Governance & Standards

Introducing IDQL & Hexa: a new identity standard for Policy Orchestration

Hexa and IDQL

What’s especially valuable about IDQL/Hexa is it coordinates consistent policy across cloud platforms and the tech stack. This open-sourced, vendor-neutral approach is needed to expedite adoption across vendors, developers, and business users alike.
– Jack Poller, Senior Analyst for Enterprise Strategy Group (ESG)

Cloud computing
offers many benefits — agility, scalability, efficiency, and speed to name a few. Yet, it also creates big challenges for security and the administration of identity and access policies, especially with the rise of multi-cloud. Recent research reveals that the majority of organizations have at least three clouds and expect to use four or more by the end of 2022

Each cloud platform that your enterprise adopts has its own proprietary set of policies. Then, looking up and down your stack, each layer — application, identity, data, and network — has its own version of the policies. So, there’s a multiplying effect with all of the different combinations making it hard to understand which policies are even in place and almost impossible to manage them. 

When we talked to our customers as well as IT leaders and decision-makers about this topic, we heard a common refrain: “We want to have a common policy set that is independent of the target systems,” and “there isn’t a common way to express policy across all the systems we manage, and that is a huge gap that should be addressed.”

That’s where IDQL and Hexa come in and what I’m thrilled to be able to introduce to the world.

What is IDQL /Hexa? 

IDQL and Hexa are two sides of the same coin, each contributing their part to a Policy Orchestration solution. IDQL, or Identity Query Language, is the declarative, standardized policy language format that can be translated into a target system’s proprietary or bespoke access policy format.

On the other hand, Hexa is the open source reference implementation of the IDQL policy standard. Anyone can download and utilize the currently available connectors in the Hexa GitHub repo, or they can develop connectors for additional environments to expand the reach of Hexa.

How do IDQL and Hexa work?

Hexa is the open source project that makes IDQL operational in the real world by connecting to target systems and performing the three main functions of Discovery, Translation, and Orchestration. Together, IDQL and Hexa perform: 

Policy discovery

  • Analyzes and performs inventory of critical apps, data, and policies
  • Uncovers which apps exist and where they are
  • Finds what policies, users, and roles exist

Policy translation

  • Translates native, imperative policies into IDQL during policy discovery
  • Translates IDQL into native, imperative policies of the target system(s) during policy orchestration

Policy orchestration

  • Distributes policies to be enforced by identity providers (IdPs), clouds, IaaS, and network systems (does not replace existing runtime decision/enforcement mechanisms)
  • Works via a cloud-based architecture that does not require a proxy or local code
  • Uses an extensible, open source model that supports custom integrations

The Hexa architecture implements a provider framework enabling connectivity to a wide range of cloud platforms and technologies. Hexa connectors, or integrations, invoke the publicly available APIs of cloud-based and other systems to discover, translate, and orchestrate policy, as described above.

What are the benefits of IDQL and Hexa?

IDQL and Hexa act together to unify the very fragmented policies that IT administrators, information security officers, developers, and application owners struggle to manage today. With a more cohesive approach, enterprises will have increased visibility and control over sensitive resources. They will be able to report on access settings more accurately and enforce business and security rules in a much more consistent manner.

By utilizing IDQL and Hexa, any enterprise will gain many benefits, including:

  • Agentless and proxyless: Easily implement in minutes, without changing your infrastructure.
  • Distributed policy management: Orchestrate access policy securely through APIs, with no change required to target systems.
  • Universal access policy: Manage access policy that works across disparate systems to help enable a Zero Trust Architecture (ZTA).
  • Policy as code: Bring identity and access policy into code for large-scale automation.
  • Declarative policy: Understand who has access to which applications and data at a glance.
  • Vendor lock-in eliminated: Enjoy portability and vendor choice by breaking the lock-in to each cloud platform.

Why did the working group create IDQL/Hexa?

Developing and supporting industry standards has long been in the DNA of Strata and its founders. As co-authors of SAML, we know what it takes to collaborate with industry partners to bring a new standard to the market. This process starts with recognizing a need or gap within current identity standards when compared to the requirements of enterprise organizations. 

A core team of recognized industry pros was created to help refine the vision. Together, the IDQL format was defined, the first versions of the Hexa software were crafted, and preparations were made for submission to the Cloud Native Computing Foundation (CNCF).

Watch “The Building of a New Identity Standard” webinar to learn more about how to create a standard and reference software. 

IDQL Working Group MembersPersonally, I’ve been in and around identity standards for 20 years but have never been directly involved with creating an identity standard until now. As an analyst at Burton Group, I wrote reports about SAML (and other federation protocols) and hosted several interoperability demonstrations at the annual Catalyst Conference. Subsequently, I worked at Axiomatics — a supporter and implementer of the XACML standard. 

It’s been an incredibly gratifying experience to be on this side of the table and help to lead the effort in bringing IDQL and Hexa to life. That said, we are just getting started and have much more exciting work to do!

How can you get involved?

The IDQL/Hexa project is open to all participants, and we welcome your contribution! There are several ways that you can collaborate, depending on your interest, skill set, and availability. Vendor or enterprise representatives can participate in any of the roles below:

  • Supporter: Your membership signifies your support for the project and the community.
  • Contributor: Share your ideas on system design, use case requirements, and direction of the project.
  • Author: Roll up your sleeves and write some code! 
  • Reviewer: Provide feedback on the IDQL specification or do a code review of an existing Hexa connector or module.
  • Adopter: Implement IDQL and Hexa in your vendor product or enterprise – in a lab testing environment, pilot project, or production deployment.

To learn more about IDQL/Hexa, visit: or DM us on Twitter @hexapolicy. 

Gerry Gebel

Head of Standards