Cloud Security Alliance CCSK Certificate of Cloud Security Knowledge (CCSK v5.0) Exam Practice Test

IAM failures are a leading cause of cloud-native breaches, often due to misconfigurations or inadequate access control mechanisms. Reference: [Security Guidance v5, Domain 5 - IAM]

Encrypting all objects in the repository ensures that data is protected at rest, reducing the risk of unauthorized access or data exposure. Reference: [Security Guidance v5, Domain 9 - Data Security]

Cloud telemetry provides detailed insights and visibility into security events and system behaviors in cloud environments, which helps detect and respond to threats. Reference: [Security Guidance v5, Domain 6 - Security Monitoring]

Multiple independent deployments help isolate workloads, reducing the potential impact of a breach by confining it to a single deployment environment. Reference: [Security Guidance v5, Domain 7 - Infrastructure & Networking]

The Continuous Delivery and Deployment phase emphasizes deploying applications securely, ensuring infrastructure security is prioritized during deployment. Reference: [CCSK v5 Curriculum, Domain 10 - Secure Development Lifecycle]

Behavioral detection for IAM and management plane activities is essential for identifying unusual or suspicious actions by compromised identities, especially in environments where attackers use automated tactics. Reference: [CCSK v5 Curriculum, Domain 5 - IAM]

Snapshots serve as recovery points, enabling quick rollback to previous states if issues arise during updates or changes. This is crucial for VM lifecycle management. Reference: [Security Guidance v5, Domain 7 - Infrastructure & Networking]

Aligning CSP policies with security and regulatory objectives is essential for ensuring compliance and robust security measures. Reference: [Security Guidance v5, Domain 3 - Risk, Compliance, and Governance]

Object storage is highly scalable and suitable for cloud-native applications that require durability and efficient storage of unstructured data. Reference: [CCSK Study Guide, Domain 9 - Data Storage Types]

Real-time visibility allows for monitoring container behavior during runtime, helping to identify and respond to security incidents as they occur. Reference: [Security Guidance v5, Domain 8 - Cloud Workload Security]

SASE reduces latency and enhances performance by filtering traffic closer to the user, avoiding the need to backhaul traffic to a central data center. Reference: [Security Guidance v5, Domain 7 - Network Security]

A Service Registry lists approved services, making it easy for teams to find and integrate compliant services. Reference: [CCSK Knowledge Guide, Domain 3 - Risk and Compliance Tools]

Context-aware IAM enables access decisions that account for real-time conditions, enhancing security by adapting to changes in user and resource status. Reference: [CCSK Study Guide, Domain 5 - IAM]

Cloud computing is adopted mainly for its cost-effectiveness and the ability to accelerate time-to-market, enhancing business agility. Reference: [Security Guidance v5, Domain 1 - Cloud Benefits]

Cloud customers are responsible for assessing the security and compliance of SaaS applications, ensuring these align with internal policies and regulations. Reference: [CCSK v5 Overview, Shared Responsibility Model]

The Shared Security Responsibility Model clarifies which security responsibilities are managed by the CSP and which by the CSC, based on the service model. Reference: [CCSK Study Guide, Domain 1 - Cloud Security Models][16†source].

DevOps aims to improve collaboration and integration between development and operations teams, streamlining delivery and enhancing software quality. Reference: [CCSK Study Guide, Domain 10 - DevOps & DevSecOps]

The Detection and Analysis phase involves identifying incidents and determining their impact. It is crucial to validate events to understand if they constitute a security incident. Reference: [Security Guidance v5, Domain 11 - Incident Response]

Cloud sprawl leads to the distribution of assets across multiple locations, making it challenging to maintain visibility and security control over all resources. Reference: [Security Guidance v5, Domain 4 - Organization Management]

Secrets management focuses on securely storing and managing sensitive information, such as API keys and passwords, to prevent unauthorized access. Reference: [Security Guidance v5, Domain 8 - Secrets Management]

Cloud governance establishes controls and policies that align with the organization’s goals for security, compliance, and efficient management in the cloud. Reference: [Security Guidance v5, Domain 2 - Cloud Governance]

Implementing these controls supports data governance and compliance by providing visibility into data handling and potential exposures. Reference: [Security Guidance v5, Domain 9 - Data Security]

Compliance in cybersecurity involves following internal policies, as well as external regulations, standards, and best practices, to ensure legal and security requirements are met. Reference: [CCSK v5 Curriculum, Domain 3 - Compliance]

Serverless environments are vulnerable to misconfigurations, which can expose sensitive data and resources, making security configurations critical. Reference: [Security Guidance v5, Domain 8 - Cloud Workload Security][16†source].

