Tech Trailblazers Showcase: Styra flash talk

For the first year ever, the 2020 Tech Trailblazers Awards teamed up with the London Enterprise Tech Meetup to host an event where some of the top of the crop of entrants could showcase their award-winning businesses. One of those who gave a flash talk at the event was Bill Mann the CEO of Styra, a firm which won the Containers Award and whose CTO and Co-Founder, Tim Hinrichs, was a runner-up for the Male CxO Award.

Bill gives a quick explanation of how Styra is aiming to revolutionize authorization, making it code instead of being defined in PDFs, fast making it the de facto standard for authorization in cloud native environments.

The host is Ian Ellis for London Tech Enterprise Meetup and the session is moderated by our very own Chief Trailblazer, Rose Ross. Also asking questions are two of our Tech Trailblazing judges: Dr Jacqui Taylor the Founder & CEO of FlyingBinary, and Dave Cartwright, Head of IT Security at Standard Bank Wealth International.


Also available as audio only on:

Interview transcript

Ian Ellis: Truly insightful, very good panel, good discussion and we’re very excited to now turn around to talk to some of the award winners from the Tech Trailblazers. So, first up is going to be Bill, who’s from Styra and he’s going to give us a quick overview of Styra, a quick chat Fireside chat for us. Or quick flash talk, I should say. And then we’ll have some Q&A from there. So if you’re thinking about questions, now is the time to ask them on the chat, on the Q&A chat. We’ll also invite some of the panelists back to ask questions as well. So Bill, I’ll pass over to you.

Bill Mann: Great, thank you very much and good morning everybody and good evening everywhere, everybody. So I’m Bill Mann, I’m the CEO of Styra. We are the creators of an open source project called Open Policy Agent. It’s the open source project which is focused on authorization in the cloud native environment. It’s now got millions of downloads, has hundreds of enterprise customers using this open source project and we believe we’ve got the opportunity to become a leader in cloud native authorization by operationalizing and providing an enterprise offering to this base of open source users.

It’s a very exciting space and let me take a couple of minutes, kind of walking you through it.

You know, to give you some context to Styra and what we’re trying to solve, you need to put yourself into the minds of the developer and what’s happening in all shops out there at the moment is we’re going through this transformation, digital transformation, moving to the cloud, whatever you want to call it. There’s a massive transformation happening, and there’s a massive shift in the way we’re building and deploying applications.

Everybody is going towards kind of a Google-like environment, using current generation technologies like Kubernetes, service meshes, and so forth. What’s now called a cloud native app stack. Some of you, at least when I started my career, it was in the client-server space, but this is the new kid on the block in terms of applications. The way we’re building applications is also changing, we’re moving towards development processes which are called DevOps, we’re shifting left, we’re automating as many things as we can, and software defined. Everything is kind of the buzzword at the moment when you’re defining when you defining and building software.

But as we all know, privacy is a big concern. You know, a lot of the discussion earlier on was about security and cyber security, so privacy is the number one concern. It’s only going to get more and more important moving forward. And this company is trying to solve a fundamental part of security, which is called authorizations. We intend to reinvent policy and authorization and we believe if we can get this right, we can become a leader in security for cloud native environments.

Just to give you guys a context for a second. You know why are we trying to invent policy and authorization? It really comes down to complexity and risk. So firstly, what is authorization? Authorization is what a person can do or what a service can do, and it’s a fundamental part of security, its foundation. When you do computer science in the early days, you learn about authentication, authorization, and auditing. This is it. This is our component. It’s never really been reinvented for the last 30 years.

Whenever you use any security product in the marketplace, be it a firewall, be it an intrusion detection system, be it an application, there’s always some part of authorization there, but if you look at this chart here, on the left hand side, most of the time you have a monolithic application. It’s got dozens of components. There’s thousands of access points.

And we’ve known there’s been risk in the millions of dollars. If you move to cloud native, which is going to be highly ephemeral, highly complex, highly dynamic, there’s going to be millions of components coming up and down, microservices. That is going to result in trillions of access points and risk in the billions of dollars. And that’s fundamentally the problem we’re trying to solve.

So enter Styra. Our founders came from a company called Nicira, which are famous for software-defined networking. Tim, our CTO, has a PhD in declarative policy languages. He and Teemu, created this company. We are now a Series A funded company from Accel. They created Open Policy Agent, obviously an open source project. The reason why developers love it is because you define policy as code. No more PDF documents, you actually are writing code.

You’ll see in a second that it’s integrated with all the components of the cloud native stack and it’s very developer centric. So, developers are guys who are picking this up. In terms of where it is in the market at the moment, it’s becoming the defacto standard for authorization for cloud native environments. We’ve gone to now 30 million plus downloads from 6 million at the beginning of last year, to 33 actually, at the end of last year. You’ve got thousands of users on our community and 4,000 GitHub stars.

This slide here just gives you an idea of where Open Policy Agent is being used across the cloud native environment. It’s being used in CICD platforms, in container management, microservices, etc etc. And it’s been used as the way to define policy and authorization. So rather than having a different way of doing policy and authorization.

