Exactly - nicely articulated.

I don’t think we as members should be micro-managing the NCC. Surely people have enough on their plates with their own businesses?

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845

I have sent this email at a time that is convenient for me. I do not expect you to respond to it outside of your usual working hours.

From: Nick Hilliard (Network Ability Ltd) <nick@netability.ie>
Date: Tuesday, 12 November 2024 at 15:14
To: Michele Neylon - Blacknight <michele@blacknight.com>
Cc: Felipe Silveira <fvictolla@ripe.net>, Timo Hilbrink <timoh@freedomnet.nl>, members-discuss@ripe.net <members-discuss@ripe.net>
Subject: Re: [members-discuss] Re: Serious concerns about the RIPE NCC Cloud Technology Status

[EXTERNAL EMAIL] Please use caution when opening attachments from unrecognised sources.

Agreed - this all looks fine to me.

And speaking as a member, what's important is that all these areas have received explicit consideration in terms of the balance between cost, convenience and security. We pay the RIPE NCC to carry out a specific set of mandates and it's good to see that they do it. The fact that as members, we have visibility right down to this level of granularity is a bonus in terms of seeing what we're paying them to do.

In the more general case of security risk management, there are plenty of cases out there where it would be appropriate to assign a high or critical risk rating to using US based cloud providers, as a result of the US Cloud Act.
In those cases for sure, in-house might be an option, or a cloud provider in a GDPR-based jurisdiction, or data-at-rest encryption, or whatever style of risk mitigation was appropriate for the case in hand. But I can't see that the RIPE NCC falls into this category in general, and specifically not in relation to the categories of data that Felipe said that the RIPE NCC stored on AWS.

Nick

Michele Neylon - Blacknight via members-discuss wrote on 12/11/2024 13:55:

Felipe

This all seems logical and sane.

Regards

Michele

From: Felipe Silveira <fvictolla@ripe.net>
Date: Tuesday, 5 November 2024 at 18:26
To: Timo Hilbrink <timoh@freedomnet.nl>
Cc: members-discuss@ripe.net <members-discuss@ripe.net>
Subject: [members-discuss] Re: Serious concerns about the RIPE NCC Cloud Technology Status

Dear Timo, all,

First off, I want to let you know that documents containing potential confidential member information - company registration papers, network plans, any document sent to the NCC in order to justify additional resources, etc. - are stored on premises in our Document Management System (Alfresco).
Registry information - including the history of all Internet Number Resources, plus all current and historical information about our members (legal address, company registration number, etc.) - is stored on our in-house-developed software, running on premises.

Ticketed communication with members is stored in Zendesk, which runs in the cloud using AWS infrastructure. No documents are stored directly in Zendesk, and any documents sent as attachments are automatically removed and stored in Alfresco.

For copies of IDs and passports, we use a third party (iDenfy) to identify our members. We don’t store any copies of IDs as part of this process, and IDs are deleted after 14 days.

For staff email we do use Gmail, and I note that copies of some Zendesk tickets might end up on staff email accounts. This came from an internal decision to fully use Google Workspace, which we were already using for other productivity tools. We also recently stopped paying for licenses for Zoom and now use Google Meet for video conferencing. Using Gmail for staff brings several benefits for us, including better spam and malware filtering as well as integration for staff with the rest of the Google Workspace tools.

As has been noted here, these decisions are largely cost- and resource-driven. We have undertaken serious efforts to reduce costs on the technology side of the organisation over the past two years, and this has resulted in some of the compromises that have been noted on this thread. An example of this is our recent efforts to reduce our data centre footprint, which have focused on providing quality services in a cost-effective way [1].

However, it's important to note that for most email we do in fact run our email infrastructure, including MTAs, community and membership mailing lists, and the ASO and NRO email systems. We operate on-premise MX servers, which handle all emails directed to ripe.net and route them accordingly.
Emails sent to staff and role accounts are forwarded to Gmail, while those intended for support go to Zendesk. Emails directed to mailing lists are routed to our on-premise Mailman instances. For outgoing emails, we use various services: Gmail for staff emails, Zendesk for support, AFAS for invoicing, and Brevo for some announcements. Any remaining emails, such as those from mailing lists and NCC services (like RIPE Database updates, RIPE Atlas, etc.), are sent through an on-premise mail server.

It is difficult to run our operations if we have to speculate on what governments can and cannot do. Instead, we apply a risk-based approach, paying close attention to the contracts we sign with these providers and ensuring that the obligations described in them give the highest possible level of privacy and security for our members.

Kind regards,

Felipe Victolla Silveira
Chief Technology Officer
RIPE NCC

[1] https://labs.ripe.net/author/felipe_victolla_silveira/reducing-the-ripe-nccs...

On Mon, 4 Nov 2024 at 13:33, Timo Hilbrink via members-discuss <members-discuss@ripe.net> wrote:

Hi all,

As we have seen in the past several Information Services updates from Felipe, the RIPE NCC has been moving a lot of services to the cloud, this now also includes things like RIPE NCC email, calendars, chat and video conferencing.

The following page gives a helpful overview of these services and the relevant cloud platforms:
https://www.ripe.net/publications/documentation/cloud-technology-status/

The page states that "all services pass an internal process of strict legal, information security, technology and privacy reviews". That all sounds very reassuring, doesn't it?

However.. Even though the "Data Residency" column states "EU" for all these services, these cloud providers are a U.S. legal entity (or a foreign entity with an office in the U.S.), so the data stored on these platforms completely falls under U.S.
legislation, such as the CLOUD act and numerous related acts and laws. It is completely irrelevant where this data is stored geographically. This also means that the data stored on these platforms can be subject to U.S. law enforcement warrants and subpoenas.

As a concerned and privacy-aware citizen, I find it very worrying that basically all my interactions with the RIPE NCC in some way end up in the hands of U.S. based cloud providers. But I can imagine that these concerns are much more serious for RIPE members in countries that have a less favourable relation with the U.S. (there are quite a number of those countries within the RIPE service region).

What do other members think about this, and has the RIPE NCC taken these consequences into account when they decided to move all this data and services to U.S. based hyperscalers?

Thanks for your thoughts,

Timo Hilbrink
Freedom Internet

-----
To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/
As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/