Domain 3 of 8 · Chapter 1 of 10

Secure Design Principles

Why principles, not products, drive secure design

Most architecture stems hide the product on purpose: they describe a flaw (an account with far more access than it uses, a control that fails open and lets traffic through, a flat network where one breached host reaches everything) and ask what you should do first or what design is best. The defensible answer is the option that embodies the right principle, not the one naming the most impressive tool. A secure design principle is a durable, vendor-neutral rule applied while a system is being engineered, before any specific control is chosen, so that security is a built-in property rather than a patch added after an incident; NIST's systems-security-engineering guidance puts it directly, security must be designed in, not bolted on[1]. Internalize each principle and its trade-off (on top of the CIA triad and what a control is) and the product-level answer follows.

The principles matter on the exam because most architecture questions hide the product. A stem describes a situation - an account with far more access than it uses, a control that fails in a way that lets traffic through, a flat network where one breached host reaches everything - and asks what you should do first or what design is best. The defensible answer is the option that embodies the right principle (least privilege, fail securely, defense in depth), not the option that names the most impressive tool. Internalize the principle and its trade-off, and the product-level answer follows.

Keep two boundaries in mind as you read. Formal mathematical access models (Bell-LaPadula for confidentiality, Biba for integrity) implement these principles but are a separate topic - they live in security-models. Threat-modeling methodologies (STRIDE, PASTA) are how you discover where to apply principles; they live in the risk-management domain. This page owns the catalog of principles themselves and the decision of when each one applies.

The principle catalog and what each one optimizes

This section walks the catalog one principle at a time; each entry states the rule, then the trade-off, so you can match a scenario to a principle on the exam. They are not mutually exclusive - a sound design layers several at once. The diagram above groups the catalog into the three families this section walks in order: constraining what an identity can reach, surviving failure, and setting scope and trust boundaries.

Constraining what an identity can reach

Least privilege grants each subject only the minimum access needed to do its job and nothing more, so a misused or compromised account can damage only a narrow slice of the system. NIST defines it as designing the architecture so each entity gets the minimum resources and authorizations it needs to perform its function[2]. Need-to-know is least privilege applied to information specifically: a clearance sets the ceiling on what data a person could see, but need-to-know decides which data within that ceiling they may actually access. The two work together - clearance gates the level, need-to-know gates the item.

Separation of duties (SoD) extends the same containment idea across people: split a sensitive task so no one person can complete it alone. NIST's control objective is to reduce the risk of malevolent activity without collusion[3] - the classic example is that whoever authorizes a payment must not also be able to issue it. SoD can be static (conflicting roles are never assigned to the same person) or dynamic (the conflict is enforced at execution time, as in a two-person rule). Job rotation and mandatory vacations are companion controls: they surface fraud that depends on one person continuously occupying one seat.

Surviving failure

Defense in depth places multiple independent layers of control across people, technology, and operations, so defeating one layer still leaves the attacker facing the next. NIST describes it as integrating people, technology, and operations to establish variable barriers across multiple layers[4]. The load-bearing word is independent: two layers that share a single chokepoint or one credential store fail together and count as one layer, not two.

Keep it simple and small (economy of mechanism) says the smaller and simpler a mechanism, the fewer flaws it can hide and the easier it is to verify - complexity is where vulnerabilities live. It is why a minimal, auditable control beats a feature-rich one you cannot fully reason about.

Fail securely means that when a component crashes or a check errors out, it denies the protected action rather than allowing it - also called fail-closed or fail-safe. NIST's fail-safe definition is a termination mode that prevents damage to system resources when a failure occurs[5]. Its opposite, fail-open, keeps the function available through failure and is correct only where loss of availability is itself the greater harm - a fire-exit door must unlock when its controller dies. The design choice is therefore a CIA trade-off: fail-closed when confidentiality or integrity dominates, fail-open when safety/availability of life dominates.

Secure defaults mean the system ships denying access until access is explicitly granted, so a forgotten setting leaves you safe rather than exposed. Note the relationship to fail securely - they are the same instinct at two moments: secure defaults govern the initial state, fail-closed governs the failure state.

