In most cloud service models, except for Infrastructure as a Service (IaaS), the responsibility for securing the application layer falls to the customer, not the cloud service provider. For example, in Platform as a Service (PaaS) and Software as a Service (SaaS), while the provider maintains the infrastructure, the customer is responsible for the application itself. With IaaS, customers are even responsible for managing the operating system, storage, and deployed applications. Therefore, stating that the responsibility is always with the provider is incorrect as it varies depending on the service model and the shared responsibility agreement.