Massive data breaches like the recent AT&T attack are increasingly traced to a simple culprit: inadequate identity controls.
Listen to this article >
Too often, usernames and passwords are the only thing standing between cyber criminals and an organization’s data, says Opal Security CEO and co-founder Umaimah Khan.
“There’s a major breach that happens almost every day where records are leaked from data sources only secured by usernames and passwords – no time access controls, and little to no process to have the necessary monitoring for whatever your crown jewel is,” says Khan. “This [practice] probably would continue in perpetuity until it popped because people rarely treat access as a security-first issue in building a business.”
While it seems obvious, implementing stronger identity controls has historically been a challenge for organizations because the mechanisms that cut off access to threats can also impede employees’ ability to access the systems they need to do their jobs. Opal Security was founded to solve for that tension.
Using least-privilege protocols for identity and access management, Opal’s platform ingests, normalizes, and calibrates identity and AUTHZ data across all systems, so organizations can see who has access at any point in time – and have the context and workflows to act on it.
Founded in 2020, Opal has made steady traction in the rapidly-changing cybersecurity market. The convergence of the cloud and AI tech shifts, the increased risk surface area, and the SEC’s data breach reporting requirements have incentivized organizations to rethink their security approach, and Opal works with a wide range of companies including Databricks, Figma, and Blend.
Khan spoke with Greylock partner Saam Motamedi on the Greymatter podcast about the company’s mission to deliver scalable least privilege from a security-first standpoint without slowing businesses down. You can listen to their conversation here.
Episode Transcript
Saam Motamedi:
Hey everyone, and welcome to this week’s episode of Greymatter.
I’m super excited to have Umaimah Khan here. Umaimah is the co-founder and CEO of Opal Security, and I’ve had the pleasure of working with her at Opal since the company got started. I’m super excited to have her on today to talk more about herself and what Opal’s doing to redefine identity security.
Umaimah, welcome.
Umaimah Khan:
Hi, Saam. It’s good to be here.
Saam Motamedi:
So we have a lot to talk about. Let’s just start at a really high level. For our listeners who aren’t aware, what is Opal Security and what does Opal Security do?
Umaimah Khan:
Yeah, we are an identity security platform, and we are designed to cover all of identity and access management. So what that means is we ingest, normalize, and calibrate identity and AUTHZ data across all systems. So not only can you see who has access to what at any point in time, but you also have the necessary context and workflows to calibrate and remediate.
So why? The goal is to allow people to attain what we like to call real-world least privilege. So flexible, scalable, adaptable, intelligent. I’ll probably end up using some analogies over the course of this conversation, but one we really like to use internally is self-driving technology. So if you think about driving a car, it’s actually very, very environment dependent. The level of urban development, the relative experience of the driver, local rules and regulations, cultural etiquette. And then there’s also some commonalities on what consistently good driving looks like that’s largely driven by regulation.
And so think about identity and authorization as the very primitive stages of this. There’s no continuous sensor data, let alone infrastructure or algorithms, to help make good automation decisions and update flexibly. But eventually, you get to a point where you can operate in that land, and you have a human in the loop on the most critical decision systems and situations to learn from. And so interpretability, transparency, resiliency matters a lot.
So from a product standpoint, what that means is not only do we build the underlying ETL and data layer, we also do a lot of classic ML and graph analysis so that we can actually start to get people sort of in the habit of thinking about access and identity as this scalable continuously monitored security-first system.
Saam Motamedi:
Yeah.
One thing I want to mention and ask you about (and then we’ll jump into Opal and kind of what you were talking about there at the end). I often get asked as a venture capitalist, like, “Hey, what do you look for in a founder?” And actually, often, I think of you. And in the specific way I think of you – and there’s many things I admire about you – but the specific thing I think about is you’re both highly technical, but you also understand the customer and how to get the customer to value. And I find for many founders who have come from technical backgrounds, whether it’s math, computer science, engineering, and companies, they might have the technical component. But then they don’t have the other half of the equation.
