CISSP · Question #1261
An organization is considering partnering with a third-party supplier of cloud services. The organization will only be providing the data and the third-party supplier will be providing the security co
The correct answer is C. Software as a Service (SaaS). This question tests understanding of cloud service models and the division of security responsibilities between the customer and provider. In SaaS, the provider manages virtually all security controls while the customer only supplies and manages their data.
Question
Options
- APlatform as a Service (PaaS)
- BInfrastructure as a Service (IaaS)
- CSoftware as a Service (SaaS)
- DAnything as a Service (XaaS)
How the community answered
(49 responses)- A2% (1)
- C94% (46)
- D4% (2)
Why each option
This question tests understanding of cloud service models and the division of security responsibilities between the customer and provider. In SaaS, the provider manages virtually all security controls while the customer only supplies and manages their data.
Platform as a Service (PaaS) requires the customer to manage their own applications and data security, meaning the organization would share more security responsibility than just providing data.
Infrastructure as a Service (IaaS) places the most security responsibility on the customer, who must manage the OS, middleware, applications, and data security - far more than just supplying data.
Software as a Service (SaaS) is the cloud model where the third-party provider is responsible for managing the infrastructure, platform, application, and nearly all security controls, leaving the customer responsible only for their data and user access management. This aligns exactly with the scenario described, where the organization only provides data while the supplier handles all security. Examples include Microsoft 365 or Salesforce, where the vendor controls patching, encryption, and physical security.
Anything as a Service (XaaS) is a broad umbrella term referring to the delivery of any IT function over the internet, not a specific service model that defines the responsibility split described in the scenario.
Concept tested: Cloud service models and shared responsibility division
Source: https://learn.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility
Topics
Community Discussion
No community discussion yet for this question.