Setting scope and trust boundaries

Privacy by design builds data protection into a system's defaults and full lifecycle from the outset - data minimization, purpose limitation, retention limits - rather than adding a consent banner at the end. Shared responsibility defines the security boundary in cloud: the provider secures of the cloud (facilities, hardware, hypervisor) while the customer secures in the cloud (data, identity, configuration), and that boundary shifts toward the provider as you move from IaaS to managed services. Zero trust removes implicit trust by network location and gets its own section below, because it is the principle the exam tests most heavily.

Constraining what anidentity can reachLeast privilegeNeed-to-knowSeparation of dutiesSurviving failureDefense in depthEconomy of mechanismFail securelySecure defaultsSetting scope andtrust boundariesPrivacy by designShared responsibilityZero trust
The principle catalog, grouped by what each family optimizes: constraining identity reach, surviving failure, and setting scope and trust boundaries.

Zero trust and trust-but-verify

Zero trust treats the network as already compromised, so being on the corporate LAN earns no trust - a posture that builds on least privilege and defense in depth to retire trust-but-verify and place SASE correctly. Read the diagram first - it traces a single access request through a zero-trust decision.

Zero trust (ZT) is defined by NIST SP 800-207 as a set of concepts that minimize uncertainty in enforcing accurate, least-privilege, per-request access decisions in the face of a network viewed as compromised[6]. That last clause is the whole idea: the model assumes an attacker is already inside, so being on the corporate LAN earns you nothing. Its first tenet that matters here is that no implicit trust is granted based on physical or network location[6] - a request from inside the legacy perimeter must meet the same bar as one from the open internet. This is the "never trust, always verify" posture.

How the decision is made

Every access in zero trust is authenticated, authorized, and granted on a per-session basis with least privilege, and the decision is driven by dynamic policy that weighs the subject's identity, the requesting device's security posture, and contextual signals such as time and behavior. Architecturally, a request passes through a policy decision point (PDP) that judges it and a policy enforcement point (PEP) that allows or blocks it; SP 800-207 stresses that authenticating to one resource does not automatically grant access to a different resource[6], and that the implicit-trust zone behind any enforcement point should be kept as small as possible. The enterprise also continuously monitors asset integrity - no asset is permanently trusted.

Trust-but-verify is the stance it replaces

Trust but verify is the older posture zero trust is built to retire: it extends trust up front (often based on network location or a one-time login) and checks behavior afterward. The gap is precisely the implicit trust zone - the window in which a subject is trusted before the next check - and that window is what an attacker who has breached the perimeter exploits for lateral movement. Zero trust shrinks that window toward zero by re-evaluating each request. Note the realistic nuance NIST itself states: most enterprises run a hybrid of zero-trust and perimeter modes during migration rather than flipping a switch.

Where SASE fits

Secure access service edge (SASE) is the cloud-delivered delivery model that converges networking - software-defined WAN (SD-WAN) - with security functions such as secure web gateway, cloud access security broker, and firewall-as-a-service, and enforces zero-trust network access at the edge close to the user, described in NIST's guide to a secure enterprise network landscape[7]. The exam relationship to remember: zero trust is the principle (verify every session); SASE is one cloud-edge architecture that delivers it for a distributed, perimeter-less workforce. SASE is not a synonym for zero trust - it is one way to operationalize it.

Subjectper-session requestDynamic policyidentity, device, contextPolicy decision pointauthenticate + authorizePolicy enforcement pointResourceAllow (least privilege)Deny
Zero-trust access flow: the policy decision point judges a per-session request against dynamic policy, then the enforcement point allows or denies it (modeled on NIST SP 800-207).

Exam-pattern recognition

This section maps the principles above onto the question shapes ISC2 actually uses, so you can read a stem and reach for the right principle. The exam rarely names a product; it describes a flaw and asks for the BEST design response. The diagram above pairs each common stem pattern with the principle that answers it; the prose below adds the distractor to rule out in each case.