I want our listeners to learn a little bit more about you. So tell us a little bit more about yourself, Umaimah, and how did you get to starting a company and now being the CEO of Opal?
Umaimah Khan:
Oh God, yeah, that’s a fun one, right. I think, for me, this has been sort of both idiosyncratic and organic in a very unique way.
So I’ve mentioned this a couple of times. I was homeschooled, so that was probably a pretty defining moment in my life. I would describe my childhood as largely unsupervised – or feral, depending on how you want to think about it. But it’s good training for startups. I used to be self-conscious about it, but it actually got me in the habit of sort of thinking about goals and ambiguous environments.
I fell in love with math as a kid. I did a bunch of pure math both in high school and then in college at MIT, and sort of initially was very, very set on being an academic. I thought I’m going to go be a math professor somewhere. And it was a lot of fun. I would say I like very big ambiguous problems where you can kind of connect the pieces and think about unification and think creatively. But I also realized I go absolutely insane when I don’t see results. I love the dopamine hit of actually seeing things get somewhere. So what I sort of fell into was cryptography. And cryptography is very unique in that number theory used to be considered largely a totally useless and an incredibly beautiful field until World War II where people realized there were security applications. And this is actually, I think, one of the fun things about security. It has this characteristic of taking these very abstract technologies and making them very real world.
So, after that, I went to DC. I worked in the federal government. I worked on cryptography research and ended up, sort of over the course of my career, just getting a ton of exposure. After that, I worked at an early-stage startup. I worked at a mid-stage startup. I worked in open source, and I think I just had this rate of learning and exposure.
And there were a couple of unique things in retrospect I noticed. One was I like working in enterprise. I think the constraint of pragmatism helps when you’re naturally a very creative or product-oriented person. It’s a really aggressive combo if you can leverage it. And also, you get to observe problems before the market sometimes realizes they’re a thing.
So, in my case in particular, I constantly, I consistently noticed from breaches of the government to small startups that identity and access was basically an issue everywhere, all the way from my time in DC to super early-stage companies. And it was kind of fascinating because people would almost treat it like a professional services problem. They wouldn’t actually give it this sort of gravity of being a technically difficult and ambiguous problem. So they’d either ignore it entirely because they believed there were more hardcore security problems to solve or that there was one standard or technology that would emerge and solve everything.
And I initially kind of thought like this too. And then I sort of realized, “Wow, this is incredibly naive.” We have so many great technologies. We’ve had this very steep innovation curve in authentication and authorization and identity. We have the latest and greatest encryption standards and multifactor, et cetera. And while they’re all excellent, there was just sort of this key insight. I realized that they’re all strategies. The problem is not building these technologies. It’s how you deploy them and in what combination and in what environment. So the short answer is I effectively went crazy and talked to anybody who would listen for a period of two years about this was the problem, and I met many skeptics and also many believers, and, ultimately, it led to Opal.
Saam Motamedi:
I like many of the things you just went through there. And a lot of it resonates, including the pace, or I should say the lack of pace of progress in certain academic contexts, which I also remember from my past.
And so the things you did in your career prior to Opal that helped you build that understanding of ‘How does one actually interact with the customer? How does one connect what a customer is saying to a product? How does one then go deliver that product? – I see that now every day at Opal – but what gave you the understanding of that?
Umaimah Khan:
That’s a great question. I mean, some of it is I was just fortunate to work in those types of environments. Working in the defense industry, working in enterprise, software, you sort of understand the ways that businesses scale. And even if you’re not the person leading those conversations (or you’re front of house), it’s exposure. It’s kind of what I was saying.
The second thing is, I think, for me personally, I think it’s a type of self-awareness. I feel very comfortable that I will always want to solve things technically or think creatively or think from a technical standpoint. And so it’s a learning opportunity to try to think about how would I solve this in another way.
And I think sort of there’s this broader observation that there used to be this dimorphism where people used to think B2C companies, product companies solve product problems with product or technology, and enterprise companies solve things by just getting feedback from customers.
