Governance & Standards

Hexa Policy Orchestration framework: Simplifying IAM policy for multi-cloud ecosystems (by Tom Malta)

Hexa Policy Orchestration logo and image of Tom Malta

In this guest post, IAM expert and global consultant Tom Malta shares his views on how Hexa and IDQL – a new and unique policy orchestration platform –  are set to disrupt the multi-cloud space. 

Using multiple cloud platforms delivers significant benefits to enterprises, such as improved redundancy, availability, and security. As a result, the multi-cloud approach has been steadily winning over more and more C-level decision-makers.  

However, with such transformative changes, many IT leaders have found complex cloud-related challenges that can impact business operations when expanding their suite of cloud service providers (CSPs). Outdated and manual systems for identity and access management (IAM) are consistently at the core of the problem. 

Thankfully, there’s a new solution that I’m confident will help enterprises easily and consistently orchestrate policies across the multi-cloud. As I recently expressed to industry leaders regarding their IAM strategic plans:

Any company struggling with managing identity and access across multi-cloud will benefit from Hexa and IDQL. For the first time, you can unify and centrally manage your policies north/south, but also east/west across any cloud service provider (CSP), or virtually any end-point in your solution architecture.

A new era: the business case for early multi-cloud adoption 

Having worked in the IAM space for over two decades, I’ve had the opportunity to be part of multiple migrations to the cloud (and then multi-cloud) and have gained many insights along the way. In recent years, as a consultant, I’ve advised many IT leaders about how to avoid pain points they may encounter when transitioning to multi-cloud, including:

  • Complicated and disparate identity systems. A whopping 40,000+ authentication and authorization patterns across the big three CSPs alone. Cloud deployments may become brittle in such vast environments. 
  • Risk of sub-optimum outcomes. Whether a failed deployment in the backend or inconsistent run-time behavior that adversely impacts end-users, these are real and costly risks to businesses. 
  • Lack of standardization across clouds.  Without standards, fragmentation and complexity often mean enterprises need separate support and development teams as well as numerous CI/CD deployment models. Authorization is not easily understood nor controlled, which increases risk and requires constant tweaking to ensure it’s right. 
  • Vendor lock-in. Contractual constraints associated with proprietary software are a common challenge that compounds complexity, increases costs, and limits flexibility. 

These types of challenges also arose frequently in a previous role I held while navigating multiple cloud deployments in an Azure environment. My team’s experiences demonstrate the magnitude of our problems while seeking solutions to these challenges. 

Let’s take a brief look at how we tackled the problem. 

Case study: from cloud to multi-cloud before automation

At the time, a brief outage had just impacted authentication via Microsoft, and the risks of exclusive reliance on a single CSP were of growing concern to our leadership team. 

I recommended adopting AWS as an alternate CSP to increase our readiness to migrate critical customer workloads in the event of a similar outage. But we found ourselves in uncharted territory with significant unknowns, including how to: approach a move to an alternate primary IdP, establish a baseline for services and deployments, preserve consistent, seamless services, and ensure the solution was readily deployable. 

Manually implementing changing permissions updates and policies was already a struggle. Finding skilled workers that understood the myriad of possible scenarios in a multi-cloud ecosystem was tricky, given the global shortage of cyber talent. 

We needed to engage developers and architects from the proposed alternate CSP. Quality assurance checks and pre-PROD validations were required to benchmark workloads under each CSP to ensure alignment of policies and permissions. 

At the time, no viable solutions were on the horizon. Even today, many C-level executives report the same pain points using this outdated (and costly) approach. The process is resource-intensive for testing, individual deployment, and ongoing policy management.

Related reading: State of Multi-Cloud Identity Report 2022 

Why standards make a difference

Ultimately, the friction can be traced back to the absence of standardization across the various CSPs and their associated policies and permissions. With no standardization today, there is also no easy way to leverage multi-cloud to its full capability using a manual process.

During consultations with senior leaders, I’ve discovered common needs, expectations, and priorities, including:

  • Consistency – how to baseline permissions and authorizations across CSPs to ensure uniformity.
  • Flexibility – CTOs and CIOs want greater flexibility, not custom policy development and multiple CI/CD deployments per CSP.  
  • Value – transitioning to micro-service-based architectures with exposed APIs requires individual CSP configurations that are costly, time-consuming, and misaligned. 

The bottom line is that the days of going all-in on one CSP are a relic of the past. To simplify the adoption of multi-cloud, we need a new approach to enable customers to modernize their infrastructure without increased cost, complexity, and risk. 

IDQL & Hexa: developing a new approach to modernize IAM

Enter IDQL & Hexa. IDQL, a new declarative identity policy language, and its open-source reference software, Hexa — an active CNCF Sandbox project, enable you to centrally manage disparate access policies in a common format instead of the bespoke policy syntaxes associated with each CSP. 

Hexa discovers all your policies and translates them to and from IDQL. Then, it orchestrates those policies back to each native cloud service in its imperative format.

Together, IDQL and Hexa solve many common IAM issues in multi-cloud ecosystems:

  1. Eliminates custom codingPolicy discovery, translation, and orchestration back to any CSP or end-point in your solution architecture.
  2. Avoids vendor lock-in – No agents nor proxies are involved. Hexa is purpose-built for the cloud. It runs natively and with your existing containerized deployments and CI/CD processes.
  3. Enables transparent policy governance – Hexa relies on centralized management of policies using declarative IDQL – one place to manage all CSP policies and one open-source standard to centralize all your multi-cloud needs.
  4. Increases flexibility – Orchestrate policies. Hexa is a hub going to and from your bespoke cloud deployments or any endpoint in your architecture.
  5. Supports scalability without increased costs – Hexa facilitates widespread adoption and community development. It allows the opportunity to co-source and co-develop service-specific or broad business use cases and patterns.

Hexa & IDQL: simplify policy orchestration for multi-cloud 

Supporting multi-cloud can be due to business needs changing or current CSPs not meeting expectations. Or perhaps other drivers like regulatory or geographical constraints have pushed you to use multiple clouds. 

Whatever the reason, it’s becoming increasingly difficult to solve the vast array of challenges that come with a fruit salad of CSPs, more commonly dubbed by me as the “apples, oranges, and bananas” problem. 

Rare are new approaches that truly disrupt the status quo in IAM (identity and access management). Yet, that is what IDQL/Hexa together are capable of achieving. Being born in the cloud as open-source (with no proxies or agents) and further supported by standards and industry consortiums like the CNCF, I expect widespread adoption similar to Kubernetes, Docker, or even going back to the early days of SAML.

It’s time to simplify what’s on your plate with the unique benefits and opportunities of Hexa with IDQL: 

  • Declarative and simple to understand, in human-readable format, no agents nor proxies to deploy at runtime.
  • One policy management tool reduces support, recruitment, and training costs.
  • Simplified CI/CD process with the capability to orchestrate and deploy to all endpoints simultaneously.   

To discover more about this solution for your multi-cloud challenges. ​​Join the IDQL/Hexa working group