I recently read some articles on the Intel Premier IT Professional site reviewing the thick versus thin client (or, as they called it, the rich versus thin client) debate. Their articles were talking more along the lines of laptops versus desktops, but I am always interested in this debate, as my company offers a SaaS solution utilizing both thick and thin clients. Basically, there are two levels of users for our software: an administrative user and a non-administrative user. The administrative interface is, in the strictest definition of the term, a thick client: a compiled application that gets installed on your computer. The non-administrative users get a thin client, a web interface.
Being a SaaS provider, we often get asked why we don't offer everything in the thin client model. We thought about this long and hard when we made the decision several years ago, and we decided to stay with the thick client model for the administrative interface mainly for the improved performance. All data is still stored on our servers, and the thick client is useless without an active internet connection, so in that sense it is a mix between a thick and a thin client. However, being an installed application, it can download and cache a much larger amount of data at one time, let the user manipulate that data in many different ways, and not send it back to the server until he or she is done. In other words, it greatly improves the speed at which setup and modification can occur.
The articles on the IPIP site pointed out the pros and cons of both models from a security and risk management standpoint, and not surprisingly came to the conclusion that each model has its benefits. In a thick client model, you can have a more distributed environment that is tolerant of outages and interruptions. If the server goes down, it doesn't matter much, because you have everything locally and can continue to work on it. As I mentioned, this doesn't really apply to our software since it's more of a cross-breed, but in general it is true. Of course, with this mobility and distributed nature you sacrifice some security and control: a copy of the data now lives on every machine the application is installed on.
On the other hand, in a thin client model you have a higher level of security and control of the data, but you are also much more vulnerable to outages and interruptions. Let's say your application server falls prey to a denial of service attack; now all your users are down because they can't reach the server. The articles also point out that the thin client model is still very vulnerable to security breaches, because people still have access to the data. The users, in the end, are really the weak link in the security. If a highly privileged user leaves his or her password lying around, then all the security in the world will not protect the data. Even multi-factor authentication may not help, since the same user who leaves a password sitting around is likely to leave the hardware token sitting right next to it. Maybe biometric authentication would help; it is kind of hard for that lazy user to leave a finger sitting with the password on the desk while he goes to get a cup of coffee.
So in the end, both models have their pros and cons, and both should be evaluated rather than dismissing one model in favor of the other.