Which of the following statements BEST describes who is responsible for securing the application layer (for example, patching application code and mitigating application-level vulnerabilities) under the cloud shared-responsibility model?
In IaaS the provider secures applications, whereas in SaaS the customer does.
The customer is always responsible, regardless of the service model.
The cloud service provider is always responsible, no matter which service model is used.
Responsibility shifts by service model: customers secure the application layer in IaaS (and generally in PaaS), but the provider secures it in SaaS.
Under the shared-responsibility model, duties move up the stack as you transition from IaaS to SaaS:
IaaS: The customer controls and secures the guest OS and anything above it, including the application code.
PaaS: The provider secures the underlying OS and runtime, but the customer still secures any applications they develop and deploy on the platform.
SaaS: The provider operates and patches the application itself, while the customer focuses on data protection, identity, and configuration.
Therefore, the most accurate statement is that responsibility varies by service model: the customer handles the application layer in IaaS and usually in PaaS, whereas the provider handles it in SaaS.