Umaimah Khan grew up in San Diego, but now lives in the Bay Area. A fun fact about her: she was homeschooled until college, and growing up, loved puzzles and math. She planned to be a math professor until she eventually got into startups and tech. She is a curious person, with many hobbies and interests. In fact, she loves to cook and was a chef at two different Michelin star restaurants. She also likes to garden, growing food and also interesting plants.
In the past, UK found herself drawn towards real world problems in real time. What she found herself noticing was that access management was incredibly messy, and that people weren't willing to look behind the curtain to fix the problem. After she noticed that this problem kept surfacing, she decided to solve it.
This is the creation story of Opal Security.
Sponsors: CacheFly, ClearQuery, Kiteworks
Links:
https://opal.dev/
https://www.linkedin.com/in/umaimah-k-b7466a249/
We are a security company, first and foremost. From day one, we have to build a lot of trust, and that has to show through in our features.
So we made very specific choices on what we would prioritize from that perspective, such as being able to work in hybrid environments, because we knew that even as a small company, if we wanted to be the backbone of people's access management and least privilege infrastructure, that they needed to feel like they could manage us entirely and work in these complex environments.
Another example of this is like building in our back end, our product itself, which is something that you will often see in like B2C or product-led companies gets left until way too late. I'm Umaimah Khan, also known as UK, the co-founder and CEO of Opal Security.
This is Code Story. A podcast bringing you interviews with tech visionaries. Who share what it takes to change an industry. Who built the teams that have their back. Keeping scalability top of mind. The stories you don't read in the headlines. To ride the ups and downs of the startup life. It's not just about technology. All this and more on Code Story. I'm your host, Noah Labhart.
And today, how Umaimah Khan decided to go out on her own and help organizations reduce access sprawl and enforce better security.
This episode is sponsored by Kiteworks. Legacy managed file transfer tools lack proper security, putting sensitive data at risk. With Kiteworks MFT, companies can send automated or ad hoc files in a fully integrated, highly secure manner. The solution is FedRAMP moderate authorized by the Department of Defense and has been so since 2017. Step into the future of secure managed file transfer with Kiteworks. Visit Kiteworks.com to get started.
This episode is sponsored by ClearQuery. ClearQuery is the analytics for humans platform. With their full suite of features, you can go from data ingestion to automated insights seamlessly. With Ask ClearQuery, you can find valuable insights into your data using plain English. Don't miss the opportunity to simplify your data analytics with ClearQuery. Get started today at clearquery.io slash code story.
Umaimah Khan, also known as UK, grew up in San Diego but now lives in the Bay Area.
A fun fact about her, she was homeschooled until college, and growing up, she loved puzzles and math. She planned to be a math professor until she eventually got into startups in tech. She's a curious person with many hobbies and interests. In fact, she loves to cook and was a chef at Michelin star restaurants. She also likes to garden, growing food and also interesting plants.
In the past, UK found herself drawn towards real world problems in real time. What she found herself noticing was that access management was incredibly messy and that people weren't willing to look behind the curtain to fix the problem. After she noticed that this problem kept surfacing, she then decided to solve it. This is the creation story of Opal Security.
So Opal Security is at the highest level. I like to think of it as an identity security platform. And what we really do is basically build the data layer and the workflows and then threat detection and response to actually understand who has access to what in your organization and how to calibrate that and eventually fully automate that in a way that actually scales with your work.
I did more academic security in a past life. I studied some cryptography and I did a bunch of math and found myself repeatedly drawn to real world problems at the same time. I enjoyed the technical challenge, but then would have this desire to fix things that I saw happening in the real world. And one of those things was access management was this incredibly messy, fragmented issue at every scale:
tiny 10-person startups to open source to big government labs. And it just felt like a strange thing. It's clear that this matters. It's important. It's almost ignored until it's too late. And I think a huge part of that is because people aren't willing to look under the surface and ask themselves, how did we get here? A huge part of that is the reality of how businesses grow and how they scale.
