>> From theCUBE studios in Palo Alto and Boston, connecting with thought leaders all around the world, this is a CUBE conversation. >> Hi, and welcome to another CUBE Conversation. I'm Stu Miniman coming to you from our Boston area office. We've been in the cloud native ecosystem for many years. We know many open source projects, really helping to drive innovation, help companies modernize what they're doing. And one of the companies that leads one of those initiatives, happy to welcome to the program, we're going to be talking to the co-founder and CTO of Styra, that is Tim Hinrichs. First time on theCUBE, of course, company behind OPA. Tim, thank you for joining us. Welcome to the program. >> Hi Stu, thanks for having me. >> All right, so we've had the CEO of Styra, Bill Mann, on the program before, he's many time CUBE alum, it's your first time, and I always love when I get the founder on the program. Of course the question is, give us the why Tim. There's no shortage of tools out there in the industry, but as we've seen in the ecosystem, there's always companies, I wish something could happen, I wish we had something there. Often they've built it for themselves, and then, create a project. So bring us back a little bit to that origin story and what you and the team, what was the inspiration? >> So when we... the first thing to know is that really at Styra what we're focused on is helping enterprises that are embracing cloud native technology, sort of enforce and control the authorization policies across all their different Cloud native software. So I remember authorization is that problems of which people and which machines can perform which actions on software. And so the way this all got started was we were at DIEMware, before we founded Styra, and we were talking to a number of our customers from finance and tech, and what they did was they had built one of these things. They had built a unified solution policy to manage their authorization needs across many different pieces of software. So at that point we knew that the problem was very real, cause people had to solve it themselves. And so when- >> I'm sorry Tim. Just one thing to make sure I understand this. So in the policy management you talk about there, help me understand how that fits into say identity management which is one of the top things we think about when I'm managing my IT, when I go to the Cloud. It seems related but different, yes? >> Absolutely, yeah. So identity management is really this problem of who are you? It's often solved, from a user's point of view, by providing a username and a password, or a thumbprint, or a multi-factor authentication. That's an important problem that needs to be solved. That's authentication or identity. And it's really about proving who you are. But authorization is the next step, it's about what actions can you perform once you've convinced the machine who you are. And so really that's the piece that we focus on. >> All right, yeah, once can we get people in we need... It's usually you want to give them the least amount of access possible. We understand that from a security standpoint, we need to do this. So you've said what the kind of problem was, and that this is there so how open source?... I mean we know often it's, there's many reasons why projects end up open source. So give us the journey here. >> So it started, we've really got two pieces of software, So one of which, as you say is completely open source, it's become the open policy agent project, we decided to open source it and then eventually donate it to the CNCF because it's sort of mission in life is to make authorization decisions make decisions about if an action that a user or machine is trying to take a safe or not. And, that project is really designed to be a decision maker across all the different kinds of software in the cloud native ecosystem. And so naturally, there's a need for a lot of expertise about a whole bunch of different areas, about a whole bunch of different pieces of software and the best way to sort of leverage all of the world's knowledge about all those different pieces of software is to put that project out into the open. And so for us, it was just an easy, very easy thing to do. Every single line of OPA of code that goes into OPA has been done. >> Well, absolutely it's a project I know I've seen the stickers, I've seen people talking about it in the breakout at KubeCon CloudNativeCon shows. Let's not leave everybody, waiting for the news though Tim, it had been an incubating project, believe you've got some news for us. Yeah, absolutely so OPA has now officially graduated, it's now moved from incubation into the graduation portion the CNCF. And for us, it's really exciting because it really is a reflection of the maturity of the project. Right? There's so many people using OPA and using it to solve all kinds of different use cases. We're even seeing vendors pick it up and offer native integrations with their homegrown software. So it's really exciting to see the progress of the project has made >> It just for audience that might not be familiar. What does this mean now that it's graduated as a maturity level? Is it production? Ready? What what are those criteria that allowed to go from that incubating stage to the graduation? Yeah, so there are a bunch of criteria, but I think the biggest one really is really users in production, right? It has been proven at scale for many different users all over the world, right? CNCF just did a survey recently there, a couple