Stem: an account or role with more access than it uses

The answer is least privilege - reduce the grant to what the function requires. If the stem instead describes one person able to both initiate and approve a sensitive action (issue and authorize a payment, both write code and deploy it to production), the answer is separation of duties, not least privilege. Distinguish them: least privilege limits how much one identity can reach; SoD splits a task so no single identity can complete it. A tempting wrong answer is "give the user a second account" - that does not separate the duties if the same person controls both.

Stem: a control fails and traffic gets through

The answer is fail securely / fail-closed - the control should deny on error. The classic distractor is choosing fail-open "to preserve availability." That is right only when the stem is a safety-of-life system (egress doors, life-support) where loss of availability is the greater harm; absent that, defaulting to fail-open trades confidentiality for convenience and is wrong.

Stem: a flat network where one breach reaches everything

The answer is defense in depth (independent layers) and, for a perimeter-less or remote/cloud workforce, zero trust (per-session verification, no trust by location). Watch the distractor that proposes a bigger perimeter firewall - zero trust's whole premise is that the perimeter is already breached, so reinforcing it misses the point. If the stem stresses a distributed cloud workforce, SASE may be the right delivery vehicle, but only as a way to enforce zero trust, never as a replacement for the principle.

Stem: a new system that will collect personal data

The answer is privacy by design - minimize collection and default to the least-revealing setting up front, rather than adding consent or anonymization later. The distractor is "add a privacy notice before launch"; a notice is disclosure, not design.

Stem: who is responsible for X in the cloud

Apply shared responsibility: the provider owns security of the cloud (physical, hypervisor) and the customer owns security in the cloud (data, identity, configuration). The boundary moves toward the provider from IaaS to managed services, but data classification and access control almost always stay the customer's job - the distractor that says "the cloud provider secures your data" is the trap.

What the stem describesRight principleMore access than it usesLeast privilegeControl fails, traffic gets throughFail securely (fail-closed)Flat network, one breach spreadsDefense in depth + zero trustNew system collects personal dataPrivacy by designWho is responsible in the cloudShared responsibility
Reading a stem to the right principle: each common flaw pattern maps to the design principle that answers it.

Failure-mode and trust stances compared

Design choiceBehavior on failure / defaultOptimizesUse when
Fail securely (fail-closed)Denies the protected action on error or crashConfidentiality / integrityDefault for access control and data protection
Fail-openKeeps the function available through failureAvailability / safetyLoss of availability is the greater harm (e.g., fire-exit doors)
Secure defaultsShips denying access until explicitly grantedConfidentialityAny new system or feature out of the box
Zero trustNo implicit trust by location; verify every sessionConfidentiality / containmentNo clear perimeter; assume breach
Trust but verifyExtend trust, check afterwardUsability / legacy fitLegacy stance zero trust is meant to replace

Decision tree

Does a grant exceed whatthe function needs?YesNo / next decisionLeast privilege + need-to-knowcut the grant to the minimum neededCould loss of availabilityinjure people?Yes (safety of life)NoFail-openavailability is the greater harmFail securely + secure defaultsdeny on error; deny until grantedthen set trust stanceIs there a clear, trustednetwork perimeter?No / assume breachYes (legacy)Zero trustverify every session; no trust by locationTrust but verifyimplicit trust zone; stance ZT replacesAlways layer independent controls (defense in depth) and keep each mechanism simple and small

Sharp facts the exam loves — give these one last read before exam day.

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Secure design principles are chosen before any product is

Secure design principles are durable, vendor-neutral rules an engineer applies while designing a system, before a specific control is selected, so security becomes a built-in property rather than a later patch. On the exam they decide the "what should you do FIRST / what design is BEST" questions: the right answer reflects a principle, not the most impressive product. Treating security as a bolt-on added after a breach is the failure these principles exist to prevent.

Trap Picking the most feature-rich or expensive product as the BEST answer instead of the design principle it should follow - on principle questions the right choice reflects the principle, not the strongest tool.

