The financial ROI of cloud security and compliance is judged by decision makers in end-user organisations by the same measures as is done for Cloud computing in general, i.e. by how much it cuts up-front capital expenditure and in-house manual maintenance cost. However, manually translating security policy into technical implementation is difficult, expensive, and error-prone (esp. for the application layer).

In order to reduce security related manual maintenance cost at the end-user organisation, security tools need to become more automated. With the emergence of cloud PaaS, it is therefore logical to move all or parts of the model-driven security architecture into the cloud to protect and audit cloud applications and mashups with maximal automation.

In particular, policies are provided as a cloud service to application development and deployment tools (i.e. “Policy as a Service”), and policy automation is embedded into cloud application deployment and runtime platforms (i.e …