InInfrastructure as a Service (IaaS), the customer has themost control and security responsibilitybecause:
The provider only secures physical infrastructure (data centers, networking, hardware).
Customers must configure and manage firewalls, network security, operating system patches, and IAM.
Data security, encryption, and application security are entirely the customer's responsibility.
In contrast:
PaaS (Platform as a Service)places some security responsibility on the provider (e.g., runtime environments, managed databases).
SaaS (Software as a Service)places most security responsibility on the provider, with customers mainly managingidentity and access controls.
This is extensively discussed in:
CCSK v5 - Security Guidance v4.0, Domain 1 (Cloud Computing Concepts and Architectures)
Cloud Controls Matrix (CCM) - Infrastructure and Application Security Controls.
Submit