And I don’t think that it’s that clear of a distinction. I think you actually need both. And so it’s recognizing that, that it’s not zero-sum, it’s not either/or, and just generally approaching it with curiosity, right. Yeah, I think it’s a little bit of maybe also the humility over time of realizing abstractions don’t solve everything.
Saam Motamedi:
Right. Right.
Umaimah Khan:
Listening does.
Saam Motamedi:
Right. Exactly. And it turns out it’s really hard to listen and actually understand what a customer is asking for.
Umaimah Khan:
Yeah. And I think one other piece I’ll add to that specifically about security is that sometimes people talk about this concept in the security market of there’s no silver bullet. And the idea is that you’re often operating in a situation where you don’t have a ton of very clear or crisp information, or a before and after until after a breach happens. And so when you think about buying or selling a security product, it comes down to more than just saying, “Well, my product is good, it’s, like, self-evident.” You actually have to sit and understand how people, process, and technology fit together.
Saam Motamedi:
Exactly.
You talked about kind of the path to thinking about authentication, authorization, identity challenges. And all of this is even more important in today’s world. I feel like every week, I read the news to learn of another cyber attack that started with some sort of identity-related issue. I love what you said around real-world least privilege and this least privilege-first approach to identity and access management. We should talk more about it. Before we jump into more about what that means, what’s… tell us about the backdrop. What is changing in the world, and why do we keep seeing all these cyber attacks around identity and what’s resulting in this need for sort of actionable least privilege as it relates to identity and access management?
Umaimah Khan:
Yeah, this is a great question. I tend to sort of break these things down into a couple of variables. One is market timing. I think sometimes these shifts happen all of a sudden where people realize, “We really need to be solving this better.” Oftentimes, it’s coupled with a couple of other things. So, for example, regulation is a big one. When the SEC requires that public companies disclose breaches, it’s a forcing function for people. They have to actually bring things into the sunlight and explain, “Okay, this is why this happened, and this is why it’s not going to happen again. It has a material effect on the business and it’s a risk.”
Technological shifts are also a really big one, I believe, in security. Every major established player we’ve seen in security has sort of dovetailed really nicely with a technological shift, whether that’s cloud, whether that’s network, whether that’s moving from data centers. And so, right now, we are in the middle of a technological shift, right. We’re still riding both the explosion of cloud and also seeing the AI shift. So I think there’s sort of an early rumbling of ‘something has to get better.’
And then, to your point, just look at the news. There’s a major breach, it feels like, almost every day. AT&T was last week. Almost every record they had leaked by a data source that was only secured by username and password, no time controls, probably little to no process putting in the necessary monitoring for what is sort of your crown jewel. And this would’ve probably continued in perpetuity until it inevitably popped because people rarely treat access as a security first issue in building a business, and I think that’s changing.
Saam Motamedi:
Yeah, I totally agree. And one of the interesting things about access is, and getting it right is there’s two sites to the coin. And correct me if I’m wrong, but one is I need to enhance the security posture of the organization, but then the second is I’m the front door to the employees and their productivity and developer productivity. And so it’s like, how do I both harden the security posture while also making people more productive?
Umaimah Khan:
Exactly. Yeah. There is this natural… or historically, there’s been kind of this natural tension, right. At the end of the day, when you’re building a business, you want to unlock revenue, you want to keep your growth trajectory, and you reach these certain inflection points of maturity where, all of a sudden, the risk calculation changes. Once you’re the size of AT&T, it’s a much bigger deal at the bottom line of your revenue to have your records breached than to keep going quickly.
And I think, again, going back to analogies, the best solutions are actually product-oriented in this regard. They recognize that you have to sort of align incentives through product work. So the example I like to give is GitHub. Ultimately, we like to joke internally that GitHub is a compliance tool. I like to sometimes ask people, “Who do you think buys GitHub in an organization and what are you thinking where it’s used to check the box?” But that’s not how you think about it in an organization. You actually think about or just accelerating the rate of developments and helping people get the context faster.
