Which statement about cloud responsibility is true?

• A. It defines how to patch hardware firmware in data centers.
• B. The DRP is sufficient to cover all security needs in cloud deployments.
• C. A shared responsibility model assigns security controls to either provider or customer depending on the service model.
• D. Security controls are not needed for SaaS.

Answer: (C)

Cloud security is governed by a shared responsibility model, where who handles which controls depends on the service model you’re using. In IaaS, the provider takes care of the base hardware, physical security, networking, and virtualization; you manage the guest operating system, installed applications, data, and access controls, including patching at the OS/app level. In PaaS, the provider covers more of the stack (runtime, middleware, OS) while you still handle data, encryption keys, and how your applications are configured and accessed. In SaaS, the provider handles most security controls, but you remain responsible for data governance, user access management, and how you use the service. This allocation is what makes the described statement true: security controls are assigned to either provider or customer depending on the service model.

Other options don’t fit because they overlook this division of responsibility. Patch hardware firmware is primarily a provider task, not a concept you use to describe the overall model. Relying on a disaster recovery plan alone doesn’t address all security controls. And saying security controls aren’t needed for SaaS ignores the ongoing access management and data protection responsibilities that still fall on the user side.