Styra has launched Styra Declarative Authorization Service (DAS) for Cloud-Native Entitlements. With this solution, IAM teams can move to cloud-native technologies while still using existing systems of record, and can scale to the level that their organization requires. A transcript of the conversation follows.
Alan Shimel: Hello, everyone. Thanks for joining us on another TechStrong TV segment. Oh, I’m happy to have back on TechStrong TV today our friend, Tim Hinrichs, from Styra.
Hey, Tim, welcome. How are you?
Tim Hinrichs: I’m doing great, Alan. Thanks for having me back on.
Shimel: Yeah, it’s a pleasure to have you here. Tim, we always enjoy actually having the Styra folks on, whether it’s Bill, or you, or anyone else. Of course, Styra is a company that in the cloud native space has really kind of made a name for themselves. But though our audience is a cloud native audience and technical, they may or may not know Styra. They probably maybe have heard of Styra. They probably heard of OPA, but why don’t we kind of make sure everyone’s level set, Tim, and give them a little background?
Hinrichs: For sure. Yeah, great. So, yeah, what Styra does is we help enterprises by providing them a unified solution to authorization. And so for folks that don’t know and don’t work on authorization every day like I do, just remember that authorization is this problem of controlling what actions that people and maybe software can take within a piece of software.
So let me give you an example or two here. Every time I log onto my bank online, I can see all my bank accounts, but I may not be able to see my wife’s bank accounts. I may not be able to move money between her bank account and mine, and so that’s an authorization problem. It’s controlling what actions I can take. Can I withdraw money? Can I deposit money? So on and so forth. And so that’s one kind of authorization that we work on at Styra.
But another good example is sort of at the developer level. So those websites that we all use every day, those are built by developers and developers are also taking action. And so one kind of action that they might want to take is they’re upgrading the software, or they’re deploying a database, or they’re changing some network configurations. Again, all of those are actions and there needs to be authorization controls in place to make sure that the right actions are being taken by the right people at the right time.
And at Styra, we provide software that helps an organization sort of manage all of those permissions, all of those authorization policies across all those different kinds of decent software.
Shimel: Excellent. Love it. And we might as well get it out of the way while we’re here, Tim. People who want to get more information on Styra, it’s Styra, S-T-Y-R-A, and it’s styra.com, correct?
Hinrichs: Absolutely, yeah. Definitely check that one out.
Shimel: Cool. All right, we’ve gotten that. Oh, you know what else, Tim? We didn’t even tell them about what your position at Styra is. We should give them that, too.
Hinrichs: For sure, yeah. So my name’s Tim Hinrichs. I’m the CTO and co-founder at Styra and I spend part of my time working on our commercial product offerings, but then I spend the other part of my time on our open source efforts. And one of the things that we do in open source is we started the Open Policy Agent project, or OPA, as we like to call it, and then we donated it to the CNCF. So I’ve got a foot in both of those areas of work.
Shimel: Love it. Hey, Tim, are you gonna be out at KubeCon in Spain in May, or planning it, not sure yet?
Hinrichs: Not sure yet, but yeah, it would be great. I’d love to get back out, and start going back on that conference circuit, and seeing people, chatting with them about policy and authorization, and just seeing folks, again. I think it would be great.
Shimel: We are currently planning on being there. We’re going to hopefully try to do some videos but a different sort of setup. I forgot what they’re calling it, something topist talks or something, so short, little, smaller segments. Again, assuming the world is right, we’ll be there.
Anyway, but Tim, let’s focus in on what we want to talk about today, which is you guys recently announced a new offering. Tell us.
Hinrichs: Yeah, for sure. So the new offering that we just released a little while ago, we call it the Entitlements Offering as part of our normal product called the Declarative Authorization Service. And so the idea behind this new offering is that it’s really designed to help organizations take custom applications and migrate them from on-premise data centers into the cloud more effectively, more quickly.
And so the problem we kind of saw happening over and over was that if you’ve got one of these on-prem applications, especially an application that’s focused around helping your employees interact with each other or the organization as a whole, these employee-focused applications, a lot of those apps are dependent on what folks will call an on-premise entitlement service. So that entitlement service is often backed by LDAP, or Active Directory, or something, and it’s sort of just those applications sort of need to know which groups that employees are a member of in order to sort of grant permissions within the application.
