With the growing popularity of cloud computing, it is important to have guarantees on the quality of the protection. This is particularly true for infrastructure as a service (IaaS) and the need for protecting applications that are deployed in a cloud. Applications come with different levels of required protection and thus require different levels of protection at the infrastructure level. Quality of protection should be commensurate with the risks. In the cloud responsibility for protecting the application is split between the cloud user (the one who deploys the application) and the cloud provider that manages the infrastructure. The responsibility for securing the application is still in the hands of the cloud user. However the responsibility for securing the infrastructure on which the application runs is in the hands of the cloud provider. For the cloud user to be able to guarantee a given level of protection he must obtain some guarantees in quality of protection from the cloud infrastructure in which the application runs. This article describes and compares a client side (transparent) and a provider side (less transparent) model for specifying and monitoring quality of protection in IaaS, and discusses the benefits and pitfalls of the two models. The paper concludes by comparing these models to assess which one is the most adequate for IaaS. The contribution of this paper is to suggest the need for more transparent quality of protection management in clouds and to provide a method for moving from non-transparent quality of protection models to more transparent quality of protection models based on risk analysis of threats and the identification of the security controls to be monitored. The approach is illustrated with an example for monitoring VM/data location in a cloud.