simple three-tier application architecture that has the
following foundations:
Tier 1 (Presentation): This tier presents content to the end user
through a web user interface, a mobile app, or an API. To present the
content, it must interact with the other tiers. From a security
standpoint, every request into this tier should be authenticated and
authorized, access should be time-bound (sessions and tokens expire),
traffic should be encrypted in transit, and the exposed attack surface
should be kept as small as possible.
Tier 2 (Application): This is the middle tier of the architecture, and
it is where the business logic of the application runs. The components
of this tier typically run on one or more application servers; hence,
from a security standpoint, load balancing, restricting which clients
may reach the servers (for example, only the presentation tier), and
fronting them with a proxy all help.
Tier 3 (Data): This is the lowest tier of the architecture, and it is
mainly concerned with the storage and retrieval of application data.
The application data is typically stored in a database server, a file
server, or another device or medium that supports data access logic.
This tier should expose only the data itself, through a controlled data
access interface, and never give the upper tiers direct access to the
underlying storage and retrieval mechanisms.
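The following is an added example, not code from the book, that shows the three tiers as three small Python components with the controls described above: the presentation tier authorizes each request with a time-limited, HMAC-signed bearer token and derives the caller's identity from that token rather than from the request; the application tier holds the business logic and is the only caller of the data tier; the data tier exposes only fixed, parameterized queries and never hands out its database connection. The token format, the shared key, the class and function names, and the sample rows are all assumptions made for the illustration.

```python
"""Added example: one request path through a three-tier application.

Assumptions (not from the original text): the token format
'<user>.<expiry>.<hmac-sha256>', the TOKEN_KEY value, the class and
function names, and the constructed sample order rows.
"""
import hashlib
import hmac
import sqlite3
import time
from typing import Optional

# Constructed secret for the example only; in production this comes from a secret store.
TOKEN_KEY = b"example-shared-secret-not-for-production"
TOKEN_TTL_SECONDS = 300


# ---------- Tier 3: data ----------
class OrderStore:
    """Data tier: only fixed, parameterized queries are exposed; the
    connection object never leaves this class."""

    def __init__(self) -> None:
        self._db = sqlite3.connect(":memory:")
        self._db.execute(
            "CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, total INTEGER)"
        )
        # Constructed sample rows.
        self._db.executemany(
            "INSERT INTO orders (owner, total) VALUES (?, ?)",
            [("alice", 120), ("alice", 80), ("bob", 500)],
        )
        self._db.commit()

    def orders_for(self, owner: str) -> list:
        # Parameter binding keeps the caller's input out of the SQL text,
        # so a value such as "alice' OR '1'='1" is just an unknown owner.
        rows = self._db.execute(
            "SELECT id, total FROM orders WHERE owner = ?", (owner,)
        ).fetchall()
        return [{"id": i, "total": t} for i, t in rows]


# ---------- Tier 2: application ----------
class OrderService:
    """Application tier: business logic; the only component that calls the data tier."""

    def __init__(self, store: OrderStore) -> None:
        self._store = store

    def account_summary(self, user: str) -> dict:
        orders = self._store.orders_for(user)
        return {
            "user": user,
            "order_count": len(orders),
            "total_spent": sum(o["total"] for o in orders),
        }


# ---------- Tier 1: presentation ----------
def issue_token(user: str, now: Optional[float] = None) -> str:
    """Mint a time-limited bearer token: '<user>.<expiry>.<hmac>'."""
    exp = int((now if now is not None else time.time()) + TOKEN_TTL_SECONDS)
    msg = f"{user}.{exp}".encode()
    sig = hmac.new(TOKEN_KEY, msg, hashlib.sha256).hexdigest()
    return f"{user}.{exp}.{sig}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user if the signature is valid and the token is unexpired, else None."""
    try:
        user, exp_s, sig = token.rsplit(".", 2)  # rsplit so a '.' in the user name is fine
        exp = int(exp_s)
    except ValueError:
        return None
    expected = hmac.new(TOKEN_KEY, f"{user}.{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    current = now if now is not None else time.time()
    if current >= exp:  # "timed" access: an expired token is rejected
        return None
    return user


def handle_request(service: OrderService, path: str,
                   auth_header: Optional[str], now: Optional[float] = None) -> tuple:
    """Presentation-tier entry point: authorize first, then delegate to the
    application tier. Identity comes from the token, never from the request
    path, so a caller can only ever see its own data."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    user = verify_token(auth_header[len("Bearer "):], now)
    if user is None:
        return 401, {"error": "invalid or expired token"}
    if path == "/me/summary":
        return 200, service.account_summary(user)
    return 404, {"error": "not found"}


if __name__ == "__main__":
    svc = OrderService(OrderStore())
    print(handle_request(svc, "/me/summary", "Bearer " + issue_token("alice")))
```

Note that the token is signed, not encrypted: it proves who the caller is and when the grant ends, but the transport (TLS) is what keeps it confidential, which is why the presentation tier's "encrypted" requirement is a separate control from the token check.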
Figure 14-2 Three-Tier Approach to Application Security
To minimize risks, the following are some of the best
practices in the industry:
Keep software up-to-date: Install software patches promptly so that
attackers cannot exploit known vulnerabilities. Many operating systems
offer automatic updates.
Install end-user or device security: Install endpoint security
software on each end user's device so that viruses and other malware
are detected and blocked before they reach the application.
Use strong passwords: Strong passwords help ensure that only
authorized users can access resources. A strong password is hard to
guess or brute-force, which lowers the risk of account compromise.