Styra: Security as Code for Cloud-Native

Prasad Parthasarathi is Director & Global Head for Cybersecurity Investments and M&A at Cisco Investments. His team is responsible for sourcing, qualifying, and transacting multi-stage venture investments as well as end-to-end M&A execution in Cybersecurity. Prior to Cisco, Prasad led multiple M&A transactions in large cap technology companies and was instrumental in EDS’ $14B sale to HP. Prasad earned an MBA from Indian School of Business (ISB) Hyderabad and held Corporate Finance and Advisory stints in Singapore and India.

Styra Launches With a Lofty Goal: To Unify Authorization Policy Across Tech

If I wanted to hop on a plane and travel to another country, there is one essential document that I’ll need to make sure I pack: a passport. That’s because back in 1920, the League of Nations brought together representatives from around the globe and made these little booklets the international standard to expedite travel and protect national security.

Now imagine a world without passports – one in which I may need to follow a completely different process and method to verify my identity for each country that I visit. Sounds like a nightmare, right?

The nightmare is real for many enterprises with hundreds of thousands of applications in use but no unified standard for authorization/policy – users “travel” from the cloud, to on-prem, to microservices, and more.

Some teams have found creative solutions by building custom authorization directly into either the applications or centralized systems that applications interface with for access control. On the downside, these approaches make it impossible for security to decipher where access control presents risks.

Tim Hinrichs and Teemu Koponen, who were working together at the time, heard frustrated customers lament that there had to be a better way. So in 2015, the two founded Styra and started the Open Policy Agent (OPA) project to unify policy enforcement across different technologies and systems.

From this project, a new paradigm — “Policy as Code” — was born, and the old world of policy management would never be the same.

By March 2018, the Styra team donated OPA to the Cloud Native Computing Foundation (CNCF), the governance body for all cloud-native open-source projects. After almost three years of rigorous validation by industry peers, OPA became the 15th open-source project and the first focused on authorization to reach graduation.

In my book, the years of dedication and arduous vetting it takes for a team to graduate their project from CNCF make the process less of a cloud-based training and certification and more akin to graduating from the SWAT academy. This milestone marked an incredible accomplishment.

Our Cisco Investments team first met Styra in 2018 after they had established OPA as a CNCF project. Instantly, we felt a strong conviction in OPA’s ability to achieve graduation status within the CNCF successfully and recognized the company’s trailblazing advantage in building a proprietary monetization platform around OPA.

Our hunch proved true. OPA now boasts more than 75 million downloads, with a customer portfolio including Capital One, Zalando, and the European Patent Office.

Cisco Investments is excited to announce our participation in the company’s Series B funding alongside Battery Ventures, A.Capital, Unusual Ventures, Accel, Capital One Ventures, and Citi Ventures.

Reinventing Policy and Authorization for Cloud-Native

I recently sat down with Bill Mann, who was appointed CEO in 2018. Looking back on why he decided to join Styra following his role as Chief Product Officer at Centrify, he says, “Once upon a time, I was a developer, and I’ve always been intrigued about how aspects of technology can be standardized. When I was first introduced to Styra, I instantly realized that they were building something unique, and it touched a nerve for me. I have thought about this problem of how to standardize access and authorization for a long time.”

At the time, the startup was embarking on its journey to commercialize OPA, which provided a route to revenue after making OPA open source. “The Styra team always had the vision to create something that would increase the security for applications for everyone,” he says. “If they had kept it private, it would never have become standardized.”

Of course, making OPA open source also revealed the company’s hand to the competition, which might have posed a problem if the company hadn’t already enjoyed a massive head start. As Mann notes, “During our year developing OPA, we relied on our community of open-source users. We think of the OPA community as product managers because of how critical a role they’ve played and how well they lead the project into new use cases.”

Applying those insights, the team created Styra Declarative Authorization Service (DAS), the management plane that makes OPA enterprise-ready and scalable. With Styra DAS, users can manage policy as code as part of an established GitOps process; validate the impact of policy changes before committing or deploying; distribute policy across clusters, clouds, and teams; and monitor authorization decisions in real time and historically to ensure policy works as expected.

Simplifying Access for Developers

By supporting cloud-native, developer-friendly, and shift-left architectures, Cisco Security has always aimed to win the hearts and minds of developers. Our investment in Styra represents a significant step in this direction.

When asked why Styra chose to bring Cisco on as an investor, Mann says, “Cisco has such a strong presence in access and authorization with Duo and AppDynamics. We see Cisco as a key element as we look to move across the new cloud-native stack and eventually, proactively, recommend policies using AI.”

Looking ahead to his long-term roadmap for Styra years from now, Mann says, “There is a new generation of developers entering the workforce who want to build applications securely, and we want to be the ones who reinvent authorization right alongside them.”

Developers finally have the passport they were missing to seamlessly and securely teleport across the compute and application stack.
