nerdexam
(ISC)2

CISSP · Question #1261

An organization is considering partnering with a third-party supplier of cloud services. The organization will only be providing the data and the third-party supplier will be providing the security co

The correct answer is C. Software as a Service (SaaS). This question tests understanding of cloud service models and the division of security responsibilities between the customer and provider. In SaaS, the provider manages virtually all security controls while the customer only supplies and manages their data.

Submitted by diego_uy· Mar 5, 2026Security Architecture and Engineering

Question

An organization is considering partnering with a third-party supplier of cloud services. The organization will only be providing the data and the third-party supplier will be providing the security controls. Which of the following BEST describes this service offering?

Options

  • APlatform as a Service (PaaS)
  • BInfrastructure as a Service (IaaS)
  • CSoftware as a Service (SaaS)
  • DAnything as a Service (XaaS)

How the community answered

(49 responses)
  • A
    2% (1)
  • C
    94% (46)
  • D
    4% (2)

Why each option

This question tests understanding of cloud service models and the division of security responsibilities between the customer and provider. In SaaS, the provider manages virtually all security controls while the customer only supplies and manages their data.

APlatform as a Service (PaaS)

Platform as a Service (PaaS) requires the customer to manage their own applications and data security, meaning the organization would share more security responsibility than just providing data.

BInfrastructure as a Service (IaaS)

Infrastructure as a Service (IaaS) places the most security responsibility on the customer, who must manage the OS, middleware, applications, and data security - far more than just supplying data.

CSoftware as a Service (SaaS)Correct

Software as a Service (SaaS) is the cloud model where the third-party provider is responsible for managing the infrastructure, platform, application, and nearly all security controls, leaving the customer responsible only for their data and user access management. This aligns exactly with the scenario described, where the organization only provides data while the supplier handles all security. Examples include Microsoft 365 or Salesforce, where the vendor controls patching, encryption, and physical security.

DAnything as a Service (XaaS)

Anything as a Service (XaaS) is a broad umbrella term referring to the delivery of any IT function over the internet, not a specific service model that defines the responsibility split described in the scenario.

Concept tested: Cloud service models and shared responsibility division

Source: https://learn.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility

Topics

#cloud service models#SaaS#shared responsibility model

Community Discussion

No community discussion yet for this question.

Full CISSP Practice