hashicorp · jonathanfrappier · Nov 13, 2025 · Oct 24, 2025 · Oct 25, 2025 · Oct 30, 2025
@@ -393,6 +393,35 @@
           }
         ]
       },
+      {
+        "title": "Secure infrastructure",
+        "routes": [
+          {
+            "title": "Implement zero trust security",
+            "path": "secure-systems/infrastructure/zero-trust-security"
+          },
+          {
+            "title": "Identity is the new perimeter",
+            "path": "secure-systems/infrastructure/identity-new-perimeter"
+          },
+          {
+            "title": "Build a culture of security automation",
+            "path": "secure-systems/infrastructure/build-culture-security"
+          },
+          {
+            "title": "Manage network ingress and egress",
+            "path": "secure-systems/infrastructure/manage-network-ingress-egress"
+          },
+          {
+            "title": "Secure human access to infrastructure",
+            "path": "secure-systems/infrastructure/secure-access"
+          },
+          {
+            "title": "Prevent lateral movement",
+            "path": "secure-systems/infrastructure/prevent-lateral-movement"
+          }
+        ]
+      },
       {
         "title": "Secure secrets",
         "routes": [
@@ -431,17 +460,9 @@
           }
         ]
       },
-      {
-        "title": "Prevent lateral movement",
-        "path": "secure-systems/prevent-lateral-movement"
-      },
       {
         "title": "Validate software integrity",
         "path": "secure-systems/validate-software-integrity"
-      },
-      {
-        "title": "Implement zero trust security",
-        "path": "secure-systems/zero-trust-security"
       }
     ]
   },

@@ -0,0 +1,125 @@
+---
+page_title: Build a culture of security automation
+description: Learn how to build security into your organization's culture.
+---
+
+# Build a culture of security automation
+
+Security is no longer a separate function in modern
+infrastructure. Organizations must incorporate security in all phases of
+infrastructure deployment and software development lifecycles (SDLC).
+
+Waiting for security teams to review and approve changes manually can lead to delays, increased risk of human error, and inconsistent security practices. Waiting for audits and compliance checks to verify your security program does not allow you to respond to emerging threats, leaving your organization vulnerable.
+
+When you build a culture of security automation, you integrate security practices and
+tools into your organization's culture, processes, and workflows. Approaching
+security as a necessary part of your organization's culture, you can:
+
+**Developer Experience:**
+
+- Developers get immediate feedback on security issues through their workflows.
+- Security becomes part of the development workflow, not an external gatekeeper.
+- Learning happens in context when teams discover security issues.
+
+**Operations Teams:**
+
+- Infrastructure security through familiar code-based workflows.
+- Security policies enforced and deployed automatically, reducing manual oversight burden.
+- Compliance becomes a byproduct of standard operations rather than a special process.
+
+**Security Teams:**
+
+- Shift from being gatekeepers to being enablers and consultants.
+- Focus on defining policies and standards rather than manual reviews.
+- Gain visibility into security posture across the entire organization.
+
+## What is security automation?
+
+Security automation involves using tools and processes to automate security
+tasks, such as scanning for vulnerabilities, managing secrets, applying
+security patches, and monitoring for threats. You can automate these
+tasks as code, instead of performing the tasks manually. By automating tasks
+like policy provisioning, or scanning for secrets, your security posture improves.
+
+<VideoEmbed url="http://youtube.com/watch?v=eamE18_WrW0"/>
+
+Another important aspect of security automation and building a culture around
+security is understanding that various compliance standards do not inhibit
+innovation. It can be easy to blame compliance requirements for slowing down
+development and infrastructure innovation. However, when you teach teams that
+security and compliance give you the necessary guardrails to innovate, you can
+build a culture that embraces security.
+
+## Deploy security as code with Terraform
+
+You can adopt security as code practices using Terraform to automate
+the deployment of security [policies as
+code](/well-architected-framework/secure-systems/compliance-and-governance/policy-as-code)
+in your infrastructure. You can manage policies for HashiCorp Vault, Boundary,
+and Sentinel, as well as policies for public cloud providers and orchestration
+platforms like Kubernetes and Nomad.
+
+You can also use Terraform to manage common infrastructure components such as
+user accounts, firewall configurations, and network settings.
+
+- **Security policies become testable code:** Teams can unit test, peer review, and version control security configurations just like application code.
+- **Prevents configuration drift:** Automated detection when infrastructure deviates from secure baselines, encouraging teams to maintain security standards.
+- **Enables security guardrails:** Terraform can enforce organization-wide security policies that prevent non-compliant infrastructure deployment.
+- **Democratizes security knowledge:** Security configurations are documented in code, making security requirements visible and understandable to all team members.
+- **Creates security feedback loops:** Failed deployments due to security violations become learning opportunities rather than blame events.
