Security Engineer & Architect
TTI of USA
About the role
Overview
Security Engineer/Architect (IAM Focus) – BNY is seeking a hands‑on Security Engineer/Architect to design, implement, and govern identity and access management for a FedRAMP‑compliant Azure environment using native Microsoft security tooling. You will own the IAM architecture and control lifecycle—policy design, privileged access, identity threat protection, lifecycle governance, and evidence generation—ensuring NIST SP 800‑53 control coverage and audit readiness. This role partners with platform engineering, SecOps, risk/compliance, and 3PAOs, and requires the ability to dive deep into native Azure capabilities while setting a scalable, standards‑driven architecture.
Responsibilities
Architecture and Design (IAM Focus)
- Define and maintain Azure IAM architecture and guardrails: tenant segmentation, RBAC strategy, least privilege, managed identities, Conditional Access, and Just‑In‑Time access via PIM.
- Establish standardized access patterns for workloads, service principals, Managed Identities, and human identities across multi‑tenant/multi‑subscription Azure footprints.
- Design and enforce secure key/secret management using Azure Key Vault (FIPS 140‑2 validated modules), including rotation, access policies, and monitoring.
- Integrate identity threat protection signals (Entra ID Protection, Defender for Identity) into detection and response workflows; ensure coverage for high‑risk scenarios (privilege escalation, token theft, MFA fatigue, legacy protocols).
- Build and maintain Azure Policy/Blueprints to enforce IAM baselines (e.g., MFA requirements, disallow legacy auth, privileged role constraints, Key Vault access policies, managed identity usage).
- Configure Conditional Access, Authentication Strengths, and token controls; manage role assignments, custom roles, and privileged workflows consistent with FedRAMP requirements.
- Drive onboarding of identities and applications to native controls; integrate with CI/CD pipelines for pre‑deployment checks and policy‑as‑code control inheritance.
Operations, Continuous Monitoring, and Evidence
- Partner with SecOps to ensure logging/telemetry completeness (Audit logs, Sign‑In logs, Entra ID Risk events, Azure Activity logs) and Sentinel ingestion; author KQL‑based detections/playbooks for IAM threats.
- Maintain IAM control narratives, SSP sections, and evidence packages; support POA&M lifecycle for IAM‑related findings and corrective actions.
- Produce monthly/quarterly Continuous Monitoring artifacts for IAM controls (AC, IA, AU, CM, SC), including access reviews, break‑glass account attestations, PIM usage audits, and privilege minimization metrics.
Risk, Access Reviews, and Compliance
- Lead periodic access certification campaigns for privileged roles and sensitive applications; implement automated recertification workflows and exception governance.
- Quantify residual risk and document compensating controls; partner with risk/compliance and 3PAOs on assessments, interviews, and artifact reviews.
- Ensure material changes in IAM configurations are reflected in SSP/control narratives and communicated via change management.
Azure Native Tooling (Primary)
- Identity & Access: Microsoft Entra ID (Azure AD), PIM, Conditional Access, Authentication Strengths, RBAC, Managed Identities
- Threat Protection: Entra ID Protection, Microsoft Defender for Identity, Microsoft Defender XDR signals
- SIEM/SOAR: Microsoft Sentinel (Log Analytics, Workbooks, Playbooks/Logic Apps)
- Posture & Policy: Azure Policy, Azure Blueprints, Azure Automation
- Secrets & Crypto: Azure Key Vault (FIPS 140‑2), Key Vault HSM (as applicable)
- Monitoring/Telemetry: Azure Monitor, Sign‑In/Audit Logs, Diagnostic Settings, Activity Logs
Required Qualifications
- 7+ years in security engineering/architecture, with 3+ years focused on IAM in Azure using native tooling.
- Deep hands‑on experience with Entra ID (Azure AD), RBAC, PIM, Conditional Access, Managed Identities, and Key Vault—including policy design and enforcement at scale.
- Practical knowledge of FedRAMP baselines (Moderate/High), NIST SP 800‑53 control families, and audit/assessment processes; experience contributing to SSP/ConMon evidence.
- Strong proficiency in Azure Policy/Blueprints and policy‑as‑code approaches; experience embedding controls into CI/CD.
- Ability to design high‑fidelity detections and automate incident response for identity threats using Sentinel and Logic Apps.
- Excellent documentation and communication skills for control narratives, runbooks, access governance procedures, and executive status reporting.
- Bachelor’s degree in Information Security, Computer Science, Information Systems, or related field; equivalent experience considered.
Preferred Qualifications
- Experience operating in Azure Government or GCC High tenants and understanding telemetry/control nuances in those environments.
- Background in Zero Trust principles, privileged identity strategy, and secure service‑to‑service authentication patterns.
- Familiarity with Microsoft Purview and data access governance for sensitive workloads.
- Scripting/automation skills (KQL, PowerShell, Bicep/Terraform basics) to manage identities, enforce policies, and generate evidence.
- Certifications: AZ‑500 (Azure Security Engineer Associate), SC‑300 (Identity and Access Administrator), SC‑200 (Security Operations Analyst), CISSP/CCSP, or equivalent.
Key Competencies
- Architectural rigor with hands‑on execution: able to set standards and implement them.
- Risk‑based decision‑making; measurable outcomes through IAM KPIs and audits.
- Cross‑functional leadership and stakeholder management across engineering, SecOps, and compliance.
- Continuous improvement mindset; detection tuning, control effectiveness measurement, and drift minimization.
Day‑One Priorities (First 90 Days)
- Baseline Conditional Access, PIM policies, and RBAC role taxonomy; eliminate legacy authentication and high‑risk configurations.
- Validate log ingestion coverage for identity signals into Sentinel; implement priority detections/playbooks for privilege misuse and identity compromise.
- Stand up access certification cadence for high‑risk roles; document procedures and evidence artifacts aligned to ConMon.
- Implement Azure Policy sets for IAM baselines; create dashboards for compliance and exception management.
Program KPIs (example targets; customizable)
- Privileged access minimization: ≥ 90 % of admin access via PIM JIT; break‑glass account attestations monthly.
- MFA/strong authentication coverage: ≥ 99 % for all in‑scope human identities; ≥ 95 % enforcement for service identities via managed identities where applicable.
- Detection quality: ≥ 70 % high‑fidelity alert ratio for IAM detections; MTTR ≤ defined SLA for high‑severity identity incidents.
- Configuration drift: ≤ 5 % variance from IAM baselines across subscriptions per month.
- Audit readiness: “Green” on IAM evidence completeness prior to assessments.