hundred different organizations all across the world who were using open in some way, shape or form. We see it all the time and KubeCon and CloudNativeCon talks, you can hear all about all the folks who were using it. >> Yeah, so maybe it would help if you've got a customer example or use case that you can walk us through as to how exactly that fits. >> For sure yeah. So the nice thing about OPA and more generally Styra is that you can apply it to all different kinds of use cases. So there are a couple of very popular ones using it for Kubernetes admission control or micro service authorization, those are the two most popular right now. And they both work roughly the same way but I'll give you a concrete example. For Kubernetes, anytime some end users trying to spin up any resource, whether the pod or an Ingress or anything on the Kube cluster, you can integrate OPA with that Kube API server and allow open make a decision, is this new resource safe to deploy on the cluster? Or is it not? Micro service authorization works almost exactly the same way, every time one of those micro services receives an API call, it can ask OPA is this API call safe for me to off to execute or not? And so both of those are going to work in basically the same way and that's true for all the other applications and use cases for OPA. >> Okay, and give us some of the stats if you would, how many people how many companies and people contribute to it? What was the customer base look like? >> So think they're a bunch of interesting metrics I think that was the one that's most interesting to me is that number of downloads a week. Right now, we're at roughly a million downloads a week, which is super exciting. I remember those days when we hit that one million mark total and we were very excited. And so now we're at a point where it's every week, we're hitting a million downloads, all kinds of contributors as well and I think, another good metric there to think about are, talks I think we had nearly 50 talks, organic talks from end users on OPA that we ran across it last year. >> Well it's wonderful is the thing we love in that ecosystem there is it's not just using it contributing, to the code, sharing with the community. Tim, what are the challenges in this ecosystem? if you go to the CNCF website and you look at the landscape, it's a little bit scary and taunting just because there's so many different pieces. What I understand from OPA is, are there any dependencies there when you think about, the other services that it interacts with? Or does it just, kind of do its own thing enables customers? >> Yeah, so OPA is, wasn't designed to be a standalone project, right? It doesn't depend on really any other CNCF or really any other project. It was designed to make these policies of these authorization decisions and but at the same time, it's also designed to make it very easy to integrate with a wide range of software systems. And so, I think on the OPA website we've got over 25 different integrations that we are the community have built around OPA, to go ahead and give you and deliver on that vision of unified authorization. >> You mentioned that styro has kind of two pieces help us understand, what is graduating mean for customers in general? And for Styra? Help us understand a little bit more of the business that goes along with it. >> So like I said, that first piece that we build that first piece of software we built was the policy agent project open source, the second piece of software that we built is a control plane for OPA. The idea architecturally behind OPA is that you don't have one copy of OPA running, typically, you might have 10, or 100, or thousand copies of OPA running. And you do that for availability and performance aid for decision making. And so Styra second piece of software is what we call the declarative authorization service. It is a control plane and management plane, a single pane of glass that allows you to operationalize OPA at scale for the enterprise. So it really is designed to give you that ability to control and manage distribute policy, right policy log all the policy decisions for all those Opus. And so that's really where we're, that's the second piece of software that we're putting a lot of effort energy into. >> All right, now that the great graduation is there, what does this mean? Give us a little bit of the roadmap, you're the CTO, we know, there's always, feedbacks and other updates coming. So what should we be expecting to be seeing going forward? >> So there a couple of things I'll mention here, one of which is that with OPA we did a survey recently, just trying to get a sense as to what the community needs and how they're using OPA and so one of the things we found was that the fastest growing use case for OPA, it looks to be application authorization, right? So if you're building a custom application, maybe it's a banking application, that application needs to decide every time a user performs an action is this authorized or not? So if I'm trying to withdraw money from an account, is it safe or not? And so that's the fastest growing use case for OPA that we saw on that and so what I expect to see is more and more people talking about using OPA for that application level authorization. On the Styra side, I think what we're looking forward to is just continuing to chat with the community and understand what they need around operationalizing OPA and making that control plane, that management plane do all the things that enterprises need to