VAMSI Y
Security Engineer/CyberArk Engineer/PAM/SailPoint Engineer
Eden Prairie, MN 55344
***.*****@*****.***
An accomplished, innovative and results-oriented Security Engineer with 8+ years of professional experience in Information Technology, primarily focused on Privileged Access Management (PAM) on CyberArk, and experience in Identity Management primarily focused on SailPoint. Deep understanding of LDAP Directories, Single Sign-On (SSO), Provisioning and Identity Workflows, Access Management, RBAC (Role-Based Access Control), CyberArk on-prem and SaaS deployments, AAM, Bulk Onboarding, IT Continuity, Firewalls, Audits and Scripting. Strong ability to independently troubleshoot software applications and complex distributed system environments involving multiple configurations and protocols. Thrives in a fast-paced environment, seamlessly managing multiple customer engagements simultaneously while adapting easily to changes in priorities.
PROFESSIONAL SUMMARY:
Security Engineer with 8+ years of professional experience in Information Technology, specializing in Privileged Access Management (PAM) (CyberArk) and Identity Management (SailPoint).
Highly experienced Privileged Access Management (PAM) Engineer with 11+ years in IT security and 8+ years of specialized operational expertise across major CyberArk components including Vault, CPM, PVWA, PSM, EPM, and SCA.
Proven ability to architect, deploy, and optimize CyberArk and PAM solutions for diverse enterprise environments.
Demonstrated technical proficiency with PowerShell, Python, Bash scripting, REST APIs, and automating processes for secure account lifecycle management.
Adept at cross-platform integration (Windows, UNIX/Linux, macOS), Active Directory, LDAP, and cloud directory services.
Recognized for strong troubleshooting, analytical, and communications skills with a track record of successful stakeholder engagement, onboarding, and support for cloud, Conjur-based secrets management, and CI/CD pipeline integrations.
Proven expertise in implementing enterprise-wide security solutions, compliance frameworks, and automation processes.
Deep technical knowledge of LDAP Directories, Single Sign-On (SSO), RBAC, cloud and on-premises deployments, and security auditing across SOX, HIPAA, PCI, NIST, and ISO 27001 standards.
Experience in engineering and administering security solutions.
Identity Management, Access Management, LDAP Directories, Single Sign-On (SSO), Provisioning & MFA, SaaS, RBAC (Role-Based Access Control), Compliance and Auditing Technologies, Identity Federation services, Enterprise System Architecture, Security Infrastructure Design, Authentication and Authorization technologies, as well as custom-built security and technology frameworks, to name a few.
Strong IT experience, with a major portion in IAM, specialized in SailPoint IIQ (IdentityIQ).
Proficient in CyberArk Engineering, leveraging security safeguards, Risk Management, Governance, Risk and Compliance, Identity Access Management (IAM), Active Directory (AD) administration and Privileged Access Management (PAM) to improve business processes while maximizing operational efficiency and risk mitigation strategies, with adherence to NIST Special Publications and other industry regulatory and legal compliance frameworks.
Extensively experienced with CyberArk's security products such as Enterprise Password Vault (EPV) and Privileged Identity Management (PIM), including design and implementation of Disaster Recovery (DR).
Experienced in setting up Multi Factor Authentication in LDAP, AD, ORACLE, and has managed sessions in Privileged Session Management (PSM).
Experienced in implementation, deployment and upgrade of various versions of CyberArk (PIM suite) including the components - Vault, PSM, CPM, PVWA, and PSM SSH Proxy (PSMP), and PTA.
Good knowledge in installing, managing and monitoring of CyberArk privileged account security tool modules.
Great leadership, analytical & technical skills combined with excellent communication & interpersonal skills.
Skilled in working as Team Lead as well as Team member.
Proven technical leadership skills include the ability to manage teams, earn the respect of their members, lead by example, and thrive in an ever-changing environment.
Persuasive verbal and written communication skills complement a proven ability to lead, multi-task, maintain an organized approach, and ensure success, even when faced with high-pressure or high-risk situations.
Skilled in providing effective leadership in fast-paced, deadline-driven environments, with outstanding presentation and communication skills and an understanding of business requirements to cross-collaborate and increase the security awareness maturity level.