DNS logs capture information on domain name resolution, while Flow logs capture details about network traffic, including source, destination, and protocol. Reference: [CCSK Study Guide, Domain 7 - Infrastructure & Networking]

Integrating testing early helps identify security vulnerabilities and configuration issues before they reach production, reducing remediation costs and time. Reference: [Security Guidance v5, Domain 10 - Application Security]

PBAC enables highly specific access control based on multiple attributes, enhancing flexibility and security in cloud environments. Reference: [CCSK v5 Curriculum, Domain 5 - IAM][16†source].

Fine-grained permissions enable specific control over who can access certain resources, thus enforcing the least privilege principle. Reference: [Security Guidance v5, Domain 5 - IAM]

Each cloud provider may use different IAM protocols and configurations, increasing complexity and requiring customized integration for each cloud environment. Reference: [CCSK Study Guide, Domain 5 - Identity and Access Management]

CI/CD pipelines integrate security into the DevOps process, ensuring that security is automated at every stage of the software development lifecycle (SDLC).

Why CI/CD Pipelines Enhance Cloud Security?

Automates Security Scans & Compliance Checks

CI/CD pipelines integrate Static Application Security Testing (SAST) & Dynamic Application Security Testing (DAST).

Infrastructure as Code (IaC) security scans prevent misconfigurations in cloud deployments.

Reduces Human Errors in Security Configurations

Automates security best practices (e.g., enforcing HTTPS, setting least privilege IAM roles).

Reduces risk of manual security misconfigurations.

Speeds Up Secure Deployments

Automatically tests for vulnerabilities before production releases.

Ensures that security patches are rapidly deployed without breaking functionality.

Shifts Security Left in DevSecOps

CI/CD enables early vulnerability detection in the development phase, reducing costs and risks.

Cloud-native CI/CD tools like AWS CodePipeline, GitHub Actions, and Jenkins integrate security automation.

This aligns with:

CCSK v5 - Security Guidance v4.0, Domain 10 (Application Security)

DevSecOps and Cloud Security Best Practices (Cloud Security Alliance - DevSecOps Working Group)​.

Access policies are a critical component of security frameworks that specify and enforce the permitted actions that users or systems can perform on resources, such as files, applications, or services. These policies help ensure that only authorized individuals or systems have access to certain resources and that they can only perform authorized actions, such as reading, writing, or modifying the resources. Access policies are fundamental in managing security and preventing unauthorized access, misuse, or attacks.

Access policies encrypt sensitive data is incorrect because encryption of sensitive data is typically handled by encryption policies, not access policies. Access policies determine where data can be stored is more related to data management policies rather than access control. Access policies scan systems for malware is related to security measures such as antivirus or anti-malware tools, not the scope of access control policies.

The primary benefit of implementing micro-segmentation within a Zero Trust Architecture is that it enhances security by isolating workloads from each other. Micro-segmentation involves dividing the network into smaller, isolated segments, so that even if an attacker gains access to one part of the network, they cannot easily move laterally to other parts. This is crucial in a Zero Trust model, which assumes that threats may exist both inside and outside the network, and security is enforced at a granular level for each workload.

Simplifying network design is not a benefit of micro-segmentation; in fact, it can add complexity due to the increased number of network segments. Increased network performance is not a primary outcome of micro-segmentation, which may introduce overhead. Reducing the need for encryption is incorrect because micro-segmentation doesn't eliminate the need for encryption; it works alongside encryption to provide better security.

One of the primary advantages of including Static Application Security Testing (SAST) in Continuous Integration (CI) pipelines is that it allows developers to identify code vulnerabilities early in the development process. By scanning the source code for potential security issues as it is being written and integrated into the pipeline, SAST helps to catch vulnerabilities before they make it to later stages of development or production, improving overall security and reducing the cost and effort of fixing issues later.

While SAST does not directly impact the speed of deployment, runtime performance, or user interface, its early identification of security flaws contributes to better code quality and a more secure application.

