitors are now Wasabi, Backblaze and others. You no longer have an advantage over them.
I really liked the approach for marketing to developers and Uplink. There are endless possibilities for applications that would benefit from Uplink. Applications that may already exist, but would have a great advantage through decentralization.
People who don’t want to store their data with the big cloud providers no longer see an advantage.
Bandwidth, especially egress, is essentially free for SNOs. Try that with a data center.
So a customer wants to use S3. Your Satellite and GatewayMT are in a Google datacenter and your data is in another datacenter. A customer wants their data back? You are now paying double. Once for transferring the data from the datacenter where the data is located to Google’s datacenter and now you are paying for the transfer from Google’s datacenter (GatewayMT) to the customer.
For a datacenter, you’re probably paying for what’s in the contract. Not just what you use.
Please look at your own website storj.io and tell me what selling points are no longer benefits.
I don’t think you’re going to get an official answer to this one, but it’s a great question!
The way I see it is that the Storj token is useful in public because there are tens of thousands of SNOs and it will be a nightmare from a financial and legal perspective to use fiat.
Now for commercial, that’s different approach, more like B2B.
I don’t think that it will be that for commercial SNOs, not compared to the public network, so I don’t see the benefit of using Storj when most probably there will be contracts signed between Storj Labs and commercial SNOs. It might be an incentive to use it but I wouldn’t count on it.
I would expect that Storj requires the public Internet to operate, so I would expect their satellites to be tested for survival on the Internet. Any public facing system requires a penetration test to meet enterprise requirements. If someone scopes these systems to only work in a private network, I would reject the report.
The public cloud will persist, so no disadvantages for the customers who don’t require SOC2 and want all features of Storj.
A few customers, who require SOC2, would have their own cloud.
So those who want a good CDN, and storage for people who do not want to store their data in data centers, etc. can use the public cloud as before.
GatewayMT is a distributed service, it is presented in different regions. However, nobody prevents you from using a native connection instead. And many customers prefer exactly a native connection, because it’s faster for them and allows CDN, not to mention the end-to-end encryption.