| Last Updated | 22 March 2022 |
| --- | --- |
| Document Id | tch-vendor-assess-styra |
| Author | simonm@thecyberhut.com |
| Part of Research Product | Next Generation Authorization – A Market Overview |
Company Key Facts
| Web | https://www.styra.com/ |
| --- | --- |
| LinkedIn | https://www.linkedin.com/company/styra/ |
| Twitter | https://twitter.com/styrainc |
| YouTube | https://www.youtube.com/channel/UC7qrGkXBjl1U3iVVFJWwEPg |
| Founded Date | 2015 |
| Founders | Pierre Ettori, Teemu Koponen, Tim Hinrichs |
| No. of Employees | ~80 |
| Total Funding | $54 million |
| Locations | HQ – San Francisco Bay Area |
| In Their Own Words | “Reinventing Policy and Authorization for Cloud-Native – Today’s cloud app infrastructure has evolved. Access, security, and compliance must also evolve. It’s time for a new paradigm. It’s time for authorization-as-code.” |
Funding
Styra has had $54 million in total funding, across three rounds – seed, Series A and latterly a Series B in May 2021.
| Announced Date | Transaction Name | Number of Investors | Money Raised | Lead Investors |
| --- | --- | --- | --- | --- |
| May 18, 2021 | Series B – Styra | 7 | $40M | Battery Ventures |
| Nov 12, 2019 | Series A – Styra | 3 | $14M | Accel |
| Jan 1, 2016 | Seed Round – Styra | 1 | — | — |
| Jul 15, 2015 | Seed Round – Styra | 1 | — | — |
Source: Crunchbase
Customer Case Studies
| Customer | Region / Sector | Details |
| --- | --- | --- |
| Extenda Retail | Nordics / Retail | Extenda Retail is an innovative retail-as-a-service provider founded in 2018, with a history going back nearly 40 years in retail through mergers and acquisitions. They provide a range of back-office functions to the retail sector such as warehousing, customer relationship management and in-store checkout. Existing legacy, centralised authorization, often hard-coded within applications, was seen as a barrier to scale and compliance. A combination of OPA with Styra DAS (Declarative Authorization Service) provided a modern platform that allowed app developers to concentrate on the apps rather than on the policies or controls. Highlights: API ingress protection / Envoy integration / Centralised policy management / Policy management decoupled from protected applications. Further Information |
| Capital One | USA / Retail Banking | Capital One is the largest direct bank in the US. They have a history of innovation within their software engineering teams and were early adopters of OPA, which was amplified in 2020 during the rollout of OPA within their Kubernetes infrastructure management projects. The use of Kubernetes showed the need for repeatable and scalable policy creation and control, which OPA/DAS seemingly looked to deliver. Their early-adopter knowledge of OPA allowed them to focus on DAS to operationalise their deployment. Highlights: Kubernetes management / Operationalised deployment / Sidecar, daemon and library deployment flexibility / Support for complex policy layering. Further Information |
Technology Key Facts
| Go To Market Message | Styra Declarative Authorization Service (Styra DAS) – The fastest and easiest way to operationalize Open Policy Agent |
| --- | --- |
| Solutions | Kubernetes Guardrails / Microservices Authorization / OPA Management / Public Cloud Configuration Management |
| Products / Platform | Styra Declarative Authorization Service (Styra DAS) |
| Useful Links | Styra Academy / Pricing / Signup for DAS Free |
Technology Review
What Do They Do?
Styra are the creators and maintainers of OPA – Open Policy Agent. OPA is focused on “policy based control for cloud native environments”. With a policy decision engine that can be deployed as a service or embedded as a library, OPA provides generic policy decision-making capabilities that have been deployed in a range of scenarios, primarily in the cloud infrastructure and API protection space.
For The Cyber Hut’s technology test drive of OPA see here.
OPA is driven by rules written in the Rego language. An OPA instance accepts runtime JSON input and evaluates the Rego rules against that input alongside persistent data to reach an informed authorization decision. Which decisions OPA is asked to make is, of course, flexible, which is why OPA adoption has taken off – a recent Styra blog indicated over 120 million downloads of OPA as of January 2022.
Styra themselves are looking to monetize the emerging next-generation authorization market that OPA is helping to define, through their DAS – Declarative Authorization Service. Styra DAS is a cloud based means to manage the OPA environment, through rules design, monitoring and distribution of the resulting policy data. They also provide configuration templates that allow OPA deployments to be rapidly set up for compliance support.
Kubernetes is “an open-source system for automating deployment, scaling, and management of containerized applications.” The rise of containerization and the ability to deliver self-contained applications, services and APIs has led to the rise of Kubernetes (K8) as a means to orchestrate and manage such containers.
Source: Styra website
The next level in that management chain is the use of K8 admission controllers that govern access to how infrastructure is configured. Here, Styra leverages the available API hooks to inject contextual policy to the admission controllers to provide additional security to the K8 environment.
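To make the admission-controller pattern concrete, the following is an added example policy written by this reviewer in Rego, not code from Styra or from the OPA project, and not taken from a DAS template. It assumes the classic OPA admission-webhook arrangement in which `input` is the Kubernetes AdmissionReview object sent to the webhook; the package name, the `allowed_registries` value and the two rules are assumptions chosen for illustration.

```rego
# Added example admission policy (not Styra's or the OPA project's own code).
package kubernetes.admission

# Registries this cluster is permitted to pull images from.
# Assumed example value; a real deployment would source this from bundle data.
allowed_registries := {"registry.example.internal/"}

# Reject a Pod when any of its containers uses an image that does not come
# from an approved registry. "input" is the AdmissionReview delivered to the
# validating webhook, so the Pod spec sits under input.request.object.
deny[msg] {
    input.request.kind.kind == "Pod"
    container := input.request.object.spec.containers[_]
    not image_allowed(container.image)
    msg := sprintf("container %q uses image %q, which is not from an approved registry", [container.name, container.image])
}

# Reject a Pod that does not require its processes to run as a non-root user.
# "not" succeeds both when the field is absent and when it is explicitly false.
deny[msg] {
    input.request.kind.kind == "Pod"
    not input.request.object.spec.securityContext.runAsNonRoot
    msg := "pod must set spec.securityContext.runAsNonRoot: true"
}

# Helper: an image is allowed when its reference starts with an approved registry prefix.
image_allowed(image) {
    startswith(image, allowed_registries[_])
}
```

Because both rules contribute to the same `deny` set, a Pod that violates both produces two messages, and an empty set means the request is admitted. Turning that set into the AdmissionReview response (the `allowed`/`status.message` fields) is done by whichever integration, such as kube-mgmt or Styra's own Kubernetes system type, wraps the policy; that wiring is deliberately left out here so the rules themselves stay readable as the “policy as code” artifact the page describes.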
Styra talks about the “left shift” of security for this K8 ecosystem, where security can become embedded earlier in the application infrastructure management lifecycle.
Source: Styra website
The security controls are managed by policies which can essentially be stored as files, coupling well to the “everything–as–code” model of infrastructure management and security. This model allows for the visibility, version control and repeatability of policy usage across a range of containers.
Styra DAS provides a user interface for the creation of policies for the non-code stakeholders in this cycle.
A key concern of any policy based system, is the distribution and freshness of data. Here Styra introduces a capability called Policy Stacks which provides the function to get policies consistently applied to different clusters and instances.
In addition, Styra provides audit and monitoring services to identify the compliance of policies against the inbound K8 traffic.
An extension of the “policy as code” concept is applied to the “compliance as code” initiative Styra promotes. Here Styra provide a range of out-of-the-box templates for compliance initiatives such as PCI-DSS, MITRE ATT&CK and CIS benchmarks, which can be rolled out as an immediate baseline security umbrella.
Styra provides generic microservices protection via their DAS solution. Microservices provide agility for many organizations seeking to deliver both internal and external facing applications and services. However, API based microservices require inbound and intra-service protection. Here Styra describe their ability to provide contextually-aware authorization policy to a range of microservice deployment patterns.
Their narrative focuses around the ability to decouple the application logic from the control and protection logic. This not only allows developers to focus on business value, but also allows for the creation of reusable assets as they pertain to authorization and security.
Source: Styra website
They also argue that performance improvements and deployment simplicity are a key benefit.
Styra provides the benefit of being able to centralize the policy creation process, then provide the ability for policy to be distributed to sidecars, proxies or embedded within services, where decision making functions can take place. The enforcement aspect is left to the calling application once it has received full information regarding the subject, object, actions and context style questioning.
A third solution Styra offers is associated with cloud entitlements. This relatively new offering is claimed to be one of the only such offerings on the market. The approach promotes an architecture comprising an externalized entitlements service that contains the subject, object and action mappings. This entitlement service is often based on data from existing persistent storage systems such as generic LDAP services or Active Directory.
The problem Styra are solving is that as many organizations move to a more cloud-native approach to application delivery, their existing on-premises entitlements databases and directories are not fit for purpose. They are on-premises in the first place and cannot easily be accessed by applications and services requiring entitlement data, and they are often seen as a single point of failure (SPOF) from an operations perspective.
Styra are essentially providing the ability to create an entitlement service that can be deployed in a multitude of cloud environments, close to where the protected resources are running. This entitlement service is managed centrally by the Styra DAS, but distributed locally.
Source: Styra whitepaper on CES
Further information is available from the Styra whitepaper on Cloud Entitlements.
How Do They Do It?
The Styra model is to provide a set of overlay services and capabilities that complement the policy decision making power of OPA. They do this via their Declarative Authorization Service – DAS.
DAS
Signup is available to a DAS workspace for free. This gives access to a cloud hosted tenant with quick start guides and documentation.
The main entry point is a dashboard that shows all of the decision requests the integrated OPA instances have responded to. This is essentially used for monitoring, error reporting and latency tracking.
The dashboard contains 4 main tabbed areas. The most important is likely to be the Settings area, where instructions for the installation of remote OPA instances are held, along with the storage and bundle distribution aspects of the centrally created policies.
Source: DAS instance
The collected policy sets that are ready for distribution are known as “Bundles”. Integration with version control systems such as Git is also available here.
The left-hand side of the DAS console is for the creation of rules for each of the protected “Systems”.
Source: DAS instance
This is essentially an IDE for the development of the Rego based rules.
The creation of a new System contains out-of-the-box settings for the likes of Kubernetes, Istio, Kong, Envoy and Terraform.
Source: DAS instance
Each configured System can also contain a “dataset”, which is essentially persistent file-based data that is used during policy evaluation. The standard form is a JSON key-value mapping containing the static data required during evaluation.
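The split the page describes between runtime `input`, persistent `data` and the resulting decision (the microservice authorization pattern above, where the calling application enforces what OPA decides, and the dataset mechanism just described) is easiest to see in a small policy. The following is an added example written by this reviewer in Rego; it is not Styra's or the OPA project's code and is not a DAS template. The package name, the role and permission layout in the dataset and the sample request are all constructed for illustration.

```rego
# Added example authorization policy (not Styra's or the OPA project's own code).
package httpapi.authz

# Deny by default: a request is allowed only when one of the rules below proves it.
default allow = false

# Allow the request when one of the caller's roles grants the requested HTTP
# method on the requested path prefix. Roles and grants come from the persistent
# "data" document (the DAS dataset / bundle data); the request comes from "input".
allow {
    role := data.roles[input.subject][_]
    grant := data.permissions[role][_]
    grant.method == input.method
    startswith(input.path, grant.path_prefix)
}

# A subject may always read their own account record, regardless of role.
allow {
    input.method == "GET"
    input.path == sprintf("/accounts/%s", [input.subject])
}

# Constructed dataset (data.json) that the rules above read:
#
#   {
#     "roles": {"alice": ["auditor"], "bob": ["teller"]},
#     "permissions": {
#       "auditor": [{"method": "GET",  "path_prefix": "/accounts/"}],
#       "teller":  [{"method": "GET",  "path_prefix": "/accounts/"},
#                   {"method": "POST", "path_prefix": "/accounts/"}]
#     }
#   }
#
# Constructed runtime request (input.json) as a sidecar or API gateway would pass it:
#
#   {"subject": "alice", "method": "POST", "path": "/accounts/42"}
#
# Evaluated locally with the OPA CLI:
#
#   opa eval -d policy.rego -d data.json -i input.json 'data.httpapi.authz.allow'
#
# alice is only an auditor, so the POST is denied (allow = false). The same
# request from bob, or a GET of /accounts/alice by alice, evaluates to true.
```

The point worth noticing for the architecture on this page is that nothing in the policy file changes when a role is added or a permission is revoked; only the dataset does, which is what lets DAS distribute data and policy as separate bundle contents while the application that receives `allow` remains responsible for enforcement.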
Pricing
Styra provides two simple pricing options: Free and Enterprise. The free option is aimed at rapid developer adoption, through a quick step registration and getting started process. This free model is aimed at developers who are comfortable with the creation of Rego based rules and an IDE based environment.
The Enterprise package contains more pre-built configuration items such as Policy Pack templates that contain mappings for common compliance initiatives such as PCI-DSS and the MITRE ATT&CK framework. The Enterprise model also includes 24 x 7 support, essential for a production deployment.
The Cyber Hut Comment
Open Policy Agent is a popular lightweight authorization decision engine that can be integrated into a variety of cloud-native deployment patterns.
Styra aims to provide a set of tools and services that supports the “productionization” of OPA for a large-scale enterprise deployment.
Their DAS is aiming to become the centralized management tool of distributed OPA instances via monitoring and policy design.
Authorization in large enterprises is typically broken down into two components: enforcement and policy design based on business outcomes. OPA is providing the decision making aspect for enforcement, whilst DAS is aiming to provide an entry point into the policy design process for other stakeholders with an interest in authorization for the large enterprise.
Strengths
- Strong developer focus, with documentation, training academy and adoption resources
- Simple pricing model
- DAS signup process is rapid for quick testing
- Policy Packs will accelerate compliance initiatives across different parts of the enterprise
- Strong features for cloud-native and microservices based environments
- Cloud Entitlements service is innovative and tackles an emerging problem associated with hybrid cloud
Methodology
The Cyber Hut Vendor Assessments are always independent and free from vendor sponsorship. We follow a 5-step process to create a body of knowledge that provides buy-side decision makers with a tool that can assist with overcoming the information asymmetries often associated with vendor due diligence.
1 – OSINT
The first stage in the process is to leverage a range of open source intelligence data points (OSINT) to create an impartial and empirical view of the vendor, through their natural actions, talk tracks and observable data points. We leverage free and paid for data sources to help understand the basic history and vision of the organization, as well as technical details that help to create a picture of capabilities, features and functions.
This process takes between 2 and 4 weeks to complete and uses sources such as the following:
- Crunchbase / Glassdoor
- YouTube / Twitter / LinkedIn
- Vendor Website
- Vendor Webinars & Events
- Vendor Whitepapers & Datasheets
- Vendor Case Studies
- Patent Search
- Blogs
- Documentation & Release Notes
- APIs and SDKs
- Downloads and Trials
2 – Vendor Briefings
After a basic dossier has been created, a reach out to a vendor is performed to arrange a briefing, pitch and demo and to answer any questions that may have been raised during the OSINT phase.
The briefings usually last about 60 mins and normally cover a general go to market pitch and position, followed by a secondary demonstration session by a sales engineer. This process typically results in some further more technical questions that can be easily answered via email and existing documentation.
At this point, The Cyber Hut are in a position to start creating the first version of their Vendor Assessment.
This will take up to 2 weeks and will contain all the information gathered in the OSINT and vendor briefing stages. Existing public case studies will also be analysed.
3 – Vendor Fact Check
Once the initial draft of the Vendor Assessment has been created, this is sent back to the vendor, to allow them to validate any technical points and “fact check” any information that has been documented. The vendor typically responds within 14 days with any corrections and edits.
4 – Vendor Assessment Completion
After the vendor has been given the opportunity to fact check the assessment any corrections are incorporated into the final document.
At this stage, the document can be made available to buy side practitioners as a standalone artifact. This is provided as a non-distributable PDF available in single-seat and enterprise-wide licenses.
Vendors may also purchase a redistributable version of the Vendor Assessment which they can use as marketing and pre-sales collateral for a 6 or 12 month period.
Methodology Benefits
The benefits to this approach are twofold: firstly the vendor is not burdened with cumbersome questionnaires, normalised market requirements and time consuming templates. The “heavy lifting” is performed by The Cyber Hut in order to provide a more empirical and evidence based assessment.
The vendor has full control over the ability to correct and fact check any written material, which validates the evidence that has been collected.
Secondly, The Cyber Hut does not place emphasis on the concept of “ranking” vendors and identifying “who is the best” in a particular segment, vertical or implementation.
The Cyber Hut aims to produce impartial evidence based reports that help to bridge the supplier and buyer divide.
Vendor Assessments are typically re-evaluated every 12 months.
About The Cyber Hut
The Cyber Hut (previously Infosec Professional) has a 10+ year history of delivering research, analysis and insight on the global cyber security industry.
The Cyber Hut blends economic theory with deep technical understanding of information security, cyber security and the protection of critical information assets.
We are leaders in the field of security economics, helping to provide actionable insight for buy side, sell side and technical practitioners.
We leverage open source, publicly available data signals and vendor briefings to analyse patterns at the edge of the emerging security plane.
Our analysts are deep technical specialists, called upon by national bodies for standards advisory, are published authors, board members and senior community leaders.
The Cyber Hut is the trading name of TCH Research Ltd, registered in England & Wales, company number 13188456.
Registered address: 7 Christie Way, Christie Fields, Manchester, UK, M21 7QY
Corrections should be sent to sales@thecyberhut.com.
About The Author
Simon Moffatt is Founder and Analyst at The Cyber Hut. Simon provides the overall strategy and content management, analysing unique positions with many different lenses. He is a published author and contributor to identity and security standards at the likes of NIST and the IETF. He has a 20+ year career working within the identity & access management and cyber security sectors – for vendors, system integrators and within industry.
Education
B.Sc (hons) Economics (York, 2001)
Post Graduate Diploma Information Security (Royal Holloway, University of London, 2022)
Professional Memberships
MBCS – Member of the British Computer Society
F.CIIS – Fellow of the Chartered Institute of Information Security
Professional Qualifications
CISSP (Certified Information Systems Security Professional) – 2007 to present
CCSP (Certified Cloud Security Professional) – 2020 to present
CEH (Certified Ethical Hacker) – 2018 to present
CISA (Certified Information Systems Auditor) – 2010 to 2014
Disclaimer
© 2021 TCH Research Ltd. All rights reserved. The Cyber Hut is a trading name of TCH Research Ltd.
This publication may not be reproduced or distributed in any form without The Cyber Hut’s prior written permission. It consists of the opinions of The Cyber Hut’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, The Cyber Hut disclaims all warranties as to the accuracy, completeness or adequacy of such information.
The Cyber Hut does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by The Cyber Hut’s Usage Policy.
The Cyber Hut prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party.