Cloud computing is actually defined as three types of services: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastrcture as a Service (IaaS). A large VMWare farm for one company is not cloud computing.

Each of the models has their pro’s and cons.

Model 1: Software as a Service (SaaS) – Alex Stamos

With SaaS in stead of running and building your own applications, you are using web applications provided to you by the SaaS provider. This might actually be a good idea because SaaS companies generally know about application security.

Unfortunately using SaaS means that your data will actually reside on the vendor’s location. Also some SaaS vendors use a password recovery mechanism that will make your datacenter admin password as secure as his email account.

Most SaaS vendors do not provide the audit logs needed for an enterprise. That is why it is probably a bad idea to put regulated data into SaaS.

Some allow you to address password and auditing issues by allowing you to use SAML authentication. It takes away some the benefits from SaaS, but you can do things like dual factor authentication, have control over password policies, provide an internal password reset, do auditing and anomaly detection or even restrict the login page behind a VPN.

SaaS does bring large legal concerns because the contracts exclude all the important stuff, e.g. liability and support in case of compromise. Most vendors prevent you from executing penetration test on their services in their EULAs. Exceptions: Amazon, Google, Salesforce.com

SaaS provides far less protection again search en seizure. In the US a hard drive in you house is protected by the US constitution, a hard drive in a service providers datacenter isn’t.

Model 2: Platform as a service (Paas) – Nathan Wilcox

With PaaS you get provided with a development framework that you can use to develop you own service. Examples are:

• Google AppEngine
• SalesForce.com Platform as a Server, Force.com
• Windows Azure

In order to see if applications developed in this way are more or less secure, Nathan did a simple investigation to see how easy/hard is was to get/avoid common issues like CSRF, XSS and SQL Injection as a developer.

CSRF can be mitigated transparently by all the three platforms. But is requires some action on the developer it is easy to forget.  Force.com is an exception, all controls are enabled by default.

Cross Site Scripting prevention requires more developer awareness then CSRF prevention. In cloud computing this is not different from tradition methodologies.

SQL Injection is easier to prevent in PaaS then it is in classic frameworks

Model 3: Infrastructure as a Service (IaaS) – Andres Brecherer

With IaaS you get control over everything above the hypervisor. Because hundreds of machines gets cloned, there are issues here with the Psuedo Random Number Generator (PRNG). This can lead to SSH key compromises.