Saam Motamedi:
Yeah, totally. Totally. We talked about some of the attack stories. Let’s shift to some of the customer stories because I think what’s great for customers and enterprises who are using Opal is they can be rest assured that they’re not going to face these types of identity attacks. And so maybe before we jump into the stories, how do customers articulate the problem that they’re solving with Opal? How similar is it to what you just said versus different?
Umaimah Khan:
Yeah, so I think of this as an early disruptive market, and what that means is, a lot of times, people are formulating their own theories of what good looks like and are sort of approaching these conversations from a perspective of sharing their learnings as well. But there are some common themes. So a big one is visibility, right. When you talk about sort of just waiting to know when your crown jewel is going to get popped, you’re going to think about visibility all of the time.
Orchestration is another really common one. How are we going to put workflows or infrastructure in place that will actually scale with how our business changes over time? And then resiliency. And I think this one is oftentimes sort of overlooked and is really, really important. To your point, this is a very, very trust-based relationship. You’re trusting somebody to basically show you what’s going on in your organization. You need to be able to roll that back. You need to be able to extend it. And so how do you build systems and infra that organizations can ultimately trust and build on top of and scale?
So the number one thing I would say folks come to us with is sort of, I call it, two archetypes in the market. One is these earlier enterprises that are on this growth trajectory. They’re looking for revenue unlock, but they’re also looking for someone to help them set good hygiene in place so that as they hit the next stage of maturity, whether that’s IPO selling to big enterprise or regulated environments, they’re starting with good.
And for them, it’s really about driving least privilege from a security-first standpoint without slowing the business down. So an example here is if we catch an organization right before an IPO or something like that, they have generally a good idea of how the business is managing access. They just know something’s going to come around the corner that’s going to make it chaotic, and they want to get infrastructure in place today to sort of solidify some of that and help it evolve. And this is sort of the innovators. They’re like the forefront of the industry.They’ve often built systems like this at their old jobs.
The second market, I call it established, entrenched, the chaos is in the house, and these folks are looking for somebody to come in with a machete and just show them where they need to clean access up. So, specifically, for crown jewels. So you have to think about it in a phase rollout. So the story we see the most here with customers is, “Help us get AWS under control. Help us get Snowflake under control. Help us get Azure under control.”
So they have kind of this vague sense of like, “Oh my God, it’s been 30 years. Who knows where the skeletons are? We know roughly where the crown jewels are. Show us what’s going on and help us remediate it immediately.” So it’s nice because, as a product, we can capture both that proactive and that reactive loop.
Saam Motamedi:
I love the way you frame the two cohorts of organizations out there and kind of maturity and pain points. How much overlap is there versus difference, and how do you build a product that can kind of appeal to both?
Umaimah Khan:
Oh, I love this question. So, from a product standpoint, I actually break it out into certain themes. If I put sort of my technical product hat on, I think of that second established market as the one that’s going to help you think about your products from an infrastructure level. What do you need to do to scale? How do you need to think about the underlying infrastructure? How do you need to think about the storage layer? How do you need to think about all of the edge cases?
The first market is incredibly valuable in helping you build this kind of inside loop feedback for what the industry should look like in five to 10 years. And the biggest theme there, I would say, is usability, UI/UX, which is often a neglected point in enterprise products, but more and more, we see that it’s a non-negotiable. So these are the folks, whether by size of organization or just because they are used to using best-in-class products, will have very strong opinions on what usability should look like, and they help drive it for the ladder market, and you build for scale in the ladder market.
Saam Motamedi:
Yeah, totally. Getting that balance right is really hard, but when you get it right, it’s really powerful. And as you said, typically, these things converge over long time horizons.
Umaimah Khan:
Yep.
Saam Motamedi:
If you take those two segments of the market, maybe take one of each specific kind of customer or case study and how people are using Opal.
