Sorry, I couldn't be there in person in Munich this year, but glad to be able to join remotely. So, yes, my name is Gerry Gebel. I'm head of standards at Strata. In the past, I've worked within enterprise IT and financial services and the analyst industry as an identity and access management analyst, then in business development with an authorization vendor, and now here as head of standards at Strata.
And so, you know, the title of the session again is addressing multi-cloud identity challenges with this new standard that we call IDQL. So Identity Query Language, or IDQL, is what I'll talk about today. It is exciting to be part of a new standard process. We're trying to build an access policy standard that can work across cloud environments as well as across the stack.
So I'll talk about that in a couple of moments, but I thought it would be important to set some additional context as to why we're here, why we're talking about this particular issue, and how it fits into what we're doing at Strata, to give you a bit of that background.
So, as we've heard here at the conference and elsewhere about, you know, the problem, one of the problems with multi-cloud and hybrid identity is the fragmentation of identity and fragmentation of policy across these environments and the vendor lock-in, because each of the cloud platforms handles identity and access in its own way. So we think the solution is distributed identity management; you know, distributed architectures and infrastructure is something that's been talked about as well in the session here this morning.
So we think the solution to this is identity orchestration. So you might ask, well, what is that? We think this is a new class of identity and access management software, you know, so different from single sign-on and federation and directories and access governance and so on. And identity orchestration is meant to replace much of the custom code and/or manual effort that's needed today to integrate identity and applications and access across these multi-cloud and hybrid environments.
So it's built on top of an identity fabric.
And so the fabric is the connectivity layer that brings together all of these different identity systems. And you've heard about identity fabrics.
For example, yesterday there was a whole track on this, research has covered the topic, and at Strata we think the fabric is that abstraction, that connectivity layer that enables orchestration. So orchestration can have capabilities to address things like multi-cloud identity and access management, migration of applications or workloads from, say, on-premise data centers to a cloud environment, or from one cloud platform to another. Furthermore, it enables activities like user migration, again from on-premise data center legacy systems to a cloud identity provider, for example, or maybe even between cloud identity providers. It allows you to implement other modern technologies like multifactor or passwordless authentication.
So it's this abstraction, this orchestration layer that allows you to do this without necessarily being locked into the individual underlying cloud systems.
So what's, you know, what are some of the factors happening that have us in this place today?
Well, you know, we've seen the movement of organizations to deploy cloud capabilities, but they typically do not adopt a single cloud platform that might make life much easier. In fact, when we talk to customers, they're adopting, you know, 3, 4, 5, or maybe even more cloud platforms, you know, plus all of the SaaS applications that a typical enterprise organization consumes. And then of course, each of them now institutes a new identity silo.
I mean, we've had identity silos as a problem in the past, even when we're dealing with legacy environments; they may be aligned with geographic regions or different business lines. Now we have new identity silos that are propagating across all of these cloud systems, and some of the existing standards like SAML or federated single sign-on don't address all of the concerns that we have here.
You know, certainly they have their place, but they're not dealing with, you know, synchronizing policy or identity data necessarily.
And I noticed, or I took note of, for example, Mike Small previously talking about the distributed nature of the place we find ourselves in. And so that certainly tells me that we can't use a technology that's centralized. It just won't work, either for management reasons, cost, or just internal politics, you know, within an organization. And then furthermore, we of course have this issue of many of the first generation identity systems, you know, maybe some of those federated or web access management kinds of systems, that are now at end of support.
And we need to do something about those and, you know, move to a more modern identity infrastructure.
So we think, again, you know, orchestration across this environment, having a control plane above the individual capabilities of these different platforms is an important way to think about a solution set so that we can manage more uniformly the access and the identity across these disparate environments instead of using the individual tooling or capabilities of each individual platform.
So being able to manage, you know, changes across this environment in a seamless and automatic way we think is a really important capability. So that's a bit of, you know, the backdrop of Strata, where we come from and why we think identity orchestration is important.
So as I mentioned, you know, the distributed world is what we find ourselves in. I think that's going to be the case for a long, long time.
And of course, it's not just that we're moving everything to the cloud, but we still have a lot of on-premise or legacy environments that will be part of a hybrid model for quite some time. And when we think about the different cloud environments, it's not just, you know, say the east-west nature of things. We're dealing with Amazon as well as Google and Microsoft Azure and others, but also up and down the stack we have a similar challenge, because all of these layers have their own notion of identity and access policy.
Think even of a zero trust architecture model from the networking level, and the SASE, the secure access service edge, environments around zero trust and their view of policy and access and identity.
So all of this is, you know, part of the trends that we're seeing, that we're trying to address. And so another, you know, aspect of this, and we'll talk about it a little bit more, is the fragmentation of policy, again because each platform has its own bespoke way of dealing with policy formats, typically, of course, proprietary.
And then how can we manage such an environment in a modern DevOps/DevSecOps kind of way? Can we do that with a set of APIs that help us accomplish this to get consistent access? I think that's also something that Mike Small mentioned in his talk earlier this morning, you know, how can we get consistency across these different kinds of environments?
And with the fragmentation of policy, we have a real governance challenge. You know, do we know who has access to what? You know, having to manage all of these different environments, platforms, and systems in a manual or semi-automated way can lead to error conditions or certainly a poor user experience.
And also from a governance perspective, you know, the policies are often buried within the infrastructure or within an application or within these different layers. And so how do we report on them? How do we audit them?
You know, the imperative nature of those policy formats really makes it hard to get that visibility and transparency into what's happening in the environment. And we mentioned other standards, we mentioned SAML previously; you know, XACML is more an authorization standard. That's certainly out there and has been for a while, and I have a lot of experience with that. But these other standards were built for different reasons.
You know, they weren't necessarily built for today's requirements of being cloud native, being very dynamic, and, you know, dealing with a very hybrid and diverse environment. So where does IDQL fit into the picture here?
Well, again, it's a way to standardize access policy across these environments. And I'll just pause and mention, you know, why is Strata focusing so much attention on building a standard in this space?
Well, you know, the founders and the leadership of Strata have a lot of history in promoting and supporting and creating industry standards, being the co-author of the SAML protocol back in the day when that was first brought to the marketplace. So there's this inherent desire or view of the industry.
You know, that if there is a place where a standard can really help the situation and help improve things for customers, then we think it's a worthy effort, you know, to focus attention and resources on this sort of project.
So IDQL we view as a new standard for access policy orchestration, and orchestration here, I think, is an important term to emphasize, because we are not replacing the runtime policy engines, you know, that is, the decisioning process or the enforcement process within any given application or platform or component.
So it is focusing on defining a policy format that can be used to define the different scenarios across these environments that we've described. Then the query part comes in with, you know, APIs where you can inspect and query the policies that have been defined and implemented within the system. So there are multiple components here.
That is, it is a format of the policy itself, the policy language, if you will, that can deal with different kinds of resources across, you know, applications, the platform, the data level, and even to the network.
And we have today a small working group with leaders from vendors as well as enterprise organizations that are working on the standard. And then what's also interesting about this particular one is that there is also an open source component. We call it the Orca project.
A play on the orchestration term, but it will be a reference implementation of IDQL. So there will be open source, what we call policy orchestration gateways, that will be implemented for different kinds of target environments. And I'll explain here in a moment how that will work, but these open source implementations will be available from GitHub. It'll be under the umbrella of the CNCF, the Cloud Native Computing Foundation, and available under the Apache 2.0 license model.
So the idea here is that we can have a set of generic, uniform IDQL policies that can be distributed to the different cloud environments.
And then they're at that point translated into the bespoke or proprietary formats of those systems.
And, you know, this gives us a more uniform or easy way to describe access policies that can be consistently applied across these different environments and work to break the lock-in to these individual platforms or systems. And we're viewing this as, you know, you might think of any policy structure: it has a subject or actors dealing with actions against resources or objects. We have the notion of a scope or condition and context.
And so if you think about how you're dealing with that today across, you know, 10, 20, or more different kinds of cloud platforms or identity systems, you know, it's so difficult to manage that today because of the diversity of those environments. So this is why we are approaching this, you know, to try to standardize this format at a higher abstraction level.
And why do we need this?
Well, I mean, no one in the industry is working on this today. We view this as a huge gap in the industry and a great deal of potential if we can address this, you know, that we have such disparity or diversity across these different domains and platforms and technologies. And without this, we have to rely on, you know, different kinds of tooling or manual efforts, custom coding. So we think there's a lot of risk in using, you know, some of the limited capabilities that we have today in the industry.
And of course, you know, the major platforms are locking you in as a customer to their own specific tooling, their own proprietary ways of dealing with identity and access. So the current state of affairs is that identity and access is still very much fragmented, and we're hopeful that Identity QL, or IDQL, can help to address that need.
So it's, you know, a common and consistent definition of policies across these environments that are included in the umbrella of what is supported and the ability to distribute and convert into the bespoke format of those target systems.
You know, both, as we describe it, on the east-west axis as well as on the north-south axis, and to bring a modern cloud approach to this so that the management of identity and access can be incorporated into your DevSecOps environments, just like you do with other aspects of your application and infrastructure environments.
So there are a few use cases I'll describe here on the upcoming slides, you know, these three different use cases, but again, just to reiterate that, you know, there will be an open source reference implementation available under Apache 2.0, and, you know, through the auspices of CNCF here in the future. So the first use case I'll walk through here is that of policy orchestration.
Again, we're not replacing the runtime environments that enforce or determine policy decisions, but at the top here we'll have, you know, a simple declarative policy. This is just a basic example here.
You know, it will be version controlled, it will be assigned to a certain type of resource, and in this one we have a resource that is the trading application, and we are going to allow US and Canadian employees to access it, just with access to US data, and only if they've done MFA, or multifactor authentication, so a strong authentication.
So here's where the policy gateways will be able to query the system, get the policies that are targeted to the environment that they're configured with, translate or map that to the target system's format, and then call the public APIs of that target system to load that policy.
Excuse me. So with these distributed policy gateways, it does not require additional coding within the target environment, and it also enables you to break that vendor lock-in of each of the individual platforms.
Furthermore, we think using this open source gateway approach allows us to bring support for IDQL to the platform. If you think back to the long period of time that it took for something like SAML to be adopted in the industry in the past, it was quite a long time before you had enough identity providers and relying parties or service providers that all had support for SAML. So it's like the network effect of, you know, the telephone or the fax machine. In this case, we think we can invert that model by bringing the standard to the platform. Now, over time, it's great if those platforms do incorporate the IDQL support natively, but they don't need to do that on day one.
We can bring that to the platforms that have a published format and a public API available to do this kind of operation. So that's scenario one, the policy orchestration case. The second one is around policy governance. I think we touched on this a little bit in the previous panel, you know, and in Mike Small's talk as well, you know, how can we govern the environment?
And this is where the query part of IDQL comes into the picture, because we can interrogate the system and ask questions like we have here. You know, what applications and servers does Mary have access to, or what kind of access does she have to those systems?
You know, what users have access to the trading application that we talked about previously? You know, what applications are out in the environment that are being protected?
So this is where the gateways can query, again, the APIs that are available from these underlying systems and provide these kinds of answers, you know, to IT system admins, auditors, and so on. A third part of this is policy discovery.
Again, being able to query systems about their current configurations, you know, what applications are deployed there, what policies are in place today, what data is available about users or the resources. So being able to get an inventory of the current environment, of course, is an important aspect to getting a system up and running, configured, and then operational going forward. So those are just a few of the use cases that we see possible with a standard like IDQL.
So how does it work? Well, you know, this declarative policy model can be published in human-readable files, you know, for those humans that can read YAML. And we would expect also, you know, that different vendors would have user interfaces, more graphical interfaces, on top of that.
So, you know, we view it in many ways as meta policy, covering the common base use cases, but then also having the ability to add extensions, either to the policy model or to different APIs, you know, to cover special cases or edge cases. And then, you know, the policy in IDQL is able to be translated into the proprietary or bespoke formats of the target systems. And then there'll be things like versioning, encryption of policies, and, you know, those sorts of life cycle aspects to it.
And then, you know, a set of APIs to do the functions, like the querying that we saw in the previous couple of examples. We expect it to be able to work with other standards in the industry, you know, SCIM being an interesting one as well.
So how are we doing this?
So we are leveraging some of the experience that the team has had with the co-authoring of SAML and that whole process. You know, it's like any other kind of collaborative effort, you know, working together with others in the industry, defining the base components for the standard, you know, the policy language, the APIs, and so on, and then ultimately bringing it to an industry organization for further work with a larger audience.
So today, I think I've mentioned, we have a small working group of some key individuals and thought leaders from, you know, different industry segments, as well as some vendor partners, excuse me. And we've been working together on this process over the last several months. We've also been socializing this a bit with industry analysts and some other folks, but this is really one of the first public presentations we've had about IDQL.
So I hope you'll feel very special about getting some of this early information.
We do plan to submit this work into the Cloud Native Computing Foundation, the CNCF, to continue to work on the policy format and specification, as well as the open source code. For those of you familiar with CNCF, you know that they really focus on the open source project. So that's why it's such an important part of, you know, the working group so far.
So, as I say, we're working on this, the policy spec and so on. And then also we have, you know, subject matter experts that are familiar with, you know, the application layer, platform, data, and networking layers as well.
So to wrap up here, we think that a standard like IDQL can bring a lot of benefits to the industry. We think this is, you know, important work that needs to be done to help us more consistently manage identity and access policy across these very disparate, heterogeneous environments to help improve security.
I think, you know, the governance and the consistency of policy implementation across these environments, and dealing with this very fragmented area, is a key factor that we're working on. We also think there's a large benefit to help remove some of the vendor lock-in to these proprietary systems, to really give you the mobility to move user identities, to move workloads around as appropriate, either because of cost savings or because of, you know, new features or capabilities that are in competing cloud platforms.
And then of course, from the governance side, again, meeting, you know, the increasingly granular compliance and reporting requirements that organizations have.
So there are many ways to join us and support this if you are interested.
I hope you will. If you would like to do that, please contact me afterwards. You can be as deeply involved in this on a day-to-day basis as you like, or have a lighter touch, you know, and help contribute just through your own thoughts and requirements and use cases. You can help by reviewing some of the design work we're doing, or some of the code we're building, and ultimately adopt, you know, IDQL in pilot or in production environments. So we're looking for, you know, additional members at this stage to join the community, to be a supporter.
So if you'd like to do that, I would appreciate it. Thank you very much. Here's my email, if you would care to reach out. So we might have another moment or so, Matthias; I've already run a bit long, but we'll turn the platform back over to you. Thank you.
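As an added illustration of the two gateway roles described in the talk (orchestration: translate a generic policy into a target system's bespoke format; governance: answer "who can access the trading app?" and "what can Mary access?"), here is a small Python model. It is not part of the presentation, not the IDQL specification, and not Strata or Orca code; the policy fields, the two target formats and the directory data are all constructed assumptions.

```python
# Constructed model of a subject / action / resource / condition policy and a
# hypothetical policy orchestration gateway. Not the IDQL spec; the field names,
# target formats and directory below are invented for illustration only.
from dataclasses import dataclass, field


@dataclass
class Policy:
    version: str
    subjects: list           # group names, e.g. employees by country
    actions: list
    resource: str
    conditions: dict = field(default_factory=dict)  # e.g. require MFA, data region


# Constructed policy mirroring the talk's example: US and Canadian employees may
# access the trading application, restricted to US data, only after MFA.
TRADING_POLICY = Policy(
    version="1.0",
    subjects=["employees:US", "employees:CA"],
    actions=["access"],
    resource="app:trading",
    conditions={"mfa": True, "data_region": "US"},
)

# Constructed directory standing in for what a target identity provider holds.
DIRECTORY = {
    "mary": ["employees:US"],
    "pierre": ["employees:CA"],
    "li": ["employees:SG"],
}


def to_target_a(policy):
    """Translate into a made-up JSON-style format (e.g. a cloud IAM API body)."""
    return {
        "principals": [{"group": g} for g in policy.subjects],
        "permissions": policy.actions,
        "resource": policy.resource,
        "require_mfa": bool(policy.conditions.get("mfa", False)),
        "region": policy.conditions.get("data_region"),
    }


def to_target_b(policy):
    """Translate into a made-up one-line rule syntax (e.g. a gateway config)."""
    cond = [k for k, v in policy.conditions.items() if v is True]
    cond += [f"{k}={v}" for k, v in policy.conditions.items() if v is not True]
    return (f"allow {','.join(policy.actions)} on {policy.resource} "
            f"for {'|'.join(policy.subjects)} if {' and '.join(cond)}")


def who_can_access(policies, resource, directory):
    """Governance query: users whose groups match any policy on the resource."""
    return sorted(user for user, groups in directory.items()
                  if any(p.resource == resource and set(groups) & set(p.subjects)
                         for p in policies))


def what_can_user_access(policies, user, directory):
    """Governance query: resources granted to a user through policy subjects."""
    groups = set(directory.get(user, []))
    return sorted({p.resource for p in policies if groups & set(p.subjects)})
```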