Security sometimes ends up being an afterthought, especially in product-led organizations, when it hinders the business. You just get to a point where you got this like insane wild west of like authentication and authorization and you don't really know what's going on in your org and you're a little bit scared to pull the trigger anywhere because of what could happen down the line.
I found myself like just fascinated, like both from an organizational and technical perspective that like this kept happening and eventually got so frustrated that I was like, you know what, I'm going to go figure out why this is the case and possibly build it. I was confused.
It just seemed like there would be these big legacy players that were just built to check boxes from a compliance standpoint so that you could say, oh yeah, we definitely do this internally, but not actually solving the problem at some deep technical or product level. And I at some point just said, you know what? Screw it. I'm just going to build internally and try to build a good system here.
And what I found was that I wasn't the only one who had gone through this. There were many companies, especially in the Bay Area, who had a similar realization. And then they would hit this point where they're like, I can't scale this internally anymore. I can't justify this internally anymore. And it was like such an intense conviction.
This was like the right place to start that I took sabbatical from that job and just worked on it full time. I thought about it from many different angles. And it was funny. Two and a half years ago, I would meet people and they would just be like, isn't this a solved problem? I don't get it. Doesn't, like, so-and-so company already do this?
And I would just constantly just be like pushing back and saying, no, have you actually looked at the guts of what gets deployed and like what happens? No, people are just buying things and nothing is actually like solving the problem.
Let's dive into the MVP or what you would consider the MVP. Maybe it's when you're building internally or maybe it's after. Tell me about that and how you put it together, what sort of tools you're using and how long it took you to build.
So the MVP was born from this, what is like a really obvious, like tactical problem or pain point to solve and how do you get there? And so like in our space, if you think about all of the context and the data necessary to even begin to like build scalable access, it's overwhelming, right?
And so then you scale back and you say, what is a way we can solve the problem knowing everything and having all the context would in a faster time to value? And that's this concept of just-in-time access. How do you just patch through access that's very time-based, that's very role-specific for a period of time that's tied to very specific events?
And in our case, that was building for syncing with on-call schedules. This is like... huge pain point for a lot of engineering teams. You're on call, all of a sudden some production system goes down that you may or may not have been granted access to at some given point in time. And now you're on the hook to figure out how am I getting access to this? Am I making a ticket? Am I pinging my manager?
And all of that got distilled into a very simple entry point. And when we would show it, people would be like, oh my God, I get it. You know what I mean?
OK, so with any MVP, right, you got to make certain decisions and tradeoffs. OK, when you're when you're building a product, when you are making choices about the features you're going to lean into first and how you're going to go about it. So wrap that into technical debt or feature cut or approach and those things. And they're hard to work through.
Tell me about some of those decisions you had to make and how you coped with them.
Oftentimes when people think like you're a product first organization, I think that means like you're just building stuff and it's just as important what you don't build early as what you do. When I think about where our products and vision really shines, it's in organizations that are incredibly large and complex and really basically need this firewall for like access, right?
They need to be able to understand the complexity with which different entities are moving around and what they have access to. And that can get very complicated very quickly on the edge cases and how you implement least privilege for those things, right? We had to make some decisions on, one, who can we sell to in the early days, even though we know that this is where we're headed?
And where can we provide value in a more direct fashion? So what that ended up looking like was saying no to certain integrations or very complicated workflows.
And coming back to this concept of JIT, this concept of here's actionable least privilege, here's like actual reporting we can show you on like mission critical systems you have today, even though you may have like thousands of applications you want to cover.
And then really tying that back to looking at our like cohort of early customers and making sure it resonated with all of our other customers who are in the same direction and looking for the same sort of like product vision.
This episode is sponsored by CacheFly. The web is a competitive place, and if your site delivers its content pixelated, slow, or not at all, well, then you lose. But that's where CacheFly comes in. CacheFly delivers rich media content up to 159% faster than other major CDNs.
Through ultra-low latency streaming, lightning-fast gaming, and optimized mobile content, the company offers a variety of benefits. For over 20 years, CacheFly has held a track record for high-performing, ultra-reliable content delivery.