operationalize OPA at scale. >> Tim, you've reached the graduation, which is a phenomenal milestone in the project there, there's so many other projects out there wonder what advice you would give to other people starting business, starting a project engaging with the open source community? What have you learned along the way? Any lessons learned? And what feedback would you give others? >> Absolutely, so if I'm talking to somebody else who's interested in, starting an open source project, I'll give them a little bit of advice. So the first of which is that certainly the code matters a lot, it's codes got to be technically sound, it's got to be solving real problems. Everybody understands that. I think what a lot of people understand less of is that when you start a project, you need to put a lot of energy into growing, that community that communication, you need to focus a lot, you need to reach out to end users, and actively engage with them. Help them understand what the project's good for. Help them be successful with it. And so I think that piece is what a lot of people don't really understand, and it's something that I think we that if more people did, we'd see a lot more successful open source projects. >> Alright, Tim, I'll let you have the final word and any final things you want to feed back to the community or, potential customers for Styra? >> Sure, so first of all, I'd like to say thank you to all of our community members, all the users who've worked with us, all the vendors who are taking her doing integrations with OPA, we'd love to see it, we'd love to see more of it. And at the end of the day, I got to say I'm super excited to be working both with OPA and our commercial declared authorization service really deliver on that vision of unified authorization and deliver that to the vote to the world at large. >> Tim, congratulations to you and the OPA team and Styra definitely looking forward to seeing you at the next gathering of the community. And we'l hear more updates in the future. >> Thanks so much for having me. Steve, this is great. >> All right, and be sure to check out the cube.net for all the back catalog of interviews that we've done, including with the CEO Styra as well as upcoming events that we will be at including, of course KubeCon CloudNativeCon North America happening later this year virtually. I'm Stu Miniman, and thank you for watching theCUBE.

(upbeat music) >> Narrator: From the Cube Studios in Palo Alto in Boston, connecting with thought leaders all around the world. This is the Cube Conversation. >> Welcome to this Cube Conversation. I'm Lisa Martin, excited to talk to the CEO of Styra, Bill Mann today. Bill, welcome to the Cube. >> Hi Lisa, how are you doing? >> I'm doing well. I should say welcome back. You've been on the Cube at a previous company, but we're excited to talk to you today about Styra, what's going on? So let's go ahead and start informing our audience who Styra is and what you do? >> Sure, so who Styra is and what do we do? So Styra is a company that's focused on reinventing policy and authorization in the cloud native stack. We're the company that created an open source project called Open Policy Agent, it's part of CNCF. And on top of Open Policy Agent, we built a control plane, a management plane to help organizations really put OPA into production and operationalized OPA. >> An OPA is Open Policy Agent. That's what the company actually developed with CNCF, correct? >> So, we actually founded Open Policy Agent and then we contributed Open Policy Agent to CNCF. And the real goal of contributing the Open Policy Agent to CNCF was we believe that we want to get authorization defacto in the market, right? And the only way to get something out there that everybody uses is to put it into the open source and having an entity like the CNCF supporting the project. So, really it's about getting everybody, all enterprises and vendors to use Open Policy Agent as a way of solving authorization for the cloud native environment. >> So you say Styra is reinventing policy and authorization for cloud native applications, your target audience, security folks, developer folks, what changes has cloud native brought to security and development teams? >> Sure, so what changes has cloud native brought to security and development teams? So fundamentally there've been three changes in the marketplace. One, as you know we're shifting from this monolithic architecture of building applications to now this new distributed architectures of kubernetes, microservices and Deep-coupled architecture. So fundamentally the way we build applications is fundamentally changed because everybody wants to have scale up and scale down and so forth. Second, the way we actually developed software, we've moved now to a DevOps model where we're doing more things earlier on in the cycle so we can innovate faster and we're producing code on an hourly basis versus when I joined the industry which was probably three releases a year. And then thirdly which is kind of a major topic that all of us kind of understand is our focus on privacy and security is higher than it's been before. And if these applications are going to be way more complex and more distributed and we're going to innovate faster than the way we focus on security and privacy has to be done differently as well. And if we don't do it differently, then we're going to have to all the breaches that we had in the previous generation of the app stack. >> And we don't want that, but you're right privacy