Identity management at the organizational level is a key aspect of cybersecurity because it ensures that only authorized users can access specific resources, systems, or data. By controlling and managing user identities, roles, and permissions, identity management helps enforce security policies, preventing unauthorized access and potential breaches. This is a fundamental practice in maintaining confidentiality, integrity, and availability within an organization.

An authoritative source in the context of identity management refers to a trusted system that contains accurate identity information. This system is considered the source of truth for identities, and other systems or services within the organization rely on it for the most up-to-date and verified identity details, such as usernames, attributes, roles, and permissions.

A list of permissions assigned to different users represents access control data but is not considered the authoritative source of identity. A network resource that handles authorization requests refers to authorization mechanisms but is not the authoritative source for identity. A database containing all entitlements could be part of an identity management system but is not necessarily the authoritative source for identity itself; it focuses more on access rights and entitlements.

A Web Application Firewall (WAF) is primarily used to filter and monitor HTTP requests to protect web applications from various types of attacks, including SQL injection and cross-site scripting (XSS). WAFs work by analyzing incoming traffic and blocking malicious requests based on predefined rules or patterns, thus preventing attackers from exploiting vulnerabilities in web applications.

CSP firewall is more focused on general network security, not specifically on application layer attacks like SQL injection or XSS. Virtual Appliance refers to a virtualized instance of a security appliance, but it is not specifically designed for protecting against SQL injection and XSS attacks like a WAF. Intrusion Detection System (IDS) is used for detecting suspicious network activity and potential intrusions, but it is not focused on filtering web application traffic like a WAF.

Management Plane Logs are indispensable for security monitoring because they track administrative activities related to the management of cloud resources. These logs capture actions such as user logins, configuration changes, access control modifications, and resource provisioning or decommissioning. By monitoring these logs, organizations can detect unauthorized or suspicious administrative actions, ensuring that only authorized personnel are making changes to critical cloud resources. This helps prevent configuration errors, privilege escalation, and potential attacks targeting the management plane.

Other options refer to different aspects of security monitoring but are not specifically related to the role of Management Plane Logs.

Infrastructure as a Service (IaaS) primarily provides users with storage, computing resources, and networking capabilities. In the IaaS model, cloud providers offer virtualized computing resources over the internet. Users can rent servers, storage, and networking equipment without needing to manage the physical hardware themselves. This allows for flexible scaling and resource management according to the users' needs.

FaaS focuses on serverless computing where users run code in response to events. PaaS provides a platform that allows users to develop, run, and manage applications without worrying about the underlying infrastructure. SaaS delivers fully managed applications over the internet, where users access software without managing the infrastructure.

The correct answer is B. Implementation of robust IAM and network security practices.

A hybrid cloud environment involves integrating private and public cloud infrastructures. This setup requires enhanced security practices to manage the complexity and diverse security requirements of both environments.

Key Aspects:

Identity and Access Management (IAM): Ensures secure authentication and authorization across both private and public clouds.

Network Security: Includes securing data in transit, implementing network segmentation, and protecting communication between cloud environments.

Unified Security Policies: Establishing consistent policies and access controls across both environments.

Visibility and Monitoring: Continuous monitoring of network traffic and access logs to detect potential threats.

Why Other Options Are Incorrect:

A. Encryption for data at rest: Important but not the most comprehensive security measure for hybrid environments.

C. Software updates and patch management: While essential, these practices alone do not address the complex challenges of a hybrid setup.

D. Multi-factor authentication only: MFA enhances authentication security but does not cover the broader security requirements of a hybrid cloud.

Real-World Context:

Organizations using services like AWS Direct Connect or Azure ExpressRoute to integrate on-premises environments with the public cloud must implement robust IAM and network security practices to maintain secure and compliant data flows.

Endpoint Detection and Response (EDR) is a critical security tool for cloud environments that monitors, detects, and responds to endpoint threats.

Why EDR is Essential for Cloud Security?

Real-Time Threat Detection & Response

EDR continuously monitors endpoint activity (e.g., cloud VMs, servers, containers).

Detects anomalous behavior, malware, and unauthorized access attempts.

Automated Remediation & Forensics

Uses Machine Learning (ML) & AI to analyze cloud endpoint telemetry.

Supports automated response actions (isolating infected endpoints, rolling back malicious changes).

Cloud-Native Security Integration

Works with Cloud Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR).

Enables proactive threat hunting in hybrid and multi-cloud environments.

