We are honored to officially welcome Nils Swart as our new Vice President of Product. Nils was previously a Senior Director of Product Management at Cisco focused on application and workload security. After initially starting his career in infrastructure IT, Nils gradually moved up the tech stack towards application security. For the last three years, Nils has focused on how applications are built, deployed and secured. We are excited to have Nils bring his extensive experience in product and authorization to Styra!
In this Q&A, Nils shares his goals for the Styra product team, explains why he believes authorization is everywhere and even tells us what power he would have if he were a superhero 🦸‍♂️.
What drew you to Styra?
In the past, security has been like dropping a developer into a dark room and having them blindly feel for a way out. The problem is that the developer has no idea if the room has multiple exits leaving it vulnerable to break-ins. Styra provides a light in the room allowing developers to implement all of the needed security measures, without having to reinvent the wheel.
Often developers view application security as going through the TSA. It is security that is happening to you instead of with you. Authorization is one of the key components of doing security well within applications. If AppSec is a top concern, then authorization should be as well. Authorization needs to be a part of the process instead of a last-minute addition. The good news: there is no need to reinvent the wheel to achieve this! Authorization can be easily externalized using Open Policy Agent (OPA) and Styra Declarative Authorization Service (DAS) and the extent of what they can do is powerful. To that end, my primary goal is to make application security as easy as possible. Doing authorization well is a very large chunk of that.
What excites you most about your new role as VP of Product?
The Styra founders have built a movement around OPA. Together with this community, they have made OPA the de facto standard for all developers. The opportunity to “stand on the shoulders of giants” is such a tremendous privilege. I am excited to join a team with the vision of supplying authorization to all and the talent to execute that vision.
Authorization is already everywhere, and it is only going to become more valuable in the future as businesses want more flexible conditions applied for granting access to their services and data.
What do you mean by "authorization is everywhere"?
"Everything" you want to accomplish with running a customer-facing application has authorization at the basis of it: deploy authorization (is this thing allowed to consume resources?), access authorization (is this application allowed to communicate with the world?), and data authorization (is this system allowed to have access to that piece of data on behalf of this user?). Across the entire lifecycle of a transaction, there are tens, if not hundreds, of authorization decisions that happen whether we think about it that way or not. Coming up with a flexible yet standardized way of addressing authorization is difficult but possible (OPA!); the next wave is to use these authorization capabilities in applications and infrastructure and treat all of this as policy-as-code.
Why is Styra DAS so important?
So authorization is everywhere, and everyone is re-implementing the same thing over and over again. I remember a customer once framed it as "every team has implemented something that approximates authorization but isn't fully functional authorization." I am a firm believer that externalizing authorization and policy management to Styra DAS, which utilizes the OPA standard, is a better model. Rather than reinventing a wheel, developers can now focus on adding valuable new functionality and other interesting problems. With DAS, enterprise hardening, operationalization and workflow integrations are all taken care of already.
There are several golden rules in development; a famous one is "don't implement your own encryption." Developers are starting to adopt a new golden rule: "don't implement your own authorization," and instead rely on an externalized authorization service like Styra DAS.
What are a few of your goals/hopes for the product team?
There are many people, outside the usual suspects in security, who impact or are impacted by policy and authorization. Styra has a massive opportunity to enable more people to collaborate on policy and authorization without the risk of breaking the organization's goals. Our product team helps guide product development to optimize the everyday life of our customers (when it comes to policy and authorization). One of my biggest goals for the product team: ensure that non-tech people can understand and influence policy without having to be experts in specific technology implementations.
If you could have any superhero power, what power would you have and why?
I would have the ability to speak and understand every language in the world (maybe beyond) with an understanding of all the cultural nuances. Language is so important and arguably the source of so much confusion and friction in the world. I believe the ability to speak any language would be a massive superpower when used for good.
If you had to work, but you didn't need the money, what would you do?
This is a difficult one! Penguin herder in Antarctica is high on the list. Next would be a tour guide at the Academy of Sciences Natural History Research Institute in San Francisco helping spread the wonders of nature to kids and adults alike. And they've got penguins. 😃