Storj Town Hall - November 14, 2024


Learn about our latest achievements, highlights, and what to expect from Storj in the coming months.

We hold Town Hall sessions regularly throughout the year to keep our community up-to-date on all the latest from Storj, our token practices, and to give the Storj Community the opportunity to ask questions and learn more.

Follow our YouTube, Twitter and LinkedIn accounts for the latest Storj news, updates and events.

If you have questions about the November 14, 2024 Town Hall please ask them in the replies below.

3 Likes

Hello, how are the efforts for Public Network certification for SOC 2 going, and what are the prospects for it to happen? Clearly, without an industry-standard certification the Public Network is in a sort of stagnation, due to the lack of serious heavy enterprise customers, who prefer to choose the Select option. Asking as a loyal private SNO, who would like to regain hope for a sense of his existence. Thank you.

P.S.
Did you see this post on the matter:

Jammedan, found some auditor with experience in decentralized infrastructure: “Seal Storage Technology, a leading provider of blockchain-powered cloud storage, is proud to announce the successful completion of a System and Organization Controls (SOC) 2 audit conducted by the highly respected audit firm, Audit Peak.”

It could be beneficial and time saving. Seal Storage Technology’s successful SOC 2 audit by Audit Peak is a good example.

10 Likes

Appreciate the suggestion of Audit Peak as an auditor with experience in this space. I would also note that auditors in the AI space seem to be a bit more forward-leaning. Regardless, they tend to all audit on the standards “as they are”. Seal Storage is a Filecoin provider. Generally, Filecoin providers are centralized data centers that provide that capacity to the decentralized marketplace which is Filecoin. Their blog post mentions SOC 2 but omits Type 1 or Type 2; perhaps it’s just a readiness assessment, hard to tell. Given they are likely a centralized data center, SOC 2 Type 1 or 2 would not be groundbreaking. I’ll reach out to Audit Peak and add them to our list of possible vendors.

One of the key sticking points in a distributed storage network is the concept of “control”, specifically “control over the nodes”, as nodes are defined in “Components of the system”. We have some creative ideas about passing this requirement with public nodes but have received some pushback from auditors/consultants in the research phase.

10 Likes

Hiya @Ruskiem

Storj has undergone a tonne of changes in the last few months. Some are very relevant for Storj’s customer base (like purchasing Valdi or joining forces with CunoFS), some for Storj as a company (like the CEO swapparoo), and a few for Storagenode Operators (like the fabled 10PB customer moving to Storj Select).

As with all platform economies, these are the three legs, providers, customers and the platform itself, that make up the three-legged Storj stool, and the three legs that require coverage in Town Halls.

I’d additionally love to hear more about what kind of workloads/customers are in the pipeline, and if “we” are still in exponential growth :slight_smile:

3 Likes

My question is, what would happen to Storj Select if the Public network receives SOC 2 certification? As I understand it, it is purely here because it has the SOC 2. Or does it provide other benefits too?

My question is – what prevents you from fixing the audio quality? My ears are bleeding. It’s not 1991, there is no need to limit yourselves to 5kbps bandwidth.

3 Likes

It seems @stuberman has some experience in this field and might be able to add something useful.

2 Likes

I have not had time to watch the townhall yet. I hoped for better audio quality :frowning:

I’ve passed your feedback on to the team. Thank you.

4 Likes

Think of the audit as serving the end customer who will be storing their data on your system. The auditors have a certain amount of leeway in how they interpret the controls. I found that technical people often overlook aspects of security, especially around governance, that are simply industry standards. Also realize that you need to think of the audit as evaluating the system, not just your corner of it, so there are the satellites, the SNO nodes and the data centers they are hosted at. Where are the possible vectors to compromise the confidentiality and integrity of the data? The auditor will help with scoping what is in scope for testing. An enterprise customer would reject a scope that is so narrow it leaves their data at risk. From my limited perspective as a SNO, I think the key areas are: the satellites; the code running the system, including access to the repos where the code is stored (including the ability of a hacker to insert malware into Storj code); annual penetration testing of components exposed to the Internet; and general governance. It is not clear that the SNOs need to be in scope, especially if you pen test a node that is on the Internet and prove that either attacking it directly or physically having possession would in no way compromise customer data or lead to exposure of the system, such as encryption keys.
All of this would be part of the initial phase with the auditor to determine how the system functions and what needs to be in scope.

5 Likes

Just to quickly note, I believe that while SNOs themselves will not be part of the audit as you stated (because it is not necessary and is not feasible), the biggest point of focus will be data storage.

Outside of data storage, most of Storj’s structure is standard for a SOC audit, and of course the scope will cover a lot of parts: satellites, code development, HR (yes, some HR tasks are typically reviewed during SOC audits), etc.

Other than those, Storj will have to prove that the “limited” control they have over the storage media (as they do not physically have access to it) is enough to fulfill the common criteria defined in the SOC standard. I believe the effectiveness of these controls will probably be easier to prove once they have been defined. And as you also said, the way they have to prove that they have this control is through the satellites.

How hard this part is will depend on the audit team, as each team operates in different ways.

2 Likes

To also add a couple more points (for those following the conversation):

  1. Enterprises consider the reputation of quality auditors; tier one auditors like EY, PwC and BDO are simply more credible than some audit firm they are not familiar with.
  2. The difference between Type 1 and Type 2 audits is important. Type 1 is an audit of the system design, a one-time snapshot. Type 2 is far more credible as it also covers the operations and tests that the controls work as designed.

2 Likes