Can you compare and contrast two-tier and three-tier distributed systems as they are related to information security?
In a two-tier application, there is a thick client communicating directly with the data store -- the application logic runs within the thick client. Think Lotus Notes or old PowerBuilder applications. This is the original architecture that drove "client-server" back in the early '90s.
Three-tier systems add a middle tier to provide much of that application logic. So you are, in effect, separating the application logic from the presentation, which can now run within a thin client, like a Web browser. This is the dominant application type nowadays.
Of course, the pendulum always swings back and forth and now we are seeing hybrid models, which include technologies like AJAX, to add more functionality within the browser to mimic the capabilities achieved with fat-client applications. Is that muddled enough?
Relative to information security, a three-tier environment tends to be easier to control because the application servers (the middle tier) are centralized and can be more easily managed. To put some numbers behind that statement, let's say vulnerabilities are discovered in an application. In a three-tier model, maybe 100 application servers will be patched. If you have fat clients all over the place, maybe 10,000 patches will be needed to apply the fix.
Blocking and tackling to secure both applications and architectures is similar. The application and the data need to be protected, so making sure there aren't vulnerabilities in your application code is important. Also make sure only authorized parties are accessing the data in the database.
Given the overarching regulatory environment, it's important to not only monitor what's happening within applications, but also to store log data and make sure you could recover from an attack.
The bottom line is that there are lots of reasons why three-tier architecture is prevalent now. Security is not really one of them, but security does benefit from this trend.
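To make the control point concrete, here is an added example (not part of the original answer) contrasting the two architectures in Python with an in-memory SQLite table. The account data, session tokens and the `MiddleTier` class are constructed for illustration; the point is that in the three-tier model the database credentials and the ownership check live only on the application server, so one fix there covers every thin client.

```python
import sqlite3

# Constructed sample data: a minimal accounts table (assumption, not from the page).
SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, balance INTEGER NOT NULL);
INSERT INTO accounts VALUES (1, 'alice', 500), (2, 'bob', 1200);
"""


class AuthorizationError(Exception):
    pass


def two_tier_client(db: sqlite3.Connection, user: str, account_id: int):
    """Two-tier: the thick client holds the database connection itself.
    The ownership check below therefore runs on the user's machine and is
    only as trustworthy as that machine; any fix to it must be shipped to
    every installed client."""
    row = db.execute("SELECT owner, balance FROM accounts WHERE id = ?",
                     (account_id,)).fetchone()
    if row is None or row[0] != user:
        return "access denied"
    return row[1]


class MiddleTier:
    """Three-tier: a hypothetical application server. It is the only
    component holding database credentials and the only place the
    authorization decision is made, so it is the one place to patch."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)
        # Constructed session store: token -> authenticated user.
        self.sessions = {"tok-alice": "alice", "tok-bob": "bob"}

    def get_balance(self, token: str, account_id: int) -> int:
        user = self.sessions.get(token)
        if user is None:
            raise AuthorizationError("unauthenticated")
        # Parameterized query: the thin client never supplies SQL text.
        row = self.db.execute("SELECT owner, balance FROM accounts WHERE id = ?",
                              (account_id,)).fetchone()
        if row is None or row[0] != user:
            # Same answer for "missing" and "not yours": no account enumeration.
            raise AuthorizationError("access denied")
        return row[1]


def thin_client_request(server: MiddleTier, token: str, account_id: int):
    """Thin client: sends only a session token and an account id; no DB access."""
    try:
        return server.get_balance(token, account_id)
    except AuthorizationError as e:
        return str(e)
```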
For more information:
- Michael Cobb examines how an application vulnerability scanner can be a valuable part of an enterprise's development strategy.
- In this tip, security expert Joel Dubin explains why PCI DSS Section 6 requirements are important and offers advice on how an enterprise can comply.