Ask the Expert

Two-tier distributed systems vs. three-tier distributed systems

Can you compare and contrast two-tier and three-tier distributed systems as they are related to information security?

    Requires Free Membership to View

In a two-tier application, there is a thick client communicating directly with the data store -- the application logic runs within the thick client. Think Lotus Notes or old PowerBuilder applications. This is the original architecture that drove "client-server" back in the early 90's.

Three-tier systems add a middle tier to provide much of that application logic. So you are, in effect, separating the application logic from the presentation, which can now run within a thin client, like a Web browser. This is the dominant application type nowadays.

Of course, the pendulum always swings back and forth and now we are seeing hybrid models, which include technologies like AJAX, to add more functionality within the browser to mimic the capabilities achieved with fat-client applications. Is that muddled enough?

Relative to information security, a three-tier environment tends to be easier to control because the application servers (the middle tier) are centralized and can be more easily managed. To put some numbers behind that statement, let's say vulnerabilities are discovered in an application. In a three-tier model, maybe 100 application servers will be patched. If you have fat clients all over the place, maybe 10,000 patches will be needed to apply the fix.

Blocking and tackling to secure both applications and architectures is similar. The application and the data need to be protected, so making sure there aren't vulnerabilities in your application code is important. Also make sure only authorized parties are accessing the data in the database.

Given the overarching regulatory environment, it's important to not only monitor what's happening within applications, but also to store log data and make sure you could recover from an attack.

The bottom line is that there are lots of reasons why three-tier architecture is prevalent now. Security is not really one of them, but security does benefit from this trend.

For more information:

  • Michael Cobb examines how an application vulnerability scanner can be a valuable part of an enterprise's development strategy.
  • In this tip, security expert Joel Dubin explains why PCI DSS Section 6 requirements are important and offers advice on how an enterprise can comply.
  • This was first published in March 2008

    There are Comments. Add yours.

    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: