From Burning Servers to Enterprise Resilience The Evolution of Internet Security With Akamai
In this eye-opening episode of SecureTalk, host Justin Beals welcomes Joe Gronemeyer, Solutions Engineer at Akamai Technologies, for a masterclass in how internet security has evolved from basic content delivery to sophisticated edge protection powering 30% of global web traffic. From stories of literally burning servers in 1999 to today's quantum-resistant cryptography, this conversation tracks the incredible journey of cybersecurity infrastructure.
### Key Highlights:
- **The Birth of Edge Networks**: How Akamai transformed from emergency content delivery savior to cybersecurity powerhouse
- **Massive Security Scale**: Processing 26 billion web attacks monthly and analyzing 7 trillion DNS queries daily
- **Zero Trust Evolution**: Why identity-aware proxies are replacing traditional VPNs for enterprise security
- **Micro-segmentation Explained**: Creating "mini-firewalls" at every endpoint to contain breaches and limit attack radius
- **Bot Attack Revolution**: The evolution from simple DDoS to sophisticated credential abuse and account takeover attempts
- **API Security Challenges**: Why APIs have become the new security frontier as other defenses improve
- **Client-Side Security**: How PCI DSS v4 is forcing new approaches to JavaScript security monitoring
- **Quantum-Resistant Future**: Akamai's implementation of NIST-approved quantum-resistant cryptography
### Notable Quotes:
"If you had our auto rules applied during the Log4J incident, you wouldn't have had to take any action during Christmas - it would have been protecting you automatically." - Joe Gronemeyer
"At some point I think it was in 2011-2012, is when we would start looking at the traffic coming in and protecting websites from attacks as well. So applying security at the edge, keeping the bad actors away from your servers." - Joe Gronemeyer
### About Our Guest:
Joe Gronemeyer serves as a Solutions Engineer at Akamai Technologies with nearly a decade of experience. Previously, he spent 13 years at Accenture as a Senior Manager leading digital solutions for Fortune 500 companies across pharmaceuticals, consumer goods, and telecommunications industries. He holds a BS in Industrial and Systems Engineering from Georgia Tech and is CISSP certified.
### Resources Mentioned:
- Web Application Firewall (WAF) technology
- Zero Trust Network Access (ZTNA)
- Enterprise Application Access
- Client-Side Access and Compliance (formerly Page Integrity Manager)
- OWASP Top 10 for web, API, and AI security
- PCI DSS version 4 compliance requirements
- NIST standards for quantum-resistant cryptography
*Don't miss our next episode where we'll continue exploring cutting-edge cybersecurity approaches for enterprise organizations.*
#EdgeSecurity #ZeroTrust #MicroSegmentation #APIProtection #WAF #PCICompliance #QuantumCryptography #CyberDefense
Justin Beals:
Hello everyone, and welcome to SecureTalk. I'm your host, Justin Beals.
Back in 1999, I found myself at the center of what was about to become an internet crisis. Herbalife, the supplement company, was being featured in an upcoming 60 Minutes segment. Concerned about how they might be portrayed, Herbalife had negotiated something unusual. They would own a second, complete recording of the entire interview. 60 Minutes didn't think much of it.
But Herbalife was plotting something unprecedented. They wanted to release the entire unedited interview online before the 60 Minutes broadcast aired, essentially scooping one of television's most-watched news programs. The task of making this happen fell to me. This was 1999. Remember, streaming video online was barely a concept, let alone a common practice.
I built a server, connected it to the internet, and created a URL where people could access the video. When word got out that the full interview would be available, the demand was astronomical. Millions of people tried to access the video simultaneously, and our infrastructure simply couldn't handle it. I am not speaking metaphorically. When I say the server caught fire, there was actual smoke coming from the hardware as I desperately tried to serve this content to the masses.
In a panic, I reached out to a company I'd only recently heard about, Akamai Technologies. They had this revolutionary new concept called edge networking that could distribute content across multiple servers around the globe. Within hours, they had implemented a solution that not only prevented our hardware from literally burning up, but made the video accessible to everyone that wanted to see it.
What Akamai offered back then was revolutionary. The concept of distributed computing that could handle massive traffic spikes without failing. Before cloud computing became mainstream, before resilience was a cybersecurity buzzword, Akamai was pioneering the idea that internet infrastructure should be robust enough to withstand any surge in demand.
They were building cyber resilience before most of us even understood we needed it. 25 years later, that same company powers approximately 20 to 30% of all web traffic globally. They've evolved from content delivery to becoming one of the leading cybersecurity providers in the world. The scale of their security operations is staggering.
Akamai recorded over 108 billion API attacks in just an 18-month period from January 2023 through June 2024. In June 2024 alone, they observed more than 26 billion web attacks against applications and APIs. Their security team analyzes more than seven trillion DNS queries per day, proactively identifying and blocking threats, including malware, ransomware, phishing, and botnets. While most of us are enjoying our Christmas holidays, their security teams are deploying automatic protections against threats like Log4j vulnerabilities.
Their technology sits at the edge of the internet, monitoring traffic patterns and deploying defenses against everything from DDoS attacks to sophisticated bots attempting account takeovers. Today, we're joined by someone who plays a crucial role in bridging the gap between Akamai's powerful security solutions and the enterprises that need them.
