Hexa Policy Orchestration Framework: simplifying IAM policy for multi-cloud ecosystems (by Tom Malta)
In this guest post, IAM expert and global consultant Tom Malta shares his views on how Hexa and IDQL, a new and unique platform for policy orchestration, are poised to disrupt the multi-cloud space.
Using multiple cloud platforms gives enterprises significant benefits, such as redundancy, availability and improved security. As a result, the multi-cloud approach has been winning over more and more C-level decision makers.
However, with such transformative changes, many IT leaders have run into complex cloud-related challenges that can impact business operations when they expand their set of cloud service providers (CSPs). Outdated systems and manual processes for identity and access management (IAM) are consistently at the heart of the problem.
Thankfully, there is a new solution that I am confident will help businesses orchestrate policies in an easy and consistent way across multiple clouds. As I recently put it to industry leaders discussing their IAM strategic plans:
Any company struggling with identity management and multi-cloud access will benefit from Hexa and IDQL. For the first time, you can centrally merge and manage your policies not only North / South but also East / West, in any cloud service provider (CSP) or virtually any endpoint in your solution architecture.
A new era: the business case for the early adoption of multi-cloud
After working in the IAM space for over twenty years, I have been part of multiple migrations to the cloud (and later to multi-cloud) and learned a lot along the way. In recent years, as a consultant, I have advised many IT leaders on how to avoid the pain points they may encounter when transitioning to multi-cloud, including:
- Complicated and divergent identity systems. There are 40,000+ authentication and authorization permutations across the three major CSPs alone, and cloud deployments can become fragile in such vast environments.
- Risk of sub-optimal results. Whether a failed backend deployment or inconsistent runtime behavior that adversely affects end users, these are real and costly risks for businesses.
- Lack of standardization between clouds. Without standards, fragmentation and complexity often mean that enterprises need separate support and development teams as well as multiple CI / CD deployment models. Authorization is neither easily understood nor controlled, which increases risk and requires constant tweaking to get it right.
- Vendor lock-in. The contractual constraints that come with proprietary software are a common challenge that compounds complexity, increases costs and limits flexibility.
These kinds of challenges also arose in a previous role, in which I navigated multiple cloud deployments in an Azure environment. My team's experience illustrates the magnitude of the problems we faced while looking for solutions.
Let’s take a brief look at how we addressed the problem.
Case study: from cloud to multi-cloud before automation
At the time, a brief outage had just affected authentication through Microsoft, and the risk of relying exclusively on a single CSP was a growing concern for our management team.
I recommended adopting AWS as an alternative CSP to improve our readiness to migrate customers' critical workloads in the event of a similar outage. But we found ourselves in unfamiliar territory with significant unknowns, including how to approach a shift to an alternative primary IdP, establish a baseline for services and deployments, preserve consistent and smooth services, and ensure that the solution was easy to use.
Manually implementing updates and changing permission policies was already a struggle. Finding skilled staff who understood the sheer number of possible scenarios in a multi-cloud ecosystem was tricky, given the global shortage of cyber talent.
We had to hire developers and architects experienced with the proposed alternative CSP. Quality assurance audits and pre-production validations were required to benchmark the workloads under each CSP and ensure that policies and permissions were aligned.
At the time, there was no viable solution on the horizon. Even today, many C-level executives report the same pain points with this outdated (and expensive) approach. The process is resource intensive for testing, individual deployments and ongoing policy management.
Related reading: Multi-Cloud Identity Status Report 2022
Why standards make a difference
Ultimately, the friction can be traced back to the lack of standardization across the various CSPs and their policy and permission models. Without standardization, there is no easy way to use multi-cloud to its full capacity with a manual process.
During consultations with senior leaders, I found common needs, expectations and priorities, including:
- Consistency – how to baseline permissions and authorizations across CSPs to ensure uniformity.
- Flexibility – CTOs and CIOs want greater flexibility, not custom policy development and multiple CI / CD deployments per CSP.
- Value – the transition to microservice-based architectures with exposed APIs currently requires individual, time-consuming and misaligned per-CSP configurations.
The bottom line is that going all-in on one CSP is a relic of the past. To simplify the adoption of multi-cloud, we need a new approach that lets customers modernize their infrastructure without increasing cost, complexity and risk.
IDQL & Hexa: a new approach to IAM modernization
Enter IDQL and Hexa. IDQL, a new declarative identity policy language, and Hexa, its open-source reference implementation, let you centrally manage your various access policies in one common format instead of the policy syntax associated with each CSP.
Hexa discovers all your policies and translates them to and from IDQL, then orchestrates those policies back to each native cloud service in its own imperative format.
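The following Go program is an added illustration of the hub pattern this paragraph describes; it is not Hexa's code and does not use the real IDQL schema. Two hypothetical native policy formats (provider A, an IAM-style statement list; provider B, role bindings) are discovered into one simplified common representation, compared for drift, and rendered back out. The `Policy` struct, both provider formats, the `roleActions` mapping and the sample documents are all assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Policy is this example's simplified common, declarative form: an assumption for
// illustration, not the real IDQL schema.
type Policy struct{ Subjects, Actions []string; Resource string }

// canon sorts a copy of xs and joins it, giving an order-independent form.
func canon(xs []string) string {
	c := append([]string(nil), xs...)
	sort.Strings(c)
	return strings.Join(c, ",")
}

// Key identifies a policy independently of list order so providers can be compared.
func (p Policy) Key() string { return canon(p.Subjects) + "|" + canon(p.Actions) + "|" + p.Resource }

// DiscoverA reads hypothetical provider A's native format (an IAM-style statement list) into the common form.
func DiscoverA(raw string) ([]Policy, error) {
	var d struct{ Statement []struct{ Effect string; Principal, Action []string; Resource string } }
	if err := json.Unmarshal([]byte(raw), &d); err != nil {
		return nil, err
	}
	var out []Policy
	for _, s := range d.Statement {
		if s.Effect != "Allow" { // the common form has no deny semantics: refuse rather than silently drop
			return nil, fmt.Errorf("unsupported effect %q", s.Effect)
		}
		out = append(out, Policy{Subjects: s.Principal, Actions: s.Action, Resource: s.Resource})
	}
	return out, nil
}

// Hypothetical provider B: role bindings, with an assumed mapping from roles to actions.
type bindingB struct{ Members []string; Role, Target string }
var roleActions = map[string][]string{"viewer": {"read"}, "editor": {"read", "write"}}

// DiscoverB expands each binding into the concrete actions its role grants.
func DiscoverB(raw string) ([]Policy, error) {
	var bs []bindingB
	if err := json.Unmarshal([]byte(raw), &bs); err != nil {
		return nil, err
	}
	var out []Policy
	for _, b := range bs {
		acts, ok := roleActions[b.Role]
		if !ok {
			return nil, fmt.Errorf("unknown role %q", b.Role)
		}
		out = append(out, Policy{Subjects: b.Members, Actions: acts, Resource: b.Target})
	}
	return out, nil
}

// RenderB orchestrates policies back into provider B's format, rejecting any action set that
// matches no role exactly: picking a wider or narrower role would silently change the grant.
func RenderB(ps []Policy) (string, error) {
	var bs []bindingB
	for _, p := range ps {
		role := ""
		for r, acts := range roleActions {
			if canon(acts) == canon(p.Actions) {
				role = r
			}
		}
		if role == "" {
			return "", fmt.Errorf("no provider B role grants exactly %v on %s", p.Actions, p.Resource)
		}
		bs = append(bs, bindingB{Members: p.Subjects, Role: role, Target: p.Resource})
	}
	b, err := json.Marshal(bs)
	return string(b), err
}

// Drift returns keys of policies in a with no equivalent in b; call it both ways to see where clouds disagree.
func Drift(a, b []Policy) []string {
	have := map[string]bool{}
	for _, p := range b {
		have[p.Key()] = true
	}
	var out []string
	for _, p := range a {
		if !have[p.Key()] {
			out = append(out, p.Key())
		}
	}
	return out
}

// Constructed sample documents for the two hypothetical providers (not real cloud policies).
const sampleA = `{"Statement":[{"Effect":"Allow","Principal":["group:finance"],"Action":["read"],"Resource":"reports"},
 {"Effect":"Allow","Principal":["user:alice"],"Action":["read","write"],"Resource":"ledger"}]}`
const sampleB = `[{"Members":["group:finance"],"Role":"viewer","Target":"reports"},
 {"Members":["user:alice"],"Role":"viewer","Target":"ledger"}]`
```

With the samples above, `Drift(DiscoverA(sampleA), DiscoverB(sampleB))` reports that alice holds read and write on the ledger in provider A but only a viewer role in provider B, and `RenderB` turns the provider A policies into bindings with the editor role for alice. The two checks the functions enforce are the ones a practitioner hits first when orchestrating across clouds: a native construct the common form cannot express (a deny statement) and a common policy the target cannot express exactly (an action set with no matching role). Both are refused rather than approximated, which is what keeps a translation hub from quietly widening or narrowing a grant.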
Together, IDQL and Hexa solve many common IAM issues in multi-cloud ecosystems:
- Eliminates custom coding – policy discovery, translation and orchestration back to any CSP or endpoint in your solution architecture.
- Avoids vendor lock-in – no agents or proxies are involved. Hexa is purpose-built for the cloud; it works natively with your existing container deployments and CI / CD processes.
- Enables transparent policy governance – Hexa relies on centralized policy management using declarative IDQL: one place to manage all CSP policies and one open-source standard to centralize all your multi-cloud needs.
- Increases flexibility – policy orchestration. Hexa is a hub that translates to and from your cloud deployments or any endpoint in your architecture.
- Supports scalability without increased cost – Hexa facilitates widespread adoption and community development. It opens the opportunity to co-source and co-develop service-specific or broad business use cases and models.
Hexa & IDQL: simplifying policy orchestration for multi-cloud
The need for multi-cloud support may come from changing business needs or from a current CSP that does not meet expectations. Or perhaps other drivers, such as regulatory or geographic restrictions, pushed you to use multiple providers.
Whatever the reason, it is becoming increasingly difficult to solve the vast array of challenges that come with a CSP fruit salad, which I more commonly refer to as the "apple, orange and banana" problem.
New approaches that genuinely disrupt the status quo in IAM (identity and access management) are rare. Yet this is what IDQL and Hexa together can achieve. Born in the cloud as open source (with no proxies or agents) and backed by industry standards bodies and consortia such as the CNCF, I expect widespread adoption similar to Kubernetes, Docker, or even going back to the early days of SAML.
It's time to simplify what's on your plate with the unique benefits and opportunities of Hexa with IDQL:
- Declarative and simple to understand, in a human-readable format, with no agents or proxies needed at runtime.
- One policy management tool reduces support, recruitment and training costs.
- A simplified CI / CD process with the ability to orchestrate to and deploy on all endpoints simultaneously.
To find out more about this solution to your multi-cloud challenges, join the IDQL / Hexa working group at https://hexaorchestration.org/.