Dmitry Nikolaev - stock.adobe.co
Styra rolled out an interface for IT compliance-as-code newbies this week as part of its bid to market the Open Policy Agent to a mainstream enterprise audience.
The open source Open Policy Agent (OPA) quickly gained momentum among the first enterprises to put Kubernetes container orchestration and microservices into production. The tool, which automatically enforces policies written in code across a wide array of infrastructure and application types, was in use at Netflix as early as 2017, Intel and Capital One in 2018, and began to generate mainstream buzz by mid-2019.
Styra Inc., founded by OPA's creators, also came out of stealth with its commercial product, Declarative Authorization Service (DAS), in March 2019. The company added a curated set of pre-built Kubernetes policies in April 2020, and similar packaged policies for microservices and service mesh in May.
Now, the company has added Rego Policy Builder, a user interface that abstracts away much of the difficult Rego coding language for users who aren't well-versed in programming, and offers guidance for writing policies in the form of drop-down lists of options, along with error detection.
It's not quite a drag-and-drop low-code interface, but Rego Policy Builder is intended to make DAS more approachable than the standard Styra IDE's UI, said Styra CTO and co-founder Tim Hinrichs.
"It's the same level of sophistication you get with the Open Policy Agent, but designed for a more casual policy author," Hinrichs said. "They could learn everything they need to about OPA, but they use it less frequently [than a developer], and so they need a little more guidance when it comes to writing policies."
Styra must move past early adopters to mainstream buyers
The new feature reflects Styra's intent to add further value and ease of use to DAS as it seeks to broaden its user base beyond open source communities, where many early adopters already have the expertise to work with the free OPA tool and skip the paid product.
For example, Frontdoor Inc., a 5,000-employee spinoff of ServiceMaster that is the parent company to brands like American Home Shield, is a committed contributor to OPA and already uses the tool as a core part of its Kubernetes and Istio deployments in production. It's also rolling out Styra DAS.
Frontdoor's engineers have already been working on their own version of Rego Policy Builder, although the Styra-made tool could save time, said Marlene Veum, director of security engineering at the company. Frontdoor may also contribute an internally developed domain-specific language to the OPA community that converts regular expressions in other languages to Rego.
"We do see value in [Rego Policy Builder] -- it's good news for Styra as a company," she said.
In the meantime, Veum is most excited about further developments in open source OPA, such as the addition of the Conftest subproject this month. Conftest offers a built-in way to test compliance-as-code policies automatically before they're deployed.
"This is very timely -- we'd rather take advantage of that rather than writing testing tools ourselves," she said.
IT compliance as code natural successor to DevOps automation
Most companies don't have the resources in-house to write their own tools as Frontdoor does, and it's these enterprises where Styra DAS will have more appeal, analysts say.
"Support isn't the only differential value of Styra, but even if it were, that actually might be enough of a reason to buy the licenses," said Paul Delory, analyst at Gartner Inc. "Many enterprises aren't allowed to use open source tools at all, if there's no support -- plus, many IT shops will want consulting and professional services engagements to get things set up and train the staff."
However, Styra is still a little ahead of major demand from mainstream enterprises as they still struggle with more basic forms of IT automation, according to Delory.
Paul DeloryAnalyst, Gartner
"Most of the organizations I talk to are still trying to get their automation pipelines built," he said. "Many have no automation at all today, so this isn't even on the radar for the typical enterprise -- yet."
"If you look at the most mature DevOps pipelines, what the operations engineers spend most of their time doing is optimization, governance and compliance," he said. "They aren't building infrastructure; that's all been automated. But Ops needs a way to put up guardrails so that the developers can't do anything that would violate corporate standards."