Governance & Standards

How to go from zero to a standard: Building IDQL/Hexa

IDQL is the new identity standard and Hexa is the reference software that makes IDQL operational. Hexa is an active CNCF Sandbox project. Strata recently hosted a panel webinar introducing a new identity standard to the world: “The Building of a New Identity Standard: Why the Multi-Cloud World Needs IDQL and Hexa to Unify Policy.” Here’s a quick summary of the highlights.


“It’s pretty well understood these days that most organizations are dealing with a multi-cloud challenge,” said Gerry Gebel, Head of Standards at Strata Identity during the webinar, The Building of a New Identity Standard. The new standard in the title is IDQL or Identity Query Language, and it was built to solve today’s multi-cloud identity challenges. 

“When we talk to customers, they have some combination of Google and Microsoft, and Amazon, maybe Okta or others as well,” Gebel continued. “And of course, within each of these systems and platforms, policies are configured differently. It’s all proprietary for each of those systems.”

Identity is now at the center of enterprise security, but because each cloud platform (the east-west axis) has a proprietary identity system, managing policy across different clouds has become untenable. The more clouds are added, the bigger the challenge becomes. Standards exist to help manage policies, but the available standards weren’t built for the complexity of multi-cloud.

“Then that’s further compounded when you think of the north-south axis,” added Gebel. “It’s not just about the applications, but the network, the data layer, and the platform itself. So in each of those technology areas, you have, again, another array of different policies and different techniques for managing access. And then, of course, we still have a fair amount of legacy systems on-premises that haven’t fully migrated to the cloud.”

In this disconnected world, how do you make the clouds interoperable from a security, identity, and access standpoint? Enter the new identity standard IDQL and its partner Hexa, the open-source reference software.

The IDQL/Hexa working group members

Building a new standard is a big deal that takes a lot of work and incredible teamwork among some great minds. IDQL and the Hexa Policy Orchestration software were built by a working group of identity industry leaders who saw the gap and set out to fill it.

The panelists on the Building of a New Identity Standard webinar are representatives of the larger IDQL/Hexa working group and include Eric Olden, CEO and Co-founder of Strata Identity; Bob Blakley, an Operating Partner at Team8; Neil Danilowicz, Principal Architect at Versa and an MEF member and editor; Mike Barinek, Lead Developer and Co-founder of Initial Capacity; and Tom Malta, a global leader in the IAM space.

Explaining how the IDQL standard & Hexa Policy Orchestration work together

IDQL and Hexa work coherently and consistently across enterprise platforms. Fundamentally, Hexa is a framework in which providers are built to integrate with the different components or technologies of the cloud stack. When connected to a target system, Hexa discovers the policies that already exist there, translates those bespoke policies into the IDQL format, and enables common management of all connected systems.

Administrators can then create or change policies in the IDQL format; Hexa translates them back into each system’s bespoke format and orchestrates publishing of the changes to the connected systems. This lets different sets of tools coexist while still producing identical results across all cloud environments and across policy administration in general.

“You have all these clouds that have different policies and the customers have to worry about doing policy in one cloud and then doing policy in the other cloud and working with all of the checks and balances just to make it consistent. That was becoming a problem. From on-premise to the cloud, the same set — that’s just in one layer. A lot of the same type of stuff that you want to do at the host level or the platform level, you also need to do at the network level and the data level,” said Neil Danilowicz.

What are the problems that IDQL/Hexa help to solve?

Existing standards such as SAML introduced distributed trust, single sign-on, and the ability to share context between organizations, applications, and sessions. Later standards like OAuth and XACML address authorization at runtime, that is, how we allow or deny different things to happen.

But the problems of multi-cloud are new, and so a new standard was needed to solve them.

“Multi-cloud and distributed architectures came on to the market quickly,” explained Eric Olden. “And, a lot of it brought new challenges and problems where you had a lot of fragmentation so things didn’t work together. It was very difficult to find a way to make things consistent and manageable.” 

