Complete Mediation
What you'll learn: How to ensure every single access attempt is checked and authorized, every time, without exception.
What Is Complete Mediation?
Complete Mediation means that every access to every resource must be checked every single time someone or something tries to use it. No shortcuts. No caching decisions like "I checked you five minutes ago, so you're still good." Every door requires showing your badge, every time you walk through it.
Think of it like airport security: even if you're a pilot who flies through that airport daily, you still go through security screening every single time. They don't say "Oh, we checked you yesterday—go ahead." Each access is mediated (checked and controlled) completely.
Why This Matters
Without Complete Mediation, attackers can exploit timing gaps or cached permissions. Imagine if a system checks your authorization once when you log in, then never again. If an administrator revokes your access while you're still logged in, you'd continue operating with privileges you shouldn't have.
This principle works hand-in-hand with Least Privilege (only giving minimum necessary access) and Defense in Depth (multiple security layers). Even if one check fails, complete mediation ensures that subsequent access attempts are still validated.
Real-World Example
Consider a file system: Every time you try to open, read, write, or delete a file, the system should verify you have permission for that specific action on that specific file at that exact moment—not rely on a permission check from earlier.
Key Takeaway: Complete Mediation means validate every access, every time, for every resource—never assume previous authorization still applies.