The recent, $6.5 billion acquisition of identity and authentication startup Auth0 by Okta put a spotlight on this increasingly important sector in enterprise software, particularly as more workloads move to the cloud. But we believe user authentication–validating that a user really is who they say they are–is just the starting part of the online-security battle for today’s organizations.
Equally important, but perhaps not as well understood, is the need for high-quality authorization, or ensuring that an authenticated user or service has the right permissions to perform certain actions.
Authorization is present in almost every user or service interaction. For example, in some situations, it may not be enough to know that an employee is a developer; it’s also critical to know that he/she is also a system administrator with elevated rights in the Kubernetes console. At the application level, authorization policies may include determining whether a user has read-only rights to fields within an application, or whether she can perform a certain action inside an application. This could depend on various factors, such as location, privileges or admin rights. Traditionally, this authorizing or permission logic has been hardcoded or embedded within application code.
At Battery, the themes of user and service identity and programmatic permissions and access have bubbled up frequently as we’ve evaluated developer-tools and identity-based, authentication and authorization security companies. This work resulted in our prior investments in JFrog* for binary repository; Cypress* for testing automation; and Bridgecrew* for developer-security automation.
While authentication is the first step of an application-security program, we’ve found in our work that authorization is a much more complex problem that has implications beyond simply validating identity. As we spent time in the category, we came to admire the popular open-source project Open Policy Agent (OPA), a unified policy-enforcement agent and language for implementing authorization controls and policy-as-code. That also led us to Styra*, the company that commercially maintains OPA and has quickly become the developer standard for application authorization. To that end, we are excited to announce our investment in Styra and thrilled for the opportunity to partner with the company’s leadership team.
How did we get here?
Identity and access management (IAM) gained widespread acceptance due to its strategic significance in an increasingly digital world. Managing a user’s or service’s identity is a critical part of any organization’s security program. This importance was only magnified during the Covid-19 pandemic as every company, from retail to entertainment to travel to commerce, accelerated digital-transformation initiatives to allow for work-from-home, improve online capabilities, and better serve its customers.
While authentication has largely been solved by services like Auth0, it became evident that authorization remained a cumbersome and manual process for enterprises. Traditionally, it has been defined by legacy languages such as XACML or reduced to simple access controls combined with role-based control lists that are manually maintained or hard-coded into the application business logic.
We learned that as more applications were being developed and deployed in the cloud, traditional perimeter security policies did not work with modern cloud-native or hybrid workloads. Authorization decisions needed to be made closer to applications, and organizations like Atlassian, Pinterest, and Goldman Sachs, among others, required standardized policy frameworks to be able to centrally define, monitor, and enforce policies at scale across their exploding number of cloud services and applications. This highlighted to us that authorization policy logic must be separate from application logic, and that OPA was leading the charge behind this movement.
Authorization touches every layer of the application stack.
Part of the complexity surrounding authorization today is the surface area it covers. Authorization is about giving users and services permission to access a specific resource or function at every level of the stack, from the application client to the API, service or database. The different types of applications developed and deployed by organizations, such as native applications, web applications and microservices all have their own identity and access requirements that each require authorization policies. We saw this as an opportunity for a company to define the right level of abstraction to implement policy-as-code and serve as the horizontal layer that unifies authorization controls.
Our investment in Styra
Styra and OPA are quickly becoming the de-facto standard for implementing policy controls across the entire tech stack, from service-to-service authorization to end-user application authorization. Feedback from our diligence indicated that Styra/OPA has quickly become a top- five priority when it comes to cloud initiatives and a tier 0 service (a typical nomenclature for describing the highest level of criticality for 3rd party software, similar to AWS or Datadog*).
Today, the company has one of the world’s largest open-source communities with over 65 million downloads and more than 4,000 community members across some of the most sophisticated cloud-native companies. Styra allows developers to write, implement and test access-control policies across the entire application stack from infrastructure resources to the application client. Having spent significant time evaluating and investing across developer-tools and security, we are thrilled to partner with the Styra team and believe they have the potential to become a category-defining company for authorization, just as Auth0 did for developer-first authentication.
Battery Ventures provides investment advisory services solely to privately offered funds. Battery Ventures neither solicits nor makes its services available to the public or other advisory clients. For more information about Battery Ventures’ potential financing capabilities for prospective portfolio companies, please refer to our website.
*Denotes a past or present Battery portfolio company. For a full list of all Battery investments, please click here. No assumptions should be made that any investments identified above were or will be profitable. It should not be assumed that recommendations in the future will be profitable or equal the performance of the companies identified above.
Content obtained from third-party sources, although believed to be reliable, has not been independently verified as to its accuracy or completeness and cannot be guaranteed. Battery Ventures has no obligation to update, modify or amend the content of this post nor notify its readers in the event that any information, opinion, projection, forecast or estimate included, changes or subsequently becomes inaccurate.