As a technical account manager for nearly a decade, our guest helps Fortune 500 companies navigate the complex world of cybersecurity products, selecting the right protections and ensuring they achieve maximum value from their security investments.
Joe Gronemeyer serves as a technical account manager at Akamai Technologies with nearly a decade of experience in his current role. Based in Atlanta, Georgia, he specializes in leading global teams to deliver complex web-based applications for Fortune 500 companies across pharmaceuticals, consumer goods, and telecommunications industries.
Prior to Akamai, he spent 13 years at Accenture as a senior manager, where he led digital solutions delivery and served as the global Oracle Web Center lead. His notable projects include work with Merck, Procter & Gamble, whose decision cockpit project received recognition in Harvard Business Review, Pfizer, and JP Morgan Chase. Joe's expertise spans project management, solution architecture, risk management, systems integration and stakeholder management.
He holds a bachelor of science in industrial and systems engineering from Georgia Tech and is CISSP certified. Join me as we explore the evolution of cybersecurity from simple firewalls to sophisticated edge computing and zero-trust architectures with someone who helps enterprises implement these technologies every day.
—
Justin Beals: Hey everyone, and welcome back to SecureTalk. I have the deep pleasure of introducing you to a very good friend of mine, Joe Gronemeyer. Joe, thanks for joining us on the podcast today.
Joe Gronemeyer: Thanks for having me. I've really been impressed with what you've done with this ever since you've taken over.
Justin Beals: We're friends. We've been friends for a long time. Part of the reason we're friends is that we both have worked in tech for a long time. I beg you to come on the podcast because we keep going on these bike rides where we talk about the tech industry a bunch, and I really wanted to share with folks some of the things I learned from you. Are you comfortable taking it out of the bike race?
Joe Gronemeyer: We'll see where this goes.
Justin Beals: So, you are, actually, help me with your complete title at Akamai. What's your title there?
Joe Gronemeyer: Well, it just changed. I'm in pre-sales as a solution engineer, engineer solutions. I can pronounce that. Yeah.
Justin Beals: I know before this gig, you were a tech consultant for many years at Accenture, right?
Joe Gronemeyer: Yeah, I was at Accenture for a very long time saw that place evolve quite a bit and trying to think I was in their global architecture group, the information management group kind of when things were first starting to talk about structured and unstructured data and bring that together. And then I switched over to this.
Justin Beals: Yeah. Did you start at Accenture out of college?
Joe Gronemeyer: I did.
Justin Beals: You have the benefit of a computer science degree?
Joe Gronemeyer: No. I have an industrial engineering degree.
Justin Beals: Wow, I didn't know that.
Joe Gronemeyer: You had no idea?
Justin Beals: No, I thought for sure you were a computer, a CS degree.
Joe Gronemeyer: So I thought about getting a computer science degree. And I decided against it because I didn't want to sit in front of a computer all day. That didn't work out very well, but that was my decision process.
Justin Beals: You had a bad computer experience early on.
Joe Gronemeyer: No, I just wanted to get outside, see a little bit more away from my desk.
That was the plan.
Justin Beals: Yeah, I think both jobs wound up in front of a computer a lot.
Joe Gronemeyer: That didn't go according to plan.
Justin Beals: So did you wind up at Accenture right after school then?
Joe Gronemeyer: Yeah, I even interned there even while at school. Yeah. Yeah.
Justin Beals: No, that's epic. So seeing as how you weren't necessarily interested in a computer science degree, were computers a big part of your life as a kid? Played video games a lot? Programmed at all?
Joe Gronemeyer: Yeah, no, it was. I mean, computers always were of interest. It's just, I didn't think I wanted to be in front of a computer screen, but yeah, I mean, growing up, it's all the classic stuff, having a computer, having access to one at an early age, video games, trying to get them to work, which has really kind of got me into, you know, the inner workings of computers.
I kind of wonder how kids approach that today since things are so much easier.
Justin Beals: Yeah, I certainly there's a lot of me missioness around the idea that, you know, the us older computer users want to store stuff locally on our hard drive and no one else seems to care about that or how to take it apart and put it back together, which I think we were really curious about.
Joe Gronemeyer: People don't want to do that anymore. Okay.
Justin Beals: I mean, I think, no, I think, yeah, I talked to my, you know, my family's children, my, perhaps nieces and nephews. And yeah, they're not as interested in the programmatic aspects of what makes the computer tick. I think they perfectly accept it, right? Yeah. Yeah, for sure.
Joe Gronemeyer: They don't even know what the little disk icon for saving is anymore, right?
Justin Beals: Well, that's a lost cause. Yeah. Yeah. The five and a quarters aren't coming back for us.
Joe Gronemeyer: Five and a quarters? Yeah.
Justin Beals: Three and a halfs?
Joe Gronemeyer: Three and a halves. We even had some 20 inches back in the day, but we had really big 20 inch at my dad's house. Yeah. They were gigantic, but yeah.
