Opal, a platform that decentralizes access management for enterprise customers, today announced that it raised $10 million in a Series A funding round led by Greylock. CEO Stephen Cobbe says that the proceeds will be put toward product development and expanding the size of Opal’s 25-person team.
It’s Cobbe’s assertion that companies give out too much access to systems. To his point, a 2021 survey by cloud infrastructure security startup Ermetic found that enterprises with more than 20,000 employees experienced at least 38% cloud data breaches due to unauthorized access. Employees use systems like Amazon Web Services (AWS), GitHub and Salesforce in their day-to-day work, and each of these systems has its own way of defining access control (e.g. via roles, groups, resources, permission sets or policies). With so much variety, defining the right role-based abstraction can be challenging.
“Being an ‘engineer’ might have a well-defined meaning in Jira, where it involves having access to the ‘engineering’ ticketing project. However, in a more complicated system like AWS, being an ‘engineer’ may offer little insight into what a user needs to do their job,” Cobbe explained. “Opal solves this problem by leveraging a more dynamic model of access.”
Opal was founded in 2020 by Cobbe, a former software engineer at Dropbox. Umaimah Khan, Opal’s other co-founder and head of product, came from Collective Health, a self-funded employer health benefits firm.
Opal offers employees a self-serve catalog that allows them to request and receive access to systems. An analytics dashboard provides usage-based suggestions, visualizations, and insights about access to a customer’s security team. If a user hasn’t accessed a resource in many months, for instance, Opal’s analytics dashboard might recommend that the user’s access be removed.
“Opal brings a unique approach to the problem of access management, combining insights with workflows. Most products are one or the other,” Cobbe said. “Opal decentralizes away from overburdened teams like security and IT to resource owners with the most context.”
Opal can automatically discover databases, servers, internal tools and apps, delegating access requests to the relevant teams and managers. The platform can also automatically remove access when it’s no longer needed, sending reminders to reviewers through Slack and email and monitoring for any changes to access.
“Opal was built to give teams a single pane of glass to manage access scalably and according to the security principle of least privilege where only the minimum amount of access necessary is granted,” Cobbe said. “Broadly, Opal helps enterprises move nimbly while staying secure and maintaining compliance … [We do] this by establishing a culture in which least privilege, the act of giving the least amount of access for someone to complete a task, is an established norm and everyday practice.”
Opal competes with companies large and small in the access management space, including DoControl. But Cobbe, while declining to answer questions about Opal’s revenue, said he’s confident his company can stand out with a customer base that includes Databricks, Blend and Marqeta.
“Security and compliance are crucial for most companies. Even amidst the current economic environment, we believe there will continue to be a budget for products that drive value in these spaces,” he added.