Complements Other Cloud Security Tools

WAF (Web Application Firewall) protects against web-based attacks (OWASP Top 10) but does not provide endpoint security.

UTM (Unified Threat Management) is more suited for traditional perimeter security (firewalls, IPS/IDS).

IDS (Intrusion Detection System) only detects threats, whereas EDR actively responds to them.

This aligns with:

CCSK v5 - Security Guidance v4.0, Domain 7 (Infrastructure Security)

Cloud Controls Matrix (CCM) - Endpoint Security Controls​.

In serverless computing models, the primary security concern is ensuring that secrets (such as API keys, database credentials, etc.) and configuration settings are handled securely. The principle of least privilege means that these secrets and configurations should only be accessible by the minimum set of functions or services that truly need them, reducing the attack surface. Proper management of secrets and configurations ensures that unauthorized access or misuse is prevented.

Disabling console access completely or using privileged access management is important for securing any environment, but it is not specifically tied to serverless models. Validating the underlying container security is more relevant to containerized environments rather than serverless computing, which abstracts away infrastructure management. Placing serverless components behind application load balancers is useful for routing traffic but is not specifically critical for securing the serverless model itself. Managing secrets and access controls is a more direct concern for securing serverless environments.

During the Detection and Analysis phase of incident response, the primary objective is to validate alerts to determine whether they represent a genuine security incident, and to estimate the scope of the incident to understand the potential impact on the organization. This phase involves analyzing evidence, confirming the nature of the incident, and gathering the necessary information to move forward with containment and remediation.

Developing and updating incident response policies is important but occurs more during the preparation phase, not during the detection and analysis of an active incident. Performing detailed forensic investigations typically takes place during later phases, such as Containment, Eradication, & Recovery or Post-Incident Analysis. Implementing network segmentation and isolation may be part of the Containment phase but is not the primary focus during the Detection and Analysis phase.

The use of third-party libraries in software development can introduce supply chain risks because these libraries might contain vulnerabilities that can be exploited. Since third-party libraries often come from external sources, they might not be thoroughly vetted or maintained with the same level of scrutiny as in-house code. Vulnerabilities in these libraries can lead to security breaches, data leaks, or other forms of exploitation if not properly managed and updated.

Although many third-party libraries are open-source, they still require proper vetting for security and compatibility. Integration issues, while a concern, are not directly related to the supply chain risks posed by vulnerabilities. While increased complexity is a challenge, it does not directly relate to security risks or supply chain concerns.

In federated identity management, the identity provider (IdP) is responsible for authenticating users and making assertions about their identity to the relying party (which could be a service or application that trusts the IdP). The IdP and the relying party establish a trust relationship in advance, which allows the IdP to assert that a user is authenticated, often in the form of security tokens or assertions like SAML or OpenID Connect.

The IdP that authenticates users and makes assertions, not the relying party. The relying party does not make assertions to the IdP; the relying party relies on assertions made by the IdP. The IdP and relying party do have a direct trust relationship in federated identity management.

In the context of Function as a Service (FaaS), trigger events are primarily defined in addition to the functions themselves. FaaS allows you to run individual functions in response to events, such as HTTP requests, file uploads, database changes, or messages in a queue. These trigger events initiate the execution of the serverless function, making them a core part of FaaS architecture.

Data storage is not directly defined by FaaS, as storage is typically managed separately (e.g., cloud storage or databases). Network configurations are not the main focus of FaaS, since cloud providers manage the underlying network infrastructure. User permissions may be relevant but are typically handled through identity and access management (IAM), not directly tied to the definition of a FaaS function.

The correct answer is D. Cloud Security Posture Management (CSPM).

Cloud Security Posture Management (CSPM) is a comprehensive tool designed to identify and remediate misconfigurations and compliance violations in cloud management planes. It helps organizations maintain secure and compliant cloud environments by continuously monitoring configurations against industry standards and best practices.

Key Functions of CSPM:

Configuration Management: Identifies misconfigurations and alerts administrators to fix them.

Compliance Monitoring: Continuously assesses cloud environments against compliance frameworks such as CIS, NIST, GDPR, and others.

Automated Remediation: Automatically fixes known configuration errors based on predefined policies.

Visibility: Provides a comprehensive view of security and compliance risks across multi-cloud environments.

Risk Assessment: Analyzes risks related to identity, data exposure, and network configurations.