Umaimah Khan:
Yeah, yeah. I think in the first bucket, you’re going to see folks usually in early enterprise in verticals like enterprise software infrastructure, AI, machine learning, anywhere where they’re working with a ton of data. And they’re mindful that they have to operate in a certain way. And so, oftentimes, these companies already have really good DNA on engineering security IT, and then they have a sense of what good looks like. So they’re coming in saying, “This is how we want to break down how we grant access on day one. This is how we want to break down how we do just-in-time access for on-call critical infrastructure systems. This is the type of data we need to integrate this into our SIM tools and our ecosystem.”
That’s a very, I would almost describe it as an intuitive sale. And really, what you’re doing there is understanding if you both sort of have that same security background, that security DNA of understanding what the future needs to look like.
The second market, think of it as big banks, nation-state actors like the media. You’re really coming to the table not necessarily with an opinion on what the product looks like, but a very, very clear idea of ‘here are the crown jewels. Here are the 10 systems that, no matter what happens, I cannot have popped,’ and what are you going to do to clean them up? And there, we talked a little bit about how we built some strategies for remediation in Opal. There’s some very straightforward things that are hard to apply at scale.
So an example here is with one of our big Fortune 500 customers applying two factor across all of their critical systems or applying just-in-time access across all of your production AWS accounts and making this play nice with whatever already exists in the stack, but adding that extra layer of protection and giving that measurability, because that’s the other thing that I think is often forgotten. In security, you’re not just fixing these things for your teams. You actually have to communicate how you’re getting better laterally to your sister teams upwards, sometimes at the board level, to your management. So you have to actually show how things are consistently getting better in that second market as well.
Saam Motamedi:
Makes sense. Maybe moving to how customers interact with Opal. You actually mentioned something there around playing nice with the stack. What is the common identity stack? And if I use something like an Okta or, on the identity governance side, a SailPoint, or on the privileged access side, a CyberArk, where do you interact? Where do you make existing solutions better? Where do you compete? What’s the right way to think about that?
Umaimah Khan:
Yeah, this is a great question, and I think it’s also one of the banes of our existence because people have effectively treated the identity stack as sort of a, “Let’s throw things at the wall and see if they stick.” And so it means that there’s a lot of resources and capital that are sunk into it without a ton of measurable results.
But there are some commonalities, to your point. Almost everyone has an identity provider. You need to have some concept of digital identities if you’re a scaling workplace. So we connect with an identity provider such as Okta or Microsoft Entra or Groups, et cetera. And you want to sort of use that as your baseline to start feeding in identity data. The other major thing is HR systems, which are notoriously hard to keep in sync after a certain size of an organization, but they have a ton of information on who a person is to help make some of those longer-term workflows and remediations. Further down the stack, you have these very, very sensitive systems like your hyper scalers, internal tools, customer impersonation, sometimes sensitive SaaS applications or business-critical systems like NetSuite or SAP. And all of these things are so sensitive that they’ve actually ended up building their own custom-built authorization.
And so what we end up doing is sort of sitting right in the middle of these types of things and actually collating all of that and helping folks actually visualize, “Okay, where is this identity coming from? Where is it going down to? What are they doing in that? What are the policies that are set on this? How are they being used? Are they being used? How are they pulling in the usage data on those things?” And so what that allows us to do is really fill in this missing context. And because everything is an API first by design, it means we can also start to make changes on those things.
If you want to take the step after visibility, you mentioned briefly the sort of governance stack. So one thing we talk about at Opal is good compliance is an output of good security. GRC, they have a very critical job. They have to kind of show that we’re checking the boxes, that things are running, that they’re able to provide the evidence that people are actually implementing these processes well, but oftentimes, they don’t actually have a source of truth for those things. So they’re sort of building these manual spreadsheets over the course of several quarters trying to ascertain what people actually have access to. And so there’s a natural confluence there where we have the source of truth.
We’re finally collating all of this. We’re giving visibility. We’re right-sizing policies. And what we can actually do is sort of even make the story as simple as saying, “Hey, actually nobody has longstanding access to this database in AWS, so therefore you’re under this compliance requirement and go forth.” And a lot of our customers have actually started doing this as they’ve started going for things like FedRAMP medium or FedRAMP high, actually make that part of their SSP.
