Select is a premium tier of service… so it makes sense that Storj can earn greater margins from it. Though in this case the 10PB customer would have custom pricing… so they may not pay a penny more switching to Select.
In my previous job I was part of similar attempts at attracting customers, so I know a lot about these last-minute requirements. Tough luck! Thank you for communicating this change so transparently!
Storj has more to offer than just a public network. Storj Select is just one of these special treatment approaches. It’s good for Storj to have a way to attract those customers, because then it will be easier for them to consider the public network, having all integrations and most of the political decisions already done. I.e., the “do you want fries with this?” approach.
Besides, IIRC Storj has better margins on the select network.
That’s not something I haven’t seen personally…
The SOC2 doesn’t prevent wooden data centers. It only makes sure storage customers can learn (if they ask explicitly!) that it’s built out of wood, and so does not allow the storage consumer to tell their end users they did not know.
The chain is: the end user requires SOC2, because they want to be able to just blame the storage consumer in case something goes wrong. Then the storage consumer requires SOC2 from the storage supplier, so that they can pass the blame if they can prove they did due research. The end result is that if something goes south, the end user still loses data, but at least they know whom to sue. That’s the value of SOC2: it’s a perverse version of a regular warranty.
Any company that has a substantial presence of lawyers in their procurement department will want this kind of warranty.
Funny funny stuff.
I remember some people wanted to sue Binance, and they F’n COULDN’T, because of the complex offshore structure; they didn’t even know where to send claims.
Yea, so either one understands the product features and advantages, or he is clueless, price-driven and willing to sue left and right; pick one. Storj has got to find a way to mark itself as a standard above all certs.
Indeed. I’ve worked on the supplier side with several procurement departments, and it was always very clear from the way requirements were formulated whether a given company consults lawyers, engineers, or both (rare!) in the process.
I have a Node in a datacenter. So is it able to get SOC2? Or what are the requirements? Every link I found led to a 404 page. (Maybe I searched wrong?)
Is it only available in the us?
So many questions about select, where I just find 404 links.
Here are some basic facts about SOC2 that most people do not understand.
SOC2 is a US audit standard that supersedes the old SAS70 standard by the American Institute of Certified Public Accountants (AICPA).
It focuses primarily on governance and not on product design.
When a business wants to obtain a SOC 2 report they contact an audit firm which then works with the business to determine what should be ‘in scope’, that is to say what parts of the service being offered to customers needs to be audited. Businesses can ‘carve out’ parts they want to exclude, but the auditor or the end customer may find that to be inadequate.
Different legal entities that are in scope need to have their own SOC 2 reports. We call this chaining reports. So if Storj uses a data center to host their satellites then the data centers are in scope and must have their own SOC 2.
There are two types of SOC 2: Type I (design only) and Type II (design and operations) - most enterprises will require a Type II since it proves that the service continues to operate according to best practices.
The audits are extensive - usually requiring 150 or more controls for the basic (required) ‘security principle’ and months of evidence that the controls are effective.
Controls will cover things like employee org chart being kept up to date, job descriptions, separation of duties (AP/AR), risk management and many other controls. Most CISOs will fully understand this. Most startups will never pass.
Basic security practices are required such as annual penetration testing, vulnerability management, patch management, code reviews, etc.
If I were a potential customer, I would expect that Storj has a SOC 2 Type II and that the code repository is protected from malicious access (including 2FA), code and system review with detailed threat model analysis, etc., from a well respected audit firm. I would also expect that the Enterprise SNO has a SOC 2 Type II and their hosted datacenter has one as well, and each of these has an annual pen test as well.
It is very hard for me to imagine how an independent (individual) SNO could possibly afford a SOC 2.
It is conceivable that an independent SNO could be considered ‘secure enough’ if the architecture of Storj was such that an individual’s node was ‘fool proof’, that no matter what they could screw up, the node could never put at risk the Storj system or any customer data. In this way an auditor might be able to legitimately ‘carve out’ the node such that it is out of scope.
Best for Storj to first contact a good auditor to clarify the roadmap and value of a SOC 2. Then talk to a few enterprise customers to see what they value. There are several optional ‘trust principles’ that make up SOC 2, but few businesses opt for them, especially privacy.
After the data migration, could you share some numbers, like how long the transfer took from the client’s servers to the Storj Select network, how much data, the median and maximum transfer speed, etc., how these speeds compare to the ones achieved on the public network, etc.?
Could you allocate some resources to separate the info for public network from the select network on the storjstats.info page?
Thanks!
Lol, such disappointing news. I was so excited hearing a 10PB customer is coming. But yeah, Select network. You guys use the public network for benchmarking and get customers, then use your Select network to get the profit while our SNO nodes keep shrinking day by day. Seem good?
This feels like the only reasonable way forward. Storj was designed to cope with Byzantine nodes and data is encrypted end to end — and that’s kind of the main point: the replaceable and individually unimportant nodes can be unreliable and malicious and the network is still reliable, with mathematical proof.
It works without trusting the node, let alone certifying anything. It just needs a good justification that a certification committee will understand.
You might want to read the announcement more carefully. The customer decided last minute that the public network doesn’t work for them. We even explained to them that Storj Select is running the same code, so there is no difference. I can say in this instance we did our best to push them to use the public network, but their response was “no way, we need Storj Select or we have to bail out.”
You guys should have been tougher. This is setting a bad precedent; who will choose the public network from now on? This is a public forum that everybody (including the customers) can read.
I already explained that Storj Select has some drawbacks. It doesn’t work for all customers. We are just lucky that it does work for this 10 PB use case.
Awesome. I fail to see what would be bad on getting more customers.
It’s possible, but first we need to obtain a SOC2 certificate which will include Storj public network.
We have customers who already use Storj Select, it wouldn’t be too easy to migrate them. I would guess it could be possible only with costly repairs. But at least new customers with SOC2 requirements would be able to use Storj Public.