Because PaaS is inherently based upon the notion of shared resources, security and isolation concerns must be addressed. For example, PaaS Tenants should most likely not have shell access to the servers running their instances (even when virtualized)- as this can lead to issues if configurations are changed. It might even be wise to restrict Tenant access to container administration facilities like WebLogic Console or WLST. Careful consideration should be given before access is provided to the underlying infrastructure hosting a PaaS instance. In enterprises this may have less to do with malicious behavior and more to do with efficient cost control; it takes time and effort to "undo" Tenant-related "fixes" to their environments.
Another aspect of security to consider are the entitlements offered by the PaaS platform. Should each instance have its own notion of user-level entitlements? Should the instances share a common entitlement framework with common policies that will be needed across the applications deployed on the PaaS? In tandem with the cost benefits of PaaS, there are efficiencies to be gained when considering PaaS as a way to enforce common entitlements across all applications in an enterprise.