And so the challenge when you’re migrating those kinds of applications into the cloud is that the cloud, what you don’t want to be doing is having an application running on the other side of the world and having to make a request all the way back to your on-premise LDAP or AD. The roundtrip time, the availability, the performance and availability, are just too poor. It’s sort of an anti-pattern in the cloud. And so these folks that we’re talking to are struggling because they want to migrate these applications in the cloud, but in order to do that, they also have to migrate those on-prem entitlement services to the cloud.
And so this new offering from Styra really makes that easy. You sort of just hook it up to your LDAP or AD and then you can deploy that thing in as many cloud regions as you like.
Shimel: Excellent, excellent. Back at the end of last year, I told our team here and I think we said it on our predictive that I thought IAM was going to be the battleground, the most important thing for us to be focusing on, especially as it relates to cloud native, and security, and stuff like this. Of course, this was before the software supply chain builder management, and the ransomware, and a lot of the stuff that we’ve seen come down.
But I still believe that IAM is the kind of the soft, white underbelly. It’s where cloud security gets down in a lot of ways, right? You have cloud providers who are investing billions, literally billions of dollars, into their infrastructure and their security, and we count on them to deliver the security to a certain level of that stack. The rest of that stack, through a good chunk of it, is protected by our IAM.
I mean, I’m not blaming anyone, but just this week, we’ve seen Okta with a problem, and I’m not blaming Okta. Any one of us can be the next Okta, or the next SolarWinds, or the next take your pick. We’re all vulnerable, at some point. But it goes to show you how vulnerable we really are through the IAM stuff.
Tim, what made you guys kind of go down this path? I mean, obviously with what you do, it was kind of adjacent and it wasn’t out of left field, but what made you say, hey, we need to do this?
Hinrichs: Yeah, there are a couple of things. You mentioned a whole bunch of things and one in which I want to respond to before I get to your question.
Shimel: I’m sorry.
Hinrichs: I think that the recent stuff around Okta was interesting because I think one of the things that should remind all of us of is just this idea that there are two kinds of companies in the world, those that have been compromised and those that don’t know they’ve been compromised, to your point.
Shimel: Exactly, yeah.
Hinrichs: And so this thing with Okta just I can highlight this idea that once you sort of understand and sort of internalize this idea that you’re gonna be compromised, the only sort of thing you can do is put defense in depth in place. And so authentication, proving that you are who you say you are, which single sign-on vendors have done a tremendously good job of, is that first level of defense. But then authorization is that second level where what you want to do is sort of control the amount of damage that is done once one of those user accounts is compromised and that’s the notion of authorization. You limit the amount of permissions that every one of those accounts have.
And so that’s, to your point, one of the foundational principles of security, that you layer levels of security in place so that when any one of them gets compromised, you have several others to put in place.
Shimel: Absolutely. We hear the term zero trust getting thrown around and it’s funny, with zero trust, to a lot of people’s idea, I do my single sign on, so now I know Tim is Tim. And now, Tim, here’s the keys to the castle. Have at it. But I think what people miss is with zero trust, is just because Tim is Tim, Tim doesn’t get the keys to the castle. Tim should get just what Tim needs, not what Tim may want. He doesn’t get everything. So if Tim is compromised, I still limited my exposure.
And, again, to me, that’s really when we start getting into the permutations of zero trust and how we do IAM, it’s so important that we have that. Not everybody’s access is created equal.
Hinrichs: Right. I totally agree and I think, well, one of the more interesting things that we’ve seen is that part of why I think a lot of folks end up with maybe more permissions than they need is just that these authorization systems today traditionally have been hard to use. Every product, every project, every service on the planet has a unique way of solving authorization.
So if somebody needs additional permissions for some small period of time and I’m the admin, well, I’ve got to go poke around and figure out how to give them additional permissions and then there’s this back and forth. “Okay, I gave you more permissions. Did that work? No, okay, I’ll give you more permission. Did that work? No.” And at some point, you just say, “Forget it, you’re an admin.”