and security are increasing concerns in any environment. How do you help address those and also with the thought of privacy and security are going to be concerned for quite a long time? >> Yeah, so let me take a step back. So how do we address privacy and security? So, at a fundamental level, authorization is a foundational part of security and authorization has never really been solved or re-imagined ever for the last 50 years or so. Every application developer or security vendor has built authorization into their own stack and done it in a very proprietary way. And it's been locked away within these applications and these stacks and so forth. So what happens now when you've got a highly distributed environment is that you've got so many moving parts, you still need to apply authorization. So, the way we've tackled it is by building Open Policy Agent. And there's three fundamental kind of tenants around Open Policy Agent that make it really ideal for this cloud native environment. Number one, it's policy as code and everything in the market now, everything is as code. You buy infrastructure as code. So this is now policy as code. So you can describe in a declarative model, how you want the policy for a system to be developed and you can use the language called Rego to do that. Second is the fact that all the cloud native projects out there which are all developed based upon open source technologies, kubernetes, microservices, envoy, SDO, cafco, all these kinds of buzzwords you hear in the marketplace, they all integrate with Open Policy Agent already. And then thirdly the architecture of Open Policy Agent is that it's distributed, which means that it's ideally suited for this distributed architecture for cloud native. And those are the three kind of characteristics of Open Policy Agent leading to developers loving it. And when I say they love it, we've got hundreds and thousands of users of Open Policy Agent. When you go to the CNCF shows co op con earlier this year and there's two more coming this year. There's many, many talks on it. You've got cloud vendors like Google and Microsoft adopting Open Policy Agent, got a lot of enterprises adopting Open Policy Agent. So, that's really fundamentally what we've built is we've built an authorization architecture for this new world to really address the security and privacy concerns, which have always existed and I'm going to be more exponential in this new world. >> And I think you've also built a community around OPA. Can you share a little bit of information about that and how they help with the co-development and even some of the other things that you're commercializing? >> Sure, yeah. So, now what have we done in from a community point of view with Open Policy Agents? So yeah, the community is a integral part of any open source project and we're lucky to have a great community. We've got a great community of enterprise users of Open Policy Agents and vendors as well, vendors like Microsoft and Google who are now contributing to OPA and building it up. And for me, the most important part of a community is that you learn how enterprises are using your software and they share ideas and they share use cases and you're able to innovate really, really fast. And what we've learned from that is the use cases that they use Open Policy Agent for, for instance, one of the major use cases for Open Policy Agent is for kubernetes Admission Control. So, essentially we can test the configuration of an application which is described in a file called YAML before it goes into production. So, think of it as pre-production tests, but companies are using it for microservices and applications and data and so forth. So, it helps us understand what they're using it for, but also we use it to help us develop our commercial product, which is the management control plane for OPA. So, we learn about what they're missing in the open source project that we can use to build our commercial product >> which is ready for enterprise use. >> So you've had a lot of success with OPA. Talk to me about Styra DAS and why the need for that? >> Sure, so why do we need Styra DAS recognizing that OPA is very, very successful. So, the fundamental difference is OPA is a very focused on developers and it's very focused on an environment for an individual node or cluster, but it doesn't have all the enterprise features necessary for a real enterprise to go into production. So what we notice is companies use OPA for pre-production, but when they want to go into production, they need a user interface. They need a way to author policies, distribute policies, monitor policies, do impact analysis and a whole bunch of other features and capabilities that are needed for enterprise deployments and so forth. So that's a fundamental difference between OPA and the commercial product. The commercial product is really operationalizing in OPA for an enterprise deployment. >> So the relationship between Styra and OPA seems very collaborative to me that what you just described with the commercial product of Styra DAS is really one that was developed based on what the OPA community and Styra have learned together? >> Correct, Yes. So, OPA was created by the CTO, the founders of the company saw early on several years ago, the need for distributed architectures and the need for unified policy so they left and created OPA. And from day one they wanted to get OPA into everybody's hands. That's why they contributed it to open source as part of CNCF. And then the next kind of