CORE COMPETENCIES
IDENTITY GOVERNANCE:
•CyberArk (PAM/PIM) - On-Premises & SaaS
•SailPoint IdentityIQ & IdentityNow
•Active Directory & LDAP Management
•Single Sign-On (SSO) & Multi-Factor Authentication (MFA)
•Role-Based Access Control (RBAC)
TECHNICAL SKILLS:
•PowerShell Scripting & Automation
•REST APIs & SQL Database Management
•Power BI Dashboard Development
•Splunk Monitoring & Alerting
•Oracle Identity Manager & Microsoft Identity Manager
SECURITY & COMPLIANCE:
•SOX, HIPAA, PCI DSS, NIST, ISO 27001
•Privileged Account Management
•Security Audit & Risk Assessment
•Separation of Duties (SOD) Policies
•IT Continuity & Disaster Recovery
CERTIFICATIONS:
CyberArk Certified Trustee (Level 1)
CyberArk PAS Administration (Level 2)
CyberArk Defender (Level 3)
CompTIA Security+
SailPoint Administration
PowerShell Certified
ADDITIONAL QUALIFICATIONS
•Protocols & Standards: LDAP, WS-Federation, SAML, OAuth
•Database Technologies: MySQL, SQL Server, Oracle
•Cloud Platforms: AWS, Azure (AD Connect)
•Development: REST API development, Custom workflow creation
•Methodologies: Agile/Scrum, SDLC, DevSecOps practices
EDUCATION:
Master of Science, Information Security, Saint Cloud State University, St. Cloud, Minnesota, USA
PROFESSIONAL WORK EXPERIENCE:
Role: CyberArk Engineer
Client: 3M
Location: Woodbury, MN
Duration: June 2020 to Present
3M CYBERARK ON PREM PROJECT
Roles & Responsibilities:
Led the full lifecycle deployment of CyberArk and BeyondTrust PAM solutions, including design, installation, configuration, and integration with enterprise applications.
Worked as a lead operations engineer maintaining CyberArk compliance and operational processes.
Installation of CP (Credential Provider) through AAM and CCP (Central Credential Provider) for clients to retrieve accounts from CyberArk and use them in scripts.
Designed and implemented a centralized Identity and Access Management (IAM) strategy across hybrid (AWS, Azure) and multi-cloud environments, reducing the identity attack surface by 40% and streamlining user provisioning.
Led CyberArk compliance and operational processes as primary operations engineer.
Successfully deployed a CyberArk SaaS instance for the newly acquired KCI domain while maintaining the existing on-premises infrastructure.
Implemented comprehensive monitoring dashboards, reducing non-compliant accounts by 40%.
Streamlined quarterly password rotation processes and hardware upgrade support.
Developed and deployed a suite of PowerShell and Python scripts to automate the investigation of security alerts, cutting average incident triage time from 30 minutes to under 5 minutes.
Engineered automated incident response playbooks using Bash and Python to isolate compromised endpoints via API calls to EDR tools, containing threats within 60 seconds of detection.
Created a SQL-based correlation engine to analyze logs from disparate systems (firewalls, endpoints, proxies), identifying complex attack patterns that were previously undetected.
Architected and enforced a cohesive Single Sign-On (SSO) and federation framework utilizing Okta as the identity provider (IdP) for seamless and secure access to 150+ SaaS applications, Azure AD resources, and AWS accounts.
Integrated PVWA and PSM connectors to CyberArk which enables PSM connectivity and monitoring for checking out account and connecting to servers.
Worked with HashiCorp Enterprise products: Terraform, Vault, Consul, and Packer. Able to write Terraform code and Vault/Terraform policies.
Defined SQL queries to extract and filter account data from CyberArk Database using MySQL.
Defined SQL queries and created Power BI dashboards to monitor CyberArk account metrics related to different account types in CyberArk.
Configured CyberArk integration with ServiceNow ITSM platform for automated access request workflows, approval routing, change management, and incident tracking enabling self-service credential retrieval and temporary privilege elevation.
Implemented CyberArk SIEM integration with Splunk enabling real-time privileged activity monitoring, behavioral analytics, anomaly detection, and automated alerting for suspicious credential usage, failed authentication attempts, and policy violations.
Integrated various platforms such as different LDAP providers, Windows servers, UNIX servers, Databases, and networking Devices with CyberArk.
Designed multiple REST APIs and created PowerShell scripts for operational processes in CyberArk such as bulk onboarding, bulk account actions and data retrieval.
Provided CyberArk evidence for audits, including SOX, HIPAA, PCI, NIST and ISO 27001.
Implemented Sphere tool for account discovery across 3M domain and performed onboarding activities on the unvaulted accounts discovered.
Integrated Sphere connectors for AD, multiple SQL types, Windows and Linux.
Implemented Splunk integration to CyberArk for longer log retention period.
Configured Splunk alerts when elevated permissions are assigned to CyberArk user accounts.
Deployed CyberArk EPM for 3M on-prem and aided in setting up SSO authentication.
Deployed CyberArk WPM for 3M on-prem and configured stable password management for clients.
Supported existing 3M on prem version of CyberArk by handling new Integration Requests.
Performed troubleshooting activities to maintain CyberArk accounts compliant.
