Find a job that interests you. Work with people
who care.

IAM Engineer Principal

Job details

Job requisition:
174399
Location:
Providence, RI 02903
Location flexibility:
Remote
Category:
IT
Employment type:
Full-time
Employment status:
Exempt
Pay basis
Yearly
Pay range
$100200.00 - $193400.00 Annually ($48.17 - $92.98 Hourly)
Brand
UNFI

PURPOSE:
This position is responsible for the architecture, design, and implementation of the UNFI Identity and Access Management (IAM) solutions in accordance with industry and UNFI architecture and security best practices and standards. The Principal IAM Engineer stays up to date on the latest technologies, security best practices and deployment strategies both in the cloud and on premise. Core functions include assessing existing deployments for remediation efforts regarding availability, recoverability, security and cost as well as designing new solutions based on requirements gathered working cross functionally with the key stakeholders. The Principal IAM Engineer will develop and maintain reference architectures, standards and procedures, complete high level and detailed designs and implement greenfield IAM solutions. The Principal IAM Engineer is recognized as an expert in the IAM discipline, capable of highly complex cross-functional work and represents the IAM team with extensive latitude to make functional decisions.

ESSENTIAL FUNCTIONS:

Job Responsibilities (Percentage)

IAM Engineering

  • Leads UNFI IAM architecture and design efforts to meet the platform and product team requirements while aligning to UNFI IAM and security standards, controls and governance structure
  • Leads design of IAM solutions such that they are resilient, highly available, fault tolerant and recoverable from disaster or ransomware
  • Collaborate with architecture teams, IT teams and operations teams on design, tool selection and operations for enterprise projects
  • Responsible for identifying, designing, and implementing IAM requirements for on-premises, SaaS, IaaS and PaaS solutions
  • Responsible for designing solutions adhering to zero trust principles to prevent unauthorized access to the on-premises and cloud systems
  • Leads design and management of identity federation, Single Sign On and Multi-Factor Authentication, including external users
  • Leads design and implementation of solutions and systems for Automated Identity Lifecycle Management, Identity and Access Governance and Automated Provisioning
  • Leads design and rollout of tools and processes to manage privileged access for humans and non-humans meeting security standards
  • Research and recommend new IAM solutions; execute POCs and feasibility studies to validate next-gen product concepts and technologies, leveraging results to guide business and technology decisions.
  • Leads complex IAM architecture requirements analysis to convert platform, security, and business requirements into technical solutions
  • Apply extensive technical expertise in decision making and in the resolution of problems which are highly complex and technical in nature.
  • Provide technical direction to less experienced members of the team
  • A technical subject matter expert that recommends and advises the Operations team in the resolution of outages or high priority incidents
  • Analyze log events and performance of IAM solutions and correct deficiencies, including recommendations to the Operations teams on alerting and monitoring
  • Identify security gaps in the identity platforms and create remediation plans
  • Act as Subject Matter Expert in the discovery and investigation of critical security vulnerabilities or incidents
  • Create and maintain functional / technical design specifications and solutions to satisfy project requirements
  • Create simple, repetitive deployment processes that increase both velocity and quality.
    Percentage: 90%

People Leadership

  • Mentor less experienced members of the IAM team
  • Serve as IAM SME for the extended Infrastructure team and help develop internal knowledge
    Percentage: 10%

Total: 100%

  • Performs other relevant job duties as required.

JOB REQUIREMENTS:

Education/Certifications or equivalent combination of education, training and experience:

  • Bachelor’s Degree in Computer Science or a related discipline desired, or relevant IAM Engineering work experience
  • Industry Cybersecurity or IAM certifications such as CISSP, ISC2+, GSEC, GISF, GCIA and GISP or equivalent
  • Relevant product certifications such as CyberArk, SailPoint, Microsoft, AWS Certified Cloud Practitioner

Experience:

  • 10+ years’ professional experience working in large scale identity environments (10,000 users minimum).
  • 10+ years’ experience as an IAM Engineer/Architect in a large complex on-premises/cloud hybrid identity environment
  • 10+ years’ experience with directory services, authentication/authorization, privileged access management, identity lifecycle management and/or cloud identity services: Active Directory, Azure AD/SSO/MFA, Azure Identity Framework, AWS cloud native, CyberArk, SailPoint IIQ, Oracle OUD, LDAP, Centrify, SiteMinder, ControlMinder/UNAB or equivalent.
  • 10+ years’ experience with Azure AD leveraging Graph API, Identity Experience Framework, CSS, REST, HTML
  • 10+ years’ experience with scripting and automation tools such as PowerShell, bash, Ansible or equivalent
  • 4+ years’ experience with cloud providers AWS, GCP or Azure
  • 2+ years’ experience with source code management software for branching, merging and merge conflicts

Cloud

  • Hands-on experience in designing Azure Conditional Access policies, Azure SSO, Azure MFA and Identity federation using AD Connect and/or ADFS
  • Experience supporting AWS identity federation and AWS governance
  • Experience securing applications with cloud access security broker (CASB)
  • Experience managing an Azure B2C tenant for external users, including design and creation of Azure B2C policies, Azure forms and workflows using the Azure Identity Framework

Directory Services

  • Experience designing Active Directory Group Policies, fine-grained password policies, AD Sites, Time Service (NTP), DNS and AD replication topology, with Active Directory 2016 functional forest level or higher
  • Demonstrated experience with PowerShell scripting to automate Active Directory tasks
  • Experience with AD delegated administration tools such as Quest ARS, RMAD, GPO Admin, Enterprise Reporter
  • Experience applying security standards using automated processes to prevent misuse of stale accounts, compromise of passwords or escalation of permissions, such as identifying and disabling stale accounts

Identity Lifecycle Management

  • Experience with SailPoint Identity IQ
  • Extensive understanding and experience in Java application development
  • Demonstrated experience with Beanshell, Linux/Unix, Windows, scripting (Bash, PowerShell, Perl), SQL, LDAP, and web services
  • Experience developing custom workflows for joiners, leavers and movers
  • Experience connecting applications to SailPoint for automated provisioning/deprovisioning and access reviews
  • Experience with designing and implementing Role Based Access Control using technical and business roles
  • Experience with the design and deployment of secure RESTful Web Services
  • Experience with the following web technologies (XML, SPML/SOAP, Web Services, etc.)
  • Experience with web application servers (Tomcat, WebSphere, WebLogic, JBOSS, etc.)