strategy is to focus on the control apps aspects, the enterprise aspect. So yes, the same team that created OPA is the same team that's creating the Styra DAS commercial offering as well. >> So from the enterprise perspective, talk to me about some of the companies that you're talking to. I imagine any organization that's focused on cloud native, but any industry in particular that you see is really kind of leading edge right now? >> Yeah, so which industries are we talking to in terms of using Styra DAS and OPA? What we've actually found it's across the board. And we've seen in the early days that financial services and high tech were using OPA, but now it's really across the board. So it's all verticals really. And what we've noticed is any organization which is going through a cloud transformation project where they're either building new applications based upon cloud native app stacks like kubernetes and microservices and so forth or shift to the cloud are the companies that are also adopting OPA and the Styra DAS product, right? Because it's all part of the same solution set. And what we're noticing now and this is a fundamental difference is platform architects and developers are kind of prime to use these technologies. They learn about these technologies by going to the conferences and unlike the past which was very much top down selling from the sea level down, this is very much bottomed up. So developers learn about OPA from going to the conferences. They use it within their own environment and then they tell their management that, "Look, we're using OPA already. "We're missing these capabilities," or they come to us and we educate them about the Styra DAS product and so forth. So it's a very different sales model as well and that's why it's very important for ourselves and any open source company to really keep developers happy and provide a solution, that's meeting their requirements. >> On that side with so many of us and developers included working from home for the past nearly four months. We now are doing things like this virtual conversations, virtual events, how is Styra helping to continue to feed and educate those developers so that they can understand how you can impact their job functions and how they can then elevate you guys up the stack. >> Sure, so what's changed over the last three months or so in the market as a consequence of COVID-19 and from an educational point of view. So, what we've seen is fundamentally in the early days of COVID-19 everybody was kind of get the head around how to work from home and so forth, but what we've seen across the all verticals is developers have now really focused on educating themselves and just as a data point and the audience that we get to the OPA website is as high as it's ever been for the last three months. And what we're doing as a company is a lot of training sessions, video content, write-ups, blogs and so forth, right? And really helping the community learn about OPA and how to solve these kind of fundamental problems around policy and authorization within the environment. We've also been helped by the community as well. So there's been talks about a number of companies, Microsoft, Google, Palo Alto had a talk and many many companies are talking about OPA now and I love it because ultimately being an open source company and building a project which we want to become defacto, we want to raise the bar for security across the world, right? And if we can do that then it's going to be an achievement for us and it's very gratifying knowing that we're really fixing security problems for organizations because ultimately we always want to be able to use an application or a banking service and not worry about privacy and security concerns and that's ultimately what we're all after. But this is such a fundamental component that once we want to have developers learn this now because if they can incorporate this into the DevOps app stack then in future years when these applications are built and they're exposed there'll be more secure. >> And so it sounds like maybe there's even more engagement now during COVID when everybody is at home. Tell me about some of the things that are coming down the pipe for Styra in light of all of this exciting collaboration with the community. >> Sure, yeah. There's definitely been way more collaboration as a consequence of COVID-19. People are at home and they're focusing and they're going through learning sessions and browsing the website going through the video content and so forth. So what we're engaging as much as we have ever been, in fact I would argue that we're engaging even more so now, because it's just a different environment to work in. And what we're focused on now is really adding more features to the Styra DAS product, just to step back for a second, Open Policy Agent works across the cloud native stack and Styra DAS has been focused first on the kubernetes use case and now it also supports microservices as well. And then what we're continuing to do is add more of those enterprise features into Styra DAS and move up and up across the stack. But it is all driven by developers that we're talking to on a daily basis and that's leading to where the project is moving forward and the development for the roadmap and so forth. >> And Styra DAS was only launched in 2019, is that correct? >> 2019 yes, that's correct. That's correct. Yes, time flies, right? So, yes. >> A lot of change and a lot of development in a short period of time. >> That's right and 2019 was