
Security Information

Staten Island, New York, United States
November 07, 2019



Mikhail Kostyukovsky

**** *** **., ****** ******, NY 10305.

Phone 347-***-****

Profile: Software Architect/Lead/Manager with 15+ years of hands-on software development and management experience in information security, cloud security, identity management, single sign-on, and cryptography. Deep knowledge of software development, solutions, and problems. Involved in all phases of the software development cycle, with a proven record of accomplishment in developing high-quality, distributed, and scalable application frameworks using multiple technologies for companies such as JP Morgan, Bear Stearns, Medco, Lucent, ADP, and the Academy of Sciences of the USSR. In-depth experience in J2EE, OOD, GUI, multiprocessing, multithreading, web development, and Big Data.




Platforms:

AWS, Azure, Unix, Solaris, Linux (Red Hat, SUSE), Windows

Certifications:

AWS Certified Security – Specialty, AWS Cloud Practitioner


Languages:

Java, Angular, C++, HTML, XACML, XML, IDL, VB, C#

Data stores:



Middleware and web:

SOA, web services, Struts, Apache, JBoss, Tomcat, WebLogic, WebSphere, BroadVision, IIS, CSS, CGI, NSAPI, SOAP, TCP/IP

IT Security:

XACML, Kerberos, cryptography, SSO, SAML, WSS4J, JCE, ClearTrust, SiteMinder, WS-Security, WS-Federation, PKCS, XKMS, PKI


Other:

Docker/Kubernetes, microservices, Perl, PowerShell, SOAP, ETL (Mule), multithreading, concurrency, reactive programming, YACC/LEX


Education:

BA, MS Computer Science, Kharkov University, 1972-1977

Ph.D., Academy of Science, Moscow, 1986


Experience:

Senior Security Architect, S&P Global Ratings, NY, NY, 2015-present

AWS cloud security, on-prem to AWS cloud migration:

- Developed and executed a Cloud Information Security strategy to proactively identify risk and drive remediation.

- Wrote detailed Agile product requirements documents and ensured clear communication of those requirements to the business, engineering, security, development, and product teams.

- Provided hands-on security engineering expertise across a wide variety of platforms.

- Examined current cloud security practices, identified key risks, and executed programs to address them.

- Created technical- and managerial-level reports and risk assessments for AWS cloud-based applications and infrastructure.

- Provided security architecture evaluation and established a process for assessing and auditing security exceptions.

- Created a comprehensive set of security standards (based on NIST 800-53) for development teams.

Expert knowledge of Data Loss Prevention principles. Architected, developed/coded, and built a fully functional Azure Information Protection based document security framework. The framework allowed hundreds of thousands of Azure AD groups to control access to documents, as well as to SharePoint/OneDrive directories and Office 365 apps. The framework distributed protected documents globally using GEO SharePoint, OneDrive and

Architected, designed, coded, and built a fully functional, state-of-the-art YACC/LEX based authorization solution for the firm (NIST 800-53 compliant). Hands-on lead architect for Access Control at S&P Global. Provided architectural guidance and analysis for hundreds of applications across the firm for integration with AC. Defined integration patterns for all integrated applications. The solution implemented fully automated Jenkins CI/CD with an AWS CodePipeline pipeline, and was built/deployed both as a Docker container and on AWS Elastic Beanstalk.

Designed a business and regional access hierarchy to satisfy diverse regional regulators for different asset classes, types of data, and levels of security.

Responsible for the S&P Ratings security posture:

- DVA/SVA/NVA implementation/tooling and report analysis. Prioritized remediation of security findings by dev teams.

- Provided application security guidance and oversight as the security part of DevSecOps.

- As a voting member of the Architectural Board of S&P Global Ratings, responsible for the security design, implementation, and compliance of products, applications, and services.

- Created multiple security guides, including confidential data handling and distribution, DVA/SVA/NVA, cryptography, encryption, SSO, MFA and TFA, and NIST 800-53 requirements implementation.

Lead architect for the firm-wide EUCA management platform. The platform allowed monitoring and scanning hundreds of millions of Excel files in all formats stored on a variety of devices/platforms, including SaaS (Box) and file shares (Samba). The solution addressed security requirements of ESMA, the SEC, and other regulators.

Vice President, JP Morgan/Bear Stearns & Co., Inc., NY, NY, 2006-2015

Architect of the firm-wide XACML based Authorization Service (Enterprise Entitlement Service, EES). Developed a highly efficient (patent pending) XACML policy engine with exceptional performance metrics. Developed multiple caching and policy-finding solutions. The LDAP schema allowed easy, fast, and compact policy storage. Multiple deployment strategies (server-based and distributed) are available. The XACML engine (in both Java and C#) is very compact and easily configurable, allowing any VM to have its own PDP, which guarantees 100% availability. Extensive use of the reactive programming pattern.

Managed a worldwide team of 20 developers and operations personnel.

Defined strategies for, designed, built, managed, and supported (24/7) the Enterprise Entitlement Solution. 400 applications and 1.2M users supported. The system resides in 5 data centers on 3 continents and processes 10M requests a day. No service interruption in 4 years.

Headed JP Morgan's Entitlement committee, which brought together leaders from all lines of business and lead architects.

Designed and deployed the LOB's integration platform utilizing Mule. Built multiple ETL workflows to manage complex data processing.