Justin Beals: Well, speaking of time in computing, Akamai as a company has been around for a long time. And I always, I love telling the story of how I first ever experienced Akamai products. It must've been 1999 and we had, Herbalife, the supplement company, had done an interview with 60 Minutes, and somehow, they had negotiated with 60 Minutes that they could keep a copy of the tape that had been recorded there, and they wanted to preempt 60 Minutes with their own video of the full recording by releasing it on the internet for free, and no one had really released an hour-long video on the internet for anyone to use.
And we loaded it up on, a rack mount computer and, on a fairly, you know, bandwidthy, you know, maybe like a T1 type thing. And it's the only time I've ever actually burnt a computer would we burn it. Cause it was working so hard to keep up with the traffic. And I called Akamai that night and I said, Hey, we have a real problem. We need to distribute this video to millions and millions of people that want to watch it.
We got to get it out before 60 Minutes. They were like, we have just the solution. And that's where I learned about edge networking. Yeah.
Joe Gronemeyer: I had no idea that you were using it that early on because they weren't around that long at that point.
Justin Beals: Yeah, they were very new. But even the content on the edge and the infrastructure work that they were doing was like super helpful. And obviously we were also pressure testing what the internet could support at the time ourselves. Yeah.
They swooped right in. They were great.
Joe Gronemeyer: That was well before my time, but it does remind me of a story I heard. I think it was when the Star Wars trailer came out, when Star Wars was coming back into the theaters.
Justin Beals: After the first three?
Joe Gronemeyer: After the first three. And I think for every website that hosted it went down except for one, which was on us. I think that was actually Entertainment Tonight, oddly enough, if I remember correctly. But yeah, that was a surprising thing.
Justin Beals: Maybe I'd love for you to give us like your perspective on what the Edge network product is today.
Joe Gronemeyer: Well, it's been evolving quite a bit. You know, we started off with what you're talking about with the delivery network, and they've evolved that over the years where it's more and more distributed. I think we have about 4,400 points of presence and 1200 different networks, so highly distributed, and, you know, at first it was all about bringing your website or your movies or videos to the customers, yeah, or end users. But then, you know, at some point, I think it was in maybe 2011, 2012, is when we would start looking at the traffic coming in and protecting the websites from attacks as well. So applying security at the edge, keeping the bad actors away from your servers. You know, the entire security space just continued to evolve, and more and more types of security controls along with that.
And more recently, we're getting more into the cloud space with distributed cloud. For a while there, we were calling it Gecko, globally edge compute. I think we're changing the terminology a little bit, but it's going to be a highly distributed cloud as well.
Justin Beals: I think there's two major factors in here in the market adjacencies from a business perspective for Akamai really interesting to me. You know, networking or a network-style infrastructure or a content delivery network.
That's a resiliency type issue, right? Like we survived a DDoS attack or, or, you know, even just a poor planning type of issue where we didn't plan for enough bandwidth, you know, for the type of requests that we would get, and Akamai allows that to scale quite easily. But then, I think you move into the security side, right? Because you're at that interface. So you start locking down how the systems are supported in a really effective way.
Akamai, so 2011, 2012 started bringing security products to the mix, but it's a big part of the business today, security products for Akamai, isn't it?
Joe Gronemeyer: I think it's the biggest part of our business. Maybe I should listen to our earnings calls more closely, it just became, may have eclipsed the delivery side at this point.
Justin Beals: Wow. Yeah. Certainly, because you're obviously a shareholder, you might want to pay attention to those things.
Joe Gronemeyer: I have confidence in leadership. Yes.
Justin Beals: Well spoken for the board.
Joe Gronemeyer: I'm very confident they'll make all the right decisions.
Justin Beals: I do have to say I am a big fan of the company. I do think they've been super smart and scientific and really pragmatic and the products they deliver. And I know I haven't bought all of them, but they've always performed for me at a, you know, at the level or above that were my expectations. So, I am, I like them because I also think they have a sense of ethics in the way they build product and deliver it. You know, they're very plain spoken and factual about what it doesn't, doesn't do. It's gotta make your job as a technical sales leader a lot easier just to have that confidence in the conversation.
Joe Gronemeyer: Oh Yeah, No, I certainly appreciate that as well. There is no pulling the bull over people's eyes. It's very upfront about what we can do and how we can support you. Like resiliency has always been a key thing for us. Yeah.
Justin Beals: So, I'm a little curious about some of the products that Akamai provides, the security products, for example. One thing that seems to be a thread in some of these security products is zero trust. And we have a hard time describing zero trust, you know, to each other a little bit.
I'm curious how, like, do you have customers that come to you and ask for products that adhere to Zero Trust? Are you explaining to them the value of Zero Trust or is it 50-50?
Joe Gronemeyer: It could be 50-50. That is a key part of our business. And it's not one that I focus on, but it is one where, we'll tee up conversations and get in people that do specialize on that. Cause it's a little bit more of an approach versus, you know, product set.
Although we do have products that fit into that. I don't know if you've been looking around at.
Justin Beals: The one that a couple of them stood out to me. One is the enterprise application access.
Joe Gronemeyer: ZTNA.
Justin Beals: Yeah. Identity management type of work. Or is that different?
Joe Gronemeyer: It's a little bit different. It does have some identity management built into it, but it's not as robust as the peer plays with identity and access management.
