Original source: GigamonTV
This video from GigamonTV covered a lot of ground. Eight segments stood out as worth your time. Everything below links directly to the timestamp in the original video.
Imagine managing cloud security policies without having to learn a new language for every single cloud provider. This new standard offers a potential solution to a long-standing challenge in multi-cloud management, simplifying security and operations.
New IDQL Standard Aims to Standardize Cloud Policy Across Platforms
A new industry standard called Identity Query Language (IDQL) is being developed to create a consistent, generic representation of security policies across diverse proprietary cloud platforms such as AWS and Azure. This initiative, spearheaded by Strata Identity and a community of practitioners, seeks to overcome the complexities of managing policies that are currently expressed in platform-specific syntaxes, akin to requiring fluency in multiple programming languages to understand cross-platform rules.
IDQL is designed to simplify governance, auditing, and the migration of workloads between different cloud environments by providing a human-readable, declarative format for policies. An open-source tool called Hexa, available through the Cloud Native Computing Foundation (CNCF), serves as a reference implementation, allowing organizations to extract proprietary policies from one cloud, translate them into generic IDQL, and then re-orchestrate them into another cloud, thereby enabling consistent policy enforcement and reducing the need for extensive rewrites during cloud transitions.
"What we're trying to do with this standard is to create a consistent representation of policy in different systems."
Identity Orchestration Streamlines Multi-Factor Authentication in Fragmented Environments
Identity orchestration provides a solution to multi-factor authentication (MFA) fragmentation, a common issue arising from corporate mergers and acquisitions or modernization efforts. This technology allows organizations to present users with a choice of strong, non-password-based authentication methods, such as mobile one-time passwords, hardware tokens, or passkeys, all managed through a unified policy within an abstraction layer.
At runtime, the orchestration layer directs users to the appropriate MFA flow based on their selection, validating their credentials across different providers. This approach accommodates scenarios like a user forgetting one authentication device or needing to access systems from an acquired company that uses a different MFA system, ensuring continuous strong authentication without forcing users into less secure, password-based alternatives.
"Orchestration's job is to send the user at runtime to different places within the identity environment or the identity fabric."
Identity Orchestration Advances Beyond Virtual Directories with Automation Capabilities
Identity orchestration offers significant advancements over traditional virtual directories, often referred to as LDAP proxies, by providing a common abstraction layer that handles more than just namespace mapping. While virtual directories primarily serve as databases for user information and can reconcile some user identity discrepancies, orchestration extends this capability to abstract semantic differences in roles and groups across disparate technologies.
This robust abstraction layer enables advanced automation features that virtual directories cannot support. Examples include deploying passwordless authentication to applications without requiring application rewrites, and facilitating multi-step user registration processes that incorporate elements like fraud checks or social identity onboarding. Orchestration's ability to see and direct user traffic at runtime allows it to automate complex identity-related workflows, positioning it as a distinct and more capable category of identity management.
"Orchestration was created as a new approach that would solve a lot of those namespace and consistency issues and give you the ability to do more things like automation."
Resource-Centric Policies Recommended for Differentiated User Access
To effectively differentiate between varying user access levels, it is recommended to attach security policies to resources rather than to user personas. This approach, known as resource-centric policy, ensures that access requirements for applications and data dictate the necessary authentication and authorization methods, whether for a standard user or one requiring privileged access.
Under this model, a policy might stipulate that to access a particular application or dataset, a user must authenticate in a specific way and possess certain role memberships or attributes. This consistent pattern allows for greater governance and the ability to distinguish authentication and authorization types efficiently, enabling robust security for both general applications and highly sensitive infrastructure, such as Infrastructure as a Service (IaaS) resources that might mandate passwordless access.
"Flip the equation around and attach your policies not to your users but to your resources."
Orchestration Layer Reconciles Semantic Differences in Cloud Identity Management
An identity orchestration layer can effectively abstract the semantic differences between similar yet distinct identity concepts, such as "roles" in Amazon Web Services and "groups" in Microsoft Azure. While both roles and groups serve to organize users and manage permissions, their specific implementations and capabilities can vary between cloud providers. Roles typically denote specialized user responsibilities and authorities, whereas groups often encompass both users and associated resources like applications and data.
By providing a consistent abstraction layer, orchestration enables scalable administration and unified policy creation across these diverse systems. This means that a single policy can be defined to assess user membership in either an Amazon role or an Azure group, translating these distinctions into a coherent access management strategy. This reconciliation simplifies the complex task of managing permissions and access at scale in multi-cloud environments.
"The abstraction layer, the orchestration layer, that's where you're going to have that mapping."
Identity Orchestration Solves Fragmented Namespace Challenges with Abstraction Layer
Identity orchestration effectively addresses the challenge of fragmented namespaces, a common issue when individual user identities are represented differently across multiple systems. This technology establishes an abstraction layer that maps canonical user identities, reconciling discrepancies such as a user being known as "Jim" in one system and "James" in another. This mapping capability allows for a consistent view of a user regardless of which directory or system is being queried.
Implementing such a reconciliation without an abstraction layer is inherently complex and labor-intensive. Identity orchestration simplifies this process, making it a key motivator for organizations seeking a more efficient and less burdensome way to manage user identities across a growing number of diverse systems.
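As an added illustration of three mechanisms described above (a policy attached to a resource rather than a persona, AWS roles and Azure groups mapped onto one canonical entitlement, and canonical identity mapping of the "Jim"/"James" kind), here is a toy abstraction layer in Python. It is not code from Strata Identity, Hexa or the IDQL specification; the policy schema, provider identifiers and sample users are constructed for the example.

```python
"""Toy identity-orchestration abstraction layer (added example, not code from
Strata Identity, Hexa or IDQL; schema and sample data are constructed)."""
from dataclasses import dataclass

# Canonical identity mapping: "jim" in AWS and a UPN in Azure are one person.
IDENTITY_MAP = {
    ("aws", "jim"): "james.smith",
    ("azure", "james.smith@example.com"): "james.smith",
}

# AWS roles and Azure groups mapped onto canonical entitlements, so a single
# policy can be evaluated against memberships from either provider.
ENTITLEMENT_MAP = {
    ("aws", "role", "arn:aws:iam::000000000000:role/DBAdmin"): "db-admin",
    ("azure", "group", "sg-database-admins"): "db-admin",
    ("aws", "role", "arn:aws:iam::000000000000:role/ReadOnly"): "reader",
}

@dataclass(frozen=True)
class ResourcePolicy:
    """Policy attached to a resource rather than to a user persona."""
    resource: str
    accepted_auth: frozenset          # authentication methods the resource accepts
    required_entitlements: frozenset  # canonical entitlements the user must hold

# Sensitive infrastructure: passwordless auth plus the db-admin entitlement.
PROD_DB_POLICY = ResourcePolicy(
    resource="prod-customer-db",
    accepted_auth=frozenset({"passkey", "hardware-token"}),
    required_entitlements=frozenset({"db-admin"}),
)

def canonical_entitlements(memberships):
    """Translate (provider, kind, id) memberships into canonical entitlements;
    memberships the layer does not know about confer nothing."""
    return {ENTITLEMENT_MAP[m] for m in memberships if m in ENTITLEMENT_MAP}

def evaluate(policy, provider, subject, auth_method, memberships):
    """Return (allowed, reason) for a subject authenticated via one provider.
    Unknown subjects and rejected auth methods fail closed before entitlements."""
    user = IDENTITY_MAP.get((provider, subject))
    if user is None:
        return False, f"no canonical identity for {subject!r} via {provider}"
    if auth_method not in policy.accepted_auth:
        return False, f"{auth_method} not accepted for {policy.resource}"
    missing = policy.required_entitlements - canonical_entitlements(memberships)
    if missing:
        return False, f"{user} lacks {sorted(missing)} for {policy.resource}"
    return True, f"{user} allowed on {policy.resource}"
```

The same `PROD_DB_POLICY` admits the user whether the db-admin entitlement arrives as an AWS role or an Azure group, and denies a password login regardless of memberships, because the requirement lives on the resource.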
"Implementing that without an abstraction layer, without identity orchestration, is really challenging."
Identity Orchestration Addresses Multi-Authoritative Identity Sources in M&A Scenarios
The challenge of managing multiple authoritative identity sources, especially prevalent during mergers and acquisitions, can be effectively resolved through identity orchestration. In scenarios where employees might exist in the HR systems of both an acquiring and an acquired company, orchestration provides an abstraction layer to consolidate or aggregate permissions.
By connecting both legacy and new identity systems to this layer, policies can be established to stipulate which source is authoritative or to offer users flexible authentication paths. For instance, a policy can direct a user to authenticate via one system as a default, but accept authentication from another if the first fails, gradually learning user preferences to streamline future logins. This method minimizes user confusion and allows for dynamic management of permissions across hybrid identity environments.
"The way that you deal with it with orchestration is to plug both systems into the abstraction layer and then you create a policy that stipulates which one is authoritative."
Organizations Struggle with Fragmented Identity Systems in Multi-Cloud Environments
Many organizations are encountering significant challenges in managing identity across increasingly complex multi-cloud environments. As workloads shift from on-premises private clouds to public cloud platforms, companies often adopt not just one, but two, three, or even more public clouds in addition to their existing private infrastructure. This expansive adoption leads to a fragmented landscape where applications and data are spread across numerous locations, each with its own distinct identity system.
This proliferation of disparate identity systems creates a scaling problem for organizations, making it difficult to ensure consistent and secure access control. The struggle lies in making these multiple, often incompatible, identity systems work cohesively, marking a new era of complexity in multi-cloud and hybrid identity management.
"The problem has really developed into multi-cloud at scale where people are struggling now with how to make identity work when their applications and workloads are running in two, three, four, five different places and they've got two, three, four, five different identity systems to make work together."
Also mentioned in this video
- Of managing different identity stores across various clouds, noting the… (2:05)
- If identity orchestration is similar to existing LDAP proxies and virtual… (4:34)
- Of managing roles, noting that AWS has a clear concept of roles while Azure… (8:33)
- The distinction between groups and roles using a job analogy and then shifts to… (11:03)
- Jim asks how identity orchestration handles different human personas, such as a… (19:08)
- Jim asks how machine-based identities, or 'non-carbon based life forms,' are… (22:05)
Summarised from GigamonTV · 29:36. All credit belongs to the original creators. Streamed.News summarises publicly available video content.