In Annex B's security model, which statement about cloud services is true?

In Annex B, security responsibility is shared between the cloud provider and the customer, with who handles which controls varying by the service model. The statement that is true captures this division and the need to follow a shared responsibility model across cloud services. The provider typically secures the underlying infrastructure—physical data centers, networking, virtualization—while the customer handles things like data protection, access control, identity management, and the configuration of software running in the cloud. In IaaS, the split is more on the customer for the guest OS and applications, while the provider secures the base infrastructure; in PaaS and SaaS, the provider takes on more of the security burden, but the customer still owns security controls related to data and access. This understanding prevents gaps that would occur if one party tried to take on everything. Statements that imply the customer bears all responsibility, or that the model applies only to on-premises, or that providers handle everything with no customer involvement, don’t reflect how the shared responsibility model works in cloud environments.