a big year for us, right? We started last 2019 with a soft launch at the RSA conference and we finished 2019 with series a funding led by Xcel. And yeah, it's great to see how the commercial product has been gaining traction in the marketplace as well as OPA as well and I think it's a combination of events. One, the fact that cloud native is now really well understood. Second, the fact that kubernetes at the beginning of 2019, it was still, "What does kubernetes mean, "is it going into production?" Now kubernetes is absolutely going into production and there's such a desire for organizations to make sure that security and policy and compliance are resolved before applications go into production otherwise we're going to have the same kind of challenges we had with previous app stacks. >> Well, the momentum is certainly with you. I can definitely hear that in your voice bell. Thank you so much for joining me talking about Styra, how you're reinventing policy and authorization for cloud native applications. >> Thank you, Lisa. >> For my guest Bill Mann, I'm Lisa Martin. You're watching the Cube Conversation. Thanks for your time. (upbeat music)

(upbeat music) >> Narrator: From the Cube Studios in Palo Alto in Boston, connecting with thought leaders all around the world. This is the Cube Conversation. >> Welcome to this Cube Conversation. I'm Lisa Martin, excited to talk to the CEO of Styra, Bill Mann today. Bill, welcome to the Cube. >> Hi Lisa, how are you doing? >> I'm doing well. I should say welcome back. You've been on the Cube at a previous company, but we're excited to talk to you today about Styra, what's going on? So let's go ahead and start informing our audience who Styra is and what you do? >> Sure, so who Styra is and what do we do? So Styra is a company that's focused on reinventing policy and authorization in the cloud native stack. We're the company that created an open source project called Open Policy Agent, it's part of CNCF. And on top of Open Policy Agent, we built a control flame, a management plane to help organizations really put OPA into production and operationalized OPA. >> An OPA is Open Policy Agent. That's what the company actually developed with CNCF, correct? >> So, we actually founded Open Policy Agent and then we contributed Open Policy Agent to CNCF. And the real goal of contributing the Open Policy Agent to CNCF was we believe that we want to get authorization defacto in the market, right? And the only way to get something out there that everybody uses is to put it into the open source and having an entity like the CNCF supporting the project. So, really it's about getting everybody, all enterprises and vendors to use Open Policy Agent as a way of solving authorization for the cloud native environment. >> So you say Styra is reinventing policy and authorization for cloud native applications, your target audience, security folks, developer folks, what changes has cloud native brought to security and development teams? >> Sure, so what changes has cloud native brought to security and development teams? So fundamentally there've been three changes in the marketplace. One, as you know we're shifting from this monolithic architecture of building applications to now this new distributed architectures of kubernetes, microservices and Deep-coupled architecture. So fundamentally the way we build applications is fundamentally changed because everybody wants to have scale up and scale down and so forth. Second, the way we actually developed software, we've moved now to a DevOps model where we're doing more things earlier on in the cycle so we can innovate faster and we're producing code on an hourly basis versus when I joined the industry which was probably three releases a year. And then thirdly which is kind of a major topic that all of us kind of understand is our focus on privacy and security is higher than it's been before. And if these applications are going to be way more complex and more distributed and we're going to innovate faster than the way we focus on security and privacy has to be done differently as well. And if we don't do it differently, then we're going to have to all the breaches that we had in the previous generation of the app stack. >> And we don't want that, but you're right privacy and security are increasing concerns in any environment. How do you help address those and also with the thought of privacy and security are going to be concerned for quite a long time? >> Yeah, so let me take a step back. So how do we address privacy and security? So, at a fundamental level, authorization is a foundational part of security and authorization has never really been solved or re-imagined ever for the last 50 years or so. Every application developer or security vendor has built authorization into their own stack and done it in a very proprietary way. And it's been locked away within these applications and these stacks and so forth. So what happens now when you've got a highly distributed environment is that you've got so many moving parts, you still need to apply authorization. So, the way we've tackled it is by building Open Policy Agent. And there's three fundamental kind of tenants around Open Policy Agent that make it really ideal for this cloud native environment. Number one, it's policy as code and everything in the market now, everything is as code. You buy infrastructure as code. So this is now policy as code. So you can describe in a declarative model, how you want the policy for a system to be developed and you