And I was calling it ZTNA. Zero Trust Network Access is Enterprise Application Access, the product name. But that's the space. Another way of framing it is it's an identity-aware proxy. So we have to know who you are to let you in.
Justin Beals: Oh, this is similar to a VPN-type solution that we might set up. Is that right?
Joe Gronemeyer: Well, a VPN is a little different in that, you know, generally speaking, a VPN, you might need a login, but you have access to the entire network.
So that's no longer zero trust. You get access to the full network. With the identity-aware proxy, we're authenticating you against each application as well.
Justin Beals: I see. So the identity management is happening throughout the chain of network requests as opposed to at one gate. Like we might do on a VPN into an intranet system. That's intriguing. So that must pair well with like the enterprise compute type of issues where you're hosting application or software, and need to work through management or some amount of infrastructure for computing products.
Joe Gronemeyer: You can certainly apply it to your own compute, apply it to your on-prem. You can apply it to our compute. Yeah, it gives you a consistent way of managing ZTNA across all your environments.
Justin Beals: So another product that I was really curious about at Akamai is the WAF product.
I think it stands for wide area firewall or web application.
Joe Gronemeyer: Web. It's web application firewall.
Justin Beals: Tell how often I've actually bought these things because when I have ever done any firewall work, it's mostly like I log into the web server, do a little configuration on the routing table and the port management, and then it's done. I assume it's a much different type of product at scale.
Joe Gronemeyer: Yeah. Well, you're talking about, like, in like an OSI model layer three. So the network layer. Right.
A WAF, you know, web, is about the application layers, web application firewall. Okay, and that's layer 7. So it's really focused on web traffic, port 80 and 443. You're not really doing a lot of important protocol management. Can't do some allow lists. Yeah, the firewalls is, I mean, you tell me, that's more like
Justin Beals: It's more about forcing encryption, but you pretty much let, yeah, 'cause you're like, so I'm not gonna, I'm gonna force everything on the port that runs a certain level of encryption, right? And no traffic can go on any other port. Or maybe I have a web application, and so I wanted it to come in over port 8080. So I pushed them to, you know, a TLS encryption. Not 80, like no HTTP access to that application. But that feels, you know, very rudimentary because it doesn't, I don't care how much traffic is coming through 8080, I don't care how that traffic is modeled or whether or not I really trust that traffic or not. I'm just willing to accept that it's using encrypted protocols.
Joe Gronemeyer: Well, I would say it's more fundamental because you still need that. You still need to have your firewall because you're designating what you're allowing in at the port and protocol layer. At that network layer. And the IP address layer. Yeah. So you're still blocking and allowing traffic. In fact, when we talk about zero trust, we apply that same concept down to the individual endpoint with micro-segmentation. So it's almost having miniature firewalls.
Every single endpoint inside your environment when you look at micro-segmentation. So, huh? Kind of jumping around a little bit there, but web application firewall is different from a firewall, yeah, that you're looking more at the web traffic, and we're inspecting that, and the attacks that might be associated with that, but you can also apply a similar concept with the firewalls to micro-segmentation.
Justin Beals: Yeah. One of the things that I think is interesting about Akamai data that they store and the products that they build is the inter-reliance on it. One time you told me that there's a percentage of internet traffic that runs over Akamai network per day. And I thought it was fairly large. Do you remember what that number was?
Joe Gronemeyer: Yeah. It varies. When we're looking at the web traffic, it's about, my understanding, 20 to 30% of web traffic blows through us.
And then, you know, we are very, like you said, enterprise business oriented. When you start whittling that down, it's even a higher proportion. Yeah.
Justin Beals: That's a lot of the internet traffic. Yeah. I mean, it's a massive amount. You've got to be one of the largest. They ever tell you that? Whether you're one of the leaders or?
Joe Gronemeyer: I would imagine so. I think there's a lot of ways to slice up how traffic flows. Sure. Yeah. Certainly the ISPs that are doing a whole different thing.
Justin Beals: I guess like a nation-state level even. That's really fair.
Joe Gronemeyer: Yeah. I would imagine, you know, in our space. Yeah, for sure. Yeah.
Justin Beals: So we talk, you know, I've been working in machine learning and I know you've been building applications for a long time. And so we've been interested in how data science powers some of these products. That network traffic has got to help Akamai in the types of security products that they offer.
Joe Gronemeyer: Yeah, that's one of our differentiators as well. Not only like when we're talking about the WAF and figure out how do we block against an application layer attack, which might be a SQL injection, command line injection, local file include, those types of attacks, we're able to also just inspect the traffic going across the internet and detect new and novel attacks. Wow. So we also try to make it as easy as possible for people to use our WAF.
That's been a big focus for us. And part of that is being able to apply rules with a lot of trust and faith. And that's not going to have adverse impact on your site while also finding new things quickly on the internet.
Justin Beals: Because it certainly would be one thing to say, hey, we're going to look for SQL injections on any traffic that hits our web application, but it's another thing to say, you don't have to worry about the rules because we're monitoring enough network traffic to respond in a timely manner with a unique rule set for how the network is changing.