While competitors call themselves fast or use cute animal names, only CacheFly holds the record of being the fastest and serves customers like Adobe, the NFL, or Roblox, where content is created by users and must be delivered in real time. For the first time ever, Code Story listeners can get a 5TB CDN for free. Yep, you heard that right. Free. Learn more at CacheFly.com slash CodeStory. That's C-A-C-H-E-F-L-Y dot com slash CodeStory.
This episode is sponsored by Kiteworks. Legacy managed file transfer tools are dated and lack the security that today's remote workforce demands. Companies that continue relying on outdated technology put their sensitive data at risk. And that's where Kiteworks comes in. Kiteworks MFT is absolutely the most secure MFT on the market today.
It has been FedRAMP moderate authorized by the Department of Defense since 2017. Through FedRAMP, Kiteworks' level of security compliance provides a fast route to CMMC compliance, saving customers time, effort, and money. Kiteworks MFT makes it easy for users to send automated or ad hoc files via fully integrated shared folders and e-mails.
Administrators can manage policies in a unified console and create custom integrations using their API. Did we mention it's secure? The level of security with the Kiteworks solution is rare to find. Step into the future of secure managed file transfer with Kiteworks. Visit Kiteworks.com to get started. That's K-I-T-E-W-O-R-K-S dot com.
Let's take that point then.
You've got the MVP and it's built, right? Let's move forward. Let's progress forward with the product and the company. How did you mature it from that point and progress it? And I'm curious about, you know, roadmap, right? I'm curious about how you built your roadmap and what sort of criteria you're using to figure out, okay, this is the next most important thing to build or to address with Opal.
To me, like the way I think about this philosophically is it comes back to positioning. So access touches a lot of different stakeholders in an organization and a lot of different departments and economic buyers. Like you can think that if you just think about it, right, like access is about it's a workforce issue, right? It's not just like directly security or engineering issue.
It's also a security issue. It's also a compliance issue. When we think about our positioning and what's unique about us at Opal Security is that we are a security company first and foremost. And that means that like from day one, we have to build a lot of trust and that has to show through in our features.
So we made very specific choices on what we would prioritize from that perspective, such as being able to work in hybrid environments, because we knew that even as a small company, if we wanted to be the backbone of people's access management and least privilege like infrastructure that they needed to feel like they could manage us entirely and work in these complex environments.
Another example of this is like building in our back in our product itself, which is something that you will often see in like B2C or product led companies gets left until way too late.
There's like these things that I think got prioritized very early on the integration side, just like doubling down and like the cloud security space and building like really first class native integrations into the hyperscalers because we knew that while folks wanted to figure out what was happening in like their lower priority SaaS applications today, they had no visibility or ability to remediate in these mission-critical production systems. There's no vendor serving that. It was flowing directly from that positioning again. What does it mean to be a security and infrastructure company solving access? And then once you've got that, you can start to engage and think about what do the other stakeholders need?
The user experience is really important if you want to have that data and that coverage. And so talking to our customers, understanding how important it was with them, working with them and making these parts of the roadmaps possible. a partnership helped us sequence. I will say that in the early days, as much as you want data, like sometimes it's just not there.
And also as you're figuring out who you're selling to and who your power users are, you're going to get a wide variance of feedback until you tighten that up. So there is like an element of like art versus science to it as well. You just have to spend some time using your own product. We dogfood our product here internally and just talking to people and like really digging in.
Even if somebody says I need X feature, like trying to get behind that and say, what are you actually trying to solve for? And let's be creative about it.
You know, you said you said we a few times. I'm curious about team. Right. How do you go about building your team? How did you and how do you and what do you look for in those people to indicate that they're they're the right people, the right horses to join you?
It's very much being self-aware enough about who you are and building a team that's complementary to your own blind spots, as well as folks who amplify you. In my case, I would consider myself a fairly spiky individual. And so I knew that I would naturally gravitate towards other folks who spiked in certain areas, right?
