Understanding Cloud Taxonomies and Security

OWASP AppSec DC 2009 had a compelling session that defined cloud taxonomies and the security implications associated with the cloud computing.  The three taxonomies that have become part of our vernacular are:

1. Infrastructure as a Service (IaaS):  Set of virtualized components that can be assembled to build a application.  Amazon EC2, Rackspace, Opsource, and GoGrid are examples of IaaS where you can rent "virtual" hardware and software as a "pay-as-you-go" services.  If you need 5 Linux servers running MySQL Database for 3 months, you'd subscribe to an IaaS provider and using their REST or Web service-based API (or command line if you're too cool) to provision, de-provision and monitor your instance.
2. Platform as a Service (PaaS): A runtime environment for application developer to deploy their applications in their desired programming environments with production issues such as scalability, security and reliability already addressed by the Platform.  Google App Engine, the support Java and Python is a good example of PaaS. Using PaaS developers can code applications locally on developer machines and push them to the cloud.  The developed applications can automatically scale to millions of invocations and thousands of users.  The developers do not have to concern themselves with managing threading, concurrency and load balancing issues for such almost unbound scalability.
3. Software as a Service (SaaS): Fully functional application with potentially and API for external application integration.  SugrarCRM, Netsuite and Salesforce.com are classic examples of SaaS in the CRM space.  SugarCRM can be used as an fully functional enterprise CRM systems and can also be accessed through Web services APIs for integrating on-premise application.  See for example:  Web services Testing SugarCRM.

For more details on Cloud Taxonomies and Security, see Understanding Implication of Clouds on Application Security.