Hi there wasnt sure were to post my recommendation for the governance document so I am posting here hope it is ok.
1. I suggest you number the pages so it referenceable.
2. Section 1.3.3 the last diagram has an error showing SaaSS rather than SaaS.
3. Section 1.3.5, I agree on the notion that SaaS provides a larger attack surface or having a "much higher" . I propose that attack surface for cloud application remains the same, for example a poorly developed app that is vulnerable to SQL injection will remain as such regardless of where it is hosted. Since the application and platform stacks are the same , then I propose that the attack surface is relatively the same.
4. What is different is the delineation of responsibilities, in the cloud all the consumer will worry about is access, but on premise the responsibility sits with the local IT team.
I am open for other views on the subject.
------------------------------
Nabeel Yousif
May 12, 2017 · Notified 40 people
------------------------------