Who were just like incredibly good at whether it was because I'm a technical leader, engineering, or sometimes like on the sales side and building a team that like when you have a lot of personalities, you also need to like make sure you're building the infrastructure for like good communication, for good understandings.
Early stage companies are largely built by sort of bad students, good test takers on across every department. And you need to like be very comfortable with that, maybe be a little bit like that yourself to let people run around the field and do their thing and like basically figure it out with you and experiment, and be very comfortable not waiting for like marching orders.
The other thing, and this kind of touches into how we're talking about roadmap, is obviously we built very critical infrastructure. Building a team that had the experience to know what they were building was also very important, because this is a product that requires a lot of trust and understanding.
So having a balance of those two things keeps the pace of execution going, but also the experience of having seen things before.
Hello? Welcome to the Data Analytics Club. Do you know the password? No, didn't know there was one. Do you know how to code? Uh, no. Do you know how to query data? Like, ask a question? I guess not. Hmm, I see. Then you can't be in this club. Sorry. Goodbye. Don't be left out of the analytics club. ClearQuery is the analytics for humans platform.
With their full suite of features, you can go from data ingestion to automated insights seamlessly. ClearQuery provides you with the information you need without requiring you to do the heavy lifting. Their Ask ClearQuery feature allows you to ask questions in plain English, helping you find relationships and connections in your data that may have previously gone unnoticed.
You can even visualize your data with presentation mode, taking your data storytelling to the next level. Pricing is based on storage, not licenses, and that ensures that you get the most bang for your buck. Don't miss the opportunity to simplify data analytics, your data analytics, with ClearQuery. Get started today at clearquery.io slash codestory.
Let's talk about scalability. So you're critical infrastructure, right? You're integrated into the thick of things. So I assume that scalability is important to a growing business, period. But I assume it was important to you in the beginning. But I'm curious, was it built to scale efficiently from day one or with scale in mind? Or are there areas where you've had to fight it as you've grown?
It's a balance. And I would say from day one, there was this notion of scale in mind. And at the same time, like recognizing when you're making one way decisions versus two way decisions. There are things you do early on, especially on the engineering side that like could be construed as tech debt. But you have to make those calls so that you can get to the next milestone.
There is like a small bucket of decisions, I think, architecturally that matter a lot, and it's very important to get them right from day one. So in our case, if you look at how access products have been built in the past, none of them have really been built for hyperscale or complexity. They're not really built to have flexible data models.
This idea of context or being able to be flexible between role-based access control or attribute-based access control, it's quite difficult. And then the other thing is there's latency on all these things, whether it's requesting access or knowing who has access in real time. There's just not been systems that have been built from the ground up.
And some of that is just as a result of the fact that some of these companies and products are from a different era. But this idea of being built for scale was always like very top of mind and being able to be flexible enough on the data model. And that's where it's worth like putting in the investment. That's how we think about it, like from day one. And so that's where we didn't compromise.
On the rest of the stuff, it's very case by case. Sometimes it's better to have something done than have something perfect. And you make that call by, again, understanding what your core strengths are as a product. Our core strengths are reliability, accuracy, speed, and data. So that's where we wouldn't compromise architecturally and continue to make the investment to improve.
So UK, as you step out on the balcony and you look across all that you've built, what are you most proud of?
I would say the team, first and foremost, like I wake up every day and I'm just like, I can't believe that these people chose to like come here and work this hard with me, basically. That's first and foremost. I think the second thing is a lot of the things we've talked about as a product, and I don't say this as like a diss on us, but they are just how you think about good system building to scale across many things. We've seen the entire DevOps space, like CI/CD, mature as an industry in the last 10 years. And a lot of that just came from this idea of good engineers thinking very carefully about what reliability and infrastructure look like there.
And I think that we're starting to get to a point where people understand this is necessary in identity and access as well. Right.
And I'm really proud of the fact that as a market, there has been enough maturity over the last couple of years that people are starting to stand up and take notice of that and are now thinking about this problem from this perspective, as opposed to, oh, I'm building a ticketing platform that's going to allow me to have this one workflow for everything.
