Hoff wrote a nice post about some noise being generated about "The Cloud" being more secure than running things at home. He briefly pointed to one reason, the cloud is not just SaaS. Remember there are several different offers from different layers (from applications to virtualized OS environments) considered as "The Cloud", so you'll have to "fill the security blank" when buying those lower layer services. If you are running your application, written by your developers, using some of your middleware components, on the cloud,  you still need to deal with the security aspects of them, as your provider is taking care of the layers he is responsible for only. So, if there isn't a SaaS offering that exactly matches your application needs, you'll still need to worry about secure development if you decide to build it yourself or about patch management, secure configuration and all the other fun stuff if you buy it off-the-shelf and run it in the cloud. Same problems here.Even when you are relying mostly on SaaS, it may have a impact on your security posture. If you are a small or medium enterprise, for example, you will automatically get your threat level increased (and a lot) by using things like Salesforce. All that attention that you would not drawn by your organization business will be drawn by your fellow cloud neighbours. The question is (and I always come back to risk assessment methodologies!), how can we measure these things to compare the risk of those two options?  Where (and how) can we get reliable and compatible data on threat level and exposure?