Topic 05

Security Principles That Recur

Principles

A handful of principles show up in every well-designed control, and naming them once means recognizing them everywhere after. Least privilege, defense in depth, fail-secure, complete mediation, and separation of duties are the load-bearing ideas; the rest of this book is these principles applied to specific technologies. Zero trust — "never trust, always verify" — is the modern packaging of several of them.

Read the coming chapters through this lens and they stop being a list of tools. Encryption, IAM, segmentation, and hardening are all the same few ideas wearing different clothes.

Least Privilege

Every user, service, and process gets exactly the access it needs and no more, so a compromised component can reach only a little. This single principle limits blast radius more than any other, and its slow death — temporary admin that becomes permanent, a service account granted "just in case" — is behind a large share of breaches that spread. The strong form is access that is just-in-time and time-bound rather than standing and broad.

Defense in Depth

Layer independent controls so no single failure is fatal — but the point is not redundancy for its own sake. Three firewalls with the same rule fail the same way at once; real depth means the attacker must defeat different kinds of control — network, host, application, identity — each of which fails differently. Depth is about diversity of mechanism, not quantity.

Fail-Secure and Complete Mediation

When a control errors, it should deny rather than allow: a login system that lets everyone in when its database is down has turned an outage into a breach. And every access should be checked every time — complete mediation — rather than checked once and cached into a bypass. A check you can skip is a check you do not have.

Zero Trust as the Modern Synthesis

Zero trust drops the assumption that "inside the network" means trusted, and authenticates and authorizes every request on its own merits regardless of where it came from. It is really least privilege and complete mediation applied to the network: a foothold inside the perimeter grants nothing extra, because there is no implicit trust to inherit. Meridian's segmentation (Chapter 4) and identity design (Chapter 3) are this principle made concrete.

The principles, and where the book makes each concrete
Least privilege
exactly what is needed · Chapters 3, 7, 13
Defense in depth
different layers, not identical ones · every chapter
Fail-secure · complete mediation
deny on error · check every time · Chapters 3, 6
Zero trust
verify every request · Chapters 3, 4
Common Mistakes
  • Granting broad access "to save time" and never walking it back, so temporary admin becomes permanent and least privilege dies by a thousand exceptions.
  • Stacking identical controls and calling it depth — three firewalls with the same rule fail together, because depth means different kinds of control.
  • Failing open: a control that allows access when it errors turns an outage into a breach.
  • Caching an authorization decision into a path that later skips the check, breaking complete mediation.
  • Trusting the internal network implicitly, so one foothold reaches everything — the exact thing zero trust exists to prevent.
Best Practices
  • Default to least privilege and grant access just-in-time and time-bound rather than standing and broad.
  • Layer controls of different types — network, host, application, identity — so an attacker must defeat several independent mechanisms.
  • Design controls to fail closed and to mediate every access, with no cached bypass.
  • Adopt a zero-trust posture: authenticate and authorize each request regardless of network location.
  • Separate high-privilege actions so no single person or component can complete a sensitive operation alone.
Comparable toolsFoundations Saltzer & Schroeder design principlesStandard NIST SP 800-207 (zero-trust architecture)Reference OWASP proactive controls

Knowledge Check

What makes defense in depth real rather than an illusion?

  • The layers use different mechanisms, so they fail independently
  • The very same control is simply duplicated as many times as possible
  • Every layer is placed at the network perimeter
  • All controls are configured to fail open for availability

A login service grants access to everyone when its user database is unreachable. Which principle does this violate?

  • Fail-secure — deny, not allow, on error
  • Least privilege, because users are handed too little access here
  • Separation of duties, because a single person did far too much
  • Defense in depth, because there was only one login service

What does zero trust fundamentally change about network trust?

  • Being inside the network no longer implies trust; every request is verified
  • It encrypts all internal traffic and considers the job done
  • It automatically trusts any device once it has connected through the corporate VPN
  • It removes the need for authentication once inside the perimeter

You got correct