can use the language called Rego to do that. Second is the fact that all the cloud native projects out there which are all developed based upon open source technologies, kubernetes, microservices, envoy, SDO, cafco, all these kinds of buzzwords you hear in the marketplace, they all integrate with Open Policy Agent already. And then thirdly the architecture of Open Policy Agent is that it's distributed, which means that it's ideally suited for this distributed architecture for cloud native. And those are the three kind of characteristics of Open Policy Agent leading to developers loving it. And when I say they love it, we've got hundreds and thousands of users of Open Policy Agent. When you go to the CNCF shows co op con earlier this year and there's two more coming this year. There's many, many talks on it. You've got cloud vendors like Google and Microsoft adopting Open Policy Agent, got a lot of enterprises adopting Open Policy Agent. So, that's really fundamentally what we've built is we've built an authorization architecture for this new world to really address the security and privacy concerns, which have always existed and I'm going to be more exponential in this new world. >> And I think you've also built a community around OPA. Can you share a little bit of information about that and how they help with the co-development and even some of the other things that you're commercializing? >> Sure, yeah. So, now what have we done in from a community point of view with Open Policy Agents? So yeah, the community is a integral part of any open source project and we're lucky to have a great community. We've got a great community of enterprise users of Open Policy Agents and vendors as well, vendors like Microsoft and Google who are now contributing to OPA and building it up. And for me, the most important part of a community is that you learn how enterprises are using your software and they share ideas and they share use cases and you're able to innovate really, really fast. And what we've learned from that is the use cases that they use Open Policy Agent for, for instance, one of the major use cases for Open Policy Agent is for kubernetes Admission Control. So, essentially we can test the configuration of an application which is described in a file called Yammer before it goes into production. So, think of it as pre-production tests, but companies are using it for microservices and applications and data and so forth. So, it helps us understand what they're using it for, but also we use it to help us develop our commercial product, which is the management control plane for OPA. So, we learn about what they're missing in the open source project that we can use to build our commercial product which is ready for enterprise use. >> So you've had a lot of success with OPA. Talk to me about Styra DAS and why the need for that? >> Sure, so why do we need Styra DAS recognizing that OPA is very, very successful. So, the fundamental difference is OPA is a very focused on developers and it's very focused on an environment for an individual node or cluster, but it doesn't have all the enterprise features necessary for a real enterprise to go into production. So what we notice is companies use OPA for pre-production, but when they want to go into production, they need a user interface. They need a way to author policies, distribute policies, monitor policies, do impact analysis and a whole bunch of other features and capabilities that are needed for enterprise deployments and so forth. So that's a fundamental difference between OPA and the commercial product. The commercial product is really operationalizing in OPA for an enterprise deployment. >> So the relationship between Styra and OPA seems very collaborative to me that what you just described with the commercial product of Styra DAS is really one that was developed based on what the OPA community and Styra have learned together? >> Correct, Yes. So, OPA was created by the CTO, the founders of the company when the team was actually part of Nicira and they left Nicira which got acquired by VMware and so on early on several years ago, the need for distributed architectures and the need for unified policy so they left and created OPA. And from day one they wanted to get over into everybody's hands. That's why they contributed it to open source as part of CNCF. And then the next kind of strategy is to focus on the control apps aspects, the enterprise aspect. So yes, the same team that created OPA is the same team that's creating the Styra DAS commercial offering as well. >> So from the enterprise perspective, talk to me about some of the companies that you're talking to. I imagine any organization that's focused on cloud native, but any industry in particular that you see is really kind of leading edge right now? >> Yeah, so which industries are we talking to in terms of using Styra DAS and OPA? What we've actually found it's across the board. And we've seen in the early days that financial services and high tech were using OPA, but now it's really across the board. So it's all verticals really. And what we've noticed is any organization which is going through a cloud transformation project where they're either building new applications based upon cloud native app stacks like kubernetes and microservices and so forth or shift to the cloud are the companies that are also adopting OPA and the Styra DAS product, right? Because it's all part of the same solution set. And what we're noticing now and this is a fundamental difference