Let's flip the script a little bit. Tell me about a mistake you made and how you and your team responded to it.
On the product and eng side, there have definitely been things I look back and I say, I shouldn't have prioritized that. For example, there's this class of ill-fated UX redesigns, which are incredibly painful and very resource intensive that I think back to and I'm like, man, it just feels like the team was on a merry goose chase for three months.
In terms of how you respond to it, my perspective on things like this is honesty is the best policy. You own up, you explain why you made the decision you made, you explain how we got to this point, why it's and just open the space for feedback and how as a team, we won't find ourselves in similar positions. How can we learn from these things? The reality is you make a lot of mistakes.
The question is, do you make the same mistakes over and over again or are they learning opportunities?
This will be fun. What does the future look like for the product and for your team?
Up to this point, from a product standpoint, we've talked about data ingestion and workflows and things like that. What really gets me excited about this space is this idea of really building this intelligent layer to calibrate access. We now have pretty good self-driving technology, right? And it's wild if you stop and think about it.
We have cars that drive themselves and they're able to navigate these incredibly complex environments and respond in real time to them. And a huge amount of that is a result of the fact that LIDAR technology allowed us to capture a ton of information and actually start to figure out how to model all kinds of heterogeneous environments.
I think there's something similar that happens in access and identity, that if you can really nail the ability to create a ton of context and data, then you can actually start to build out the automation layer for real, basically. I think that's like a very unique opportunity. It's something like I feel like technologically is where the industry is headed to.
If you follow like anything that's happening in the big AI companies, there's a lot of discourse around security and specifically access management and how you calibrate that and how that grows flexibly and how you feel like you actually understand what's going on. I'm excited to see this industry take that leap in that direction.
It's just it's been so primitive right now from a technical perspective that there's just a ton of foundation you have to lay down.
Let's switch to you. Who influences the way that you work? Name a person or many persons or something you look up to and why.
My first team, like the leadership team, does influence a lot of the way that I work. I really enjoy working with whether it's my sales leader, marketing leader, engineering leader, and then really seeing how they bring their own leadership styles and manage their teams.
I also, I think, look up to certain like industry founders that I think were willing to do like the hard work, like really roll up their sleeves and figure things out. I'm a big fan of Databricks as an organization. I think they had like kind of an interesting early journey. And there's a lot of similarities. They had a very technical team and then they had to figure out how to build a business.
And I think they did. And a huge part of that story, it does feel like it's just like being willing to recognize what you don't know and embrace it and just learn things. I would say that I'm fortunate to have a lot of role models and people to look up to in various aspects. And I try to be self-aware.
I think it can be hard sometimes when you're in the zone, but I don't know, I feel like I'm still learning.
UK, last question. So you're getting on a plane and you're sitting next to a young entrepreneur who's built the next big thing. What advice would you give that person having gone down this road a bit? Like they're on the plane. They're excited. They can't wait to show you the product right there. What are you going to tell them?
It's a weird job. Like nothing preps you for it. There's nothing you could read. There's no one you could talk to. And you can feel very self-conscious about all the mistakes you're going to make and all the things you do. And I think the thing that helped me the most and the advice I got was just being reminded of that. You don't have to know how... everything works.
You're not going to be able to know how everything is supposed to be. I remember when I was earlier in my career, I would think to myself, oh, I have to become like a C-level somewhere to be able to start a company. And the reality is, even if I had done that, I would still not be prepared for it, the level of like ambiguity and the questions and open-ended questions and mistakes I would make.
And so just being really comfortable with the fact that you're just constantly going to be learning and, and not lose that enthusiasm or excitement, I think is like the most important thing.
That's fantastic advice. Well, UK, thank you for being on the show today. Thank you for telling the creation story of Opal Security.
Thank you. Thanks for having me.
And this concludes another chapter of Code Story. Code Story is hosted and produced by Noah Labhart. Be sure to subscribe on Apple Podcasts, Spotify, or the podcasting app of your choice. And when you get a chance, leave us a review. Both things help us out tremendously. And thanks again for listening.