TL;DR: IDQL and Hexa propose a vendor-neutral way to express, translate, and orchestrate access policy across cloud platforms and the wider stack, addressing the fragmentation that makes multi-cloud governance hard to see and harder to enforce, according to Strata Identity. The architectural shift matters because policy consistency, not another enforcement silo, is what identity teams need to regain control.
NHIMG editorial — based on content published by Strata Identity: What is IDQL? A guide to Hexa Policy Orchestration Governance & Standards
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Questions worth separating out
Q: How should security teams manage policy consistency across multi-cloud environments?
A: Security teams should centralise policy intent, then translate it into each platform only where necessary.
Q: Why do fragmented cloud policies create identity governance risk?
A: Fragmented policies create governance risk because the same access rule can be written differently in each cloud, application, or network layer.
Q: What should organisations check before adopting policy orchestration?
A: Organisations should check whether their entitlement data, role models, and cloud access rules are already clean enough to translate without distortion.
Practitioner guidance
- Inventory every current policy source: Map native policy locations across cloud platforms, identity providers, apps, and network layers before introducing orchestration so you know where drift begins.
- Define policy ownership boundaries: Assign one system to own policy intent and separate that from systems that enforce or mirror it, especially where cloud teams and identity teams both edit access rules.
- Pilot translation on a narrow entitlement set: Test policy translation on a single app, workload, or cloud account set first, then compare the translated output against native policy to catch semantic loss.
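The Q&A above says to centralise policy intent and translate it per platform, and the third guidance step says to compare translated output against native policy to catch semantic loss. The script below is an added example of that pilot check; it is not Strata Identity's or the Hexa project's code. It assumes a simplified IDQL-like JSON shape for the intent policy (meta, subject, actions, object, condition) and a constructed native format that only supports principal-to-role-to-resource bindings with no condition support. The role table, the policy content, and the finding names are all constructed for illustration.

```python
"""Round-trip check for policy translation.

Added example (not Hexa/IDQL project code). The intent policy uses a
simplified, IDQL-like JSON shape; the 'native' format is a constructed
stand-in for a cloud IAM model that knows only principal->role->resource
bindings and cannot express conditions. Both are assumptions.
"""
import json

# Constructed intent policy in an assumed IDQL-like shape (not a real Hexa file).
INTENT_POLICY = {
    "meta": {"version": "0.7", "policyId": "sample-billing-read"},
    "subject": {"members": ["user:alice@example.com", "group:finance@example.com"]},
    "actions": [{"actionUri": "billing:read"}, {"actionUri": "billing:export"}],
    "object": {"resource_id": "cloud:projects/ledger"},
    "condition": {"rule": "req.ip sw '10.0.'", "action": "allow"},
}

# Constructed capability table for the native platform. Roles bundle actions,
# so an intent that needs only some of a bundle gets mapped to a wider role.
NATIVE_ROLE_FOR_ACTIONS = {
    frozenset({"billing:read"}): "roles/billing.viewer",
    frozenset({"billing:read", "billing:export", "billing:write"}): "roles/billing.admin",
}
NATIVE_ACTIONS_FOR_ROLE = {role: set(acts) for acts, role in NATIVE_ROLE_FOR_ACTIONS.items()}


def choose_role(actions):
    """Pick the smallest native role that covers every requested action."""
    wanted = set(actions)
    candidates = [(len(acts), role) for acts, role in NATIVE_ROLE_FOR_ACTIONS.items()
                  if wanted <= acts]
    if not candidates:
        raise ValueError(f"no native role covers {sorted(wanted)}")
    return min(candidates)[1]


def to_native(policy):
    """Translate intent into native bindings. Whatever the target cannot express
    (here: the condition, and the exact action set) is silently lost at this step."""
    role = choose_role(a["actionUri"] for a in policy["actions"])
    return {
        "resource": policy["object"]["resource_id"],
        "bindings": [{"principal": m, "role": role} for m in policy["subject"]["members"]],
    }


def from_native(native):
    """Translate native bindings back into the intent shape so they can be compared."""
    roles = {b["role"] for b in native["bindings"]}
    actions = sorted(set().union(*(NATIVE_ACTIONS_FOR_ROLE[r] for r in roles)))
    return {
        "subject": {"members": sorted({b["principal"] for b in native["bindings"]})},
        "actions": [{"actionUri": a} for a in actions],
        "object": {"resource_id": native["resource"]},
        "condition": None,
    }


def semantic_diff(intent, roundtrip):
    """List how the round-tripped policy differs from the stated intent."""
    findings = []
    want = {a["actionUri"] for a in intent["actions"]}
    got = {a["actionUri"] for a in roundtrip["actions"]}
    if got - want:  # translation granted more than was asked for
        findings.append(("widened_actions", sorted(got - want)))
    if want - got:  # translation granted less than was asked for
        findings.append(("lost_actions", sorted(want - got)))
    if set(intent["subject"]["members"]) != set(roundtrip["subject"]["members"]):
        findings.append(("subject_mismatch", sorted(roundtrip["subject"]["members"])))
    if intent["object"]["resource_id"] != roundtrip["object"]["resource_id"]:
        findings.append(("object_mismatch", roundtrip["object"]["resource_id"]))
    if intent.get("condition") and not roundtrip.get("condition"):
        findings.append(("lost_condition", intent["condition"]["rule"]))
    return findings


def pilot_check(policy):
    """Translate intent to native, translate back, and report semantic loss."""
    return semantic_diff(policy, from_native(to_native(policy)))


if __name__ == "__main__":
    print(json.dumps(pilot_check(INTENT_POLICY), indent=2))
```

For the sample policy the check reports two findings: the action set is widened (the closest native role also grants billing:write) and the IP condition is dropped entirely. A pilot that returns an empty list for every policy in the narrow entitlement set is the signal that the translation can be trusted for that target; any non-empty result is a place where native policy and intent will drift from the first sync.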
What's in the full article
Strata Identity's full article covers the operational detail this post intentionally leaves for the source:
- A plain-language walkthrough of how IDQL maps into native policy formats across different systems.
- Details on Hexa connectors and how the reference implementation reaches cloud platforms through public APIs.
- The project roles available to supporters, contributors, authors, reviewers, and adopters.
- The working-group rationale for creating a policy standard and reference software.
👉 Read Strata Identity's guide to IDQL and Hexa policy orchestration →
IDQL and Hexa: can policy orchestration close the cloud gap?