Security Solution Architect
- Provided services in a subject matter expert consultant role responsible for architecting, designing and implementing a variety of identity and access management solutions.
- Performed and managed all critical vendor-facing tasks and worked closely with internal teams, for the mutual benefit and assurance of quality delivery of best-in-class security solutions.
- Worked with internal ISO resources and stakeholders to establish organization IAM priorities, roadmap, and program strategies to OLG executive management, while meeting tight deadlines.
- Engaged in all phases of requirements gathering, drafted RFPs and RFCs, development of use cases, security objectives and best practices discussions, security solution technical design, proofs of concept, creation of test cases, implementation and delivery, integrations, troubleshooting, defect resolution, drafted operational guides, migration plans, conducted dry-run activities, training sessions, knowledge sharing, and assisted in management of projects.
- Provided key insight and crucial leadership to the development of Identity and Access Management, Privileged Access, OAuth 2.0, Certificate Management, Role Based Access Controls (RBAC), and Credentials Vault standards, policies, and created or updated related architectures.
- Designed full lifecycle security for cloud-native applications running on Google Cloud, including automated deployments on GKE, providing consistent security across container deployments.
- Implemented Aqua Container Security Platform (CSP) for compliance and runtime protection on GCP, integrated with its container services, as well as with the GCP Security Command Center.
- Configured container firewall with Aqua Enforcer on GKE cluster nodes, created container-level alerts, gathered data, identified threats, and composed SOC manuals for mitigation and response.
- Prevented unauthorized images from running in GKE environment, by continuously scanning images stored in Google Container Registry (GCR), to ensure that DevOps teams do not introduce vulnerabilities, bad configurations, malware, or secrets into container images.
- Configured Aqua Container Security Platform (CSP) with GKE to prevent unvetted containers from running and to prevent approved containers from performing unauthorized operations.
- Configured mission critical application monitoring (AppDynamics) with artificial intelligence.
- Participated on Azure digital transformation projects and provided detection and security use cases and workflows for malware, data exfiltration, privileged user monitoring, zero-day attacks, DNS data analysis (Azure Sentinel, Splunk ES), to identify suspicious activity.
- Provided weekly actionable recommendations for remediation of security issues.
- Performed an assessment of the CI/CD pipeline for threat vectors targeting the Development System, Git-Based Repository, Retrieval of Dependencies, Image Registry, Unsecured Orchestrator Platform, Host-Container Relationship, Rapid Rate of Change, MSA Communication and Network Segregation, Interprocess Communication (IPC), Increased Number of Databases, and Application Layer Attacks.
- Provided recommendations for pervasive security and to mitigate the identified CI/CD threat vectors with vulnerability management and risk-based controls, including Software Composition, API Gateways, Authorization between Microservices and MSA Resilience, Host Hardening, Secure Computing Mode Profiles, Mandatory Access Controls, Secret Management, Behaviour-Based Controls, Data-Centric Controls (DAP and FCAP), Network Segmentation for Containers, and Architectural Considerations.
- Designed policies and developed a protection strategy for microservices and containers, using Secrets Management, Software Composition Analysis, Layer 7 Network Segmentation for Operational Containers, and requiring all vendors to integrate with secure container offerings from cloud providers.
- Distributed applications using containers (Docker), and implemented container orchestration (Kubernetes/OpenShift) for monitoring and automation of container restart and scaling, spread across multiple nodes.
- Ensured that the Google Cloud accounts and services are configured according to best practices, including the CIS Foundation Benchmark for Google Cloud Platform.
- Integrated Aqua Cyber Intelligence for GKE with LDAP, AD, SAML, SSO, CyberArk and Splunk.
- Implemented Cloud Security Posture Management (CSPM) by continuously scanning hundreds of settings for risks and monitoring events for anomalies, and created compliance reports for PCI.
- Scanned for vulnerabilities and malware, applied File Integrity Monitoring (FIM), checked configuration against the CIS Benchmark for Linux, and monitored user access and activity.
- Protected workloads running on GCE and ECS instances, and ensured proper hardening.
- Assessed and constructively questioned established processes and internal functions, to improve existing process flow and management in newly proposed and adopted areas of continuous development (CI/CD), version consolidation, version management, configuration management, environment provisioning, cloud and virtualization, release and change management, security and compliance, restore and disaster recovery.
- Defined and documented the future lightweight application architectures and target Cloud state.
- Identified integration and transition opportunities for patron-facing applications and back-end services to the Cloud, and formulated a Cloud Strategy artefact for future transformation plans.
- Composed multiple RFPs and reviewed technical responses from Okta, SailPoint and ForgeRock.
- Mapped future architectures for identity and access systems, selected for replacement due to end of life and lack of vendor support, and in alignment with the new Digital Security Strategy.
- Evaluated integration opportunities for process flow improvements for access and identity management, and a consolidation of authentication services in ForgeRock and OpenIAM suites.
- Consolidated multiple processes and services for access verification, single sign-on, two-factor authentication, session management, and reviewed existing encryption policies.
- Explored modernization practices for Java applications, modern web applications, and initiated the adoption of APIs, API Gateways (API Connect), and DevOps for more efficient development.
- Identified opportunities to relocate services to the Cloud, taking advantage of offerings such as lightweight infrastructure, PaaS and DevOps, for faster delivery of web applications and services.
- Ensured that containers performed only by design and within intended application context, by detecting and preventing activities that violate policy, and avoided container-specific attacks.
- Leveraged CyberArk EPV to securely deploy secrets to containers in runtime, and managed, rotated, and revoked secrets with no downtime, running in memory without persistence on disk.
- Provided enhanced visibility into security and compliance-related events, and policy management for container security monitoring and policy violation detection, by integrating Aqua CSP with Splunk Cloud ES, and other security management tools.