[Crosstalk]
Shimel: You know what? I’ll give you everything.
Hinrichs: “You’re an admin.” And then what happens is you’re supposed to pull those permissions back a week later, but then you forget because you get busy. And so I think there’s this very real notion of permissions creep where people just have more and more permissions over time. Because everybody’s definitely gonna ask for more permissions when they need them to do their job. Very few people are gonna say, “Oh, you know what? I’ve got too many. I don’t need those, anymore.”
And so I think one of the things that we do at Styra, by trying to provide a unified solution, a foundational solution for authorization, is help with this. Because we say, look, there’s one collection of tools and technologies you need to learn in order to deal with permissions. If you can apply those to all your 57 different products and services, well, you just are more conversant with being able to give rights correctly and being able to revoke them. And so I think that speaks well to why in part we’re doing what we’re doing at Styra.
Shimel: Absolutely. So if you don’t mind, Tim, let’s talk a little bit about kind of the business aspect of this new offering. How’s it packaged? How’s it offered? How’s it priced? Is there a free open source version, that kind of thing?
Hinrichs: Yeah, and maybe I’ll also offer the answer to the question about why did we end up doing this ’cause I didn’t get to that.
Shimel: Yeah, please.
Hinrichs: Yeah, so it’s one of these nice things that because we have an active user base in the open source world and because we have active customers on the commercial world, we can just watch what they do all the time and then when we see a pattern emerge where we see the same people having to address the same kinds of authorization problems, then we realize, well, that’s a systemic problem throughout our community and organizations. And so then we can go ahead and put the energy into building a new offering, and that was exactly what happened with this entitlements solution.
We just saw a number of our open source and commercial customers and users having to solve this problem and using OPA and DAS to do that. And so then we just realized, well, hey, if they’re kind of piece-mealing things together, why don’t we just put forth a real offering around this design specifically to solve this entitlements problem. So that’s how it came about.
To answer your second question, how’s it packaged, and priced, and all that good stuff. Well, so typically what we do is this is another feature, so to speak, or a solution, or sometimes we call it a use case, for our product, our declarative authorization service. So that declarative authorization service was designed to provide a unified solution to authorization. It helps you with Kubernetes authorization, with microservice authorization service mesh. It helps you with public cloud through Terraform, and now entitlements. And so in that sense, it’s yet another feature, so to speak, in the product that exists.
And so in that sense, if you’re just using DAS, then you can kind of just pick that out of a list and put it in place. DAS is available as a SaaS offering so everybody can run it and you can sign up for free, as well, so I definitely suggest if you want to try it out, go log in and do that. We do, for the enterprise version, also offer an on-prem solution. And so if folks want to actually run DAS on prem, it doesn’t have to be on prem. It could be in their private cloud accounts, then they can do that, as well.
Shimel: Excellent. Once again, proving the old axiom, it’s not a product, it’s a feature, and it’s good when you can have a product, whether people can’t decide, well, it’s a platform, not a product, but you have a product that has multiple features like that that handle this kind of thing.
Tim, it’s available now? So I assume it’s been beta tested, hardened, gotten the feedback, and it’s ready to rock and roll.
Hinrichs: Yeah, it’s one of our earlier releases, for sure, but yeah, we definitely want people out there trying it and giving us feedback, for sure.
Shimel: How do people go sign up and give it a whirl?
Hinrichs: Yeah, just go to styra.com. There’s a signup link, and then when it drops you into the product, you’ll get to pick from one of several quick starts that help you sort of walk through putting stuff in place, and you can kind of kick the tires.
Shimel: I love it. Tim, thanks for coming on and telling us about this exciting new feature in the Styra product line. Looking forward to hearing more. I do hope we get to see you at KubeCon in May in Valencia, hopefully, fingers crossed.
Hinrichs: That would be absolutely fantastic, and thanks. It’s been a pleasure chatting with you, again, Alan.
Shimel: All right. Say hello to all our friends at Styra. Tim Hinrichs, CTO co-founder at Styra here on TechStrong TV. We’re gonna take a break. We’ll be right back.