A new open source project aims to unify incompatible cloud identity systems such as Microsoft Azure, Amazon Web Services (AWS) and Google Cloud, giving users the ability to apply consistent identity and access policies across multi-cloud platforms.
Announced by identity orchestration firm Strata Identity, the project consists of Hexa, an open-source technology, and IDQL, a new common policy format that defines identity access policies, which combine to manage access policies across multi-clouds, on-premises systems, and vendors, the company said.
The news comes in the wake of research that laid bare the security risks surrounding mismanaged, overly-permissive cloud identities that open the door to attackers targeting cloud infrastructure.
Standard addresses multi-cloud identity silos, orchestrates policies across systems
In a press release, Strata Identity stated that current popular cloud platforms use proprietary identity systems with individual policy languages, all of which are incompatible with each other. What’s more, each application must be hard-coded to work with a specific identity system, it added.
Hexa has been designed to use IDQL to enable any number of identity systems to work together as a unified whole, without making changes to them or to applications, Strata Identity said. It works by abstracting identity and access policies from cloud platforms, authorisation systems, data resources, and zero trust networks to discover what policies exist, then translates them from their native syntax into the generic, IDQL declarative policy, the vendor continued.
It then orchestrates identity and access instructions across cloud systems and throughout apps, data resources, platforms, and networks by translating back into native, imperative policies of target systems via a cloud-based architecture.
“For the first time ever, you can unify and centrally manage your policies not only north to south, but also east to west across any CSP [cloud service provider], or virtually any endpoint in your solution architecture,” commented Tom Malta, global identity and access management leader, IDQL working group member.
“IDQL enables you to centrally manage disparate access policies in an abstraction layer as opposed to individually in each CSP.”
Just as Kubernetes transformed computing by allowing applications to transparently move from one machine to another, IDQL enables access policies to move freely between proprietary identity systems, added Eric Olden, CEO of Strata Identity.
Jack Poller, senior analyst at Enterprise Strategy Group, tells CSO the use of IDQL as a lingua franca for authorisation policies is a novel approach to unifying identity and access across modern, hybrid multi-cloud IT architectures.
“Further, Hexa, using IDQL, looks set to help organisations orchestrate and automate access policies throughout the IT environment, ensuring policy consistency and plugging the inevitable security gaps that occur with manual policy management.”
Mismanaged cloud identities pose significant cybersecurity risk
Cloud identities pose significant security threats to organisations struggling to effectively manage and configure identity and access management (IAM) across cloud environments.
In Identity and Access Management: The First Line of Defense, researchers from Palo Alto’s Unit 42 analysed more than 680,000 identities across 18,000 cloud accounts and over 200 different organisations to understand their configurations and usage patterns, revealing that 99 per cent of cloud users, roles, services, and resources grant excessive permissions that are left unused.
Adversaries who compromise such identities can leverage permissions to move laterally or vertically and expand the attack radius, the report read.