What best describes the shared responsibility model in cloud security?

• A. Cloud provider handles security of the cloud; the customer handles security of what they put in the cloud (data, access, config).
• B. Cloud provider handles all security, including customer data.
• C. Customer handles security of the cloud itself.
• D. No security responsibilities are shared.

Answer: (A)

The shared responsibility model splits security tasks between the cloud provider and the customer. The provider takes care of securing the cloud itself—the underlying infrastructure, hardware, network, and the foundational services. The customer is responsible for securing what they place in the cloud—their data, encryption keys, identities and access controls, configurations, and the applications or services they run on top. In practice, for infrastructure-as-a-service, the provider secures the physical and virtualization layers, while the customer handles the guest operating system, installed software, data, and how those resources are configured and accessed. For software-as-a-service, the provider handles more of the security of the application, but the customer still controls data and who has access. This depiction matches the idea that the cloud is secure by the provider, while the customer secures their own data and usage.