Introducing IDQL and Hexa: A New Identity Standard for Policy Orchestration

What is especially valuable about IDQL/Hexa is that it coordinates a consistent policy across all cloud platforms and technology stack. This vendor-agnostic, open-source approach is necessary to accelerate adoption among vendors, developers, and business users alike.
– Jack Poller, Senior Analyst, Enterprise Strategy Group (ESG)


Cloud computing offers many benefits: agility, scalability, efficiency, and speed, to name a few. However, it also creates major challenges for security and for identity and access policy management, especially with the rise of multi-cloud. Recent research reveals that most organizations have at least three clouds and expect to use four or more by the end of 2022.


Each cloud platform your company adopts has its own set of proprietary policies. Then, looking up and down your stack, each layer (application, identity, data, and network) has its own version of those policies. The result is a multiplier effect across all the different combinations, which makes it difficult to understand what policies are in place and nearly impossible to manage them.

When we talk to our customers, as well as to IT leaders and decision makers, about this, we hear a common refrain: “We want to have a common set of policies that is independent of target systems” and “there is no common way of expressing policy across all the systems we run, and that’s a huge gap that needs to be addressed.”

That’s where IDQL and Hexa come in and what I’m excited to be able to present to the world.

What is IDQL/Hexa?

IDQL and Hexa are two sides of the same coin, and each contributes its part to a Policy Orchestration solution. IDQL, or Identity Query Language, is the declarative, standardized policy language format that can be translated into a target system’s proprietary or custom access policy format.

On the other hand, Hexa is the open source reference implementation of the IDQL policy standard. Anyone can download and use the plug-ins currently available in the Hexa GitHub repository, or develop plug-ins for additional environments to extend the reach of Hexa.

How do IDQL and Hexa work?

Hexa is the open source project that makes IDQL operational in the real world by connecting to target systems and performing the three main functions of Discovery, Translation, and Orchestration. Together, IDQL and Hexa perform:

Policy Discovery

  • Analyze and inventory critical applications, data and policies
  • Find out what apps exist and where they are
  • Find what policies, users and roles exist

Translation of policies

  • Translate native imperative policies to IDQL during policy discovery
  • Translate IDQL into native imperative policies of target systems during policy orchestration

Policy Orchestration

  • Distributes policies to be enforced by identity providers (IdPs), clouds, IaaS, and network systems (does not replace existing runtime enforcement/decision mechanisms)
  • Works through a cloud-based architecture that doesn’t require a proxy or local code
  • Uses an extensible open source model that supports custom integrations

The Hexa architecture implements a provider framework that enables connectivity to a wide range of cloud platforms and technologies. Hexa connectors, or integrations, invoke publicly available APIs of cloud-based and other systems to discover, translate, and orchestrate policies, as described above.
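To make the discover/translate/orchestrate loop described above concrete, here is an added Go example. It is not Hexa’s code and does not use IDQL syntax: the Policy struct, the Provider interface, the "subject|action|resource" native format, the iamProvider stand-in and its user-only limitation are all constructed for illustration. It shows a connector translating in both directions and an orchestrator that re-runs discovery after a push, so that a grant the target could not express is reported as drift instead of being silently lost.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Policy is a hypothetical vendor-neutral grant; it is not the IDQL schema.
type Policy struct {
	Subject  string   // "user:alice" or "role:auditor"
	Actions  []string // "read", "write"; sorted by normalize
	Resource string   // "app:payroll"
}

func (p Policy) String() string { // canonical form used to compare policies across targets
	return p.Subject + " can [" + strings.Join(p.Actions, ",") + "] on " + p.Resource
}

type Provider interface { // connector contract; runtime access decisions stay with the target
	Discover() ([]Policy, error) // native policy -> common form
	Apply([]Policy) error        // common form -> native policy, then push it
}

func normalize(grants []Policy) []Policy { // one Policy per (subject, resource), actions sorted
	byKey := map[string]*Policy{}
	for _, g := range grants {
		k := g.Subject + "@" + g.Resource
		if byKey[k] == nil {
			byKey[k] = &Policy{Subject: g.Subject, Resource: g.Resource}
		}
		byKey[k].Actions = append(byKey[k].Actions, g.Actions...)
	}
	var out []Policy
	for _, p := range byKey {
		sort.Strings(p.Actions)
		out = append(out, *p)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].String() < out[j].String() })
	return out
}

// iamProvider is a constructed cloud-IAM stand-in: native policy is a flat list of
// "subject|action|resource" grants, and only "user:" subjects exist, so a role-based
// grant cannot be translated faithfully and the post-rollout check must report it.
type iamProvider struct{ native []string }

func (p *iamProvider) Discover() ([]Policy, error) {
	var grants []Policy
	for _, line := range p.native {
		f := strings.Split(line, "|")
		if len(f) != 3 {
			return nil, fmt.Errorf("iam: malformed native grant %q", line)
		}
		grants = append(grants, Policy{f[0], []string{f[1]}, f[2]})
	}
	return normalize(grants), nil
}

func (p *iamProvider) Apply(policies []Policy) error {
	p.native = nil // a real connector would call the target's policy API here
	for _, pol := range policies {
		for _, a := range pol.Actions {
			if strings.HasPrefix(pol.Subject, "user:") { // target has no role subjects
				p.native = append(p.native, pol.Subject+"|"+a+"|"+pol.Resource)
			}
		}
	}
	return nil
}

// Orchestrate pushes desired to a provider, re-runs discovery, and returns the drift:
// grants the target kept ("unexpected") or did not take ("missing"); empty means it matches.
func Orchestrate(desired []Policy, prov Provider) ([]string, error) {
	if err := prov.Apply(desired); err != nil {
		return nil, err
	}
	got, err := prov.Discover()
	if err != nil {
		return nil, err
	}
	want, seen, drift := map[string]bool{}, map[string]bool{}, []string{}
	for _, p := range normalize(desired) {
		want[p.String()] = true
	}
	for _, p := range got {
		seen[p.String()] = true
		if !want[p.String()] {
			drift = append(drift, "unexpected: "+p.String())
		}
	}
	for s := range want {
		if !seen[s] {
			drift = append(drift, "missing: "+s)
		}
	}
	sort.Strings(drift)
	return drift, nil
}
```

Running Orchestrate with a desired set that contains both a "user:alice" grant and a "role:auditor" grant against the stand-in yields one drift line, "missing: role:auditor can [read] on app:payroll", because the constructed target has no way to express role subjects. The design point is that the push alone proves nothing: re-running discovery after orchestration is what turns a lossy translation into a visible finding.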

What are the benefits of IDQL and Hexa?

IDQL and Hexa work together to unify the highly fragmented policies that IT administrators, information security officers, developers, and application owners struggle to manage today. With a more cohesive approach, companies will have greater visibility and control over sensitive resources. They will be able to report on access settings more accurately and enforce business and security rules in a much more consistent way.

By using IDQL and Hexa, any business will reap many benefits, including:

  • Agentless and proxyless: Easily deploy in minutes, without changing your infrastructure.
  • Distributed Policy Management: Securely orchestrate access policy through APIs, without the need to make changes to target systems.
  • Universal Access Policy: Manage access policy that works across disparate systems to help enable a Zero Trust Architecture (ZTA).
  • Policy as code: Bring identity and access policy into code for automation at scale.
  • Declarative Policy: Understand who has access to which apps and data at a glance.
  • Vendor lock-in removed: Enjoy portability and choice of providers by breaking the lock-in of each cloud platform.

Why did the working group create IDQL/Hexa?

Developing and supporting industry standards has long been in the DNA of Strata and its founders. As co-authors of SAML, we know what it takes to collaborate with industry partners to bring a new standard to market. This process begins with the recognition of a need or gap within current identity standards compared to the requirements of business organizations.

A core team of renowned industry professionals was created to help refine the vision. Together, the IDQL format was defined, the first versions of the Hexa software were designed, and preparations were made to submit it to the Cloud Native Computing Foundation (CNCF).

Watch the “The construction of a new standard of identity” webinar to learn more about creating the standard and the reference software.

Members of the IDQL working group

Personally, I have worked in identity standards for 20 years, but had never been directly involved in creating an identity standard until now. As an analyst at the Burton Group, I wrote reports on SAML (and other federation protocols) and hosted several interoperability demos at the annual Catalyst Conference. Later, I worked at Axiomatics, a supporter and implementer of the XACML standard.

It has been an incredibly rewarding experience to be on this side of the table and help lead the effort to bring IDQL and Hexa to life. With that being said, we are just getting started and have much more exciting work to do!

How can you get involved?

The IDQL/Hexa project is open to all participants, and we welcome your contribution. There are several ways you can collaborate, depending on your interest, skill set, and availability. Vendor or company representatives may participate in any of the following roles:

  • Follower: Your membership signifies your support for the project and the community.
  • Contributor: Share your ideas about system design, use case requirements, and project direction.
  • Author: Roll up your sleeves and write some code!
  • Reviewer: Provide feedback on the IDQL specification or do a code review of an existing Hexa connector or module.
  • Adopter: Implement IDQL and Hexa in your vendor’s product or company, in a lab test environment, pilot project, or production deployment.

For more information on IDQL/Hexa, visit Hexaorchestration.org or send us a direct message on Twitter at @hexapolicy.