What developers are looking for now is a unified way of doing policy and authorization, using a single edge construct for defining the policy language in the first place. So rather than having ‘n’ different ways of doing authorization, you’ve got a single way. Just like if you think about you know authentication, we’ve all now use a standard way of doing single sign-on in environments, and authentication was successful because of the SAML protocol we expect to be successful because of the OPA underlying framework.

And where we are focusing our energy at the moment is how to operationalize OPA for the enterprise. So we’ve got hundreds of open source users, which we are now trying to convert into paid users of our Styra DAS service, and our Styra DAS service fundamentally is a management plane, where you can author policies, do impact analysis, do distribution of policies, and so forth. So lots going on in this space, lots of interest. Developers are in our focus area. We’re selling to all verticals, all types of businesses. We go into organisations, really educating developers. Our platform architects are our major influences in the organization and that buyers tend to be risk and compliance businesses within enterprise users.

And thank you and let me pass over to questions now.

Ian Ellis: Great, thanks Bill. We have a couple of questions coming in. I think Jacqui has one for you there.

Jacqui Taylor: Hi there Bill, great presentation, great to see you doing so well. I just wondered what impact you’ve had on the changes with the Privacy Shield changes from between EU in the US and obviously the knock-on effects of what’s going on in Japan on that, and so DevOps is now starting to meet some of the enterprise issues at the DevOps level. Have you had to adjust what you’re doing? In order to take account of that change in 2020.

Bill Mann: Well, I think we haven’t had to adjust what we’re doing. What we are seeing is policy frameworks, customers are looking for standardized policy frameworks from organizations like ours. So we’re already putting together what we call ‘policy packs’ like PCI and best practices, and so forth. And I think that’s what’s going to continue moving forward. So as you have localized, standardization around policy, you’re going to see products like ours implement those because you’re right, DevOps tend to be developers. They don’t understand all the reasons why compliance needs to be built, so they’re looking for standardized ways of doing policy But one of the things I want to underline here is we are getting away from the old world of kind of defining policies within PDF documents, which really can’t be managed, to code. So with code, when you write a policy in code, you can test that policy just right, Just as you could do with regular code and you put it into git and you manage the lifecycle of that policy just like you did with code as well. So it’s a complete reset in the way we think about managing policy, and there’s tons of work to do here in the future, around policy governance and even using things like AI in the future to look at policy at different parts of the tech stack and understand why one thing contradicts another thing.

Jacqui Taylor: OK thanks.

Rose Ross: Hi. Hi Bill, that was great. I’m just gonna ask you a question from Charles Clark who’s one of our listeners. Hi Charle. Is this for underlying infrastructure access e.g granting access to CICD platform, releasing code or also useful for user authorization client app?

Bill Mann: Yeah,the answer is yes. The answer is yes. So, if your listener goes to, that’s the website for the Open Policy Agent project and Open Policy Agent has been used for the infrastructure like the listener was asking, all the way to the app level as well and just to underline the point I made earlier on, developers are looking for a standardized way of doing policy now. So it’s going to be a what we call a decoupled component of the architecture, just like other things are being decompiled out, like authentication or login and so forth. This is a thing that they’re asking to be decoupled as well.

Rose Ross: Brilliant, that’s great Bill. Did I see Dave’s hands go up there, as well with the questions?

Dave Cartwright: You certainly did. Yeah, if I might fling one at you Bill. Obviously one of the issues when you’re doing anything differently and taking a different approach, is that people have never come across that approach before. And clearly you’re now getting to the stage where you want to start monetizing this and start selling it to, I guess, people like my employer. How do you plan to get over that barrier of comprehension and understanding, of going from a world where you do compliance in PDFs and into a world where you doing it in code. How do you kind of keep that…how do you do that knowledge installation in parallel with actually selling them the product?

Bill Mann: Sure, sure, well that’s actually happening at the moment, right? I, like yourself, started my career in the 90s as well, which was a very very different world. And what we’re seeing now, and we are monetizing now already, we’re selling to a new set of developers within organizations who are building greenfield applications on this new cloud native stack and they are very, very familiar with declarative models already, in terms of infrastructure as code, defining how your deployment should be defined in YAML, let’s say, and so forth. And they immediately recognize the need for having policy done this way as well. But yes, you’ve got a generational gap. In fact, in my generation of architects who don’t get it. Or, are stuck in how it was done in the past. But yes, that’s what’s happening.

One of the things I would underline is, the way we approach this is it is open source. So we’re not selling the open source. You know there’s a pull from developers who are already learning about the open source who end up using it, within their environments and then tell their senior management “Hey, we’re using this already. Maybe we need to get the enterprise version of this to make it ready for prime time”. So that’s really what’s happening and you’ll see a lot of education from us as the creators of Open Policy Agent.

We have the Styra Academy to give free courses to developers as well. So that’s the way we’re going to market in terms of moving developers along that journey. But it is an education and fundamentally there’s been, billions of dollars of risk out there with misconfigured policy, too much access and so forth. And this is a completely different approach to solving that problem.

Ian Ellis: Great. Thanks Dave for the question and thanks Bill for a great answer. I think what we’ll do now in the spirit of moving forth is let’s move on to our next talk.