Hadoop/Cassandra development allowed analyzing entitlement requests to provide the most efficient authorization policies.

RSA ClearTrust development: designed hooks, LDAP plugins, and web agent (Apache, WebLogic, and IIS) handlers; troubleshooting, configuring, and monitoring CT servers. Implemented custom authentication types for CT, including SecurID, Basic, IWA, and Kerberos.

Designed the SSO LDAP (Sun ONE Directory) topology to support intercontinental deployment. LDAP maintenance, support, schema design, and backup policies. Pre- and post-LDAP authentication and search plugin design.

Designed a real-time company-wide SSO monitoring infrastructure. Created multiple log file parsers for monitoring and alerting on the security infrastructure, with a WebLogic front end. Support and performance improvements for Bear's legacy SSO (Java and C++) system.

Designed and managed the project for merging JP Morgan's IB and legacy Bear Stearns SSO into a common SSO, including multi-domain support for the heterogeneous SSO systems, user community merge, and simultaneous password reset.

Security review of JP Morgan applications, including international security deployments.

Evaluated and architected entitlement systems for Bear Stearns and JP Morgan's IB.

Senior Applications Architect, Medco, Franklin Lakes, NJ, 2000-2006

Architected and developed a secure B2C web service for the B2B site, implementing both SOAP and REST, using SAML (Apache's WSS4J implementation) for security assertions. Given the data size (~8 MB), customized both the Axis engine and the XML parsing schemas to minimize processing time.

Designed Medco's WSDL SOAP type definition schema for the services, including XML Security.

Designed an automated deployment process for multiple partners with different security and application platform requirements (WebSphere, Apache/Axis, .NET).

Designed and developed a multithreaded web security service (cryptography engine: Java's JCE). The web service encrypts, decrypts, signs, and verifies signatures; gets and verifies Netegrity security tokens; provides LDAP support; creates PKCS#7 envelopes and signatures; and supports XKMS.

Provided C++ (HP-UX, ActiveX) as well as Java client socket connections to the web service. The web service handles more than 100 simultaneous clients with more than 1000 cryptography requests a minute. Designed and developed an internal test harness web site using .NET's C# to test different SSO partner requests. The web site allowed the use of multiple SSO formats, easy user data access, statistical analysis (visual and tabulated format), and monitoring of the production web site. Struts/Tomcat development, including EJB security architecture and development. The design allows the same EJB to be used (through an ActiveX bridge) on .NET and (through TCP/IP) on UNIX. Implemented security infrastructure for Struts.

A complete intranet web site allowed monitoring and configuring the company's B2B security infrastructure. Designed and developed a security tag library for Struts. Designed and developed a Single Sign-On package (Java) to provide SSO for multiple clients written for different OSes (MS Windows, HP-UX). The architecture was SAML and WS-Federation compliant.

Created an ActiveX control to encrypt/sign data (using CAPICOM's PKCS#7 and PKI) and decrypt/verify data using Java's JCE. The encryptor was used by IIS 5 and the decryptor was a BroadVision JSP component. Developed iPlanet LDAP plugins to handle Netegrity token verification for Tier 2 applications. Applications written in Java/C++ and VB ran on Unix/Windows. Designed Merck-Medco client JavaScript web pages utilizing CSS. CORBA-based C++/IDL development of components for BroadVision JSP, including an STL-based logging subsystem to write log messages into an Oracle DB and BroadVision logs and to send log messages across multiple machines running different OSes (MS Windows, HP-UX).

Senior Architect, Lucent Technologies, 1995-2000

Designed and developed a dual web/telephony inventory system. The system supports inventory (including ordering and purchasing) via internet/intranet and telephone. The DCOM/COM design allowed connecting to multiple servers for simultaneous multithreaded request processing. A Text-to-Talk module reads item descriptions and user messages directly from the DB. The MS ISM web API created HTML files on the fly based on user access privileges. Item orders were processed by ISM (for HTML/Java pages) or by the telephone server (using the Dialogic telephone card). A Sybase DB server processed DB requests via an ODBC interface. The same set of DB classes (Visual C++) was used for both web and telephony requests. Business logic was supported exclusively by the DB server, using stored procedures. The system allowed creating up to 120 full requests per minute.

Designed and developed a flexible filter for the AutoPACE CP failure messages feature. The filter allowed users to isolate a specific subset of their CP failure messages before performing CPFail analysis, and to look at only a subset of all their post-analysis CPFail data. The major goal of the design was removing any limitation on creating reports: all data, report formats, and the user interface are database driven. Modified the "Softel vdm" tree edit dialog software for use with OWL 1.0; this software and derived classes were used in new interfaces of AutoPACE. Designed and developed an object-oriented generic import/export/report writer system for the RF engineering tool CE4. The system design allowed fast and easy changes to the application's export/import files, and automatic DB restores in case of DB or DB log file crashes. Migrated CE4 from the 16-bit to the 32-bit platform, including Windows 95/NT support and conversion from OWL 1.0 to OWL 5.0.

Senior Programmer/Analyst, Automatic Data Processing, Roseland, NJ, 1991-1995

Analyzed, designed, and developed a Logical Databases Module (written in C++). The module supports ODBC, Watcom, and GUPTA SQL databases.

Designed and developed support for a C++ Object Definition Language. Created a C++ parser using YACC/LEX (MKS clone).

Developed payroll programs using PowerBuilder and Borland OWL.
