Updates on Test Data

Ouch… my broken heart :sob:

1 Like

You can still cancel the orders for those drives you’ve been waiting for. Or you can sell them at a discount to recoup some of the cost.

Next time listen to those screaming at the top of their lungs that the wolves aren’t coming, instead of rushing to herd your sheep.

4 Likes

It’s a gamble. You win some, you lose some :slightly_smiling_face:

5 Likes

At least the test data forced me to upgrade to more stable hardware (SAS card* and enclosure*). Now I can go back to ignoring my nodes for months at a time. :beers:

*Purchased used on eBay.

5 Likes

I upgraded my hardware too. Even moved to a different datacenter (From Frankfurt to Wolfsburg)
But at least I got a free 20GBITS Uplink :slight_smile:

1 Like

I believe this will be the trend from now on. Big customers test public network, and when they sign and migrate, they choose the select network. We only get bits and pieces, no PB overnight. But we are used to these bits and pieces; it's just how we ended up storing tens of TB starting from one dusty old drive.

2 Likes

Unlikely. Storj Select is often offered as a last resort, but usually this is to cover SOC2 requirements. Because we all know that Storj Public is cheaper, faster and more durable.
Thanks to these tests, Storj Public became even faster, so I think it’s a good thing anyway.
We have many other customers who don’t require SOC2, so the Public network is best suited for them.

Any of the Storj team members care to comment on if there are other large customers in the pipeline?

I do not think that there would be updates or announcements. There are always large customers in the sales pipeline.
I doubt that we would post updates about each one.

You can track the stat though:

I would also recommend subscribing to blogs and checking the partners page on the site.

2 Likes

I’m really curious how a network kept by untrusted/unknown individuals could be certified in some way. I’m not familiar with SOC or any certification, but I imagine in order to certify an organism, all its parts should be known and easily identifiable, and if there are more parties than one, each one should somehow agree in writing to meet some requirements. I don’t see this happening in Storj public network. But you guys are more knowledgeable than me; I hope things work out.

Doing a SOC2 certification on Storj for the storage network would definitely be tricky. To get SOC2 certified you are required to comply with a series of requirements by having implemented security controls and procedures. Storj clearly already has security controls implemented in the storage network to satisfy a lot of these requirements, but whether those controls are enough to satisfy both all of the SOC2 framework and the auditor remains to be seen.

The hardest part, as you suggested, is probably the fact that the network is kept by unknown individuals, which can make it hard to satisfy some of the requirements, but it may be possible to somehow work around it via some of the other controls.

In any case, SOC2 certification is a long process (readiness stage can take months depending on the specific audit. Plus, depending on the timeframe Storj chooses, anywhere between 3 to 12 months more to get audited), so we shouldn’t expect updates for a while.

1 Like

No, I don’t think this makes any sense for a customer.

But Storj should learn from this to be more transparent and clear about the different networks.
And Storj Sales should not wait until the last minute to clarify if a customer needs certified storage. This should be like the first question.

2 Likes

Yeah, some miscommunication has taken place there, Storj didn’t bring the certification into the discussion, the customer didn’t think of it, and it was a last minute thing, but something good came out of it anyway, for us too.
The network has been tested with more settings and adjustments and gave us the opportunity to improve our setups, making us more future proof. I’m not so disappointed.

It is not just with this customer. It happened in the official communication sometimes too (sometimes not). I am too lazy to search right now but I think I have seen videos with Storj officials referring only to data centers as storage locations.

We also had it here:

This lack of clarity has also been perpetuated in articles, such as the one on Blocks and Files:
Storj claims edge in reducing carbon footprint – Blocks and Files

Decentralized storage places data in multiple locations rather than in a single, centralized datacenter. The paper, titled “How Using Spare Capacity for Data Storage is Better for the Environment,” explains that datacenters over-provision disk capacity to cater for drive failures and future growth. Storj hires that capacity all around the globe and uses it to store distributed shards or slices of its erasure-coded data.

This can create false impressions among customers, who may assume that Storj’s storage capacity is certified and only ask for proof of certification after the storage deal has been signed.

I am not too disappointed either:

At least this potential customer has led to extensive testing again and has helped to resolve some issues that might not have been addressed otherwise.

1 Like

All certified organizations depend on non-certified suppliers at some point. For example if you are a software company you usually do not require certification from suppliers of laptops on which your employees work. It’s just that these types of dependencies are so common that the certification process already knows how to handle them. Storj will have to do quite a bit of legwork to prove Storj’s dependency on uncertified node operators is sound.

Right now I work in a domain where some degree of industry-specific certification is useful. I’ve learned the process is quite flexible, and as long as you can show due diligence in the way odd cases are handled, it can be done in a non-trivial, but finite amount of time. I would assume SOC2 being a rather general framework applicable to many different types of organizations also needs to be so.

1 Like

SOC = Storj Owns the Cloud :sunglasses:

3 Likes

SOC2 is not a ‘certification’ it is an audit standard that provides regular reports from an accredited auditor. It is really part of a risk management process and not simply a list of certificates you have.

Only elements of the system that create risk for a customer are in scope, including vendors. So having a vendor that sells you typing paper is not in scope. Having a vendor that provides a hosting service for your satellites, where physical access to your servers puts the entire security of your service at risk, is in scope.

Laptops used by employees that interact with highly sensitive data (private keys, PII, etc) may be required to have a F.A.R. certification and the OS meet certain standards as well as being patched and current.

The SOC-2 framework is always customized to a particular service based on an auditor’s recommendations. The auditor is the one on the hook once they deliver their report.

4 Likes

This might be a language difference, but as far as I understand, a single successful audit results in some form of a statement that at the time the audit was performed, certain norms expected by auditors were upheld. This is what I had in mind: an auditor certified the norms were upheld. Does this statement have a better name?

That’s why I said “usually” (-:

The correct word is probably attestation. The difference is that a certification results in some body awarding the company a “seal of approval” that will be valid for a given amount of time after received. This is not the case with SOC audits.

A SOC (type 2) audit results in a SOC report, where the auditor will give an opinion on if the company has operated suitable and effective controls for the services under the scope of the audit for a specified period of time (e.g. you get a report in 2024 for Jan-Dec 2023).

In contrast, other frameworks like the ISO 27001 do certify a company “in the future”. Once a company completes an ISO audit, they will be ISO certified for the following 3 years.

It is not unusual for SOC to be referred to as a certification, but this can lead to misunderstandings.

7 Likes

Yes, ‘attestation’ or simply ‘auditor’s report’ are what I usually hear.

To be perfectly clear, with a SOC 2, the auditor will issue a report with either an “unqualified opinion” which means they did not find any problems. Or they will offer a “qualified opinion” which means there were problems. Those with serious or material deficiencies are the equivalent of a failed audit. At that point the audit firm will usually allow the audited organization an option to fix any problems and issue an updated report.

Bear in mind that the SOC 2 reports are extremely sensitive and these reports are not revealed publicly since they reveal where possible weaknesses lie and could be subject to attack. Some organizations will allow select customers to read their audit reports. Another option is to ask the auditor to produce a summary report which does not go into detail about the audit findings but does state the opinion of the auditor.

There is also another type of report which is the SOC 3, that is a general report based on SOC 2 that is meant to be shared with the public.

3 Likes