Specific design principles underlie the design and implementation of mechanisms for supporting policies. These principles build on the ideas of simplicity and restriction. Simplicity reduces the potential for inconsistencies within a policy or set of policies. Restriction minimizes the power of an entity. The entity can access only information it needs. 
Saltzer and Schroeder  describe eight principles on the ideas of simplicity and restriction:
- Principle of least privilege – states that a subject should be given only those privileges that it needs in order to complete a task.
- If a subject does not need an access right, the subject should not have it.
- The function of the subject should control the assignment of rights
- If specific actions require that a subjects access right be augmented, those extra rights should be relinquished immediately on completion of the action.
- Requires that processes be confined to as small a protection domain as possible.
- Privilege of fail-safe defaults – states that, unless a subject is given explicit access to an object, it should be denied access to that object.
- Requires that the default access to an object be none.
- If a subject is unable to complete its action or task, it should undo those changes it made in the security state of the system before it terminates so that even if the program fails the system is still safe.
- Principle of economy of mechanism – states that security mechanisms should be as simple as possible.
- If a design and implementation are simple, fewer possibilities exist for errors.
- The checking and testing process is less complex, because fewer components and cases need to be tested.
- Principle of complete mediation – requires that all accesses to objects be checked to ensure that they are allowed.
- If the system checks that a user has permission to access a file and then permission is granted to access the resource, the next time the user requests that same file, the system should again check if the subject is still allowed to access the resource. Do not cache the results of the first check!
- Principle of open design – states that the security of mechanism should not depend on the secrecy of its design or implementation.
- It should be assumed that attackers know or can find out all the design details of the system through some means and therefore secrecy of the design should not be part of the security.
- Principle of separation of privilege – states that a system should not grant permission based on a single condition.
- Principle of least common mechanism – states that mechanisms used to access resources should not be shared.
- Sharing resources provides a channel along which information can be transmitted, so this should be minimized.
- Principle of psychological acceptability– states that security mechanisms should not make the resource more difficult to access than if the security were not present.
- Configuring and executing a program should be as easy and as intuitive as possible and any output should be clear, direct and useful.
- If security related software is too complicated to configure, administrators may unintentionally setup the software in a nonsecure manner.
 Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005
 J. Saltzer and M. Schroeder, The Protection of Information in Computer Systems, Proceeding of the IEEE 63 (9), pp. 1278-1308 (Sep. 1975)