Well-Architected Framework
Centralize identity management
Designing and planning policies to manage access is part of a complete identity and access management strategy. A key part of that strategy is to centralize identity management, allowing you to enforce those policies effectively.
There are several ways to grant access to systems. Most systems have built-in identity solutions that allow you to create local users and groups. Those users and groups only have access to that specific system. While isolated identity management may seem secure, it does not scale well and may introduce more security risks than centralizing identity management.
What is centralized identity management
Centralizing identity management allows you to manage access to all systems from a single location. Solutions like LDAP, Active Directory, or cloud identity providers like Okta, Azure EntraID, or Google Cloud Identity provide a way to centralize identity management. After you centralize authentication, you then integrate the identity provider with other systems and authorize access for those users. Each user has a single username and password, but can access the systems required to perform their job.
Having individual user accounts on multiple platforms is similar to having a local user on your laptop. You can log in to the laptop with the local user, but that username and password do not provide access to your email or other systems.
Why centralize identity management
When you manage your users through a centralized identity provider, you can enforce strong security policies like multi-factor authentication (MFA), password complexity, and rotation policies.
From an end user perspective, centralizing identity management provides a single sign-on (SSO) experience, allowing users to access the systems they need with a single set of credentials. Using SSO reduces the risk of password fatigue and improves security by reducing the number of passwords that users need to remember.
You can deploy HashiCorp Vault to support centralized identity management by:
- Act as an OIDC provider - Deploying Vault as an OIDC provider gives you complete control over your identity management workflow and allows you to expose the OIDC provider according to your security requirements.
- Generate credentials - Generate dynamic, short-lived credentials that eliminate static passwords stored in different systems.
Boundary provides identity-aware proxying to infrastructure without exposing credentials to end users:
- Integrate with identity providers - Connect Boundary to OIDC providers or Active Directory to authenticate users based on their existing corporate identities.
- Role-based access control - Map users and groups from your identity provider to Boundary roles, controlling which systems each user can access.
- Session recording and auditing - Track which users accessed which systems, creating an audit trail tied to real identities rather than shared credentials.
Most HashiCorp tools and services, such as the HashiCorp Cloud Platform, HCP Terraform, Boundary, and Vault, integrate with third-party identity providers natively or through OIDC, allowing you to manage access to these tools from your centralized identity provider.
Next steps
Following these documents in order ensures a logical progression through the key concepts and best practices, helping you build a strong foundation for your identity and access management program.
- Define access requirements
- Grant least privilege
- Create permissions and guardrails
- Centralize identity management (this document)
- Implement strong sign-in workflows
- Use dynamic credentials
- Manage access lifecycle
In this section of Identity and access management you learned the benefits of centralizing identity management. Identity and access management is part of the Secure systems pillar.