Which statement about cloud responsibility is true?

Cloud security relies on a shared responsibility model, where the allocation of security controls between provider and customer shifts based on the service model. In IaaS, the provider secures the underlying infrastructure, networking, and the virtualization layer, while you protect the guest operating system, installed applications, data, and access controls. In PaaS, the provider takes on more of the stack, including runtime and middleware, leaving you to manage your applications, data, and who can access them. In SaaS, the provider handles most layers, and you’re mainly responsible for your data, user access management, and compliance requirements. This division means security controls are assigned to either party depending on the service model. Statements that the customer is always responsible for all controls or that the provider handles everything with no customer involvement miss this nuance, and the idea that security controls are optional is simply incorrect.