TL;DR: Hybrid infrastructure creates identity fragmentation, static credential sprawl, and weak visibility because cloud and on-prem systems do not share a common trust root, according to Teleport’s guide. The practical answer is to move access decisions into the identity layer with short-lived certificates, workload identity, and protocol-level enforcement rather than relying on VPNs and bastions.
NHIMG editorial — based on content published by Teleport: Guide to unifying identity across cloud and data center infrastructure
By the numbers:
- 67% of organizations polled reported a heavy reliance on static credentials such as passwords, API keys, and long-lived tokens.
- Those same organizations also reported a 20-percentage-point increase in security incidents compared to those with low static credential reliance.
- Only 5.7% of organizations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams unify identity across cloud and data center environments?
A: Start by standardizing trust anchors, then issue short-lived credentials from a shared authority, and finally enforce access at the protocol layer.
Q: What is the difference between network controls and identity controls for infrastructure access?
A: Network controls decide whether a connection can reach a system, while identity controls decide whether a specific user, workload, or machine should use that system.
Q: Why do static credentials create more risk in hybrid infrastructure?
A: Static credentials tend to spread across sites, survive role changes, and remain valid long after the original need has passed.
Practitioner guidance
- Inventory every static credential path across hybrid sites: map SSH keys, API keys, tokens, shared passwords, and certificate issuers by environment, owner, and expiry so you can see where identity is fragmented.
- Adopt short-lived credentials for human and machine access: replace durable secrets with time-bound certificates wherever possible, and make expiry automatic rather than dependent on manual revocation workflows.
- Anchor enrollment in hardware or cluster trust: use TPM attestation for servers and signed cluster identity for Kubernetes so bootstrap secrets are not the default trust mechanism.
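As an added illustration of the inventory and short-lifetime points above (example code written for this editorial, not code from Teleport or its guide): a small Python audit over a constructed credential inventory that flags durable secrets, secrets still present past their expiry, and whether any trust root is shared by every site. The 12-hour threshold, credential names, owners, issuers and site labels are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy: anything valid longer than this counts as a durable ("static") secret.
MAX_LIFETIME = timedelta(hours=12)

@dataclass(frozen=True)
class Credential:
    name: str
    kind: str                       # ssh_key, api_key, token, password, cert
    site: str                       # cloud, datacenter, colo
    owner: str
    issuer: str                     # the trust root that minted it
    issued_at: datetime
    expires_at: Optional[datetime]  # None means it never expires

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the constructed data
UTC = timezone.utc

# Constructed sample inventory; every name, owner and issuer here is made up.
INVENTORY = [
    Credential("deploy-ssh-key", "ssh_key", "datacenter", "platform", "manual-ssh",
               datetime(2021, 3, 1, tzinfo=UTC), None),
    Credential("ci-api-key", "api_key", "cloud", "ci", "cloud-iam",
               datetime(2023, 1, 10, tzinfo=UTC), datetime(2024, 1, 10, tzinfo=UTC)),
    Credential("k8s-user-cert", "cert", "cloud", "alice", "central-ca",
               NOW - timedelta(hours=2), NOW + timedelta(hours=6)),
    Credential("db-host-cert", "cert", "datacenter", "dba", "central-ca",
               NOW - timedelta(hours=1), NOW + timedelta(hours=7)),
    Credential("legacy-vpn-password", "password", "colo", "netops", "colo-radius",
               datetime(2020, 5, 5, tzinfo=UTC), None),
]

def is_static(cred: Credential, max_lifetime: timedelta = MAX_LIFETIME) -> bool:
    """A credential is static if it never expires or lives longer than max_lifetime."""
    if cred.expires_at is None:
        return True
    return cred.expires_at - cred.issued_at > max_lifetime

def audit(inventory, now=NOW, max_lifetime=MAX_LIFETIME) -> dict:
    """Report static paths, stale-but-present secrets and trust-root spread per site."""
    static = sorted(c.name for c in inventory if is_static(c, max_lifetime))
    stale = sorted(c.name for c in inventory
                   if c.expires_at is not None and c.expires_at < now)
    issuers_by_site: dict = {}
    for c in inventory:
        issuers_by_site.setdefault(c.site, set()).add(c.issuer)
    # Sites share a trust root only if at least one issuer appears in every site.
    shared_roots = set.intersection(*issuers_by_site.values()) if issuers_by_site else set()
    return {"static": static, "stale": stale,
            "issuers_by_site": {s: sorted(i) for s, i in issuers_by_site.items()},
            "fragmented": not shared_roots}

if __name__ == "__main__":
    for key, value in audit(INVENTORY).items():
        print(f"{key}: {value}")
```

In the constructed data the colo site trusts only its own RADIUS issuer, so the audit reports the estate as fragmented even though cloud and datacenter already share `central-ca`.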
The operational shift is toward portable identity, short lifetimes, and explicit policy boundaries instead of inherited network trust.
Read Teleport's guide on unifying identity across cloud and data center infrastructure.
A few things worth adding from our research at NHI Mgmt Group.
Identity fragmentation is now a control-plane failure, not a convenience issue. When cloud, data center, and colocation environments each use their own trust model, access review becomes incomplete by design. The organization may think it has one infrastructure estate, but its identity layer behaves like many disconnected estates. Practitioners should treat shared trust roots as a prerequisite for consistent governance.
A few things that frame the scale:
- Only 5.7% of organizations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organization is notified, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: Should organizations prioritize short-lived certificates before replacing VPNs and bastions?
A: Yes, because short-lived certificates address the root problem of durable credential exposure, while VPNs and bastions mainly reshape the network path. Once identities are time-bound and resource-specific, network chokepoints become less critical and easier to phase down. The order matters: fix identity first, then simplify the network architecture around it.
Read our full editorial: Unifying identity across hybrid infrastructure requires new controls.