is platform architects and developers are kind of prime to use these technologies. They learn about these technologies by going to the conferences and unlike the past which was very much top down selling from the sea level down, this is very much bottomed up. So developers learn about OPA from going to the conferences. They use it within their own environment and then they tell their management that, "Look, we're using OPA already. "We're missing these capabilities," or they come to us and we educate them about the Styra DAS product and so forth. So it's a very different sales model as well and that's why it's very important for ourselves and any open source company to really keep developers happy and provide a solution, that's meeting their requirements. >> On that side with so many of us and developers included working from home for the past nearly four months. We now are doing things like this virtual conversations, virtual events, how is Styra helping to continue to feed and educate those developers so that they can understand how you can impact their job functions and how they can then elevate you guys up the stack. >> Sure, so what's changed over the last three months or so in the market as a consequence of COVID-19 and from an educational point of view. So, what we've seen is fundamentally in the early days of COVID-19 everybody was kind of get the head around how to work from home and so forth, but what we've seen across the all verticals is developers have now really focused on educating themselves and just as a data point and the audience that we get to the OPA website is as high as it's ever been for the last three months. And what we're doing as a company is a lot of training sessions, video content, write-ups, blogs and so forth, right? And really helping the community learn about OPA and how to solve these kind of fundamental problems around policy and authorization within the environment. We've also been helped by the community as well. So there's been talks about a number of companies, Microsoft, Google, Palo Alto had a talk and many many companies are talking about OPA now and I love it because ultimately being an open source company and building a project which we want to become defacto, we want to raise the bar for security across the world, right? And if we can do that then it's going to be an achievement for us and it's very gratifying knowing that we're really fixing security problems for organizations because ultimately we always want to be able to use an application or a banking service and not worry about privacy and security concerns and that's ultimately what we're all after. But this is such a fundamental component that once we want to have developers learn this now because if they can incorporate this into the DevOps app stack then in future years when these applications are built and they're exposed there'll be more secure. >> And so it sounds like maybe there's even more engagement now during COVID when everybody is at home. Tell me about some of the things that are coming down the pipe for Styra in light of all of this exciting collaboration with the community. >> Sure, yeah. There's definitely been way more collaboration as a consequence of COVID-19. People are at home and they're focusing and they're going through learning sessions and browsing the website going through the video content and so forth. So what we're engaging as much as we have ever been, in fact I would argue that we're engaging even more so now, because it's just a different environment to work in. And what we're focused on now is really adding more features to the Styra DAS product, just to step back for a second, Open Policy Agent works across the cloud native stack and Styra DAS has been focused first on the kubernetes use case and now it also supports microservices as well. And then what we're continuing to do is add more of those enterprise features into Styra DAS and move up and up across the stack. But it is all driven by developers that we're talking to on a daily basis and that's leading to where the project is moving forward and the development for the roadmap and so forth. >> And Styra DAS was only launched in 2019, is that correct? >> 2019 yes, that's correct. That's correct. Yes, time flies, right? So, yes. >> A lot of change and a lot of development in a short period of time. >> That's right and 2019 was a big year for us, right? We started last 2019 with a soft launch at the RSA conference and we finished 2019 with series a funding led by Xcel. And yeah, it's great to see how the commercial product has been gaining traction in the marketplace as well as OPA as well and I think it's a combination of events. One, the fact that cloud native is now really well understood. Second, the fact that kubernetes at the beginning of 2019, it was still, "What does kubernetes mean, "is it going into production?" Now kubernetes is absolutely going into production and there's such a desire for organizations to make sure that security and policy and compliance are resolved before applications go into production otherwise we're going to have the same kind of challenges we had with previous app stacks. >> Well, the momentum is certainly with you. I can definitely hear that in your voice bell. Thank you so much for joining me talking about Styra, how you're reinventing policy and authorization for cloud native applications. >> Thank you, Lisa. >> For my guest Bill Mann, I'm Lisa Martin. You're watching the Cube Conversation. Thanks for your time. (upbeat music)