Successfully integrated PAM solutions with SIEM (Splunk, Sentinel) and identity platforms (Active Directory, Okta) to enhance threat detection and streamline identity governance.
Performed security patches and vault and component upgrades based on vendor recommendations.
Advocated and supported improvements to Vault APIs and core to improve development and integration of tools and plugins. Worked on issues and improvements critical to the success of HashiCorp customers and the broader community.
Performed quarterly password rotation onsite at the datacenter for 3M CyberArk iLO Production and Disaster Recovery servers and supported upgrading the hardware.
Credential Management: Deployed CP and CCP solutions for secure account retrieval
Database Management: Created SQL queries for CyberArk database analysis using MySQL
Automation: Developed REST APIs and PowerShell scripts for bulk onboarding
Monitoring: Built Power BI dashboards and configured Splunk alerts
Compliance: Provided audit evidence for SOX, HIPAA, PCI, NIST, and ISO 27001 frameworks
3M CYBERARK SAAS IMPLEMENTATION ON KCI DOMAIN AND HANDOFF PROJECT
Roles & Responsibilities:
Led end-to-end deployment of CyberArk's Privileged Access Security solution, including the Enterprise Password Vault (EPV), Central Policy Manager (CPM), and Password Vault Web Access (PVWA) across a 5,000+ server environment.
Provided hands-on expertise in the administration and troubleshooting of core PAM components, including Password Vault, Privileged Session Manager (PSM), and Application Identity Manager (AIM).
Deployed a CyberArk SaaS instance on a domain (KCI) newly acquired by 3M to maintain Privileged Access Management, while maintaining the existing on-prem CyberArk instance at 3M.
Worked with Application teams to determine the appetite of accounts that needed to be onboarded once the SaaS instance is deployed.
Led the migration from a fragmented, on-premises Active Directory to a cloud-first IAM model using Azure AD Connect and Okta Universal Directory, improving security posture and enabling a hybrid workforce.
Developed and maintained comprehensive IAM policies, standards, and procedures governing user access lifecycle (onboarding, transfers, offboarding) across all integrated platforms (Okta, Azure AD, AWS IAM).
Used Sphere tool Scans and DNA (Discovery Analysis Tool) to discover accounts that needed to be managed by CyberArk.
Orchestrated automated vulnerability remediation by writing Python scripts that interface with patch management (WSUS/SCCM) and ticketing systems (Jira/ServiceNow), reducing critical patch deployment time by 40%.
Built a custom PowerShell framework to automatically identify non-compliant assets (missing AV, outdated OS) and execute remediation steps, increasing organizational compliance from 85% to 99%.
Designed an automated workflow using Bash and SQL to prioritize vulnerabilities based on asset criticality and exploit availability, focusing remediation efforts on the top 5% of high-risk issues.
Engineered and maintained the PAM policies within CyberArk and BeyondTrust to enforce least privilege access, secure privileged accounts, and manage secrets for critical infrastructure.
Defined connector requirements with Okta and KCI-AD to implement SSO and MFA.
Constructed the Component Map for the CyberArk SaaS instance on KCI.
Analyzed the existing 3M CyberArk on-prem state for connector requirements that could be reused for the CyberArk SaaS instance on KCI.
Collaborated with development and DevOps teams to integrate IAM services into the CI/CD pipeline, ensuring security by design for new applications.
Authored and maintained detailed documentation for IAM configurations, policies, and procedures, facilitating knowledge transfer and supporting incident response efforts.
Defined Monitoring and Reporting requirements for CyberArk SaaS.
Defined Backup & IT Continuity process requirements for CyberArk SaaS.
Onboarded Enterprise and Domain Admin accounts, which are the most privileged accounts in the KCI domain.
Carried out other onboarding types based on how privileged the account types are.
Defined end to end operational workflows to help maintain CyberArk accounts compliant.
Performed UAT Testing on the KCI CyberArk SaaS pilot build and prepared process documents for user education.
3M CYBERARK SAAS IMPLEMENTATION ON 3M CHINA DOMAIN AND HANDOFF PROJECT
Roles & Responsibilities:
Deployed CyberArk SaaS instance on China domain creating a Secured Team accounts structure for 3M China.
Used Sphere tool Scans and DNA (Discovery Analysis Tool) to discover accounts that needed to be managed by CyberArk.
Engineered and deployed a new BeyondTrust Password Safe environment, integrating with existing SIEM and ticketing systems to streamline privileged access requests and auditing.
Architected a highly available PAM infrastructure with load-balanced components and disaster recovery sites to ensure 99.99% uptime for critical privileged access services.
Leveraged Python (Boto3) to automate the security hardening of AWS EC2, S3, and IAM resources, enforcing compliance standards across 500+ cloud assets and eliminating common misconfigurations.
