
Weekly CISSP Practice

Exam Questions

Week 49 - Question 1

What should you consider when selecting a cloud service model?

A. Your favorite vendor
B. Cost only
C. Compliance and data governance requirements
D. Aesthetic appeal

Answer: C. Compliance and data governance requirements
Explanation:

Cloud Selection Breakdown

  • Compliance and Data Governance: This is the most critical factor because it involves legal and regulatory obligations (like GDPR, HIPAA, or PCI DSS). You must ensure that the cloud provider can meet your specific data residency, privacy, and auditability requirements. If a provider cannot guarantee where data is stored or how it's protected, the organization could face massive legal fines.

  • Service Model Choice (IaaS, PaaS, SaaS): Selecting a model (Infrastructure, Platform, or Software as a Service) determines the Shared Responsibility Model. Each shift in model changes who is responsible for which security controls.

  • Data Sovereignty: A key part of governance. This refers to the fact that data is subject to the laws of the country in which it is physically located. Choosing a service model or region without considering this can lead to "jurisdictional risk."


Why the other options are incorrect

  • A. Your favorite vendor: "Vendor Lock-in" is actually a risk to be managed, not a selection criterion. Decisions must be based on objective security and business requirements, not brand loyalty.

  • B. Cost only: While the "Cloud ROI" is important, saving money at the expense of security or compliance is a "false economy." A cheap provider that suffers a data breach will cost the company far more in the long run.

  • D. Aesthetic appeal: The visual design of a cloud dashboard is irrelevant to the security posture, integrity of data, or the ability to maintain business continuity.

The "CISSP Rule of Thumb": In the cloud, you can delegate responsibility (the tasks), but you can never delegate accountability (the legal liability). If the data is breached, it's your organization's name in the headlines, not the cloud provider's.
