Every cloud provider has its own identity and access control system, which makes managing access consistently across multi-cloud deployments challenging.
On May 18, Strata Identity announced the availability of the Hexa open source project, which includes the new Identity Query Language (IDQL) Standard. The goal of Hexa and IDQL is to ease CloudOps across multiple clouds with an abstraction layer for identity and access control policies.
"Upon discovery, Hexa will translate existing policies from GCP [Google Cloud Platform], AWS, [Microsoft] Azure, or other systems where a connector has been built into the common IDQL format," Gerry Gebel, head of standards for Strata, told ITPro Today.
How Hexa and IDQL Work for Multi-Cloud Identity
Hexa is a newly written open source project, not code previously developed for or used in Strata's Maverics software. IDQL is a new declarative policy format created as part of the project.
Gebel said that Hexa implements three main functions:
- Discovery: Connect to target cloud system APIs and determine resources and policies that exist
- Translation: Upon discovery, translate existing policies into IDQL. Upon orchestration, translate IDQL back into the bespoke format of the target system
- Orchestration: Publish translated policies into the operational environment
While Hexa aims to provide an identity abstraction layer, it still needs the right credentials to access the identity and access management capabilities of a target cloud deployment.
"IDQL and Hexa won't cover every possible component within each cloud platform, at least not in the early days, so system administrators will still need to access cloud platforms to do some policy and configuration management," Gebel said.
A common way for organizations to manage access on-premises is through Microsoft Active Directory policies, which can sometimes be mapped to cloud credentials. Gebel explained that IDQL policies may contain references to groups that are managed in Active Directory.
"When a user logs into a business application that is controlled via IDQL policies, access can be granted or denied based on the user's group membership," he said.
Hexa Headed to the CNCF
Strata Identity has submitted the Hexa project to the Cloud Native Computing Foundation (CNCF) for possible inclusion as a sandbox project. The CNCF is home to an increasing number of cloud-native projects, including the Kubernetes container orchestration system.
The next major milestone for Hexa will be to gain CNCF approval, Gebel said. The CNCF Technical Oversight Committee meets again on June 14, and it has a backlog of applications to review.
The CNCF already has at least one other project dealing with cloud access — the Open Policy Agent (OPA). OPA provides policies for running containers and microservices. Gebel said that Hexa integrates with OPA today and the two co-exist in a complementary fashion.
"IDQL policies can be directly processed by an OPA server, so OPA systems can be one of the environments managed by a Hexa implementation," he said.