Storj Town Hall - November 14, 2024


Learn about our latest achievements, highlights, and what to expect from Storj in the coming months.

We hold Town Hall sessions regularly throughout the year to keep our community up-to-date on all the latest from Storj, our token practices, and to give the Storj Community the opportunity to ask questions and learn more.

Follow our YouTube, Twitter and LinkedIn accounts for the latest Storj news, updates and events.

If you have questions about the November 14, 2024 Town Hall please ask them in the replies below.

3 Likes

Hello, how are the efforts for Public Network SOC2 certification going, and what are the prospects of it happening? Clearly, without an industry-standard certification the Public Network is in a sort of stagnation, due to the lack of serious heavy enterprise customers, who prefer to choose the Select option. Asking as a loyal private SNO, who would like to regain hope for the sense of his existence. Thank you.

P.S.
Did you see this post on the matter:

Jammedan, found some auditor with experience in decentralized infrastructure: “Seal Storage Technology, a leading provider of blockchain-powered cloud storage, is proud to announce the successful completion of a System and Organization Controls (SOC) 2 audit conducted by the highly respected audit firm, Audit Peak.”

could be beneficial and time saving. Seal Storage Technology’s successful SOC2 audit by Audit Peak is a good example.

10 Likes

Appreciate the suggestion of Audit Peak as an auditor with experience in this space. I would also note that auditors in the AI space seem to be a bit more forward-leaning. Regardless, they tend to all audit on the standards “as they are”. Seal Storage is a Filecoin provider. Generally, Filecoin providers are centralized data centers that provide that capacity to the decentralized marketplace which is Filecoin. Their blog post mentions SOC2 but omits Type 1 or Type 2; perhaps it’s just a readiness assessment, hard to tell. Given they are likely a centralized data center, SOC2 Type 1 or 2 would not be groundbreaking. I’ll reach out to Audit Peak and add them to our list of possible vendors.

One of the key sticking points in a distributed storage network is the concept of “control”, specifically “control over the nodes” as nodes are defined in “Components of the system”. We have some creative ideas about passing this requirement with public nodes but have received some pushback from auditors/consultants in the research phase.

10 Likes

Hiya @Ruskiem

StorJ has undergone a tonne of changes in the last few months. Some are very relevant for StorJ’s customer base (like purchasing Valdi or joining forces with CunoFS), some for StorJ as a company (like the CEO swapparoo), and a few for Storagenode Operators (Like the fabled 10PB customer moving to StorJ Select).

As with all platform economies, these are the three legs - providers, customers and the platform itself - that make up the three legged StorJ-Stool, and the three legs that require coverage in Town Halls.

I’d additionally love to hear more about what kind of workloads/customers are in the pipeline, and if “we” are still in exponential growth :slight_smile:

3 Likes

My question is, what would happen to Storj Select if the Public network receives SOC2 certification? My understanding is that it exists purely because it has SOC2. Or does it provide other benefits too?

My question is – what prevents you from fixing the audio quality? My ears are bleeding. It’s not 1991, there is no need to limit yourselves to 5kbps bandwidth.

3 Likes

It seems @stuberman has some experience in this field and might be able to add something useful.

2 Likes

I have not had time to watch the townhall yet. I hoped for better audio quality :frowning:

I’ve passed your feedback on to the team. Thank you.

4 Likes

Think of the audit as serving the end customer who will be storing their data on your system. The auditors have a certain amount of leeway in how they interpret the controls. I found that technical people often overlook aspects of security, especially around governance, that are simply industry standards. Also realize that you need to think of the audit as evaluating the system, not just your corner of it, so there are the satellites, the SNO nodes and the data centers they are hosted at. Where are the possible vectors to compromise the confidentiality and integrity of the data? The auditor will help with scoping what is in scope for testing. An enterprise customer would reject a scope that is so narrow it leaves their data at risk. From my limited perspective as a SNO, I think the key areas are the satellites; the code running the system, including access to the repos where the code is stored (including the ability of a hacker to insert malware into Storj code); annual penetration testing of components exposed to the Internet; and general governance. It is not clear that the SNOs need to be in scope, especially if you pen test a node that is on the Internet and prove that either attacking it directly or physically having possession would in no way compromise customer data or lead to exposure of the system, such as encryption keys.

All of this would be part of the initial phase with the auditor to determine how the system functions and what needs to be in scope.

5 Likes

Just to quickly note, I believe that while SNOs themselves will not be part of the audit as you stated (because it is not necessary and is not feasible), the biggest point of focus will be data storage.

Outside of data storage, most of Storj’s structure is standard for a SOC audit, and of course the scope will cover a lot of parts: satellites, code development, HR (yes, some HR tasks are typically reviewed during SOC audits), etc.

Other than those, Storj will have to prove that the “limited” control they have over the storage media (as they do not physically have access to it) is enough to fulfill the common criteria defined in the SOC standard. I believe the effectiveness of these controls will probably be easier to prove once they have been defined. And as you also said, the way they have to prove that they have this control is through the satellites.

How hard this part is will depend on the audit team, as each team operates in different ways.