Saam Motamedi:
Yeah, that’s really interesting. And I think it’s from my perspective, you’re taking a historically very fragmented space, which creates two challenges. One is that I have to have this fragmented stack, which means I have a lot of tools I have to manage. And then two is that things fall between the gaps. And so then, both in terms of risk identification and remediation, I’m constrained by the siloed nature of my tools.
Umaimah Khan:
Yep.
Saam Motamedi:
And you’re creating a converged architecture that can interoperate and play nice with the things you have in the stack but can kind of converge the space. And it seems like that’s why customers love Opal.
Umaimah Khan:
Yeah. And I think this is a really critical point – not to harp on the AT&T, but I mean, just think about it. The fact that there were 110 million records that wasn’t… it just sort of fell through the cracks in the sense that nobody recognized that this is being used in this way, that it’s only being protected by a username and a password, and it’s a result of having this sort of fragmented access stack, this fragmented identity stack. So you need that overall sort of convergence, as you said.
Saam Motamedi:
The other element of convergence, if you will, is on people and personas. And I think one of the interesting things, again about identity, you touched on security versus compliance, but there’s so many dimensions of this.
Umaimah Khan:
Yeah.
Saam Motamedi:
And so, if you look at the enterprises you’re serving today, who are the people who are involved with Opal?
Umaimah Khan:
Yeah. I like to joke – I call it the Holy Trinity. So, just as a baseline, obviously, access impacts all users in a workforce at varying levels of depth. But the folks that we primarily interact with are security, IT, engineering, and then GRC. And it’s really our job to align the various incentives of these stakeholders and also help them see that a security-first approach here is actually going to help them and not slow them down.
So we primarily sell to security because our belief and conviction is that this is a security issue. What we see over and over in the industry is once a breach happens in identity, the responsibility moves over to security, but you have to serve the needs of the business as well, right? So what does that look like in terms of efficiency, in terms of usability, in terms of helping people establish the right cultural precedence?
And then, on the engineering side, just because we are such a fundamentally flexible product and we are built to be developed on as well, there’s just sort of a natural relationship there as well.
Saam Motamedi:
Yeah, exactly. I’ve always been struck by how I feel that Opal is one of the only tools in a security stack that the champions and the security personnel love, but actually maybe developers love it even more because it makes their jobs better, makes them more productive.
Umaimah Khan:
Yeah. I mean, I think that’s part of going back into that early customer attraction, a little bit of our own DNA, right. And I didn’t mention this, but I built an early version of Opal at my last startup. Some of our early customers, Figma, Databricks, Scale AI, they came from teams where they had gone through that same trajectory that I had, where they got frustrated that there wasn’t a good engineering system in place that was meant to serve the entire business and had just sort of rolled up their sleeves and taken it on themselves.
We’ve talked a lot about the importance of the customer and building enterprise SaaS companies, but I think architectural decisions matter a lot too. And that’s one of those things that actually really does shine when you have an eng buyer in the room. People will notice what a considered architecture looks like, and they will be able to think through scale and trade-offs and things like that. And that’s something that we’ve always been very good at because that’s sort of our DNA at Opal as well.
Saam Motamedi:
Exactly. Well, we’re not texting about Opal topics. I think the other topic we’re texting about is the one topic that’s hard to steer clear on the technology right now, which is AI. And there’s a lot we could talk about as it relates to AI, but I want to talk about it in the context of Opal and in the context of security. So what’s the role that AI plays at Opal?
Umaimah Khan:
Yeah, I do love this question, and you’re right. We have talked about it at some length because part of my job is also just thinking about how the technological shift is going to impact us and how it’s changing and evolving.
So I think just to take a step back, when I think about the broader AI space, I think at this point, non-trivial milestones and learning are largely going to come from big frontier shops or big research institutions, but there’s a lot of work to be done in the surrounding ecosystem. We’re kind of at the point where we’re starting to see applications in smaller and more specialized use cases. And while it’s not a moat per se, you’re starting to see strong traction in infrastructure deployment and regulation.
