Web-based applications rely on web application services to process and persist user data. These services are hosted and managed within an environment that is typically outside the user's control. Such an environment may be under the control of an independent public application provider, referred to as a public cloud. It may also be under the control of a private application provider representing an independent department within the same organization as the end user.
In both cases, private user data is exposed to and controlled by an independent entity, which introduces security risks. User data is by design exposed to the application provider's software and hardware components, so from the end user's perspective an additional security risk is introduced. At the same time, users have no choice but to delegate security measures and controls to the application provider, which is an independent entity.
This is true even when data is transmitted over secure protocols such as HTTPS and stored in encrypted form by the application provider, since in all cases the clear-text user data is still available in memory to the application provider.
The problem is further exacerbated where data privacy regulations in certain jurisdictions prohibit the use of public cloud applications residing in other jurisdictions.