Two-tier distributed systems vs. three-tier distributed systems

Mike Rothman discusses the pros and cons of using two-tier distributed systems vs. three-tier distributed systems.

Can you compare and contrast two-tier and three-tier distributed systems as they are related to information se...


In a two-tier application, there is a thick client communicating directly with the data store -- the application logic runs within the thick client. Think Lotus Notes or old PowerBuilder applications. This is the original architecture that drove "client-server" back in the early '90s.

Three-tier systems add a middle tier to provide much of that application logic. So you are, in effect, separating the application logic from the presentation, which can now run within a thin client, like a Web browser. This is the dominant application type nowadays.

Of course, the pendulum always swings back and forth and now we are seeing hybrid models, which include technologies like AJAX, to add more functionality within the browser to mimic the capabilities achieved with fat-client applications. Is that muddled enough?

Relative to information security, a three-tier environment tends to be easier to control because the application servers (the middle tier) are centralized and can be more easily managed. To put some numbers behind that statement, let's say vulnerabilities are discovered in an application. In a three-tier model, maybe 100 application servers will be patched. If you have fat clients all over the place, maybe 10,000 patches will be needed to apply the fix.

Blocking and tackling to secure both applications and architectures is similar. The application and the data need to be protected, so making sure there aren't vulnerabilities in your application code is important. Also make sure only authorized parties are accessing the data in the database.

Given the overarching regulatory environment, it's important to not only monitor what's happening within applications, but also to store log data and make sure you could recover from an attack.

The bottom line is that there are lots of reasons why three-tier architecture is prevalent now. Security is not really one of them, but security does benefit from this trend.
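
The contrast described above, as an added example that is not part of the original answer: a Python sketch over an in-memory SQLite database in which each two-tier client carries its own access check, while the three-tier middle tier enforces and logs it once for every client. The table layout, the function and class names, and the `enforce` flag (which models a client build that lacks the check) are assumptions made for illustration.

```python
import sqlite3

def make_store():
    """Data tier: constructed sample rows in an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, amount INTEGER);
        CREATE TABLE audit (username TEXT, invoice_id INTEGER, allowed INTEGER);
        INSERT INTO invoices VALUES (1, 'alice', 120), (2, 'bob', 75);
    """)
    return db

def two_tier_client_read(db, user, invoice_id, enforce=True):
    """Two-tier: the thick client holds the database connection, so the
    ownership check is client-side logic. enforce=False models one of the
    many installed clients that has not received the fix (assumption)."""
    row = db.execute("SELECT owner, amount FROM invoices WHERE id = ?",
                     (invoice_id,)).fetchone()
    if row is None or (enforce and row[0] != user):
        return None
    return row[1]

class MiddleTier:
    """Three-tier: only this service holds the database connection. Thin
    clients call read_invoice(), so one check and one audit trail cover
    all of them, and a fix is applied here rather than on every desktop."""
    def __init__(self, db):
        self._db = db

    def read_invoice(self, user, invoice_id):
        row = self._db.execute(
            "SELECT amount FROM invoices WHERE id = ? AND owner = ?",
            (invoice_id, user)).fetchone()
        # Record every request, allowed or denied, for later review.
        self._db.execute("INSERT INTO audit VALUES (?, ?, ?)",
                         (user, invoice_id, int(row is not None)))
        return row[0] if row else None

    def denied_requests(self):
        """Return (username, invoice_id) pairs the middle tier refused."""
        return self._db.execute(
            "SELECT username, invoice_id FROM audit WHERE allowed = 0").fetchall()

if __name__ == "__main__":
    db = make_store()
    print("patched client:  ", two_tier_client_read(db, "bob", 1))
    print("unpatched client:", two_tier_client_read(db, "bob", 1, enforce=False))
    svc = MiddleTier(db)
    print("middle tier:     ", svc.read_invoice("bob", 1), svc.denied_requests())
```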

This was last published in March 2008