In a shared responsibility model for cloud services, which statement is true?

• A. The provider handles all controls in all models.
• B. The customer is responsible for all configuration in IaaS, while provider handles everything else.
• C. Responsibility depends on service model; both provider and customer share controls.
• D. Security controls are irrelevant in cloud deployments.

Answer: (C)

The key idea is that security duties are shared between the cloud provider and the customer, and who handles what shifts with the service model. In IaaS, the customer is responsible for the guest operating system, applications, data, and configuration, while the provider takes care of the underlying infrastructure, virtualization, and physical security. As you move to PaaS, the provider handles more of the platform and runtime security, leaving the customer primarily responsible for data and access management. In SaaS, the provider takes on most controls, and the customer focuses on data governance and user access. So, the true statement is that responsibility depends on the service model and both provider and customer share controls accordingly.

The idea that the provider handles all controls in all models isn’t accurate, because customers retain responsibilities—especially around data and access—in any cloud service. The notion that the customer is responsible for all configuration in IaaS isn’t correct, since the provider still secures the underlying infrastructure and platform layers. And security controls aren’t irrelevant in cloud deployments—security remains essential, just distributed differently between provider and customer.