+
+This shifts security from being a "blocker" to being an integral part of how you
+design and deploy infrastructure.
+
+## Shift security left with HCP Vault Radar
+
+Security teams can help shift security left with HCP Vault Radar. Shifting security
+left means software and infrastructure as code (IaC) developers integrate security tools into their
+development process. HCP Vault Radar [scans for
+secrets](/well-architected-framework/secure-systems/secrets/manage-leaked-secrets)
+in source code during development, or once they commit their code to a version
+control system (VCS) such as GitHub.
+
+- **Continuous education:** Integrating scanning into the software development
+  lifecycle helps developers understand how secrets leak.
+- **Immediate feedback:** Real-time alerts when developers commit secrets help
+  improve secure coding practices.
+- **Integration with development workflows:** Security scanning becomes part of
+  the development process, not a separate security audit.
+- **Cross-team visibility:** Security teams can see patterns and provide
+  targeted training based on actual findings.
+
+
+HashiCorp resources:
+
+- [Correlate HCP Vault Radar findings with HCP Vault](/hcp/tutorials/hcp-vault-radar-operations)
+- [Boundary credential brokering with Vault](/boundary/tutorials/credential-management/hcp-vault-cred-brokering-quickstart)
+- [Enforce policies in HCP Terraform using Sentinel](/terraform/tutorials/policy/policy-quickstart)
+
+External resources:
+
+- [NIST cyberssecurity framework](https://www.nist.gov/cyberframework)
+- [Navigating behavioral change in security awareness and culture](https://www.ibm.com/think/insights/security-awareness-culture)
+- [Why Culture Is the First Line of Defense in the Age of Agentic AI](https://www.cio.com/article/4043094/why-culture-is-the-first-line-of-defense-in-the-age-of-agentic-ai.html)
+
+## Next steps
+
+In this section of how to Secure infrastructure, you learned why it is important to
+build a culture where security is integrated into every aspect of your
+organization's operations. Build a culture of security automation is part of the [Secure systems
+pillar](/well-architected-framework/secure-systems).
+
+Following these documents in order ensures a logical progression through the key
+concepts and best practices, helping you build a strong foundation for your
+organizations security program.
+
+- Integrate Terraform and Vault into common industry
+workflows, such as
+[GitOps](/well-architected-framework/define-and-automate-processes/process-automation/gitops)
+to further automate security practices.
+- [Implement zero trust security and networking](/well-architected-framework/secure-systems/infrastructure/zero-trust-security)
+- [How to secure cloud infrastructure with identity-based access control](/well-architected-framework/secure-systems/infrastructure/identity-new-perimeter)
+- [Build a culture of security automation](/well-architected-framework/secure-systems/infrastructure/build-culture-security) **(this document)**
+- [Secure network traffic with ingress and egress](/well-architected-framework/secure-systems/infrastructure/manage-network-ingress-egress)
+- [Secure human access to infrastructure](/well-architected-framework/secure-systems/infrastructure/secure-access)
+- [Prevent lateral movement](/well-architected-framework/secure-systems/infrastructure/prevent-lateral-movement)
@@ -0,0 +1,119 @@
+---
+page_title: How to secure cloud infrastructure with identity-based access control
+description: Identity is the new perimeter. Learn zero trust security, dynamic credentials, MFA, and least privilege access for cloud infrastructure.
+---
+
+# Identity-based security for modern infrastructure
+
+Modern infrastructure encompasses a mix of on-premises, cloud, and
+software-as-a-service (SaaS) workloads. Securing modern infrastructure requires
+a shift in focus to securing access to resources using identities, as the network
+perimeter is no longer a reliable security boundary.
+
+Identity has become the new perimeter for securing modern infrastructure.
+Instead of relying on network security tools to secure access to resources,
+organizations must focus on securing user and machine identities. In addition to
+shifting focus to identities, organizations must also ensure all services meet the following criteria:
+
+- **Follow the principle of least privilege:** Grant the minimum access necessary to perform their tasks.
+- **Use strong authentication and authorization mechanisms:** Implement robust sign-in workflows, including multi-factor authentication (MFA), to access resources.
+- **Use ephemeral credentials:** Use ephemeral, short-lived credentials to reduce the risk of credential theft.
+- **Classify data:** Implement a data classification scheme for all services.
+- **Isolate workloads and resources:** Limit the effect of potential security breaches.
+- **Continuously monitor and audit access:** Detect and respond to potential threats.
+
+<VideoEmbed url="https://www.youtube.com/watch?v=JrYBni2ojyE"/>
+
+## Benefits of identity-based security
+
+Every user, machine, or service has an identity. Leveraging the identities of
+your users through an identity provider (IdP) allows you to manage access to
+resources more effectively. You can also leverage trusted platforms, such as
+your cloud provider or self-managed infrastructure-as-a-service (IaaS)
+platforms, to verify a workload's identity.
