A new open source project aims to unify incompatible cloud identity systems such as Microsoft Azure, Amazon Web Services (AWS), and Google Cloud, allowing users to apply consistent identity and access policies across multiple cloud platforms. According to Strata Identity, the project consists of Hexa, an open-source technology, and IDQL, a new common policy format for defining identity access policies; together they manage access policies across multiple clouds, on-premises systems, and vendors.
The announcement follows research that revealed the security risks of mismanaged, overly permissive cloud identities, which give attackers a path into cloud infrastructure. Strata Identity stated in a press release that today's popular cloud platforms each use a proprietary identity system with its own policy language, and that these systems are incompatible with one another. Furthermore, according to the same release, each application must be hard-coded to work with a specific identity system.
According to Strata Identity, Hexa was designed to use IDQL to allow any number of identity systems to work together as a unified whole without requiring changes to the systems or applications. The vendor says it works by abstracting identity and access policies from cloud platforms, authorization systems, data resources, and zero trust networks: it discovers what policies exist, then translates them from their native syntax into the generic, declarative IDQL policy format.
It then orchestrates identity and access instructions across cloud systems, apps, data resources, platforms, and networks by translating the IDQL policies back into each target system's native, imperative policies via a cloud-based architecture. IDQL enables access policies to move freely between proprietary identity systems, much as Kubernetes transformed computing by allowing applications to move from one machine to another, said Eric Olden, CEO of Strata Identity.
The use of IDQL as a lingua franca for authorisation policies, according to Jack Poller, senior analyst at Enterprise Strategy Group, is a novel approach to unifying identity and access across modern, hybrid multi-cloud IT architectures.
Cloud identities pose serious security risks to organisations that are struggling to manage and configure identity and access management (IAM) across cloud environments. In the report Identity and Access Management: The First Line of Defense, researchers from Palo Alto Networks' Unit 42 examined more than 680,000 identities across 18,000 cloud accounts and over 200 different organisations to understand their configurations and usage patterns, finding that 99 percent of cloud users, roles, services, and resources were granted excessive permissions that were left unused.
“For the first time ever, you can unify and centrally manage your policies not only north to south, but also east to west across any CSP [cloud service provider], or virtually any endpoint in your solution architecture,” commented Tom Malta, global identity and access management leader and IDQL working group member.