Series A Financing to Continue Styra’s Vision

This week, I’m pleased to announce that we closed our $14M Series A financing round. We look forward to partnering with our new investor, Accel, who led the round alongside existing investors, Unusual Ventures and A.Capital. Accel’s Eric Wolford will join our board, bringing a wealth of open source experience from Heptio, SysDig and Corelight.

This round marks a significant milestone for Styra, both open source and commercial. Our vision to reinvent Policy and Authorization is well underway, as demonstrated by our growing ecosystem of users, including F500 enterprises, public cloud providers, ISVs and open source contributors. A great example is this coming KubeCon + CloudNativeCon show, where our technology solutions will be presented by teams from Adobe, Atlassian, CapitalOne, Chef, Goldman Sachs, Google, Microsoft, Pinterest, TripAdvisor, Yelp, and many others that have joined us on the journey to reinventing authorization for the cloud-native stack. 

This new investment allows us to continue investing in both our open source and commercial offerings, at a critical time in the evolution application development and cyber security.

The core of this reinvention is Open Policy Agent (OPA)—our open source project—the de-facto standard for policy and authorization across the new application development stack. OPA contributors now include Google, Microsoft, Goldman Sachs and Cisco, and Styra currently supports a growing developer community of over 1,200 users on Slack. With our new investment, we are committed to nurturing and growing this vibrant community.

This year we launched Styra DAS for Kubernetes—our first turnkey enterprise security solution—built on OPA. Styra DAS provides security, compliance and operational guardrails for Kubernetes, to help our customers mitigate risk, reduce errors, and accelerate development. We will continue to make our “policy-as-code” solutions easier and faster to implement as we expand from Kubernetes to CICD, databases, APIs, servicemesh, apps, cloud platforms and more.

The application development market is moving from monolithic apps, to containerized “cloud-native” application architectures. This provides a substantial market opportunity for policy and authorization to evolve, in order to provide the underpinnings of all security strategies including Zero Trust, Gartner’s CARTA and Google’s BeyondCorp. This foundational technology has not changed for decades, but new macro trends have created an inflection point now, which requires a complete reinvention of authorization to manage the operational, security, and compliance risk of the new app development world.

Three macro trends have led to this inflection point:

Over the last 24 months, the cloud-native application stack, based on microservice architecture, has officially arrived in the enterprise, with deployments now moving from exploration into production. Open Source projects have been key to this shift, thanks to the innovation, iteration and hardening that can come from a global, peer-reviewed community.  Technologies like Docker, Istio, Envoy, Prometheus, and most of all Kubernetes have all gone mainstream for developers, and all of these technologies are rooted in open source projects that have moved from interesting to critical for F2000 companies. 

By design, this new microservices stack is highly dynamic, ephemeral and decoupled. This scale and complexity are beyond the capabilities of humans and the old, often manual approaches to Policy and Authorization will not suffice.

Just like the compute, network, storage and monitoring had to evolve to match the demands of the apps, the policy and authorization services will have to evolve as well.

Enterprises have also revolutionized their software development process, using new automation to move from two or three releases a year, to multiple releases each a day. The driver here is time to market and competitive advantage. Indeed, most businesses are becoming software businesses, with cloud-based ordering, marketing, and community apps becoming the norm, regardless of the actual product being sold. Case in point is the recent CEO hire at Nike, John Donahoe, who came from ServiceNow. 

This trend has multiple facets. Teams are breaking down the walls between development and operations to form DevOps teams that ensure high levels of automation, testing, and reliability so that speed-of-delivery doesn’t introduce additional risk. The process has also resulted in a role shift. In the past, specific groups had key responsibilities, now we are “shifting-left” to move testing earlier in the cycle, and security is no different. App developers often need to understand security earlier in the development process (previously owned by IT security), plus they need to define how their application will run (previously owned by the operations team). This move means that both security and operational policy has to be implemented and codified earlier in the cycle. 

This shift requires security to be converted to policy-as-code, so DevOps teams can create, review and definitively assert that the policy meets all their compliance requirements.

Even amidst an overwhelming tide of data breaches, Mark Zuckerberg’s senate hearing last year made consumers across the globe start to understand that privacy needed more attention. In Europe, GDPR is just the tip of the iceberg, with California’s privacy law coming on-line in January and dozens more in various stages of development.  It’s now clear the enterprise and governments must take data privacy more seriously. 

At the core of the privacy discussion is data access. Who and what has access to private data? The definition of this access is defined by policy, but it’s obvious that current solutions to the definition and enforcement of that policy have failed. This failure is a result of simple human error, the inability to enforce control at the right points, and the sheer complexity of defining policies that use appropriate context to make the right decisions.  

With a spotlight on privacy now, and the need to define privacy policy at a granular level, we need to rethink Policy and Authorization. 

Our founders recognized these trends early, and built OPA as an architectural base for Policy and Authorization.  They submitted OPA to the CNCF so that all enterprises can improve their security posture. With OPA at the core, our commercial SaaS security products provide the necessary management, intelligence and governance to implement and understand Policy across the new stack. Styra has been on this journey for years, and with this new financing round, we will continue to scale and deliver policy and authorization services for the new stack.