Security Design Principles

From Saltzer and Schroeder to NIST SP 800-160 -- the principles that underpin every OSA pattern.

Every OSA pattern is built on security design principles -- fundamental rules that guide how controls are selected, composed, and implemented. Understanding these principles helps you evaluate whether a design is sound, even for scenarios no pattern has yet covered.

Foundations: Saltzer and Schroeder (1975)

The intellectual foundation for security design principles comes from Jerome Saltzer and Michael Schroeder's 1975 paper, The Protection of Information in Computer Systems. Their eight principles have stood the test of time for fifty years:

  • Economy of mechanism -- keep designs as simple and small as possible
  • Fail-safe defaults -- base access decisions on permission rather than exclusion
  • Complete mediation -- every access to every object must be checked for authority
  • Open design -- the mechanism should not depend on the ignorance of potential attackers
  • Separation of privilege -- require multiple conditions to grant access where practical
  • Least privilege -- every programme and user should operate with the minimum set of privileges necessary
  • Least common mechanism -- minimise the mechanisms shared between users
  • Psychological acceptability -- the human interface must be designed for ease of use so that users routinely apply protection mechanisms correctly

Saltzer and Schroeder also identified two additional principles they considered partially applicable: work factor (compare the cost of circumventing a mechanism with the resources of a potential attacker) and compromise recording (mechanisms that reliably record a compromise can be used in place of more elaborate prevention mechanisms).

These ten principles remain the canonical reference. Every subsequent framework traces its lineage back here.

Modern Framework: NIST SP 800-160 and SA-8

NIST SP 800-160 Volume 1 Revision 1 (Engineering Trustworthy Secure Systems, 2022) expands Saltzer and Schroeder's principles into 33 security engineering principles, formally codified as control enhancements to SA-8 (Security and Privacy Engineering Principles) in NIST 800-53 Rev 5. SA-8 is in all three NIST baselines -- every system is expected to apply these principles.

The 33 principles group naturally into categories relevant to OSA pattern design:

Simplicity and Minimisation

Principles: Clear abstractions, reduced complexity, modularity and layering, minimised security elements, minimisation.

Keep security mechanisms simple, modular, and minimal. Complex designs are harder to verify, harder to maintain, and more likely to contain flaws. OSA patterns apply this by decomposing security architectures into distinct control areas with clear boundaries -- for example, separating network segmentation (SP-017) from identity management (SP-004) from application security (SP-030).

Access Control and Mediation

Principles: Efficiently mediated access, least privilege, predicate permission, hierarchical protection.

Every access must be checked, privileges must be minimal, and defaults must deny. These principles are woven through Identity Management (SP-004), Modern Authentication (SP-032), Privileged User Management (SP-037), and Zero Trust Architecture (SP-029) -- which elevates complete mediation from a principle to an architectural pattern.

Trust and Composition

Principles: Trusted components, hierarchical trust, self-reliant trustworthiness, secure distributed composition, trusted communication channels.

New in SP 800-160, these address modern distributed systems where components from multiple suppliers must compose securely. Relevant to Cloud Security (SP-025), API Security (SP-030), Secure AI Integration (SP-027), and Third Party Risk Management (SP-042). Trust boundaries are the defining feature of OSA pattern diagrams.

Failure and Recovery

Principles: Secure defaults, secure failure and recovery, continuous protection.

Systems must fail into a secure state and maintain protection continuously. Central to Cyber Resilience (SP-034), Incident Response (SP-036), and the backup and recovery controls in Industrial Control Systems (SP-023).

Monitoring and Accountability

Principles: Self-analysis, accountability and traceability.

Systems must be capable of monitoring their own security state and maintaining audit trails. These principles underpin Security Monitoring and Response (SP-031), and the logging and audit controls present in virtually every pattern.
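As an added illustration (not OSA's own code, and not drawn from NIST or from Saltzer and Schroeder), the following Python reference monitor makes several of the principles above concrete in one place: fail-safe defaults, least privilege and separation of privilege from the 1975 list, complete mediation from the Access Control and Mediation section, fail-closed behaviour from Failure and Recovery, and compromise recording from Monitoring and Accountability. The role names, the resource, the users and the `mfa_verified` second condition are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

# Least privilege: each role holds only the (resource, action) pairs it needs.
# Anything not listed is denied by construction (fail-safe default).
# Roles and resources are constructed sample values.
ROLE_PERMISSIONS: dict[str, frozenset[tuple[str, str]]] = {
    "reader": frozenset({("report", "read")}),
    "analyst": frozenset({("report", "read"), ("report", "write")}),
    "admin": frozenset({("report", "read"), ("report", "write"),
                        ("report", "delete"), ("config", "read")}),
}


def lookup_role(role: str) -> frozenset[tuple[str, str]]:
    """Unknown roles map to the empty set: no permission, not an error."""
    return ROLE_PERMISSIONS.get(role, frozenset())


@dataclass
class Subject:
    user: str
    roles: tuple[str, ...]
    mfa_verified: bool = False  # hypothetical second condition (separation of privilege)


@dataclass
class ReferenceMonitor:
    """Single chokepoint through which every access decision passes (complete mediation)."""
    # Compromise recording / accountability: every decision is appended here,
    # denials included, so a review can reconstruct who asked for what.
    audit_log: list[dict] = field(default_factory=list)
    # Separation of privilege: destructive actions need a second, independent condition.
    dual_condition_actions: frozenset[str] = frozenset({"delete"})
    # Policy source is injectable so a failing backend can be simulated.
    role_lookup: Callable[[str], frozenset] = lookup_role

    def check(self, subject: Subject, resource: str, action: str) -> bool:
        try:
            granted = any((resource, action) in self.role_lookup(role)
                          for role in subject.roles)
            if granted and action in self.dual_condition_actions:
                granted = subject.mfa_verified
            reason = "policy"
        except Exception as exc:
            # Secure failure: a broken policy source fails closed, never open.
            granted, reason = False, f"policy error: {type(exc).__name__}"
        self.audit_log.append({"user": subject.user, "resource": resource,
                               "action": action, "granted": granted, "reason": reason})
        return granted


class ReportStore:
    """The only API to the data; every operation routes through the monitor."""

    def __init__(self, monitor: ReferenceMonitor) -> None:
        self._monitor = monitor
        self._data = {"report": "Q3 figures (constructed sample)"}

    def read(self, subject: Subject, name: str) -> str:
        if not self._monitor.check(subject, name, "read"):
            raise PermissionError(f"{subject.user} may not read {name}")
        return self._data[name]

    def delete(self, subject: Subject, name: str) -> None:
        if not self._monitor.check(subject, name, "delete"):
            raise PermissionError(f"{subject.user} may not delete {name}")
        del self._data[name]


def run_scenarios(monitor: ReferenceMonitor | None = None) -> dict[str, bool]:
    """Exercise each principle once and return the access decisions."""
    if monitor is None:
        monitor = ReferenceMonitor()
    store = ReportStore(monitor)
    reader = Subject("alice", ("reader",))
    admin_no_mfa = Subject("bob", ("admin",))
    admin_mfa = Subject("bob", ("admin",), mfa_verified=True)
    stranger = Subject("mallory", ("contractor",))  # role absent from policy

    def attempt(op, subject: Subject, name: str) -> bool:
        try:
            op(subject, name)
            return True
        except PermissionError:
            return False

    return {
        "reader_reads": attempt(store.read, reader, "report"),
        "reader_deletes": attempt(store.delete, reader, "report"),             # least privilege
        "unknown_role_reads": attempt(store.read, stranger, "report"),         # fail-safe default
        "admin_delete_no_mfa": attempt(store.delete, admin_no_mfa, "report"),  # separation of privilege
        "admin_delete_mfa": attempt(store.delete, admin_mfa, "report"),
    }


if __name__ == "__main__":
    monitor = ReferenceMonitor()
    for name, ok in run_scenarios(monitor).items():
        print(f"{name:22s} -> {'granted' if ok else 'denied'}")
    print(f"{len(monitor.audit_log)} decisions recorded, denials included")
```

Two design choices carry the principles. First, `ReportStore` exposes no path to the data that bypasses `ReferenceMonitor.check`, which is what complete mediation means in practice; a cache or a "trusted caller" shortcut would break it. Second, the monitor records every decision, including denials and policy errors, because a compromise attempt shows up in the denials long before it shows up in a successful access. Injecting a `role_lookup` that raises demonstrates the fail-closed path: the monitor answers "deny" and logs the failure rather than propagating the exception or defaulting to allow.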

Human Factors

Principles: Human factored security, acceptable security.

Security mechanisms that users find burdensome will be circumvented. Passkey Authentication (SP-033) is a direct application -- replacing passwords with a ceremony that is both more secure and easier to use. Security Awareness (SP-020) addresses the training dimension.

Operational Rigour

Principles: Repeatable and documented procedures, procedural rigour, secure system modification, sufficient documentation.

New in SP 800-160, these formalise what operational security teams have always known: security depends on consistent, documented processes. Relevant to Secure DevOps Pipeline (SP-028), Vulnerability Management (SP-038), and Offensive Security Testing (SP-035).

For the full list of 33 principles, see NIST SP 800-160 Vol 1 Rev 1 Appendix E at https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final.

Cyber Resiliency Principles

NIST SP 800-160 Volume 2 Revision 1 (Developing Cyber-Resilient Systems, 2021) adds complementary resilience principles that assume breach rather than focusing solely on prevention. These include focus on common critical assets, support agility and architect for adaptability, and reduce attack surfaces. OSA's Cyber Resilience pattern (SP-034) applies these principles in the context of DORA, Bank of England, and PRA regulatory requirements.

Complementary Frameworks

Several other organisations publish security design principles that complement the NIST framework:

  • OWASP Developer Guide defines 16 practitioner-friendly security principles based on Saltzer and Schroeder, adding defence in depth and modern web-era concerns. See https://devguide.owasp.org/en/02-foundations/03-security-principles/.
  • UK NCSC publishes five outcome-oriented design principles: establish context, make compromise difficult, make disruption difficult, make detection easier, and reduce impact of compromise. See https://www.ncsc.gov.uk/collection/cyber-security-design-principles.
  • CISA Secure by Design establishes three vendor accountability principles (own security outcomes, embrace radical transparency, lead from the top) with a voluntary pledge signed by 200+ organisations. See https://www.cisa.gov/securebydesign.
  • ISO 27002:2022 control 8.27 requires organisations to establish and apply secure system architecture and engineering principles, but defers to frameworks like NIST 800-160 for the comprehensive list.

How Principles Relate to Controls

Principles and controls serve different purposes. Principles are design-time guidance -- they tell you how to think about security architecture. Controls are implementation requirements -- they tell you what to build. NIST connects the two through SA-8: the control that requires you to apply security engineering principles during system design. Every OSA pattern references SA-8, and the control areas within each pattern are the practical application of these principles to specific architectural scenarios.