Joe Gronemeyer: Yeah. And we let you kind of lean into that, too. If you want to be really on the cutting edge and get the rules as soon as possible, and maybe you stub your toe a little bit, or maybe you want to be a little bit more conservative and wait a little bit and make sure it's, you are not going to have any adverse impacts.
Justin Beals: Before new versions are loaded.
Joe Gronemeyer: One of the more classic stories, I'm sure you heard, like the Log4j incident. That one was a few years ago, but it's a good story because it happened right around Christmas. And even cybersecurity professionals like to take time off on Christmas.
Justin Beals: Every once in while they tell me. Yeah.
Joe Gronemeyer: So if you had like our auto rules applied, you guys wouldn't have had to take any action, it would have just been protecting you automatically.
Justin Beals: 'Cause any Log4j traffic would have been halted at the WAF.
Joe Gronemeyer: Or what would you consider malicious Log4j traffic?
Justin Beals: Wow. That's brilliant. Really? I mean, I mean, it's pretty amazing. Is there another product in the security suite that takes a lot of advantage out of that network traffic that you find interesting?
Joe Gronemeyer: Yeah. I don't know if I can enumerate through all of them.
Justin Beals: You can pick your top three if you want, or your favorite.
Joe Gronemeyer: But so one area that is very challenging is managing bots. And when I'm saying bots, you know, these are bots that might be coming to your website. Maybe they're trying to do credential abuse, maybe like on a retail site they're trying out gift cards, any sort of transactional abuse, or even looking at like scraping your content on your site.
Justin Beals: I remember those from the old DDoS days, right? Like, you want to set up a big bot network to try and go take down a server or block all traffic, or confuse the traffic.
Joe Gronemeyer: Yeah. There's all sorts of different types of bots, and like you can even use bots for DDoS attacks. Right. Where you're just trying to overwhelm it with either, you know, volume of traffic or number of packets, just overwhelm the hardware, and then people can't access it.
Justin Beals: The way you describe it is getting more nuanced, right? Like they're starting to, you know, not necessarily want to be detected or be so ham-fisted in the attack.
But actually a little more nuanced to steal data or gain access.
Joe Gronemeyer: Yeah, anything that they could like maybe take over an account takeover, right? And then, if there's something behind that account, maybe they can conduct a transaction. Yeah, whether it's your e-commerce site, access to goods, but yeah, they're using bots to test out credentials as part of that account takeover. Once they test out the credential, they can either use it themselves or they can sell it to others who will then use it and commit fraud.
But yeah, there are capabilities to detect that type of transaction abuse. And then also other bots that might be scraping your site, detecting that. And then it is a bit of a cat-and-mouse game. Having that visibility into all that traffic really helps us hone in more quickly to how they're evolving and updating our detections as well.
Justin Beals: So, considering that, what do you think is the product inside the Akamai suite that is getting the most heavy uplift in adoption? And I think what I'm poking at here a little bit is what's the biggest concern when you're going in to talk to an enterprise CISO or chief information officer? What are they asking for you to help them solve?
Joe Gronemeyer: Well, I'm a little bit more in e-commerce a few times, so a little bit closer to that space. So it might be a bit more nuanced to what they're looking at. A lot of it does have to do with bots. There are also newer areas, like the WAF. That's been around for a while, so it's a little bit more mature, a little bit more stable. It's still very active, but it may not come up in as many conversations. Some other areas could be around API security.
So, as we start tightening up the controls in some places, the threat actors start looking at other areas that might not be as strictly controlled. And APIs are a whole different story as well.
Justin Beals: Yeah. We've had a lot of discussion about APIs on the podcast lately. And I think it's a little bit of the aftermath from the CrowdStrike thing because CrowdStrike's deployment method was agent-centric. And I've railed against it in a way because I just don't think that matches a lot of good security practices where you have good network segmentation.
Do you guys think about deployment models from those types of perspective for your own platforms?
Joe Gronemeyer: Yeah. And it varies across the spectrum of our offerings. So certainly starting off with our edge network, we don't have to use agents through that. And there's a lot of capabilities that we can use through that.
Basically, we're a reverse proxy and we're able to terminate TLS and inspect all the traffic and do what we need to do, whether it's looking at the bots, web application firewall, APIs. But then if you are looking at how you protect more of the enterprise, maybe your end users, maybe as they're going out to the internet, like a secure internet access, you have to have a way to get in the middle of that. Maybe that's a matter of controlling the recursive DNS.
Or if people are like on the road and you can't really control that as much, that's when we might have an agent deployed on a workstation. And then I was mentioning micro-segmentation. There's no way around it. You basically have to have an agent there as well.
Justin Beals: Yeah, I guess it's the right tools for the right job a little bit. You know, certainly I think trust comes into play. I don't know what happened at CrowdStrike because it seems like software development lifecycle processes should have halted what was a faulty code, a bug in the code that caused the outage.
I never heard any story like that out of backup line ever. Yeah.
Joe Gronemeyer: Well, let's keep it that way.
Justin Beals: And you mentioned you focus in the e-commerce space. Is there a lot of integration work happening in the e-commerce space lately? Is that why the interest in APIs, or has it just been like the next surface area that you feel like they're concerned with?
