Enterprises that host services in the cloud need to protect their cloud resources using network services such as firewalls and deep packet inspection systems. While middleboxeshave typically been used to implement such network functions in traditional enterprisenetworks, their use in cloud environments by cloud tenants is problematic due to the boundary between cloud providers and cloud tenants. Insteadwe argue that network function virtualization is a natural fit in cloud environments, where the cloud provider can implement Network Functions as a Service using virtualizednetwork functions running on cloud servers, and enterprise cloud tenants can employ theseservices to implement security and performance optimizations for their cloud resources. In this paper, we focus on placement issues in the design of a NFaaS cloud and presenttwo placement strategies - tenant-centric and service-centric - for deploying virtualized network services in multi-tenant settings. We discuss several tradeoffs of these two strategies. We implement a prototype NFaaS testbed and conduct a series of experiments to quantify the benefits and drawbacks of our two strategies. Our results suggest that the tenant-centric placement provides lower latencies while service-centric approach is more flexible for reconfiguration and capacity scaling.