2 Likes

To also add a couple more points (for those following the conversation):

  1. Enterprises consider the reputation of quality auditors; tier-one auditors like EY, PWC and BDO are simply more credible than some audit firm they are not familiar with.
  2. The difference between Type 1 and Type 2 audits is important. Type 1 is an audit of the system design, a one-time snapshot. Type 2 is far more credible as it also covers the operations and tests that the controls work as designed.

2 Likes

Any news on this one? Besides that there are other compliance standards than just SOC2:

Wasabi | Industry and Regulatory Standards Adherence

HIPAA, CJIS, FERPA, GDPR & UK GDPR, TPN, SEC, FedRAMP

It may be that these compliance standards require SOC2 as some kind of underlying master standard. But maybe not. While of course it would be great to obtain SOC2 for the Storj Global network, 2 thoughts come to my mind: 1. Maybe the Storj Global network can obtain compliance certification on the standards above without SOC2? 2. As Storj Select has SOC2 compliance, it should seek compliance certification for all the other standards as well. Because they sound very interesting:

Trusted Partner Network (TPN)

The Trusted Partner Network is a global media and entertainment community network and security initiative operated by the Motion Picture Association (MPA).

Wasabi is Blue Shield certified and we continue to pursue all certifications necessary to remain compliant for organizations with varying multi-media and motion picture assets and requirements.

Federal Risk and Authorization Management Platform (FedRAMP®)

The Federal Risk and Authorization Management Platform (FedRAMP) is managed by the FedRAMP Program Management Office (PMO). It is a government-wide program that promotes the adoption of secure cloud services across the federal government.

Criminal Justice Information Services (CJIS)

With Wasabi, you can store data compliantly with standards set for data privacy, security, durability, and protection for Criminal Justice Information (CJI) and other critical information, as required by CJIS

This sounds like a lot of interesting data.

This sounds like a money grab for government. Each agency puts out its own standards just to grab more money for certification. Why not unite all of these requirements under one roof?

Anyways, the most important thing of any data storage is security against unauthorized access, and all of these certifications can’t prevent human error.

1 Like

While there are plenty of standards around, the reason that SOC2 is usually the one that companies request is SOC2 certified companies must also use SOC2 certified providers (a bit of a simplification here).

Therefore, while Storj could attempt to be certified with a different standard, it would not be nearly as useful.

My suggestion has 2 sides. First: obtain the other standards where you cannot get SOC2 at this time (Global network).
Second: where you have SOC2 (Select network), get compliant with the other standards as well, to attract the customers that require those.

1 Like

Appreciate the thoughts @jammerdan. FYI, Storj does retain TPN Blue status and also has statements of compliance for HIPAA, CJIS, and GDPR. This commonly comes up as part of a prospect’s vetting of our services. We will continue to add frameworks/standards, all while completing our SOC2 Type 2 report.

This is all going well, we are spending significant effort on it due to its importance.

14 Likes

Jurisdiction, and different use cases. Why would the United States trust GDPR as defined by the European Union and hope that the EU will not change their mind in the future? Why would, let’s say, privacy standards for medical data (HIPAA) also be enforced on just run-of-the-mill proprietary business information (often wanting SOC2) that is not related to any single person?

If you design a single standard to cover all use cases, it gets much more complex than just having a single-purpose standard.

Regulatory capture is a thing, but these standards are not it. For one, SOC2, the standard that seems the most desired here, is not even a government standard.

This is reductive, suggesting that standards are meaningless. No, they are meaningful in the sense of “I can prove I did all I could to prevent [certain types of] errors”: showing due diligence. As such, equating certified and non-certified services using an argument of “both are at risk of human error” would equate a garage company hosting data on thumb drives with Fort Knox. Sure, if suddenly all guards at Fort Knox are bribed, then you can steal all the gold. But it’s quite a bit more difficult than using lead pipe diplomacy on a garage door to steal thumb drives.

2 Likes

If you have these statements of compliance already, then I did not see them on the webpage. All I have seen is under https://www.storj.io/evaluate, and the official page about Storj compliance is not very clear either: https://www.storj.io/object-storage/compliance

Storj provides a way to select a group of certified storage nodes to meet your SOC, ISO, HIPAA, and GDPR needs.

Others like TPN or CJIS I did not see. Maybe it would be a good idea to make the statements available on the website, or at least have a complete list of which network is compliant with what standard. I think Wasabi does that very well on their compliance page https://wasabi.com/cloud-object-storage/compliance. If you have, let’s say, TPN for the Global network, it might drive additional attention and customers to it if this information is available. Also this could be something for the AI bot on the page.

Additionally, at some point a blog entry about standards might be a good idea. If you are unable to get the Global network successfully audited for standards like HIPAA, SOC2 or GDPR, a blog entry detailing that, and why data is safe without certification, might be an idea, as we know these standards did not really have distributed encrypted zero-knowledge systems in mind when they were invented.

Also, I am still holding up my suggestions made here: Discussion on Commercial Storage Node Operator Program - #34 by jammerdan, where I suggested that Storj may try to become a member of those organizations and associations that create those standards, or to influence them in other ways to be heard.

It looks like Wasabi is doing that with its cloud for the public sector: [link removed] and its GovCloud: [link removed] meeting the FedRAMP® compliance standards.

In the wake of the Russian attack against Ukraine there was already discussion here about whether something similar, e.g. protecting data from governments and institutions, could be an interesting business opportunity for Storj:

1 Like