In the shared security responsibility model for IaaS, which two layers of the stack are the customer responsible for? (Choose two.)