Joe Gronemeyer: I think maybe more the latter. I mean, the traffic has evolved a lot. There's a lot more APIs being used as people look at how they interact with backends, whether it's the website using the APIs to talk to the backend, maybe your mobile device could be using the same APIs, or maybe you're talking with partners and integrating with partners. How do you communicate with them? And it just turns out it's almost all APIs.
But those come with their own set of risks, and how do you become aware of that and defend against it?
Justin Beals: Yeah, I'm interested in micro-segmentation a little bit. I've only heard that term a couple of times. Can you describe for us what micro-segmentation is?
Joe Gronemeyer: Yeah, well basically at least our approach to it is that you know, we're talking about firewalls earlier.
So it's basically a firewall running on every single, every single computer, every single instance, every single container, and being able to be aware of what traffic is running between that device and another device and being comfortable that that is acceptable. And then, at some point, being able to lock that down.
And being able to only have that communicate there. It sounds kind of restrictive and it is, so a big goal of ours is to make that as easy as possible. And maybe when you begin that sort of process, you might have some really sensitive applications that you put like a, we call it ring fence, around that set of applications, almost kind of like a DMZ type concept, but just for that set of applications. So that's kind of, you know, segmented off from the rest of the network. You know, that can be applied to like helping with PCI compliance if you can prove that anything that touches PCI, it's all ring-fenced away from everything else. You know, that could be an approach for a business case as well. I'm not sure if that helps. It does.
Justin Beals: Yeah, it actually leads to a whole other question, and careful about mentioning compliance on the podcast because we're always really curious about it.
Joe Gronemeyer: I'm not much of a compliance guy.
Justin Beals: But I do think it's kind of interesting. Mostly what's interesting to me is, based upon your description of the product and the problems it solves, compliance is a question that you must get asked as providing security products to your customers.
Joe Gronemeyer: Yeah, there's actually a PCI compliance requirement that's coming into effect at the end of March. PCI DSS version four, not sure if you've heard of that.
Justin Beals: Yeah, we heard it months ago. Yeah, it's all ready to go.
Joe Gronemeyer: There are many ways that it fits into our world and some I'm not even as aware of, but one of the hot ones is, especially with retailers, is that as they're interacting with an end-user on the web and they're taking in the credit card information, they now have to be conscious about the JavaScript running on their payment pages or any page that interacts with credit cards. We've had our capabilities around that for a while now, but the PCI compliance is requiring it.
And this could be things like, I don't know if you've heard of Magecart or formjacking. Basically what we're doing is we're looking at the JavaScript saying, where is it coming from? What's it doing? And where's it going? And then as you might imagine, you have a lot of users come to your site. This all happens inside the browser. It's very hard to get that visibility. And then all that activity, how do you whittle it down to when is something misbehaving? How do we know when to act on that?
So you're talking about like machine learning earlier about like how do we whittle down that noise and present just the effective information of you might want to take a look at this event related to that JavaScript. Does that look right to you?
Justin Beals: Is this the Page Integrity Manager product?
Joe Gronemeyer: It's previously known as Page Integrity Manager. With the advent of PCI DSS version 4, we renamed it to Client Side Access and Compliance.
Justin Beals: It's gonna line up with the search engine.
Joe Gronemeyer: You'll notice a trend in our naming. It's almost becoming too intuitive.
Justin Beals: Well, though, I think this is... I'm curious if this is normal operation for you. I think you've been at Akamai for a little over two years now.
Joe Gronemeyer: I'm working on my 10th year.
Justin Beals: I'm so sorry. I think you've been at Akamai for just about 10 years now. Has compliance been a change in the way people think about buying products compared to a decade ago, or has it been common in the enterprise to consider it?
Joe Gronemeyer: Well, I mean, they always consider it. It's more a matter of, are we compliant with what they need?
Justin Beals: Akamai compliant with their requirements?
Joe Gronemeyer: As a software or kit software provider or partner, are we compliant with whatever they'd be compliant with? And now, we're helping them be compliant as well. So whether it's that we call it, well, the client side access and compliance as a mouthful, CAC, is how we refer to it. Whether it's that, helping others be compliant or maybe like the micro-segmentation as well.
Justin Beals: Being able to section off a network that is storing a very specific set of data that needs a very specific set of security around it. I mean, it's intriguing to me because I feel like I started my career a little bit in security and then left it entirely and have lately over the last five years come back to it. But a long time ago when I was at BT, British Telecom, in my first gig, I worked in the security department as a security analyst and they were like, if we didn't get hacked, you know, we had enough money last year, and if we did get hacked, then we're gonna ask for more money, Justin. And I was like, that is the most backwards way to think about security, but I guess that's where we're at.
Joe Gronemeyer: I've definitely noticed it become a lot more mature and evolved. Yeah, there's more standardized approaches to security. Yeah, no, I remember that before. It's kind of like, where does security fit in? Is that just the DMZ? Is that security, right? It's a much more refined thing now.
Justin Beals: Well, and this is something I certainly railed against. You've built enough product and done enough technology projects, start your career, the like scope is everything to success. And if you go in just buying products that you think are helpful, each of those products have an implementation. No matter how easy they are to use, there's a timeframe to roll them out. Then, you know, you're just kind of randomizing effective security practices. But if you either use a framework or some type of risk-based approach, then you can identify the major areas and at least make more valuable purchasing decisions, I think.