+
+By adopting identity as the new perimeter, organizations can build a more secure
+infrastructure that is better equipped to handle the challenges of modern
+workloads.
+
+Shifting security focus to identities provides several benefits:
+
+- **Improved security**: By focusing on securing identities, organizations can
+  better protect against threats such as phishing, credential theft, and
+  insider threats.
+- **Greater flexibility**: Identity-based security allows organizations to
+  securely manage access to resources across a mix of on-premises, cloud, and
+  SaaS workloads.
+- **Enhanced user experience**: Identity-based security can provide a more
+  seamless user experience, reducing the need for users to remember multiple
+  passwords or navigate complex network security tools.
+- **Better compliance**: Identity-based security can help organizations meet
+  regulatory requirements by providing better visibility and control over
+  access to sensitive data and resources.
+
+<VideoEmbed url="https://www.youtube.com/watch?v=5uNifnVlBy4"/>
+
+## Implement zero trust with Vault and Boundary
+
+HashiCorp Vault allows you to adopt ephemeral, dynamic credentials, replacing
+long-lived credentials with short-lived ones to reduce the risk of credential
+theft. Vault dynamic credentials support multiple cloud providers like Amazon Web
+Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), as well as
+databases like MySQL, PostgreSQL, and MongoDB.
+
+HashiCorp Boundary provides identity-aware access without requiring
+network-level trust. Instead of opening firewall ports or managing VPN
+connections, Boundary verifies user identity and grants just-in-time access to
+specific resources based on their authenticated identity and assigned
+permissions.
+
+You can further enhance your security posture by integrating Vault and Boundary
+to allow identity-based access to target resources without exposing or sharing
+the target's credentials. Users authenticate to Boundary through a trusted
+identity provider, and Boundary retrieves dynamic credentials from Vault to
+access the target resource.
+
+HashiCorp Terraform enables you to manage identity [policies as
+code](/well-architected-framework/secure-systems/compliance-and-governance/policy-as-code),
+ensuring consistent security configurations across all environments and making
+your identity perimeter auditable and version-controlled.
+
+HashiCorp resources:
+
+- Follow the principles of [least
+  privilege](/well-architected-framework/secure-systems/identity-access-management/grant-least-privilege)
+- Implement [strong authentication and authorization
+  mechanisms](/well-architected-framework/secure-systems/identity-access-management/implement-strong-sign-in-workflows)
+- Use [ephemeral, short-lived
+  credentials](/well-architected-framework/secure-systems/identity-access-management/use-dynamic-credentials)
+- Implement a [data classification
+  scheme](/well-architected-framework/secure-systems/data/classify-data)
+- [Generate dynamic secrets in Vault](/vault/tutorials/db-credentials)
+- [OIDC authentication to Boundary using Okta](/boundary/tutorials/identity-management/oidc-okta)
+- [OIDC authentication to Vault using Okta](/vault/tutorials/auth-methods/vault-oidc-okta)
+- [Connect to Kubernetes using Boundary and Vault](/boundary/tutorials/kubernetes-connect)
+
+External resources:
+
+- [What is identity and access management (IAM)?](https://www.ibm.com/think/topics/identity-access-management)
+- [Zero trust architecture](https://www.nist.gov/publications/zero-trust-architecture)
+- [The real AI risk isn’t AGI — it’s unregulated machine identity](https://www.cio.com/article/4075672/the-real-ai-risk-isnt-agi-its-unregulated-machine-identity.html)
+
+## Next steps
+
+In this section of how to Secure infrastructure, you learned why it is important to
+shift to using identity as the new security perimeter. Focusing security
+programs around identity allows you create a more comprehensive security
+strategy. How to secure cloud infrastructure with identity-based access control is part of the [Secure systems
+pillar](/well-architected-framework/secure-systems).
+
+Following these documents in order ensures a logical progression through the key
+concepts and best practices, helping you build a strong foundation for your
+organization's security program.
+
+- [Implement zero trust security and networking](/well-architected-framework/secure-systems/infrastructure/zero-trust-security)
+- [How to secure cloud infrastructure with identity-based access control](/well-architected-framework/secure-systems/infrastructure/identity-new-perimeter) **(this document)**
+- [Build a culture of security automation](/well-architected-framework/secure-systems/infrastructure/build-culture-security)
+- [Secure network traffic with ingress and egress](/well-architected-framework/secure-systems/infrastructure/manage-network-ingress-egress)
+- [Secure human access to infrastructure](/well-architected-framework/secure-systems/infrastructure/secure-access)
+- [Prevent lateral movement](/well-architected-framework/secure-systems/infrastructure/prevent-lateral-movement)