Can you compare and contrast two-tier and three-tier distributed systems as they are related to information se...
In a two-tier application, there is a thick client communicating directly with the data store -- the application logic runs within the thick client. Think Lotus Notes or old PowerBuilder applications. This is the original architecture that drove "client-server" back in the early '90s.
Three-tier systems add a middle tier to provide much of that application logic. So you are, in effect, separating the application logic from the presentation, which can now run within a thin client, like a Web browser. This is the dominant application type nowadays.
Of course, the pendulum always swings back and forth and now we are seeing hybrid models, which include technologies like AJAX, to add more functionality within the browser to mimic the capabilities achieved with fat-client applications. Is that muddled enough?
Relative to information security, a three-tier environment tends to be easier to control because the application servers (the middle tier) are centralized and can be more easily managed. To put some numbers behind that statement, let's say vulnerabilities are discovered in an application. In a three-tier model, maybe 100 application servers will be patched. If you have fat clients all over the place, maybe 10,000 patches will be needed to apply the fix.
Blocking and tackling to secure both applications and architectures is similar. The application and the data need to be protected, so making sure there aren't vulnerabilities in your application code is important. Also make sure only authorized parties are accessing the data in the database.
Given the overarching regulatory environment, it's important to not only monitor what's happening within applications, but also to store log data and make sure you could recover from an attack.
The bottom line is that there are lots of reasons why three-tier architecture is prevalent now. Security is not really one of them, but security does benefit from this trend.
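To make the control point from the answer above concrete, here is an added illustration (not part of the original answer): a thick client that talks straight to the data store, beside a middle tier that authorizes and logs every request before it reaches the data. The in-memory SQLite table, the account names and the `demo()` helper are all constructed for this example.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite table stands in for the data tier.
def make_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (owner TEXT PRIMARY KEY, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", 100), ("bob", 250)])
    return db

class ThickClient:
    """Two-tier: the client holds the database connection itself, so every
    access rule lives in code deployed to each desktop, and the database
    cannot tell one user of the client from another."""
    def __init__(self, db):
        self.db = db

    def balance(self, owner):
        row = self.db.execute("SELECT balance FROM accounts WHERE owner = ?",
                              (owner,)).fetchone()
        return row[0] if row else None

class MiddleTier:
    """Three-tier: the application server owns the database connection,
    checks the caller against each request, and writes an audit record
    before touching the data. Thin clients never receive DB credentials."""
    def __init__(self, db, audit):
        self.db = db
        self.audit = audit  # a plain list stands in for a central log store

    def balance(self, caller, owner):
        if caller != owner:
            self.audit.append(f"DENY balance caller={caller} owner={owner}")
            raise PermissionError("caller may only read their own account")
        self.audit.append(f"ALLOW balance caller={caller} owner={owner}")
        row = self.db.execute("SELECT balance FROM accounts WHERE owner = ?",
                              (owner,)).fetchone()
        return row[0] if row else None

def demo():
    """Same request in both architectures: alice asks for bob's balance."""
    thick = ThickClient(make_store())
    audit = []
    server = MiddleTier(make_store(), audit)
    try:
        server_result = server.balance("alice", "bob")
    except PermissionError:
        server_result = "denied"
    return {"two_tier": thick.balance("bob"),   # 250: no enforcement point exists
            "three_tier": server_result,        # "denied" by the middle tier
            "own_account": server.balance("alice", "alice"),  # 100
            "audit": audit}

if __name__ == "__main__":
    print(demo())
```

The patching argument follows the same shape: a rule change in `MiddleTier` is one deployment, whereas the same change in `ThickClient` ships to every desktop.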