Access Control System Design Principles

As designers create access control systems, they should keep in mind a set of commonly accepted design principles. These principles are intended to create access control systems that meet business requirements in a manner that is acceptable to users and provides adequate security while balancing complexity and cost. These principles include:

  • Least privilege and separation of privileges, which were discussed earlier in this chapter.
  • Economy of mechanism, also known as simplicity of design, which says that access control mechanisms should be as simple as possible, using as few components and procedures as necessary to meet the requirements. Increasing the complexity of a mechanism increases the likelihood that it will fail.
  • Least common mechanism, also known as minimization of implementation, says that mechanisms shared by different classes of users should be minimized and kept separate to the extent possible. A shared mechanism is both a potential channel for information to leak between users and a single point whose compromise affects everyone who relies on it, so separating mechanisms reduces the likelihood of privilege escalation attacks.
  • Least astonishment, also known as psychological acceptability, relates to usability. It says that security mechanisms should be as nonintrusive as possible, providing security while minimizing disruption to user activity.
  • Open design is the opposite of security through obscurity. It says that the security of an access control mechanism should not depend upon the secrecy of its design or the secrecy of details of its implementation.
  • Complete mediation says that every attempt to access an object should be checked against the current authorization rules rather than relying on a previously cached decision. This is what makes revocation take effect immediately: a user whose rights are withdrawn is denied on the very next access, not whenever a cached approval happens to expire.
  • Default deny, also called fail-safe defaults, says that the base assumption of any access control mechanism should be that access is denied unless it was explicitly authorized. This principle is closely related to the idea of minimizing the trust surface or implementing a reluctance to trust.
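The following is an added example, not code from the original text, showing how default deny and complete mediation look in a small reference monitor. It also shows the failure mode the complete mediation principle warns about: a monitor that caches its first decision keeps honoring an access right after it has been revoked. The policy model, the class names and the sample subjects and objects (alice, bob, payroll.db) are hypothetical and constructed for the illustration.

```python
"""Added example (not from the original text): a tiny reference monitor that
illustrates default deny and complete mediation, contrasted with a version
that caches authorization decisions so revocation does not take effect.
The Policy/ReferenceMonitor/CachingMonitor names and the sample subjects,
objects and actions are hypothetical."""

from dataclasses import dataclass, field


@dataclass
class Policy:
    # Explicit grants only: {(subject, object): {actions}}.
    # Anything not listed here is denied (default deny).
    grants: dict = field(default_factory=dict)

    def grant(self, subject, obj, action):
        self.grants.setdefault((subject, obj), set()).add(action)

    def revoke(self, subject, obj, action=None):
        key = (subject, obj)
        if key not in self.grants:
            return
        if action is None:
            del self.grants[key]  # revoke every action on this object
        else:
            self.grants[key].discard(action)

    def is_allowed(self, subject, obj, action):
        # Default deny: a missing grant is a denial, never an implicit allow.
        return action in self.grants.get((subject, obj), set())


class ReferenceMonitor:
    """Complete mediation: every access consults the live policy."""

    def __init__(self, policy):
        self.policy = policy

    def access(self, subject, obj, action):
        return "allow" if self.policy.is_allowed(subject, obj, action) else "deny"


class CachingMonitor:
    """Violates complete mediation: remembers the first decision it made for
    each (subject, object, action) and never asks the policy again."""

    def __init__(self, policy):
        self.policy = policy
        self._cache = {}

    def access(self, subject, obj, action):
        key = (subject, obj, action)
        if key not in self._cache:
            self._cache[key] = (
                "allow" if self.policy.is_allowed(subject, obj, action) else "deny"
            )
        return self._cache[key]


def revocation_demo():
    """Grant alice read on payroll.db, exercise both monitors, revoke the
    grant, and exercise them again. Returns the decisions before and after
    revocation plus a default-deny check for an unlisted subject."""
    policy = Policy()
    policy.grant("alice", "payroll.db", "read")  # constructed sample grant
    strict = ReferenceMonitor(policy)
    cached = CachingMonitor(policy)

    before = (strict.access("alice", "payroll.db", "read"),
              cached.access("alice", "payroll.db", "read"))

    policy.revoke("alice", "payroll.db", "read")

    after = (strict.access("alice", "payroll.db", "read"),
             cached.access("alice", "payroll.db", "read"))

    return {
        "before": before,                      # ("allow", "allow")
        "after": after,                        # ("deny", "allow"): cache ignores revocation
        "write_never_granted": strict.access("alice", "payroll.db", "write"),  # "deny"
        "bob_unlisted": strict.access("bob", "payroll.db", "read"),            # "deny"
    }


if __name__ == "__main__":
    for name, value in revocation_demo().items():
        print(f"{name}: {value}")
```

The strict monitor denies alice on the first access after revocation because it re-evaluates the policy every time; the caching monitor keeps returning its stale "allow". The same structure applies to real systems that cache authorization results (session tokens, authorization decision caches, file handles that are checked only at open time): any cache of a decision must be invalidated on revocation or bounded by a lifetime short enough for the business to accept.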