Introducing Enterprise OPA: an Enterprise-grade OPA Distribution Built for Data-heavy Workloads

3 min read

Delivering 10x memory and 40% CPU throughput improvements

TLDR

Today, we launched Enterprise OPA, an enterprise-grade OPA distribution built to provide resource-efficient performance for data-heavy authorization. Designed to mitigate the effects of data-heavy workloads, our new offering allows you to reduce infrastructure costs, optimize authorization performance and minimize enterprise risk with powerful live impact analysis, while connecting natively to existing data sources. Overall, Enterprise OPA provides a 10X reduction in memory usage and a 40% increase in CPU throughput when processing large authorization data sets. 

Enterprise OPA allows enterprises to:

  • Reduce infrastructure costs with smaller cloud instances and more efficient operations
  • Faster time-to-production using out-of-the-box data source integrations that allow you to reduce development costs and get into production quickly 
  • Minimize enterprise risk with the industry’s only live Impact Analysis tool to validate policies before deployment, shrinking deployment failure and costly security issues

Reducing the costs of data-heavy authorization

This distribution of Open Policy Agent (OPA) empowers enterprises to embrace large data sets with richer, more contextual data and drive better, more secure authorization decisions at scale while reducing the cloud costs needed. Enterprise OPA is a drop-in replacement for OPA with native datasource integrations, meaning that enterprises can implement this distribution quickly, with little-to-no configuration changes and no additional learning curve. Moreover, Enterprise OPA is equipped with the industry’s only live Impact Analysis feature, which allows users to check policy-as-code changes against the decisions already running in production — and catch any production-impacting changes early in the policy lifecycle, before they go live. 

While Enterprise OPA is designed to work well with Styra Declarative Authorization Service (DAS), our enterprise control plane and data plane for OPA policy management, customers can also use it as a standalone product in their existing OPA architectures. 

Enterprise OPA is a drop-in OPA replacement that requires no additional learning curve

“We’re incredibly excited to bring Enterprise OPA to market, because it empowers our customers to achieve immediate cost and performance savings while pursuing the policy-as-code projects that are so essential to the security, compliance and operational performance of their infrastructure and applications,” said Chris Hendrix, director of product at Styra. “This new product gives any member of the OPA community the confidence that they can apply the right large-scale data sets to achieve the robust fine-grained authorization decisions they need, while actually lowering the costs required with smaller cloud instances.”

Caption: Memory footprint (32 clients): Enterprise OPA uses 10X less memory

Industry Background: Data Gravity Impacts Authorization

As enterprises embrace cloud-native applications and infrastructure, DevOps and platform teams are turning to policy-as-code authorization to implement fine-grained access controls and enforce security, compliance and operational best practices by default. Open Policy Agent (OPA) has emerged as the de facto standard to implement policy as code across the cloud-native stack; from securing Kubernetes, to validating Terraform resource changes, to enforcing fine-grained controls across API gateways, microservices and service mesh and more.

At enterprise scale, however, data gravity can become a significant challenge. Generally speaking, as teams invoke larger and richer authorization data sets — such as large or complex attribute data sets for ABAC decisions — that data tends to gravitate closer to the location of individual OPAs, or the policy decision point (PDP) where authorization decisions are made. As a result, enterprise architectures tend to evolve into fewer and larger instances of OPA, as opposed to many distributed OPAs that live close to the data. The result is that OPAs (and sources of truth) are placed under significant load, driving up the cost of infrastructure and creating the need to build custom workarounds like HTTP facades for performance. In the end, enterprises should not have to choose between security and cost — in other words, between data-heavy workloads for robust authorization decisions and low costs for their cloud environments. 

What are the top benefits of Enterprise OPA?

Because of its ability to lower infrastructure costs and optimize performance, Enterprise OPA will allow organizations to embrace larger and richer larger data sets and new use cases, resulting in better authorization decisions and a more secure enterprise. For instance, here’s a quick sampling of use cases and areas where enterprises may find immediate value, with this new resource-efficient option available to them:

  • Fine-grained Access Control. Generate secure and robust ABAC decisions by leveraging contextual data, such as additional fields from aN IAM data source, user location data, user risk scores, machine types, contract types, last access data, access frequency, IP address or any other additional attributes.
  • Continuous Event Streaming. Send more data to Enterprise OPA nearer to real-time using tools like Kafka. With greater local memory available, this means that your authorization engine always has the fullest, most accurate data picture possible at scale
  • Enterprise Entitlements. Identity and Access Management (IAM) teams can easily use existing data sources like Okta or any LDAP tool to extend context-rich identity to policy decisions in your applications. This improves time-to-market and enables better AuthZ decisions with larger data sets.

While this is far from a complete list, we hope that customers can start to see how and where Enterprise OPA can begin to make an immediate impact.

Wrap-up and Next Steps

Data is one of the three pillars of policy-as-code authorization, together with policies and software. It only follows that enterprises should be able to use the data sets they need, of any size, to inform the authorizations they require. We hope that with Enterprise OPA, our customers will feel empowered to embrace larger, data-heavy workloads while reducing the cost and operational complexity needed to support them.

Want to give Enterprise OPA a try? Request an Enterprise OPA Demo today To learn more about Enterprise OPA and how it can further your authorization journey, book a meeting with a Styra team member today.

Cloud native
Authorization

Entitlement Explosion Repair

Join Styra and PACLabs on April 11 for a webinar exploring how organizations are using Policy as Code for smarter Access Control.

Speak with an Engineer

Request time with our team to talk about how you can modernize your access management.