Opal announced that they have closed a $10 million Series A funding round led by Greylock. Opal’s platform enables enterprises to manage employee access scalably with a focus on reducing the amount of access granted. By decentralizing access management away from bottlenecked teams like Security and IT, Opal empowers organizations to grant access more selectively, which lessens their attack surface and compliance burden.
Traditionally, corporate security has focused heavily on perimeter defense. In this model, companies attempt to stop attackers on outer layers of protection like firewalls. More recently, companies have begun adopting a defense-in-depth posture where perimeter breaches are assumed to happen, but internal layers of protection are also implemented to mitigate the damage.
One core strategy is limiting the amount of access granted to employees. The less access granted, the less damage a compromised account can do.
However, limiting access without hurting productivity is hard. Employees use many complex systems in their day-to-day work, each with its own way of defining access control. For many organizations, it’s easier to err on the side of giving more access than necessary, avoiding the manual overhead of granting employees only the access they need according to the principle of least privilege.
This is where Opal fills the gap, driving a culture change that helps organizations give out less access without compromising on productivity.
By limiting the access that’s given permanently and making it easy to request additional access rapidly, Opal helps organizations adopt true least privilege. Companies using Opal can process requests faster with a decentralized model that shifts ownership away from only one or two teams. Opal’s focus on integrations allows employees to request granular access including databases, Salesforce roles, GitHub repos, Okta groups, and more. Opal also offers workflows for conducting company-wide access reviews to make it easier to meet compliance standards and keep their access footprint down.
“Every security and engineering leader we speak to wants to move towards least privilege, but is unable to with current offerings,” said Saam Motamedi, General Partner at Greylock. “Opal’s approach is a new way of thinking about access management at scale. Its innovative approach balances usability with least privilege—empowering both end users and admins. We believe Opal will be an emerging leader in an important and large category.”
Currently, Opal is the access management tool of leading technology companies across a range of industries including Databricks, Blend, and Marqeta.
Mike Hamilton, VP of IT at Databricks, said, “Opal is building the framework for identity management and authorization—providing an incredible user experience for our employees while ensuring we have the infrastructure for auditability and evidence.”
Started in 2020, Opal was founded based on the leadership team’s firsthand experience with access management challenges at companies like Dropbox and Collective Health.
“Our internal tooling at Dropbox was powerful, but there was a lot of friction in the user experience,” said Stephen Cobbe, CEO. “It was difficult to answer simple questions like ‘What does this group grant me access to?’ or ‘When was the last time I used that access?’ If the aim is to build a culture of least privilege, it has to be effortless to browse, request, and receive new access.”
“We found, after speaking to different enterprises, that true authorization is often delayed or oversimplified,” said Umaimah Khan, Head of Product. “There’s nuance involved in designing a system like this—bringing in data about who a person is, for example, or accounting for re-orgs and changing roles. It also requires a lot of engineering effort both to build and maintain internally. The focus can’t just be on function—designing something that people actually will use is one of the hardest parts of implementing best security practices.”