Certified Information Security Manager (CISM) — Question 648

In which cloud model does the cloud service buyer assume the MOST security responsibility?

Answer options

• A. Infrastructure as a Service (IaaS)
• B. Software as a Service (SaaS)
• C. Disaster Recovery as a Service (DRaaS)
• D. Platform as a Service (PaaS)

Correct answer: A

Explanation

In the Infrastructure as a Service (IaaS) model, the customer is responsible for managing the operating system, applications, and data security, which means they assume the most security responsibility. In contrast, Software as a Service (SaaS) and Platform as a Service (PaaS) offer more managed services, where the provider handles a larger portion of the security. Disaster Recovery as a Service (DRaaS) focuses on backup and recovery, which does not require the same level of security management by the customer.