Least privilege grants only the minimum access a function needs

Least privilege gives each subject the minimum system resources and authorizations required to perform its function and nothing more, so a misused or compromised account can damage only a narrow slice of the system. It is a design-time decision about scope, not a runtime monitoring control. Per NIST it is a property the architecture is designed to enforce, not something added once over-broad access already exists.

Trap Treating least privilege as identical to need-to-know - least privilege limits all access an identity holds, while need-to-know specifically limits which information within a clearance level a person may see.

1 question tests this
Separation of duties forces collusion before fraud is possible

Separation of duties (SoD) splits a sensitive task so no single person can complete it alone, reducing the risk of malevolent activity without collusion - the person who authorizes a payment must not also be able to issue it. It can be static (conflicting roles are never assigned to the same user) or dynamic (the conflict is enforced at execution, as in a two-person rule). A specific SoD example NIST calls out: those who administer access-control functions must not also administer the audit functions that would catch them.

Trap Giving the same person a second account to "separate" the duties - if one individual still controls both halves of the task, no duties are actually separated.

4 questions test this
Job rotation and mandatory vacations expose single-seat fraud

Job rotation and mandatory vacations are companion controls to separation of duties: they surface fraud schemes that depend on one person continuously occupying one role, because a substitute taking over the seat would notice irregularities. Mandatory vacation forces a break long enough for a concealed scheme to come to light. They are detective and deterrent controls, distinct from SoD which is preventive.

Trap Classifying job rotation and mandatory vacation as preventive controls like separation of duties - they uncover a scheme already running, so they are detective and deterrent, not preventive.

Defense in depth requires independent layers, not just many

Defense in depth places multiple layers of control across people, technology, and operations so defeating one layer still leaves the attacker facing the next. The load-bearing requirement is independence: two layers sharing a single chokepoint or one credential store fail together and count as one layer, not two. Stacking redundant copies of the same control is not defense in depth.

Trap Counting two controls that fail the same way (same credential store, same single gateway) as two layers - shared failure modes collapse them into one effective layer.

1 question tests this
Keep it simple and small to shrink the attack surface

Economy of mechanism (keep it simple and small) holds that the smaller and simpler a mechanism, the fewer flaws it can hide and the easier it is to verify, because complexity is where vulnerabilities live. A minimal, auditable control is preferable to a feature-rich one you cannot fully reason about. It is the principle behind preferring a small trusted computing base.

Trap Reading economy of mechanism as security through obscurity - it calls for a simple, openly verifiable design, not a hidden one whose safety depends on secrecy.

Fail securely means deny the protected action on failure

Fail securely (fail-closed / fail-safe) means that when a component crashes or a check errors out, it denies the protected action rather than allowing it through. It is the default for access control and data protection because it preserves confidentiality and integrity when the system can no longer make a sound decision. NIST defines fail-safe as a termination mode that prevents damage to system resources when a failure occurs.

Trap Choosing fail-open to preserve availability on a normal access-control component - fail-open is correct only when loss of availability is itself the greater harm, such as a safety-of-life system.

4 questions test this
Fail-open is correct only when availability is the greater harm

Fail-open keeps a function available through failure and is the right choice only where loss of availability would cause more harm than loss of control - a fire-exit door must unlock when its controller dies. The decision between fail-open and fail-closed is therefore a CIA trade-off resolved by which property dominates: confidentiality/integrity favors fail-closed, safety/availability of life favors fail-open. For ordinary access control, fail-closed wins.

Trap Defaulting an ordinary access-control or data-protection component to fail-open to maximize uptime - fail-open is reserved for cases where lost availability is the greater harm, such as a physical safety system.

2 questions test this
Secure defaults ship denying access until it is explicitly granted

Secure defaults mean a system ships in its most-protected state, denying access until access is explicitly granted, so a forgotten configuration leaves you safe rather than exposed. It is the same instinct as fail securely applied at a different moment: secure defaults govern the initial out-of-the-box state, fail-closed governs the failure state. Both default toward denial.

Trap Equating secure defaults with fail-closed - both default to denial, but secure defaults govern the out-of-the-box initial state while fail-closed governs behavior during a failure.

