Question 18
When using a SaaS solution, who is responsible for application security?
Correct answer: A
Explanation
In a SaaS model, the provider operates and secures the application layer, so application security falls to the cloud service provider. This follows the shared responsibility model, where the customer manages data and access, while the provider is responsible for the SaaS application itself.
Why each option is right or wrong
A. The cloud service provider only
Under the shared responsibility model for SaaS, the provider is responsible for the application stack it delivers, including patching, hardening, and securing the application layer; the customer does not administer the underlying app. This is the standard allocation described in cloud security guidance such as NIST SP 800-144, which distinguishes provider control of the service from customer control of data and user access, so the application-security duty sits with the cloud service provider alone.
B. The cloud service consumer only
C. Both cloud consumer and the enterprise
D. Both cloud provider and the consumer