So I believe – we believe – that enterprises will likely continue to use increasingly customized smaller open-source models that are going to adopt these tools into their dev stacks. And they’re also going to be concerned with privacy and safety, and they don’t want to flood all of this to providers who end risk leaking their data.
So what that means for us is we have to account for how that environment in our customers is changing and how they deploy. So how is the attack surface different? So, for example, how are non-human entities operating with respect to access? How are the crown jewels evolving? One sort of obvious example is PII just becomes this massive sort of training set, which I worked in health tech briefly. PII was locked down to operations and only data engineering teams. Now everyone’s like, “No, no, no, we have to train.” So crown jewels are evolving, and the business case for accessing those crown jewels is evolving as well. So you have to kind of take into account these attack surfaces. You have to take into account the ways in which businesses themselves are evolving.
From a technical innovation perspective, I would say I think about two lenses here. One is we operate in a very data-rich environment. Not just the policies and the identity primitives that we’ve talked about ingesting, but also how folks are using requesting, making access, holding onto access, right, how they’re making those judgment calls. If we provide transparency and explainability for decision-making for access changes, we actually have a very unique opportunity to introduce new forms of automation and incorporate different types of reinforcement learning and constitutional models. If you’ve ever seen, there was an Anthropic paper a couple of years ago, there’s a lot of automation, and this is going back to the theme of efficiency. When it’s two in the morning or 9:00 PM, and you’ve scaled as much as you could, but you’re the eng manager, and you’re like, “What is this ticket? What am I doing?” And now, I have to write the justification, and this person requesting is writing the justification.” There’s so much that can be done if you have that baseline of interpretability and transparency that can just be automated there. The other area that we think about is code generation.
So as code generation gets better, we operate in a relatively defined language with tons of human input and review and repair. So things like IAM policy creation and adaptation get markedly more prolific and proficient than they were even two years ago. And this is an interesting area. I did some research in this back in the day, and I used to be a bit of a skeptic. I was like, “Great, now we’re just going to make AWS IAM policies on policies.” But the technology has (verifying and correcting and generating decent policies) has actually gotten good. So that’s another area I think we’re going to see authorization really take off in.
Saam Motamedi:
Yeah, I think those are great examples of how you all are leveraging AI.
I’m curious – this is a somewhat orthogonal question – which is, you’re a CEO of a fast-growing company. A lot of this AI stuff is relatively new and also evolving very quickly. As a leader internally, are there any best practices for other founders listening on how you encourage your engineering team to kind of, on the one hand, not distract themselves, which one easily could do, given how fast the pace of change, but on the other hand, to stay aware of what’s happening and in particular in the context of how it can be applied to strengthen Opal’s product and bring new features to your customers?
Umaimah Khan:
Yeah, I love this. And I think…every founder sets their culture, and it’s very company-specific, but even as an engineering leader in past jobs, one thing I always loved to do was I’d run paper reading groups. I’ve always built very curious sort of engineering teams that are also pragmatists, but staying abreast of literature is actually important. And it’s not even AI-specific. I think, in the last 10 years, there was this complete explosion of database technologies, and I remember there was this need to be like, “What’s happening? What’s the latest? What’s the greatest? How can we incorporate this?”
And then the second piece is on distractions. I think that really comes from sort of being very, very clear about what the problems you’re solving and having a culture of actually debating the pros and cons. So I mentioned earlier that we do a lot of classic ML at Opal, and that’s not necessarily a contrarian stance. A lot of our engineering team does come from places like DeepMind and Meta, and they’ve worked on actually varying levels of the AI stack. But we think about what do we need to do today, and what do we need to stay aware of so that we can continue to innovate in a reasonable manner. And you tie that back to the needs of the business.