Why CSPM is Most Effective:

Cloud environments are dynamic, and maintaining secure configurations is challenging. CSPM solutions like AWS Config, Azure Security Center, and Google Cloud Security Command Center automate the process of checking for security policy violations and configuration drift.

Why Other Options Are Incorrect:

A. Data Security Posture Management (DSPM): Focuses on data security, data loss prevention, and data governance, rather than configuration and compliance management.

B. SaaS Security Posture Management (SSPM): Specifically targets SaaS applications, managing security settings and compliance of cloud-based software rather than infrastructure.

C. Cloud Detection and Response (CDR): Focuses on threat detection and incident response rather than configuration management and compliance.

Real-World Example:

A CSPM tool like Palo Alto Prisma Cloud or AWS Config can automatically detect if IAM policies are overly permissive or if S3 buckets are publicly accessible, helping to maintain compliance and reduce attack surfaces.

The key outcomes of implementing robust cloud risk management practices focus on ensuring the security and resilience of cloud environments. This involves identifying, assessing, and mitigating risks associated with the use of cloud services, such as security threats, data privacy issues, and service availability concerns. By adopting strong risk management practices, organizations can better protect their data, ensure business continuity, and maintain compliance with regulations, which ultimately strengthens the overall security and reliability of their cloud environments.

Negotiating shared responsibilities is an important aspect of cloud security but is not the direct outcome of risk management practices. It's about clarifying roles between the customer and provider. Transferring compliance to the cloud service provider via inheritance is not the complete picture. While cloud service providers may help with compliance, the responsibility for compliance and risk management is still shared. Reducing the need for compliance with regulatory requirements is incorrect. Robust risk management practices help ensure compliance with regulatory requirements, not reduce the need for them.

In a cloud computing incident, the initial focus of analysis should be on the management plane activity logs due to the ephemeral nature of resources and centralized control mechanisms in cloud environments. The management plane controls and monitors the overall cloud infrastructure, and its activity logs provide crucial information about changes to configurations, access controls, resource provisioning, and administrative actions that can help identify the root cause of an incident.

Network perimeter monitoring and endpoint protection status are also important, but in cloud environments where resources can be rapidly provisioned and decommissioned, the management plane logs provide the most immediate insight into administrative actions and the overall state of the cloud environment.

Physical hardware access is generally the responsibility of the cloud provider and less relevant in the initial stages of a cloud incident analysis, especially when focusing on virtualized and managed resources.

The management plane is used for governing and configuring cloud resources and is considered a top priority in cloud security programs. It provides the tools and interfaces for administrators to manage, configure, and control cloud resources, such as virtual machines, storage, and networking. It is critical to secure the management plane because it often has access to sensitive configurations and the ability to modify cloud environments, making it a prime target for attacks.

Management Console is an interface that interacts with the management plane, but it is not the underlying system for governance and configuration. Orchestrators are used to automate the management and deployment of cloud resources but are not the primary component for governing and securing cloud environments. Abstraction layer refers to the layer that hides the complexity of underlying infrastructure, but it does not directly govern or configure cloud resources.

Cloud Infrastructure Entitlement Management (CIEM) is primarily designed to govern access to cloud resources. It addresses the challenges of managing user entitlements and permissions across multi-cloud and hybrid environments. CIEM solutions help organizations manage identity and access rights, particularly in complex cloud infrastructures where multiple services and user roles are involved.

The primary functions of CIEM include:

Access Governance: Ensuring that the right users have the appropriate level of access to cloud resources.

Least Privilege Enforcement: Automatically identifying and eliminating excessive permissions.

Access Monitoring and Auditing: Continuously tracking permission usage to detect unusual patterns or risks.

Identity Lifecycle Management: Managing the creation, modification, and revocation of identities and their associated permissions.

Why CIEM is Important:

As cloud environments scale, manual management of user roles and permissions becomes unmanageable and prone to errors. CIEM tools automate this process, providing visibility and control over cloud entitlements to minimize the risk of privilege escalation and unauthorized access.

Why Other Options Are Incorrect:

A. Monitoring network traffic: This falls under network security monitoring and is not related to entitlement management.

B. Deploying cloud services: This involves cloud orchestration and provisioning, not entitlement management.

D. Managing software licensing: CIEM is not concerned with license management, which is handled by software asset management tools.

