From theCUBE Studios in Palo Alto and Boston, connecting with thought leaders all around the world, this is a CUBE Conversation.

Welcome to this CUBE Conversation. I'm Lisa Martin, excited to talk to the CEO of Styra, Bill Mann today. Bill, welcome to theCUBE.

Hi Lisa, how you doing?

I'm doing well, I should say welcome back. You've been on theCUBE at a previous company, but we're excited to talk to you today about Styra, what's going on. So let's go ahead and start informing your audience who Styra is and what you do.

Sure, so who Styra is and what do we do? So Styra is a company that's focused on reinventing policy and authorization in the cloud native stack. We're the company that created an open source project called Open Policy Agent, it's part of CNCF. And on top of Open Policy Agent, we built a control plane, a management plane, to help organizations really put OPA into production and operationalize OPA.

And OPA is Open Policy Agent, that's what the company actually developed with CNCF, correct?

So we actually founded Open Policy Agent and then we contributed Open Policy Agent to CNCF. And the real goal of contributing the Open Policy Agent to CNCF was we believe that we want to get authorization de facto in the market, right? And the only way to get something out there that everybody uses is to put it into the open source and having an entity like the CNCF supporting the project. So really it's about getting everybody, all enterprises and vendors to use Open Policy Agent as a way of solving authorization for the cloud native environment.

So you say Styra is reinventing policy and authorization for cloud native applications. Your target audience, security folks, developer folks, what changes has cloud native brought to security and development teams?

Sure, so what changes has cloud native brought to security and development teams? So fundamentally, there's been three changes in the marketplace.
One, as you know, we're shifting from this monolithic architecture of building applications to now this new distributed architectures of Kubernetes and microservices and decoupled architectures. So fundamentally, the way we build applications is fundamentally changed because everybody wants to have scale up and scale down and so forth. Second, the way we actually develop software, we've moved now to a DevOps model where we're doing more things earlier on in the cycle so we can innovate faster. And we're producing code on an hourly basis versus when I joined the industry which was probably three releases a year. And then thirdly, which is kind of a major topic that all of us kind of understand is our focus on privacy and security is higher than it's ever been before. And if these applications are going to be way more complex and more distributed and we're going to innovate faster then the way we focus on security and privacy has to be done differently as well. And if we don't do it differently, then we're going to have all the breaches that we had in the previous generation of the app stack.

And we don't want that, but you're right. Privacy and security are increasing concerns in any environment. How do you help address those? And also with the thought of privacy and security are going to be concerns for quite a long time.

Yeah, so let me take a step back. So how do we address privacy and security? So at a fundamental level, authorization is a foundational part of security and authorization has never really been solved or reimagined ever for the last 50 years or so. Every application developer or security vendor has built authorization into their own stack and done it in a very proprietary way. And it's been locked away within these applications and these stacks and so forth. So what happens now when you've got a highly distributed environment is that you've got so many moving parts you still need to apply authorization.
So the way we've tackled it is by building Open Policy Agent and there's three fundamental kind of tenets around Open Policy Agent that make it really ideal for this cloud native environment. Number one, it's policy as code. And everything in the market now is everything is as code. You know, you've got infrastructure as code. So this is now policy as code. So you can describe in a declarative model how you want the policy for a system to be developed and you can use the language called Rego to do that. Second is the fact that all the cloud native projects out there which are all developed based upon open source technologies, Kubernetes, microservices, you know, Envoy, Istio, Kafka, all these kind of buzzwords you hear in the marketplace, they all integrate with Open Policy Agent already. And then thirdly, the architecture of Open Policy Agent is that it's distributed which means that it's ideally suited for this distributed architecture for cloud native. And those are the three kind of characteristics of Open Policy Agent leading to developers loving it. And when I say they love it, we've got, you know, hundreds and thousands of users of Open Policy Agent, you know, when you go to the CNCF shows, you know, KubeCon, you know, earlier this year and there's two more coming this year. There's many, many talks on it. You've got cloud vendors like Google and Microsoft adopting Open Policy Agent. You got a lot of enterprises adopting Open Policy Agent. So that's really fundamentally what we've built is we've built an authorization, you know, architecture for this new world to really address the security and privacy concerns which we are, which have always existed and are going to be more exponential in this new world.

I think you've also built a community around OPA. Can you share a little bit of information about that and how they help with the code development and even some of the other things that you're commercializing?
Sure, yeah, so now what have we done from a community point of view with Open Policy Agent? So yeah, the community is an integral part of any open source project and we're lucky to have a great community. We've got a great community of enterprise users of Open Policy Agent and vendors as well, you know, vendors like Microsoft and Google who are now contributing to OPA and building it up. And for me, you know, the most important part of a community is that you learn how enterprises are using your software and they share ideas and they share use cases and you're able to innovate really, really fast. And what we've learned from that is the use cases that they use Open Policy Agent for, for instance, you know, one of the major use cases for Open Policy Agent is for Kubernetes admission control. So essentially we can test the configuration of an application which is described in a file called YAML before it goes into production. So it's, you know, think of it as pre-production tests. But you know, companies are using it for microservices and applications and data and so forth. So it helps us understand what they're using this for. But also we use it to help us develop our commercial product which is the management control plane for OPA. So we learn about what they're missing in the open source project that we can use to build our commercial product which is ready for enterprise use.

So you've had a lot of success with OPA. Talk to me about Styra DAS and why the need for that.

Sure. So why do we need Styra DAS? Recognizing that OPA is very, very successful. So the fundamental difference is OPA is very focused on developers and it's very focused on, you know, an environment for an individual node or cluster. But it doesn't have all the enterprise features necessary for a real enterprise to go into production. So what we notice is companies use OPA for pre-production but when they want to go into production they need a user interface.
They need a way to author policies, distribute policies, monitor policies, do impact analysis and a whole bunch of other features and capabilities that are needed for enterprise deployments and so forth. So that's a fundamental difference between OPA and the commercial product. The commercial product is really operationalizing OPA for an enterprise deployment.

