Cloud Security: Asking The Right Questions
July 14th, 2010 By Administrator
When Forbes.com decided to run an article on the topic of cloud security recently, we weren’t surprised they turned to Ron Knode for input. Knode has been studying the issue since it, well, became an issue with the emergence of virtualization in enterprise technology.
In addition to holding the position of Director of Global Security Solutions at CSC, Knode is also a Leading Edge Forum (LEF) researcher who has penned plenty of his own articles — not to mention a series of posts here on our Enterprise Cloud Computing Guide. Knode is a regular presenter at industry events, including participation in this year’s Symantec Vision and Cloud Expo East events.
This most recent round of media interest (and it does seem to move in cycles in the cloud space) finds technology writer David F. Carr asking Ron about “Deciding Which Cloud Services To Trust” at Forbes.com.
The full article is worth reading for IT decision-makers, as it covers 3 sound pieces of advice:
- Consult peers in your industry to see what experience they’ve had with particular cloud vendors and solutions. That’s as close as you’ll come to understanding the specific impact cloud computing can have on your business.
- Don’t expect a secure service just because of the provider’s size or reputation — what Ron calls “presumptive security.” A well-known vendor does not necessarily equate to a five-nines SLA (a service level agreement for 99.999% availability).
- Look for vendors that take a “business-first” approach, i.e. the vendors that move only the appropriate operations to a cloud solution, without increasing risk to critical operations or disrupting continuity.
A classic example of what this looks like in practice, says Knode, is the move to cloud-hosted email at Towson University, where he teaches. According to Knode, and as described in his seminal paper “Digital Trust In The Cloud,” Towson administrators understood the pay-off of moving the school’s email service to Google, with cost savings and increased storage capacity at the top of the list. However, Towson officials were rightly concerned about the security of intellectual property contained in faculty emails and other such security issues. So, in a “business-first” approach, the university moved only student email to the Gmail platform while maintaining its comfort level with security for staff electronic communications.
With cloud providers making all sorts of claims, Knode also has been a champion of pushing enterprise IT developers and systems integrators to adopt protocols based on standards. Just as telecommunications and then the Internet forced adoption of common standards, cloud computing has presented a need to form consensus on language, frameworks, rights and expectations. Knode has worked intently with colleagues and the National Institute of Standards and Technology (NIST) cloud computing group to push toward a CloudTrust Protocol.
“The CTP extends the NIST and Department of Defense-sponsored Security Content Automation Protocol (SCAP) as a packaging and expression technique for some of the elements of transparency,” Knode says.
Transparency is his keyword. We’ll have more on that with Ron later today.
