Compensating controls are implemented when the required controls for a cybersecurity framework cannot be met due to technical or practical limitations. These controls are alternative measures that provide similar protection or risk mitigation. Compensating controls help to ensure that the security posture remains strong even when the primary controls cannot be applied.

Detective controls focus on identifying security incidents after they occur but do not replace required controls. Preventive controls aim to prevent security incidents from occurring but may not always be possible or practical to implement in certain situations. Administrative controls include policies and procedures but do not address the need for compensating measures when technical controls cannot be met.

Access policies in cybersecurity are critical for managing and controlling how users and devices access resources within a network or cloud environment. These policies are primarily concerned with defining permissions and rules that govern access to resources. They help organizations implement role-based access control (RBAC) or attribute-based access control (ABAC), which specify who can access what resources and under what conditions.

In the context of cloud computing, access policies are typically enforced using Identity and Access Management (IAM) tools and services, which allow administrators to define and manage the permissions associated with user identities. Access policies include various rules that specify allowed or denied actions based on roles, user attributes, device types, or network conditions.

For example, in the AWS environment, access policies are written in JSON and define permissions for services like EC2, S3, or RDS. Similarly, Azure uses Role-Based Access Control (RBAC) to manage resource access policies.

Access policies are not concerned with real-time monitoring (option A), user authentication methods (option B), or encryption protocols (option C). Instead, they explicitly focus on defining access permissions and controlling how resources are utilized.

Enforcing the principle of least privilege is the practice of granting users and systems the minimum level of access necessary to perform their tasks. By limiting root or core access and restricting the creation of deployments to only those who absolutely need it, the risk of unauthorized access, misuse, or damage is minimized. This helps ensure that critical systems and sensitive data are protected by reducing the number of people or services with high-level access.

Trust and verify on demand is not a standard security practice and could create security gaps. Disabling multi-factor authentication is a poor security practice, as multi-factor authentication (MFA) enhances security by adding an additional layer of verification. Deploying applications with full access) contradicts the principle of least privilege and could expose the system to unnecessary risks.

Automating security and compliance checks helps minimize human error in long-running cloud workloads by continuously monitoring for security vulnerabilities, misconfigurations, or compliance issues without relying on manual intervention. This approach ensures consistent, repeatable security processes and can quickly identify and address potential risks, reducing the chances of oversight or mistakes that might occur with manual management.

Manual audits and restrictions can help but do not fully address the continuous nature of cloud workload security, which is why automation is critical for minimizing errors in long-running workloads.

In a cloud context, entitlement refers to the specific resources or services a user is granted permission to access based on their roles or permissions. This includes access to applications, data, or cloud services, and is typically managed through Identity and Access Management (IAM) systems, which define what users can do and what they can access within the cloud environment.

The Management plane in a network architecture is responsible for controlling all administrative actions, including configuration, management, monitoring, and maintenance of network devices and services. It provides the interface for administrators to interact with the network, perform system management tasks, and enforce policies.

The management plane typically includes functions such as:

Configuration management

Monitoring and logging

Administrative access control

Policy enforcement

In the context of cloud environments, the management plane also includes APIs and web-based consoles that allow administrators to manage virtual resources. Due to its critical role in controlling network and system settings, securing the management plane is of utmost importance to prevent unauthorized access and potential control over the entire network infrastructure.

Why Other Options Are Incorrect:

A. Forwarding plane: Responsible for the actual forwarding of data packets through the network based on predefined rules. It does not handle administrative functions.

C. Data plane: Responsible for data transmission and the forwarding of packets through the network but does not involve management tasks.

D. Application plane: This is not a commonly used term in network architecture, and it generally refers to application-specific functions rather than network administration.

In Infrastructure as a Service (IaaS), the customer has the most control and security responsibility because:

The provider only secures physical infrastructure (data centers, networking, hardware).

Customers must configure and manage firewalls, network security, operating system patches, and IAM.

Data security, encryption, and application security are entirely the customer's responsibility.

In contrast:

PaaS (Platform as a Service) places some security responsibility on the provider (e.g., runtime environments, managed databases).

SaaS (Software as a Service) places most security responsibility on the provider, with customers mainly managing identity and access controls.

This is extensively discussed in:

CCSK v5 - Security Guidance v4.0, Domain 1 (Cloud Computing Concepts and Architectures)

Cloud Controls Matrix (CCM) - Infrastructure and Application Security Controls​.