Joe Gronemeyer: Yeah, for sure.
Justin Beals: I'm sure at the enterprise scale, you have risk officers and folks like that that are engaged as the CISO is thinking about what the cybersecurity tools look like for them.
Joe Gronemeyer: Yeah, I don't really bump into that title as much. Yeah. But definitely a lot of CISOs. That one standard that comes up quite a bit is OWASP. Certainly with the WAF. There's also a top 10 around APIs. OK, and there's even a top 10 around AI firewall. So wow, that's new. It is new. Yeah, that keeps evolving as well. But that one's a pretty common standard that I'm bumping into a lot.
Justin Beals: Yeah, that's a very technical standard. I, you know, when I used to both get to write code and do some server deployment. I remember the server checklist that you go through for each instance. I don't...
Joe Gronemeyer: I may have been less hands-on with the infrastructure, but yeah.
Justin Beals: You know, we were working on very small teams. Yeah. Got to do a little bit of everything. I think that's what we wanted. That's what I wanted to do. What do you think CISOs are concerned with from a future perspective as you talk to them? And then vice versa, you know, maybe Akamai is working on some product or thinking about product that is about the future of security.
Joe Gronemeyer: That is a good question. You know what? I always think about it from kind of where we fit in with our capabilities. I don't remember, you know, some of the surveys with some of the top areas off the top of my head. You know, ransomware has certainly been a hot area, especially for e-commerce. I could see that. Yeah. Micro-segmentation helps with that. The idea there is that if they get in, you're able to control the blast radius. Right. Of course, we talked about bots, APIs.
Believe it or not, you know, DDoS is such a, it seems like such a brutish type of attack, but it isn't going anywhere. You kind of think that maybe it's been solved, but then it keeps coming back with a vengeance. That was very hot recently in, like, Australia and New Zealand, they were very, very much impacted last year. Yeah. Now, of course, you know, geopolitics. There's a lot of activity coming out of that.
Justin Beals: Your customers are typically enterprise customers. I think your prices are the, you know, contract values that you deal with are similar. You know, obviously I don't want you to give anything that would get you in trouble, but I think you're, you know, most of your customer contracts are above a million dollars a year, you know, or higher. These are enterprise scale engagements, right?
Joe Gronemeyer: Yeah, they can vary. Don't, I don't focus on the, the contract as much. Yeah.
They got an A.E. for that. Yeah, the account executive is the one who really hones in on that. I'm a little tertiary to it, so I'm familiar, but yeah, that's not really one of my fortes.
Justin Beals: What about you? Like personally, I'm curious about your career. You both delivered tech. And of course, I think in the essential model, you had a lot of customer engagement around the tech you were delivering.
And then now you're working on selling product but as a solutions architect. What do you think about for like the future of you? Like it seems like you could you more the sales side and continue to work that route. But I'm curious, yeah.
Joe Gronemeyer: That's a great question. I am enjoying what I'm doing. I am, I like being able to visit, you know, a lot of different customers, getting their perspective, helping them solve problems of what we have to offer.
It's been a great ride, but I'm not sure where that should go from here.
Justin Beals: I know it's always comfortable to, I think, to work in a company that has, I think, shared values around the products that they deliver too, right?
Joe Gronemeyer: Yeah. I mean, Akamai has been great like that. You were talking about the ethics coming all the way from the top. That's always been consistent, which is fantastic. We keep evolving the technology, which of course I love, and learning about new things.
And then also the approach that we take of just being able to bring it to our customers.
Justin Beals: Yeah, are there bit, I'm curious, you know, for your type of customer base, what type of events you might go to, or do you mostly show up when there's an actual opportunity and they need a solutions architect to help identify what the total purchase might look like?
Joe Gronemeyer: So I am assigned to accounts. Yeah, and I have a relationship with them. Yeah. So we're meeting with them regularly. Gotcha. I'm joining calls with them. I was just on a call with them, some of them a few hours ago.
Justin Beals: Good job, Joe.
Joe Gronemeyer: Thank you. And then we visit them as well. We tried to visit them multiple times a year just to share a lot of the things that we're talking about, how we're evolving and also hear about where their current concerns are, where do they need help, where are their initiatives.
Justin Beals: One thing I wanted to give you kudos on, not that you built this, but it certainly is something that I found very interesting in Akamai. But when I was doing research on Akamai, I noticed that you all have a fairly robust Terraform implementation. It's always a big sign of maturity for me and working with another company when they pick a standardized way of doing the integration work. It's really robust. It's a neat setup.
Joe Gronemeyer: That has been evolving a lot over the last few years. They've really been investing in that considerably. Our customers are asking for it and we're supporting them as well as we can.
Justin Beals: I mean, especially as you guys get into cloud computing tools themselves, you know, being able to deploy at scale, certainly for an e-commerce customer has got to be a big value prop for them.
Joe Gronemeyer: Yeah. Yeah. That, that I imagine that'd be a whole nother set of Terraform tools compared to the kind the original Akamai platform versus the cloud computing type platform.