Policy Management

“We looked at the ways to solve [the multi-cloud identity challenges] using the existing standards and a number that have been helpful and foundational to get identity to the cloud today are still going to be around,” said Olden. “IDQL doesn’t replace them, but it fills a gap that hadn’t been met before, specifically around policies.”

The commonality between all the systems — whether north/south or east/west — is that they all have policies. Yet, each policy is proprietary, because they weren’t ever designed to be interoperable. The idea of using multiple clouds wasn’t a thing even five or so years ago. 

To solve the interoperability problem, the IDQL/Hexa working group decided to build the standard starting from policies. Like other standards, IDQL and Hexa expand the openness of the market. That was the spark that lit the effort to build a new open-source, declarative identity standard.

User Provisioning 

Bob Blakley added, “In the early days of user provisioning in the enterprise, you had a bunch of different systems, each of which had a notion of identity, and each of which had a notion of access control. And you had a small group of administrators who needed to be able to create all of those policies and who needed them to be consistent because you had the same users being managed in all those systems.

“And you were trying to give them the same set of permissions to a set of resources across the business. And so a bunch of different companies — Sun, Oracle, and SailPoint [and more] all did the same thing. They all built a universe of connectors to all of the backend systems. Then put a single user interface on top of all of those connectors to create a comprehensible environment for administrators. That worked as long as you are going to be only on that system, but it was enormously duplicative of effort because everybody was providing connectors.”

Vendor lock-in

The other big problem was vendor lock-in. With each system being proprietary and not interoperable, companies became locked in with a particular vendor’s administrative framework. 

“So what IDQL is designed for is to provide one set of connectors via an open-source project and allow everybody who’s trying to create an administrative function for enterprise multi-cloud environments in their toolsets to write to the homogeneous interface of IDQL and create a great experience for administering things,” said Blakley.

Zero Trust

At the heart of achieving Zero Trust is consistency not just along the cloud-platform and on-premises legacy IdP axis, but also across the network, data, application, and identity layers.

“If we’re going to do zero trust at the network edge, then [we] need to make sure that everybody connecting is authenticated and authorized,” said Neil Danilowicz, explaining why Versa got on board with creating IDQL.

“You want to give that single pane of policy glass, if you will, to the customer. And if they want to do it at the application layer, or if they want to do it at the network layer, let them do it and let them reuse that definition as they see fit through a common language,” continued Danilowicz. 

What is the background behind the building of IDQL/Hexa?

How do you go from zero to a standard? That was the question the working group started with when it set out to build IDQL. As luck would have it, Eric Olden, Gerry Gebel, Bob Blakley, and others in the working group had done it before when SAML was built in the nineties — the standard that allowed for single sign-on and other modern cloud computing concepts.

The team started with a basic conceptual framework and embarked on a lot of customer development. The answers validated their hypothesis that a solution to the multi-cloud identity policy problem was needed.

“We talked with as many of the types of people as possible,” said Olden. “Not just in the application space where Strata has a lot of our focus, but we looked through the stack. If we can make policy orchestration work at the application, at the platform, at the data, and the network level, then its applicability is going to be exponentially more valuable [to everyone].”

“So we talked to technology providers and standards organizations like the MEF and others to say, look, join in with us. Let’s do this together. We don’t want this to be a proprietary product of any one company, but let’s put our best thinking together and create this working group.

“So we did that. And then we looked for an organization to contribute this to, and we’re looking to reach these cloud-native implementers who are also looking to the future. Where’s the market going? With that philosophy in mind, the Cloud Native Computing Foundation (CNCF) made a lot of sense.”

What’s next for IDQL/Hexa?

This is only the beginning for IDQL and Hexa. The working group is continuing to build and expand both the standard and the reference software. We are waiting on approval from the CNCF to become a formal sandbox project, but you don’t need to wait for that to jump into the ring with us. All who are interested in joining are encouraged to check out the Hexa/IDQL website.

In addition, a workshop for developers will be held in June 2022. Details are available at hexapolicyorchestration.com.