What’s The Difference Between Security And Trust In The Cloud?

January 27th, 2010 By Ron Knode

I felt compelled to respond after reading Chris Hoff’s “Cloud: Security Doesn’t Matter (Or, In Cloud, Nobody Can Hear You Scream),” at his blog Rational Survivability. This post originally appeared as a comment to his post.

I am working with Hoff as a member of the A6 (Automated Audit, Assertion, Assessment, and Assurance API) group working on cloud security interoperability standards.

Hoff’s point is well said. It’s a forceful (and entertaining) echo in the cloud of earlier discoveries and comments about the ultimate importance of “trust” versus other words often intended to characterize related aspects (e.g., security, privacy), but which do not represent the real need, and so should never be confused as synonyms.

This commentary could be used almost “as is” for earlier IT delivery schemes. Think of it! We needed “trust” in the web (not just “security”), “trust” in software development (not just “security”), “trust” in SOA (not just “security”), and on and on and on. The distinction comes down to the ability to create new enterprise value (“trust” can do that), versus merely the incremental improvement in the protection of enterprise value we’ve already got (that’s what “security” does).

Compliance, on the other hand, is the (reliable) satisfaction of a set of security/integrity/availability conditions that have been declared to be “acceptable” by an authority with some governance responsibility. While this is no place to delve into the psychological and sociological constituents of trust, it is clear that there is a (strictly) technological contributor to trust (often called “digital trust”) and that’s what we’re talking about here.

In my research, the key ingredient to digital trust generation is visibility into the system as designed and at work. The greater the transparency of operation, the more digital trust is generated, and the more opportunity for enterprise value creation is presented. It’s amazing how this works. And, at the same time, such transparency also contributes to control mechanism validation, making compliance more achievable as well.

So, heed the words of trust in the cloud. For greater explanation of the linkage between transparency and digital trust generation, see my research paper, “Digital Trust In The Cloud” or related articles produced at the Leading Edge Forum.

This is not the “Zhu Zhu Pet of the day” for the cloud. The power of trust (including digital trust) is enduring, as long as transparency is reclaimed and reported reliably.

One of the aims of the A6 group is to explore techniques for cloud security claims and assurances, and to make them standard (or at least interoperable).

Seems like more than a worthy objective to me.

Ron Knode is Director of Global Security Solutions at CSC and a Research Associate with the Leading Edge Forum.
