Let us start with the basics. IDQL stands for Identity Query Language. The description given to it from the Hexa website (I'll come back to Hexa in a minute) is "Identity Query Language (IDQL) is a declarative access policy and set of APIs that enables the mapping of a centrally managed policy into the native format of multiple clouds and application platforms". The main initiator of the IDQL project is Strata who issued a press release back in May 2022 outlining the concept and idea. Strata is the "identity orchestration" company, that looks to solve the growing problem where identity and permissions data is being spread across a multi-cloud landscape - but somehow needs to be managed centrally in order to improve visibility and security.

Even as many organisations are moving to a "cloud first" strategy for the consumption of new applications and services, the cloud line is blurred. Not all services can be consumed in a pure cloud setting, and not all "clouds" are the same.

Any analysis in the popularity, options or strategy with respect to IAM deployment should be firmly based against a set of basic definitions.

Our latest LinkedIn poll on September 27th was focused on understanding the role and impact of artificial intelligence and machine learning (AI/ML) technology on the general identity and access management industry.
Last week I had the privilege of attending a consumer identity and access management day hosted by specialist CIAM consultancy IdentIT to deliver a key note presentation on the future trends of consumer IAM. Identity specialists, security leaders and enterprise architects gathered at the Circuit Zolder in Belgium for an afternoon of identity discussions, case studies and more importantly track racing on a former F1 circuit!
Styra, the team behind "Cloud Native Authorization" recently announced a few feature called "Styra Run". Their launch blog back in July described Run as being "a new holistic approach" to authorization. But that is trying to solve? Styra are behind the popular Open Policy Agent - a policy driven decision engine for authorization in cloud native environments. Whilst likely OPA is focused on the protection of infrastructure (think containerized ecosytems) it is also used for protecting APIs and custom applications. The developer-first angle sees a dedicated rule language and the storage of policy data in files. The OPA project on github has over 7000 stars.
In the last 3 years or so, we have seen huge interest in the need to improve authentication techniques, that deliver a passwordless MFA experience. What is stopping adoption?
Security starts when authentication ends. It's a line I have used a few times over the years as it is one I actually quite believe in. In an era where firewalls are derided as being pretty toothless in the fight against omnipresent complex cyber attacks - and the concept of trusted networks quite rightly become obsolete in the world of "zero trust" - it always seemed odd to me, to put such a large emphasis on stringent authentication services. Clearly authentication is hugely important don't misunderstand, but my point really was that authentication (even with a strong MFA component) becomes less relevant if a) it is not continuous and b) not part of a more holistic approach focused on the access control of services, data and APIs.
Trust within the identity world is a huge priority. Trust regarding the on-boarding and registration of external users via proofing (think assurance levels using identity validation and verification techniques) right through to creating trust labels for employees in order to monitor for malicious activity - that is either driven by external threat actors, insider threat or just unintentional bad user behaviour.

When on briefings and inquiry workshops there are often emerging themes that start to spring up repeatedly. Perhaps every few months, perhaps under different projects, using different terms and stories and perhaps from unexpected people or teams.

There has been one theme over the past 12 months or so that is difficult to ignore: not only how identity based security has left-shifted into the thinking of information leaders to being a first-class citizen in the technology arsenal, but how identity is moving into a new territory. The territory of autonomy.

A long read post investigating the evolution of decoupled authorization platforms – including use case and capability analysis and brief vendor review including Axiomatics, PlainID, Styra and Scaled Access.

This post is only available to members.