Justin Beals: Yeah, maybe we'll, I'm curious about the cloud computing side thing for y'all. It feels like a little bit of a crowded space. You know, we have Azure, we have Google, which I think is running a third from an adoption perspective. I'm an old AWS user. I've used it since there were EC2 things out there. How do you, y'all must be looking at the landscape and thinking about why you over another group or where you fit versus other groups. How do you think the products on the compute side fit into the marketplace for y'all?
Joe Gronemeyer: I think, you know, we're not going to be able to compete directly with those hyperscalers. Yeah. We just don't have that type of compute capacity. It's such a crazy word, hyperscaler.
Justin Beals: It makes it seem so unattainable.
Joe Gronemeyer: Yeah. So my understanding is we're keeping our spirit of being distributed and applying that to compute as well. So we're going to, we have approximately 75 distributed locations and 25 core locations. Okay. And we're in the process of making it easy to deploy across those. Yeah. So like our VPC model is going to be very different than like Amazon or... Our VPC's going to allow you to essentially be deployed across a wide area. Yeah.
Being able to keep your data in specific jurisdictions, being able to access parts of the world that you might not be able to access in a highly performant way. Certainly, some of the early players with this around gaming, where they need very high or low latency, high performance, and they just aren't hyperscalers in certain locations. I imagine, over time, that's gonna evolve where more and more people will want that type of engagement. Then, you know, sticking to another part of our bread and butter is all the network traffic. We're able to have much more market-relevant egress pricing. Just because we already have so much egress as it is, we're able to share that with our customers.
Justin Beals: Yeah. I can see, I mean, we've gotten a lot of asks to deploy to EU, which we did and now we're considering a separate deployment to a more secure tier of cloud provider ourselves, being able to really adjust that a little dynamically from an edge computing perspective is certainly interesting. And it does seem to follow on with a trend we've seen in computing platforms to like the Lambda style object where we don't know where that thing gets run call it to run some Python code, for example. And we want it to disappear when we're done with it. So yeah, I can see an extension of that in like, I broadly have a function that broadly runs on a geographically wide network, depending on where it's being called from.
Joe Gronemeyer: I think that's right. Yeah.
Justin Beals: Wow. Really powerful. Did they ever talk about quantum computing? That's the other touch point. We can't get out of a podcast. We don't talk about AI and quantum computing.
Joe Gronemeyer: What is it, the quantum proof crypto or something? Yes. Yeah, I think, what, didn't NIST come up with a standard? They have been, so yeah.
Justin Beals: They've got a bunch of different models for building that encryption, and I think two of them they feel are robust enough for public use at this point.
Joe Gronemeyer: I haven't looked as closely maybe as I should, yeah, but certainly we're going to be supporting that with, you know, our edge network.
I know we're coming to market with applying those cryptography tools at the edge. I think it's about to enter beta. But yeah, it's following all the NIST standards.
Justin Beals: Yeah, that's exciting. Well, Joe, I really appreciate you joining me for the podcast. I hope it wasn't too terrifying.
Joe Gronemeyer: Very terrifying. You made me feel right at home, Justin.
Justin Beals: I'm glad. Yeah, I think I just want to say that I think what you do is really cool, even though you're very low-key about it. I really am a fan of, I think Akamai has set a really good corporate example for the types of businesses that I would want to do business with or work at. I'm sure we all make mistakes, but so far they just seem to have been good about building product, representing it honestly, and then delivering on a regular basis. Yeah.
Joe Gronemeyer: And then when you don't, being transparent about that as well.
Justin Beals: Yeah, that's true as well. Thanks for joining us, Joey.
Joe Gronemeyer: Thanks, Justin.
About our guest
Prior to Akamai, Joe spent 13 years at Accenture as a Senior Manager, where he led digital solutions delivery and served as the Global Oracle WebCenter Lead. His notable projects include work with Merck, Procter & Gamble (whose Decision Cockpit project received recognition in Harvard Business Review), Pfizer, and JPMorgan Chase.
Joe's expertise spans Project Management, Solution Architecture, Risk Management, Systems Integration, and Stakeholder Management. He holds a Bachelor of Science in Industrial and Systems Engineering from Georgia Tech and is CISSP certified.
Justin Beals is a serial entrepreneur with expertise in AI, cybersecurity, and governance who is passionate about making arcane cybersecurity standards plain and simple to achieve. He founded Strike Graph in 2020 to eliminate confusion surrounding cybersecurity audit and certification processes by offering an innovative, right-sized solution at a fraction of the time and cost of traditional methods.
Now, as Strike Graph CEO, Justin drives strategic innovation within the company. Based in Seattle, he previously served as the CTO of NextStep and Koru, which won the 2018 Most Impactful Startup award from Wharton People Analytics.
Justin is a board member for the Ada Developers Academy, VALID8 Financial, and Edify Software Consulting. He is the creator of the patented Training, Tracking & Placement System and the author of “Aligning curriculum and evidencing learning effectiveness using semantic mapping of learning assets,” which was published in the International Journal of Emerging Technologies in Learning (iJet). Justin earned a BA from Fort Lewis College.