Multicloud is a reality for many organizations – whether by design or accident. And when applications and data are deployed across multiple cloud environments, creating and managing consistent identity access policies becomes a challenge.
Hexa is a new open source project from identity orchestration company Strata Identity to unify disparate cloud identity systems and allow consistent policies. Since each cloud provider has its own tool and policy format, Hexa relies on IDQL, a common policy format for defining identity access policies, Strata says.
Each cloud provider relies on proprietary identity systems and its own policy languages to create and manage identity and access on its platform. Most security engineers tend to be well-versed in one, maybe two, of the public clouds, but rarely more than that. In the era of multicloud, however, security engineers need to be able to create, read, and manage policies across multiple environments and be able to keep up with changing tools and new capabilities. IDQL is the universal declarative policy language that can translate policies into the individual provider’s proprietary format, says Gerry Gebel, Strata Identity’s head of standards. Hexa is the reference software built on top of the IDQL policy language and handles the tasks of discovering, translating, and orchestrating policies across cloud environments, he says.
“Hexa is the open source reference software that brings IDQL to life and makes it operational in the real world,” Gebel says.
Case for Managing Cloud Identities
In a recent Dark Reading Report on the state of cloud computing, just 19% of respondents said their organizations work with only one cloud provider, while 43% said they worked with two to three providers. There are many reasons why organizations may be juggling multiple cloud providers. Organizations may require multicloud for redundancy and resiliency – such as one provider experiencing an outage – or to meet regulatory requirements about where the data could be stored. In some organizations, cloud infrastructure may have been originally set up without IT’s awareness, which is why the provider and policies may not be in sync with others.
Regardless of the reasons that led to multicloud, identity and access need to be consistent and managed. In a report from Palo Alto Networks, Unit42 researchers analyzed more than 680,000 identities across 18,000 cloud accounts and over 200 different organizations, and found 99% of cloud users, roles, services, and resources were granted excessive permissions. Not only were the permissions excessive, they were also left unused for 60 days, the report found.
Misconfigured identities are behind 65% of detected cloud security incidents, Unit42 said. Threat actors can abuse these identities and move laterally through the cloud environment or expand the pool of systems they can target.
Strata Identity’s own research found that only 25% of respondents said they have visibility into multicloud access policies.
A Universal Policy Language
Each cloud provider has its own identity system, and each application has to be hard-coded to work with that identity system. If the application is to work on multiple cloud platforms, traditionally the application would have to be modified for each one. Hexa, however, has been designed to use IDQL to bring multiple identity systems to work together as a unified whole and not have to make changes to the applications, according to Strata Identity. For policy discovery, Hexa abstracts identity and access policies from cloud platforms, authorization systems, data resources, and zero-trust networks.
Strata Identity set up an example multiregional banking application to demonstrate Hexa and its policy discovery management capabilities, Gebel says. The US region in this scenario deploys the application on Google Cloud Platform using App Engine, while another two regions rely on Kubernetes. Hexa connects to the Google Cloud instance to discover the resources and associated policies, and then converts the policies into IDQL. The analyst can make changes to the policies and then use Hexa to translate the new policies back into GCP format and push the changes on to the platform, he explains.
Hexa handles policy discovery by analyzing the environment to discover applications and resources being used and creating an inventory of all existing policies, users, and roles. Security teams have a comprehensive view of all the policies in place once they have been retrieved and translated into IDQL. Organizations can potentially develop tools to analyze the IDQL for any policy gaps, duplicates, or other error conditions. This capability is not in the open source Hexa, Gebel says, but it is something organizations can do on their own after converting to IDQL.
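The discover, edit, translate-back cycle described for the banking demo, and the duplicate analysis an organization might build on top of the common format, can be sketched in a few dozen lines of Go (Hexa's own language). The following is an added example written for this article, not code from the Hexa project: the provider binding shape, the `Policy` struct, the role-to-action table, and the sample bindings are all constructed assumptions, and the common format is an IDQL-like simplification rather than the real IDQL schema.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ProviderBinding is a constructed stand-in for one cloud provider's native
// role binding (one role granted to several members on one resource). It is
// loosely modelled on an IAM binding and is NOT a real provider format.
type ProviderBinding struct {
	Resource string
	Role     string
	Members  []string
}

// Policy is the provider-neutral form assumed for this example. The field
// names are an IDQL-like simplification, not the real IDQL schema.
type Policy struct {
	Subjects []string
	Actions  []string // abstract actions such as "read" and "write"
	Object   string
}

// roleToActions is a constructed mapping from provider roles to abstract
// actions; a real translator would carry one such table per provider.
var roleToActions = map[string][]string{
	"roles/viewer": {"read"},
	"roles/editor": {"read", "write"},
}

// actionKey gives a canonical, order-independent key for a set of actions.
func actionKey(actions []string) string {
	c := append([]string(nil), actions...)
	sort.Strings(c)
	return strings.Join(c, ",")
}

// Discover translates native bindings into common-format policies. An unknown
// role is an error rather than a silent drop: a policy lost in translation
// would be invisible to the analyst reviewing the inventory.
func Discover(bindings []ProviderBinding) ([]Policy, error) {
	var out []Policy
	for _, b := range bindings {
		actions, ok := roleToActions[b.Role]
		if !ok {
			return nil, fmt.Errorf("no translation for role %q on %s", b.Role, b.Resource)
		}
		out = append(out, Policy{
			Subjects: append([]string(nil), b.Members...),
			Actions:  append([]string(nil), actions...),
			Object:   b.Resource,
		})
	}
	return out, nil
}

// Overlaps reports "subject object" pairs that more than one policy grants,
// the kind of duplicate that only becomes visible once every provider's
// policies sit in one format. Values are the number of policies granting it.
func Overlaps(policies []Policy) map[string]int {
	counts := map[string]int{}
	for _, p := range policies {
		for _, s := range p.Subjects {
			counts[s+" "+p.Object]++
		}
	}
	for k, n := range counts {
		if n < 2 {
			delete(counts, k)
		}
	}
	return counts
}

// RemoveSubject is the analyst's edit step, done on the common format only:
// drop a subject from every policy on the object; policies left with no
// subjects are dropped so no empty binding is pushed back.
func RemoveSubject(policies []Policy, subject, object string) []Policy {
	out := make([]Policy, 0, len(policies))
	for _, p := range policies {
		if p.Object == object {
			var kept []string
			for _, s := range p.Subjects {
				if s != subject {
					kept = append(kept, s)
				}
			}
			if len(kept) == 0 {
				continue
			}
			p.Subjects = kept
		}
		out = append(out, p)
	}
	return out
}

// Render translates common-format policies back into native bindings for the
// push step. An action set with no exactly matching role is an error: the
// translator must never substitute a broader role to make the policy fit.
func Render(policies []Policy) ([]ProviderBinding, error) {
	actionsToRole := map[string]string{}
	for role, actions := range roleToActions {
		actionsToRole[actionKey(actions)] = role
	}
	var out []ProviderBinding
	for _, p := range policies {
		role, ok := actionsToRole[actionKey(p.Actions)]
		if !ok {
			return nil, fmt.Errorf("no role grants exactly %v on %s", p.Actions, p.Object)
		}
		out = append(out, ProviderBinding{Resource: p.Object, Role: role, Members: append([]string(nil), p.Subjects...)})
	}
	return out, nil
}

// SampleBindings is constructed input standing in for what discovery would
// read from one region's deployment; none of these names are real.
var SampleBindings = []ProviderBinding{
	{Resource: "apps/bank-us", Role: "roles/viewer", Members: []string{"group:auditors", "user:alice@example.com"}},
	{Resource: "apps/bank-us", Role: "roles/editor", Members: []string{"user:alice@example.com"}},
}

func main() {
	policies, err := Discover(SampleBindings)
	if err != nil {
		panic(err)
	}
	fmt.Println("overlapping grants:", Overlaps(policies))
	edited := RemoveSubject(policies, "user:alice@example.com", "apps/bank-us")
	bindings, err := Render(edited)
	if err != nil {
		panic(err)
	}
	for _, b := range bindings {
		fmt.Printf("%s %s %v\n", b.Resource, b.Role, b.Members)
	}
}
```

The two error paths are the part worth copying: a translator that quietly drops roles it does not understand, or rounds an action set up to the nearest available role, would give the analyst a view that is either incomplete or more permissive than what was written, which is exactly the excess-permission problem the Unit42 figures above describe.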
While it may seem that IDQL adds a layer of complexity to cloud identity access management, the reality is that organizations have to manage hundreds to thousands of cloud, SaaS, and on-premises apps, says Jack Poller, an ESG analyst covering identity and data security. Each application has a separate concept of identity and access authorization, and organizations are currently stuck with manually translating high level business access policies into each application’s own policy language or management tool.
"IDQL provides a lingua franca for authorization policies," Poller says. "Organizations can use Hexa or develop their own tools to orchestrate and automate access policies throughout the IT environment, closing the gaps that occur with manual policy management and ensuring continuous and consistent application of authorization policies."
IDQL and Hexa were created by some of the co-authors of Security Assertion Markup Language (SAML), the cross-platform standard for single sign-on that lets users move across cloud platforms and Web applications without re-entering their credentials. However, Gebel notes that IDQL should not be viewed as a replacement for modern standards such as the Open Policy Agent (OPA), but is "complementary to them."
OPA is a unified declarative policy language that enables cloud-native developers to "decouple policy from the service's code so you can release, analyze, and review policies (which security and compliance teams love) without sacrificing availability or performance," Poller says, noting that IDQL is very similar to OPA.
"Just as Kubernetes transformed computing by allowing applications to transparently move from one machine to another, IDQL enables access policies to move freely between proprietary identity systems," Eric Olden, CEO of Strata Identity and one of the co-authors of the SAML standard, said in a statement. "IDQL and Hexa eliminate identity silos in the cloud and on-premises by creating an intelligent, distributed identity system with one brain."