Which statement about cloud responsibility is true?

Cloud security is governed by a shared responsibility model, where who handles which controls depends on the service model you’re using. In IaaS, the provider takes care of the base hardware, physical security, networking, and virtualization; you manage the guest operating system, installed applications, data, and access controls, including patching at the OS/app level. In PaaS, the provider covers more of the stack (runtime, middleware, OS) while you still handle data, encryption keys, and how your applications are configured and accessed. In SaaS, the provider handles most security controls, but you remain responsible for data governance, user access management, and how you use the service. This allocation is what makes the described statement true: security controls are assigned to either provider or customer depending on the service model. Other options don’t fit because they overlook this division of responsibility. Patch hardware firmware is primarily a provider task, not a concept you use to describe the overall model. Relying on a disaster recovery plan alone doesn’t address all security controls. And saying security controls aren’t needed for SaaS ignores the ongoing access management and data protection responsibilities that still fall on the user side.