Exam CAS-004 topic 1 question 88 discussion

If it's using IaaC, the company is managing their systems including the web portal. Why the CSP is responsible???

IaaS = Infrastructure as a Service. So the CSP provided the hardware. What the pharmaceutical company puts on that hardware is their business. The fact it was breached via SQL injection, i.e. software coding, means it's the web application was the point of ingress. Therefore, it's the onus of the Pharma company.

With an IaaS model, the customer is responsible for EVERYTHING barring the physical cloud-hosting hardware (which falls within the CSP's scope). Since the CSP's hardware has practically nothing to do with the SQLi vulnerability, the blame falls on the customer.

In the IaaS model, while the CSP ensures the infrastructure's security, the pharmaceutical company is responsible for securing its application, including protecting against SQL injection attacks

In the IaaS model, while the CSP ensures the infrastructure's security, the pharmaceutical company is responsible for securing its application, including protecting against SQL injection attacks

Customer Responsibilities: Application Security: The pharmaceutical company is responsible for securing its customer-facing web portal and the application code. This includes protecting against common vulnerabilities like SQL injection through proper input validation, parameterized queries, and other secure coding practices. Data Security: The security of customer information stored in the database is the responsibility of the customer. This includes implementing proper access controls, encryption, and ensuring data is not exposed due to vulnerabilities like SQL injection.

The data owner is responsible for the data. Also even more responsible than normal because the CSP only provides Infrastructure. All patching of systems and security is supposed to be conducted by the customer in a IaaS. Source: Verifying each answer against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)

IaaS means that the responsibility is passed onto the costumer this case the Pharma Company. Scenario also only indicates that the database is managed by the company but doesn't explain who controls the web page. When sql injection happens is due to poorly coded user interface in the web and not the database manager. I will say that the one at fault is the Web developer there fore they are responsible. I could also make the case that the company is responsible for hiring a bad Web developer. Can't decide if A or C

I agree. A is the correct answer.

In the Shared Responsibility model, this would fall under the company's responsibility.

The company is managing the DB.

I believe the pharmaceutical company is responsible for their own data in a IaaS model. https://www.techtarget.com/searchcloudcomputing/feature/The-cloud-shared-responsibility-model-for-IaaS-PaaS-and-SaaS https://www.techtarget.com/searchcloudcomputing/feature/The-cloud-shared-responsibility-model-for-IaaS-PaaS-and-SaaS