Re: "they also add new potential attack surfaces"
This takes us full circle. The point of the "Cloud" is that you don't have to manage loads of layers; that is the responsibility of the provider. Unsurprisingly they are going to use all sorts of tools to make that as easy (and cheap) as possible.
A cloud provider can use whatever tools they want, including anything they develop themselves. That they use their own custom tools is, again, no surprise; it is cheaper and history has repeatedly shown us that a commercial product does not automatically make it secure. The technologies that are used to support and manage their cloud are always going to be a closely guarded secret, as this is the area where competitive advantage will come in.
What do the author and RSA conference expect?