Here's the problem with these generalizations, even when some of the issues these people describe are actually reasonably good points:
But since people continue to attest to SaaS==Cloud, let me point out something relevant.
There are two classes of SaaS vendors: those that own the entire stack, including the platform and underlying infrastructure, and those that don't. Those that have control/ownership over the entire stack naturally have the opportunity for much tighter control over the "security" of their offerings. Why? Because they run their business, the datacenters, and the applications housed in them with the same level of diligence that an enterprise would.
They have context. They have visibility. They have control. They have ownership of the entire stack.
The HUGE difference is that in many cases they only have to deal with supporting a limited number of applications. This reflects positively on those who say "Cloud SaaS providers are more secure," mostly because they have less to secure.
Meanwhile those SaaS providers that simply run their appstack atop someone else's platform and infrastructure are, in turn, at the mercy of their providers. The information and applications are abstracted from the underlying platforms and infrastructure to the point that there is no unified telemetry or context between the two. Further, add in the multi-tenancy issue and we're now talking about trust boundaries that get very fuzzy and hard to define: who is responsible for securing what.
Just. Like. An. Enterprise. :(
Check out the Cloud model below which shows the demarcation between the various layers of the SPI model of which SaaS is but ONE:
The further up the offering stack you go, the more control you have over your information and the security thereof. Oh, and just one other thing. The notion that Cloud offerings diminish attack surfaces is in many cases a good thing for sophisticated attackers as much as it may act as a deterrent. Why? Because now they have a more clearly defined set of attack surfaces -- usually at the application layer -- that makes their job easier.
Next time one of these word monkeys makes a case for how much more secure The Cloud is and references a SaaS vendor like SalesForce.com (a single application) in comparison to an enterprise running (and securing) hundreds of applications, remind them about this and this, both Cloud providers. I wrote about this last year in an article humorously titled "Cloud Providers Are Better At Securing Your Data Than You Are."
Like I said on Twitter this morning: "I *love* the Cloud. I just don't trust it. Sort of like why I don't give my wife the keys to my motorcycles."
We done now?
/Hoff