We work in a very critical part of the stack. We need to always establish trust, transparency, and accuracy. And when you work on critical decision systems, if you think about anomaly detection, even in credit cards or fraud or things like that, you don’t want to get distracted. First, you need to establish that you know what you’re doing and how you’re solving a problem before you start to layer on different types of innovation. So I think the company being aligned on what problems you’re solving, but also making space to continue to be curious and stay aware of things, right.
Saam Motamedi:
Yeah, absolutely. This kind of leads to the last question I have for you, which is what’s coming next for Opal. And if you take kind of, let’s say, a two-year view and then a five-year view. So I’ll ask you two forms of the question.
Umaimah Khan:
Yep.
Saam Motamedi:
What will Opal look like, and how will the way enterprises secure their identity change?
Umaimah Khan:
Yeah. So another theme you and I talk about at times is positioning. And I think a lot about, and I’ve mentioned we’re going to over the course of this conversation, this idea of security-first identity. I think there’s a unique opportunity right now and a unique window, let’s say, in the next two years, to really establish what it means to build a security-first identity company. And what that means practically is shifting some of the ways in which we measure, which we monitor and the ways we think about architecting identity solutions in the identity stack, to your point.
We’re already seeing some sort of initial early signs of this. There’s been sort of the whole non-human identity space, but there hasn’t really been this cohesive, almost manifesto-like, “This is how you have to think about identity security.” And I think we have a unique opportunity to sort of set some of those precedents. So continuous monitoring, immediate remediation, not waiting for regulation to force better authorization decisions, but actually building them in directly from the ground up and really sort of revitalizing the industry from that standpoint. I think what makes Opal unique in this space is that we’re not… we are intentionally not abstract about it.
And this was the thing I learned when I built up my last job. You can build the nicest policy language in the world, but at the end of the day, if people aren’t using it, then you haven’t built the right system. So we think if we build the right system for getting people to think about authorization from a secure and access from a security-first identity standpoint, it will naturally change some of these cultural attitudes. And we measure these things. In our customers, when they deploy, we see how many of them are operating in a zero-trust model. How many of them are actually using multifactor? How many of them are actually getting benefit from having used these strategies?
On a five-year… One of the reasons I love this, and you and I joked about this once where I was like, if I wasn’t doing this, I’d probably just go do it again, almost like it was some joke of this form. I just think it’s such a great market, and in security, it’s always a game of entry points and then boxing out markets. And I think if you solve the IAM layer in this sort of practical, “Oh, we have the context, we have the visibility, we have the orchestration remediation way,” that gives you the ability to go in several directions.
You have the ability to influence what the authorization schema standard could look like because you’ve effectively built the database. You can define what vulnerabilities look like at the OSS FRNS level. You can even help set direction on hardware for identity. So if you control this layer of the stack, you have just this incredible opportunity to really build an iconic sort of company and identity security. But in order to get there, you have to be pragmatic about where you’re meeting customers today without being overly rigid in how that solution is architected.
Saam Motamedi:
Yeah. Of the many things that impressed me about what you’re building at Opal, that’s always the thing that stands out, which is, it feels like, I don’t want to jinx it, but you all have found this balance of a really clear point of view on how this category should converge and work very seamlessly end to end with great UI, UX, AI, and power developers strengthen security, but you’ve entered the market very pragmatically.
And in a way where you can solve concrete problems today, you can live alongside other tools and make those tools better and kind of progressively get the customer to modern identity security. And I think that’s a great template for company building in general, and the way you’re applying that in this space seems to really be resonating in the market.
Umaimah Khan:
I appreciate that. I mean, I will say there were hard lessons won, and we talked a lot about pragmatism, but I mean, I do think like a mathematician sometimes. And there’s only so many systems you can build, and you realize that they don’t work where you have to realize you have to be pragmatic and meet people where they are.
Saam Motamedi:
Exactly. Well, Umaimah, this was a lot of fun. I’m really glad we were able to have you on Greymatter and for our listeners to get to hear more about the Opal story. And I’m really excited for what’s ahead for Opal. It’s amazing how far you guys have come in just a few short years, and the best is very much ahead of us.
Umaimah Khan:
Awesome. Thank you so much for having me.