Zero trust assumes the network is already compromised

Zero trust (NIST SP 800-207) grants no implicit trust based on physical or network location, because it assumes an attacker is already present inside the environment - being on the corporate LAN earns nothing. It is the "never trust, always verify" posture, defined as minimizing uncertainty in per-request, least-privilege access decisions in the face of a network viewed as compromised. The focus shifts from defending a perimeter to protecting individual resources.

Trap Answering a perimeter-less or breached-network scenario with a bigger perimeter firewall - zero trust's premise is that the perimeter is already breached, so reinforcing it misses the point.

Zero trust evaluates every request per-session on dynamic policy

In zero trust, access is authenticated, authorized, and granted per-session with least privilege, and the decision is driven by dynamic policy weighing identity, device security posture, and context such as time and behavior. Authenticating to one resource does not automatically grant access to a different resource. A policy decision point (PDP) judges each request and a policy enforcement point (PEP) allows or blocks it.

Trap Assuming a single successful authentication grants ongoing access to other resources - zero trust re-evaluates each request per-session, so one login never carries trust to a different resource.

1 question tests this
Trust but verify is the legacy stance zero trust replaces

Trust but verify extends trust up front - often from network location or a single login - and checks behavior afterward, leaving an implicit trust zone in which a subject is trusted until the next check. That window is exactly what an attacker who has breached the perimeter exploits for lateral movement, which is why zero trust shrinks it toward zero by re-evaluating each request. NIST notes most enterprises run a hybrid of zero-trust and perimeter modes during migration rather than switching all at once.

Trap Treating trust but verify as a synonym for zero trust because both mention verification - trust but verify grants trust up front and checks later, the implicit-trust window zero trust eliminates.

SASE delivers zero-trust access from the cloud edge, but is not zero trust itself

Secure access service edge (SASE) is a cloud-delivered model that converges networking (SD-WAN) with security functions such as secure web gateway, cloud access security broker, and firewall-as-a-service, and enforces zero-trust network access at the edge close to the user. Zero trust is the principle (verify every session); SASE is one architecture that operationalizes it for a distributed, perimeter-less workforce. They are related but not synonyms.

Trap Treating SASE as a replacement for zero trust rather than a delivery vehicle for it - SASE enforces zero-trust access, it does not substitute for the principle.

Privacy by design builds data protection into defaults, not into a late add-on

Privacy by design embeds data protection into a system's defaults and full lifecycle from the outset - data minimization, purpose limitation, and retention limits baked into the data model - rather than adding a consent banner or anonymization step at the end. The exam contrast is disclosure versus design: a privacy notice tells users what happens to their data, whereas privacy by design changes what the system collects and keeps in the first place.

Trap Answering a new-personal-data design question with "add a privacy notice before launch" - a notice is disclosure, not the up-front data-minimizing design the principle requires.

Shared responsibility splits security OF the cloud from security IN the cloud

Under the cloud shared-responsibility model the provider secures OF the cloud (physical facilities, hardware, the hypervisor) while the customer secures IN the cloud (their data, identity, and configuration). The boundary shifts toward the provider as you move from IaaS to managed and abstracted services, but data classification and access control almost always stay the customer's job. Knowing which side owns a given control is the recurring exam decision.

Trap Assuming the provider secures your data because it secures the infrastructure - data protection, identity, and configuration remain the customer's responsibility in nearly every cloud service model.

Also tested in

References

  1. NIST SP 800-160 Vol. 1 Rev. 1: Engineering Trustworthy Secure Systems Whitepaper
  2. NIST Glossary: Least Privilege (SP 800-53 Rev. 5) Whitepaper
  3. NIST Glossary: Separation of Duty (SP 800-192) Whitepaper
  4. NIST Glossary: Defense-in-Depth (SP 800-53 Rev. 5) Whitepaper
  5. NIST Glossary: Fail-Safe (CNSSI 4009-2015 / RFC 4949) Whitepaper
  6. NIST SP 800-207: Zero Trust Architecture Whitepaper
  7. NIST Glossary: Secure Access Service Edge (SP 800-215) Whitepaper