Privileged Access Management

  • Extensive experience architecting, designing and implementing CyberArk products for a complex enterprise environment with multiple domains and platforms
  • Experience integrating CyberArk with various applications using out of the box and custom connectors
  • Experience rolling out privileged access to administrative users to maximize security and operational efficiency
  • Experience using CyberArk to secure remote access for vendors
  • Demonstrated experience with CI/CD pipelines for delivery of new software/configurations
  • Experience with architecting and designing for Security Constraints, Resiliency, Fault-Tolerance, and Scalability in context of hybrid network architectures
  • Demonstrated experience leading troubleshooting and solving issues related to identities, systems, access, accounts, authentication, authorization, entitlements, and permissions
  • Some proficiency with core network services like DNS, DHCP, IPAM, and NTP in a global, distributed environment.
  • Experience with traffic and network analysis using tools such as Wireshark, Netflow, Solarwinds and TCPDump
  • Experience working with highly effective engineering teams through major technology transitions
  • Experience working in complex network environments with legacy systems

Knowledge/ Skills/ Abilities:

  • Proficient with industry security frameworks such as NIST, ISO 17799, CIS, etc.
  • Familiar with one or more regulatory requirements and laws such as, but not limited to, PCI, Federal Financial Institutions Examination Council (FFIEC), Sarbanes-Oxley (SOX), HIPAA, GDPR and GLBA.
  • Knowledge of zero trust principles
  • Knowledge of ITIL and able to follow established processes for ITSM
  • Knowledge of agile or Kanban principles and practices
  • Some familiarity with iOS and Android ecosystems to support the credentialing of mobile devices
  • Knowledge of Microsoft Exchange
  • Knowledge of relational databases (Oracle, MSSQL, MySQL, etc.)
  • Knowledge of enterprise systems (SAP, PeopleSoft, ServiceNow)
  • Able to develop solutions based on secure design and/or coding practices
  • Ability to be flexible, decision oriented, and motivated to support management initiatives
  • Ability to demonstrate a consultative approach to strategic decisions with a particular emphasis on design and delivery
  • Strong documentation and communication skills
  • Strong attention to detail
  • Problem investigation and diagnostic skills
  • Able to write and maintain clear documentation about system architecture, release, and implementation plans, and develop and maintain internal documentation.
  • Able to automate configuration and develop repeatable enterprise processes, including CI/CD

PHYSICAL ENVIRONMENT / DEMANDS:
Some travel may be required.
Most work is performed in a temperature-controlled office environment.
Incumbent may sit for long periods of time at a desk or computer terminal.
While performing the duties of this job, the employee is regularly required to sit; use hands to finger, handle, or feel; reach with hands and arms; and talk or hear.
Incumbent may use calculators, keyboards, telephone, and other office equipment during normal workday activities.
Stooping, bending, twisting, and reaching may be required in the completion of job duties.
The above statements are intended to describe the general nature of the work performed by the employees assigned to this job. All employees must comply with Company policy and applicable laws. The responsibilities, duties and skills required of personnel so classified may vary within each department and/or location.

UNFI is an Equal Opportunity employer committed to creating an inclusive and respectful environment for all. All qualified applicants will receive equal consideration for employment without regard to race, color, age, religion, sex, sexual orientation, gender identity or expression, national origin, disability, protected veteran status, or other protected ground. Accommodation is available upon request for candidates taking part in all aspects of the job selection process. - M/F/Veteran/Disability. VEVRAA Federal Contractor.

Company:
United Natural Foods Inc.

Compensation:

UNFI anticipates paying the stated salary (or within the stated salary range) for this position. Actual pay, as applicable, will depend on certain factors, including, among others, education, work experience, training, and any requirements set out in applicable collective bargaining agreements. UNFI is committed to pay transparency under applicable state and local law.

Benefits:

For positions in Washington (or positions worked remotely from Washington), click HERE for details on paid leave specific to Washington.

Candidates hired for this position will also be eligible to participate in the following benefit programs: paid leave; sick leave; vacation pay and maternity/paternity leave; 401K program; medical, dental, vision, and life, accident, death and dismemberment insurance coverage; short- and long-term disability insurance program; flexible spending account, health savings account, or both; subject to meeting the eligibility requirements and the terms and conditions of those programs, and subject to any requirements set out in applicable collective bargaining agreements.

Sales positions only: for commission-based sales positions, the stated range represents an estimate of potential commission compensation during an associate's first year; however, UNFI offers a minimum of $680 per week for the initial period. After the initial period, because this is a fully commission-based position, there is no fixed salary. UNFI's commission plans are uncapped, and average earnings depend on territory and sales achieved, among other factors.

UNFI's policies on compensation, benefits and paid leave are subject to change at the company's sole discretion and in accordance with applicable law. This job posting should not be construed as an offer of employment with specific terms, nor should it be construed as a guaranteed minimum.

Qualified applications with arrest or conviction records will be considered for employment in accordance with the Los Angeles County Fair Chance Ordinance and the California Fair Chance Act.
