Well-Architected Framework
Identity-based security for modern infrastructure
Modern infrastructure encompasses a mix of on-premises, cloud, and software-as-a-service (SaaS) workloads. Securing modern infrastructure requires a shift in focus to securing access to resources using identities, as the network perimeter is no longer a reliable security boundary.
Identity has become the new perimeter for securing modern infrastructure. Instead of relying on network security tools to secure access to resources, organizations must focus on securing user and machine identities. In addition to shifting focus to identities, organizations must also ensure all services meet the following criteria:
- Follow the principle of least privilege: Grant the minimum access necessary to perform their tasks.
- Use strong authentication and authorization mechanisms: Implement robust sign-in workflows, including multi-factor authentication (MFA), to access resources.
- Use ephemeral credentials: Use ephemeral, short-lived credentials to reduce the risk of credential theft.
- Classify data: Implement a data classification scheme for all services.
- Isolate workloads and resources: Limit the effect of potential security breaches.
- Continuously monitor and audit access: Detect and respond to potential threats.
Benefits of identity-based security
Every user, machine, or service has an identity. Leveraging the identities of your users through an identity provider (IdP) allows you to manage access to resources more effectively. You can also leverage trusted platforms, such as your cloud provider or self-managed infrastructure-as-a-service (IaaS) platforms, to verify a workload's identity.
By adopting identity as the new perimeter, organizations can build a more secure infrastructure that is better equipped to handle the challenges of modern workloads.
Shifting security focus to identities provides several benefits:
- Improved security: By focusing on securing identities, organizations can better protect against threats such as phishing, credential theft, and insider threats.
- Greater flexibility: Identity-based security allows organizations to securely manage access to resources across a mix of on-premises, cloud, and SaaS workloads.
- Enhanced user experience: Identity-based security can provide a more seamless user experience, reducing the need for users to remember multiple passwords or navigate complex network security tools.
- Better compliance: Identity-based security can help organizations meet regulatory requirements by providing better visibility and control over access to sensitive data and resources.
Implement zero trust with Vault and Boundary
HashiCorp Vault allows you to adopt ephemeral, dynamic credentials, replacing long-lived credentials with short-lived ones to reduce the risk of credential theft. Vault dynamic credentials support multiple cloud providers like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), as well as databases like MySQL, PostgreSQL, and MongoDB.
HashiCorp Boundary provides identity-aware access without requiring network-level trust. Instead of opening firewall ports or managing VPN connections, Boundary verifies user identity and grants just-in-time access to specific resources based on their authenticated identity and assigned permissions.
You can further enhance your security posture by integrating Vault and Boundary to allow identity-based access to target resources without exposing or sharing the target's credentials. Users authenticate to Boundary through a trusted identity provider, and Boundary retrieves dynamic credentials from Vault to access the target resource.
HashiCorp Terraform enables you to manage identity policies as code, ensuring consistent security configurations across all environments and making your identity perimeter auditable and version-controlled.
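As an added example that is not part of the HashiCorp documentation, the Terraform configuration below wires the three pieces described above together: Vault issues short-lived PostgreSQL credentials from a dynamic role, Boundary brokers those credentials to a user who has already authenticated through its identity provider, and the whole identity policy lives in version control. The hostnames, the `var.*` inputs, the scope and host set IDs, and the role names are assumptions, not values from the page.

```hcl
# Added example; hostnames, variables, and IDs below are assumptions.
resource "vault_mount" "db" {
  path = "database"
  type = "database"
}
resource "vault_database_secret_backend_connection" "postgres" {
  backend       = vault_mount.db.path
  name          = "app-postgres"
  allowed_roles = ["app-readonly"]   # only this role may mint creds here
  postgresql {
    connection_url = "postgresql://{{username}}:{{password}}@db.internal.example:5432/app"
  }
}
resource "vault_database_secret_backend_role" "readonly" {
  backend     = vault_mount.db.path
  name        = "app-readonly"
  db_name     = vault_database_secret_backend_connection.postgres.name
  default_ttl = 900   # credentials expire 15 minutes after issue
  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",  # least privilege
  ]
}

# Boundary reads the Vault role through a credential store; users never hold a DB password
resource "boundary_credential_store_vault" "vault" {
  name     = "vault-store"
  scope_id = var.boundary_project_id          # assumed Boundary project scope
  address  = "https://vault.internal.example:8200"
  token    = var.boundary_vault_token          # renewable token limited to database/creds/*
}

resource "boundary_credential_library_vault" "db" {
  name                = "app-readonly"
  credential_store_id = boundary_credential_store_vault.vault.id
  path                = "database/creds/app-readonly"
  http_method         = "GET"
}

# Target: identity-aware TCP access with the Vault credential brokered per session
resource "boundary_target" "postgres" {
  name                           = "app-postgres"
  type                           = "tcp"
  scope_id                       = var.boundary_project_id
  default_port                   = 5432
  session_max_seconds            = 900         # session and credential lifetimes aligned
  host_source_ids                = [var.postgres_host_set_id]   # assumed host set
  brokered_credential_source_ids = [boundary_credential_library_vault.db.id]
}
```

Because the credential is leased to the Boundary session, it is revoked in Vault when the session ends, so a captured password is useful only for minutes and every issuance is visible in the Vault audit log.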
HashiCorp resources:
- Follow the principles of least privilege
- Implement strong authentication and authorization mechanisms
- Use ephemeral, short-lived credentials
- Implement a data classification scheme
- Generate dynamic secrets in Vault
- OIDC authentication to Boundary using Okta
- OIDC authentication to Vault using Okta
- Connect to Kubernetes using Boundary and Vault
External resources:
- What is identity and access management (IAM)?
- Zero trust architecture
- The real AI risk isn’t AGI — it’s unregulated machine identity
Next steps
In this section of Secure infrastructure, you learned why it is important to shift to using identity as the new security perimeter. Focusing security programs around identity allows you to create a more comprehensive security strategy. How to secure cloud infrastructure with identity-based access control is part of the Secure systems pillar.
Following these documents in order ensures a logical progression through the key concepts and best practices, helping you build a strong foundation for your organization's security program.