So the relationship between Styra and OPA seems very collaborative to me that what you just described with the commercial product of Styra DAS is really one that was developed based on what the OPA community and Styra have learned together.

Correct, yeah. So, you know, OPA was created by, you know, the CTO, the founders of the company, saw early on several years ago the need for distributed architectures and the need for unified policy. So they left and created OPA and from day one, they wanted to get OPA into everybody's hands. That's why they contributed it to open source as part of CNCF and then the next kind of, you know, strategy is to, you know, focus on the control apps aspects, the enterprise aspect. So yes, there's a, you know, the same team that created OPA is the same team that's creating the Styra DAS commercial offering as well.

So from the enterprise perspective, talk to me about some of the companies that you're talking to. I imagine any organization that's focused on cloud native, but any industry in particular that you see is really kind of leading edge right now?

Yeah, so, you know, which industries are we talking to in terms of, you know, using Styra DAS and OPA? What we've actually found is it's across the board. And, you know, we've seen in the early days that financial services and, you know, high tech were using OPA, but now it's really across the board. So it's all verticals really.
And, you know, what we've noticed is any organization which is going through a cloud transformation project where they're, you know, either building new applications based upon cloud native, you know, app stacks like Kubernetes and microservices and so forth or shifting to the cloud are the companies that are also adopting OPA and, you know, the Styra DAS product, right? Because it's all part of the same solution set. And what we're noticing now, and this is a fundamental difference, is, you know, platform architects and developers are kind of primed to, you know, use these technologies. They learn about these technologies by going to the conferences. And unlike the past, which it was very much top-down selling from the C level down, this is very much bottoms up. So developers learn about OPA by going to the conferences, they use it within their own environment and then they tell their management that, look, we're using OPA already, we're missing these capabilities or they come to us and we educate them about the Styra DAS product and so forth. So it's a very different sales model as well. And that's why it's very important for ourselves and any open-source company to really keep developers happy and provide a solution that's meeting their requirements.

On that front, with so many of us and developers included, working from home for the past nearly four months, we know we're doing things like this virtual conversations, virtual events, how is Styra helping to continue to feed and educate those developers so that they can have those understand what you, how you can impact their job functions and how they can then elevate you guys up the stack.

Sure, so what's changed over the last three months or so in the market as a consequence of COVID-19 and from an educational point of view. So what we've seen is fundamentally, in the early days of COVID-19, everybody was trying to kind of get the head around how to work from home and so forth.
But what we've seen across all verticals is developers have now really focused on educating themselves. And just as a data point and the audience that we get to the OPA website is as high as it's ever been for the last three months. And what we're doing as a company is a lot of training sessions, video, content, write-ups, blogs and so forth, right? And really helping the community learn about OPA and how to solve these kind of fundamental problems around policy and authorization within their environments. We've also been helped by the community as well. So there's been talks from a number of companies, Microsoft, Google, Palo Alto had a talk and many, many companies are talking about OPA now. And I love it because ultimately being an open source company and building a project which we want to become de facto, we want to raise the bar for security across the world, right? And if we can do that, then it's going to be an achievement for us and it's very gratifying knowing that we're really fixing security problems for organizations because ultimately we always want to be able to use an application or a banking service and not worry about privacy and security concerns. And that's ultimately what we're all after. But this is such a fundamental component that once we want to have developers learn this now because if they can incorporate this into their DevOps app stack, then in future years when these applications are built and they're exposed, they'll be more secure.

And so it sounds like maybe there's even more engagement now during COVID when everybody is at home. Tell me about some of the things that are coming down the pipe for Styra in light of all of this exciting collaboration with the community?

Sure, yeah, there's definitely been way more collaboration as a consequence of COVID-19. People are at home and they're focusing and they're going through learning sessions and browsing the website, going through the video content and so forth.
So what we're engaging as much as we have ever been, in fact, I would argue that we're engaging even more so now because it's just a different environment to work in. And what we're focused on now is really adding more features to the Styra DAS product. Just to step back for a second, Open Policy Agent works across the cloud native stack and Styra DAS has been focused first on the Kubernetes use case and now it also supports microservices as well. And then what we're continuing to do is add more of those enterprise features into Styra DAS and move up and up across the stack. But it is all driven by developers that we're talking to on a daily basis and that's leading to where the project is moving forward and the development for the roadmap and so forth.

And Styra DAS was only launched in 2019, is that correct?

2019, yes, that's correct. That's correct. Yes, it's time flies, right?

A lot of change and a lot of development in a short period of time.

That's right and 2019 was a big year for us, right? We started last 2019 with a soft launch at the RSA conference and we finished 2019 with Series A funding led by Accel. And yeah, it's great to see how the commercial product has been gaining traction in the marketplace as well as OPA as well. And I think it's a combination of events. One, the fact that cloud native is now really well understood. Second, the fact that Kubernetes, at the beginning of 2019, it was still, what does Kubernetes mean? Is it going into production? Now, Kubernetes is absolutely going into production and there's such a desire for organizations to make sure that security and policy and compliance are resolved before applications go into production. Otherwise, we're going to have the same kind of challenges we had with previous app stacks.

Well, the momentum is certainly with you. I can definitely hear that in your voice, Bill.
Thank you so much for joining me, talking about Styra, how you're reinventing policy and authorization for cloud native applications.

Thank you, Lisa.

For my guest, Bill Mann, I'm Lisa Martin. You're watching theCUBE Conversation. Thanks for your time.