Two-tier distributed systems vs. three-tier distributed systems

BROWSE BY TAG Application and Platform Security,   Securing Productivity Applications,   Expert Archive: Security Management,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Securing Productivity Applications How to secure a .pdf file How do hackers bypass a code signing procedure to inject malware Quiz: How to build secure applications How to detect software tampering Adobe fixes 29 flaws in Acrobat, Reader Adobe warns of critical update for Reader, Acrobat 9.1.3 Why should we place data files on a separate partition than the OS? Adobe updates ColdFusion, JRun, Flex Serious Adobe Flash flaw being exploited Adobe acknowledges serious Flash zero-day vulnerability Expert Archive: Security Management What is the GISP certification and how does it compare to the CISSP certification? Using a QSA to write up a PCI DSS report on compliance (ROC) How can gap analysis be applied to the security SDLC? Comparing cheap security products and appliances to costly appliances What are some tips on protecting my security budget in a poor economy? What value do research firms provide to their subscribing enterprises? What certificate offers the best ROI for an IT project manager? Is insider activity or outsider activity a bigger enterprise threat? How does information security prevent fraud in the enterprise? Differences between an SAS 70 data center and a Tier III data center

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary sheepdip  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

In a two-tier application, there is a thick client communicating directly with the data store -- the application logic runs within the thick client. Think Lotus Notes or old PowerBuilder applications. This is the original architecture that drove "client-server" back in the early 90's.

Three-tier systems add a middle tier to provide much of that application logic. So you are, in effect, separating the application logic from the presentation, which can now run within a thin client, like a Web browser. This is the dominant application type nowadays.

Of course, the pendulum always swings back and forth and now we are seeing hybrid models, which include technologies like AJAX, to add more functionality within the browser to mimic the capabilities achieved with fat-client applications. Is that muddled enough?

Relative to information security, a three-tier environment tends to be easier to control because the application servers (the middle tier) are centralized and can be more easily managed. To put some numbers behind that statement, let's say vulnerabilities are discovered in an application. In a three-tier model, maybe 100 application servers will be patched. If you have fat clients all over the place, maybe 10,000 patches will be needed to apply the fix.

Blocking and tackling to secure both applications and architectures is similar. The application and the data need to be protected, so making sure there aren't vulnerabilities in your application code is important. Also make sure only authorized parties are accessing the data in the database.

Given the overarching regulatory environment, it's important to not only monitor what's happening within applications, but also to store log data and make sure you could recover from an attack.

The bottom line is that there are lots of reasons why three-tier architecture is prevalent now. Security is not really one of them, but security does benefit from this trend.

For more information: