That's a pretty nice challenge... I did some work on that already as a part of my MSc. Thesis, and I started working to publish a full article on that in a journal when I finished my MSc. I'm more than 60% done with the article already. We can share ideas about it if you don't mind, as a form of collaboration, and I'll credit you as a co-Author when I publish the research...
Security point of View, the difference between SaaS and IaaS are;
SaaS: In SaaS, the Cloud Customers will use Software as a Solution for their Business process,here Customer wont be having any control over it, the Cloud Service Provider will have ultimate control so it directly rises the issue of Security.
IaaS:In Infrastructure as a Solution, the Cloud User will be having control over application,software and on some platform but the data process and storage takes place out of the organisational infrastructure, wherefore it involves data protection and other security threats like Cyber attack.
There is a lot of resource crunch over cloud security . However there were some organisations which work towards finding best practices and providing advocacy to professionals , organisations and industry .
There were Top 10 Risks Published on cloud security from OWASP (Formerly popular for web app security).
A "hot topic" in IaaS clouds is trust: How can the cloud customer trust the cloud provider? The easy - in my opinion solved - "problem" is: confidentiality of DATA sent to STORAGE clouds -> solution: just encrypt the data at the customer's site; then send it. Same with integrity of data sent to storage clouds: just add a default integrity technology (MAC oder digital signature): check it after receiving back the data from the cloud.
The real problem (and thus) the hot topic is: How can the cloud customer trust the cloud provider when sending CODE to the cloud. We cannot just encrypt the code at the customer site. The provider must decrypt the code on his site -> the problem is: the provider has full insight (and control) of code sent to the cloud. This scenario is the normal scenario in many cloud environments: sending code (=virtual machines) to the provider or hosting (private) virtual machines that belong to the customer at the provider site. If you are interested in this topic see the slides of my talk I gave at ECCWS2014 and my paper.