Take Over, Bos’n!

Eleven years ago, Danny Lewin was murdered.

This is a story from before that — and how Danny inspired me to change the web.

It starts about twelve years ago. Akamai had just launched EdgeSuite, our new, whole-site content delivery product. Instead of having to change the URLs on your objects to start with a7.g.akamai.net/v/7/13346/2d/, you could just CNAME your whole domain over, and we’d deliver everything – even the HTML. It was revolutionary, and would power our move to application delivery.

But Danny wasn’t satisfied with that (Danny was rarely satisfied with anything, actually). I’d just become Akamai’s Chief Security Architect – mostly focusing on protecting our own infrastructure -– and Danny came to me and said, “What will it take to convince banks to use EdgeSuite?”

I’ll be honest, I laughed at him at first. We argued for weeks about how paranoid bank security teams were, and why they’d never let their SSL keys be held by someone else. We debated what security model would scale (we even considered having 24×7 security guards outside our datacenter racks). We talked about the scalability of IP space for SSL. Through all of that, Danny was insistent that, if we built it, the market would accept it – even need it. I didn’t really believe him at the time, but it was an exciting challenge. We were designing a distributed, lights-out security model in a world with no good guidance on how to do it. And we did.

But I still didn’t believe  not the way Danny did. Then came the phone call. I’d been up until 4 am working an incident, and my phone rings at 9 am. It’s Danny. “Andy, I’m here with [large credit card company], and they want to understand how our SSL network works. Can you explain it to them?”

I begged for thirty seconds to switch to a landline (and toss cold water on my face), and off we go. We didn’t actually have a pitch, so I was making it up on the fly, standing next to the bed in my basement apartment, without notes. I talked about the security model we’d built – and how putting datacenter security into the rack was the wave of the future. I talked about our access control model, the software audits we were building, and our automated installation system. I talked for forty-five minutes, and when I was done, I was convinced – we had a product that would sell, and sell well (it just took a few years for that latter half to come true).

When I got off the phone, I went to my desk, and turned that improvisational pitch into the core of the security story I still tell to this day. More importantly, I truly believed that our SSL capability would be used by those financial services customers. Like Danny, I was wrong by about a decade – but in the meantime, we enabled e-commerce, e-government, and business-to-business applications to work better.

Danny, thanks for that early morning phone call.

“When you’re bossman” he added, “in command and responsible for the rest, you- you sure get to see things different don’t you?”