Developed infrastructure-as-code (IaC) scripts in Python and Bash to automate the deployment and configuration of security tools (e.g., Splunk, Wazuh), reducing setup time from days to hours.
Designed, configured, and managed Identity and Access Management (IAM) solutions across Okta, AzureAD, and AWS environments, ensuring secure and streamlined access for over 5,000 users.
Constructed the Component Map for the CyberArk SaaS instance on 3M China.
Defined Monitoring and Reporting requirements for CyberArk SaaS in 3M China.
Defined Backup & IT Continuity process requirements for CyberArk SaaS in 3M China.
Onboarded Enterprise and Domain Admin accounts, which are the most privileged accounts in the KCI domain.
Conducted in-depth security audits and assessments of PAM configurations, identifying and remediating vulnerabilities to ensure compliance with industry standards and internal security policies.
Developed and deployed HashiCorp Sentinel “Policy as Code” to enforce security against infrastructure between plan and apply phases of Terraform run.
Carried out other onboarding types based on how privileged the account types are.
Defined end to end operational workflows to help maintain CyberArk accounts compliant.
Role: SailPoint Engineer
Client: Delta Air Lines
Location: Eagan, MN
Duration: July 2019 to June 2020
Roles & Responsibilities:
•Implemented Role-Based Access Control by creating Roles based on Business, Application and Entitlements and performed Role Modeling with respect to the applications onboarded, as well as automation of RBAC using Role Mining.
•Gathered data from the customers/business and performed Applications/Entitlements Onboarding as well as Active Directory group migration into SailPoint IIQ.
•Integrated many HR SOTs (Sources of Truth) with IIQ, automating provisioning of Identities by generating forms inside IdentityIQ.
•Integrated multiple HR Systems of Truth with automated identity provisioning
•Reduced access review overhead through advanced certification scheduling
•Implemented enterprise-wide RBAC through role mining and modeling
•Integrated IIQ Quick Links for Active Directory Group Aggregation, Admin Account Management, Membership Management and Email Storage Increase with respect to SailPoint.
•Performed collection and analysis of existing business and technical requirements to enhance Enterprise-wide IAM processes and procedures.
•Installation and configuration of SailPoint IIQ as required by design solution.
•Created various reports like Role composition report, Identity Reports and Application attribute reports for IIQ.
•Evaluated SailPoint-IIQ by Life Cycle Management, Access Review/Certifications, Policy Management, Role-Based Access Control and Connector modules.
•Analyzed each application before onboarding to get an extract of the application with the user unique ID, access levels and permissions, and conducted deep-dive sessions.
•Implemented Self-service feature, Password feature, Provisioning feature and policies in SailPoint.
•Maintained user account workflows using form Joiner, Mover and Leaver.
•Involved with existing Provisioning Team for the application in order to make it fit in to IIQ and to get the existing User Access Management (UAM) model.
•On-boarded applications using Provisioning application’s requests in IIQ.
•Implemented and scheduled various type of User Entitlement Reviews for applications and databases in a timely manner to all the business areas across the organization.
•Implemented Change Requests in IIQ, drawing up the scheduling of events and the shape of the weekend for business check-outs.
•Developed Role Model Templates based on the applications being onboarded by engaging with various business people and TS.
•Specified and uploaded application data feeds onto the IIQ application.
•Conducted Pre-onboarding Application integration analysis, which involved application ownership confirmation, analysis and identification of current roles/entitlement structure, identification of ISO, IT owner and Business owner of the Applications.
•Streamlined the App Onboarding process, identified opportunities for automation and standardization, and worked with automation teams to implement the automation solutions.
•Onboarded Authoritative and non-authoritative applications of different delimited and JDBC type and performed Aggregation Task with respect to application onboarding.
•Expertise in User life cycle management and implementation of various workflows design with different Application Resources.
•Experience in building custom Workflows, Rules, Policy, Provisioning in IAM.
•Implemented SOD (Separation of Duties) policies both at role and entitlement level as well as defining Advance, Risk, Activity and Account policies.
•Configured Risk Scoring based on Identity and Application Risk Scoring mechanisms and defined baseline access and composite risk scoring.
•Created periodic access reviews Certifications based on Identity, Membership and composition and setting up advanced as well as scheduled certifications.
•Worked on creation of Workgroups inside IIQ for the onboarded AWS AD Connect Applications/Entitlements using PowerShell scripts.
•Setting up IIQ Customers with LDAP, SSSD Unix Likewise attributes for server access along with creating a Profile Path and Home Directory.
•Setting up Microsoft Exchange O365 Mailboxes for newly provisioned identities inside IIQ Embedded Systems.
•Performed Role Mining to establish RBAC (Role Based Access Control) inside IIQ in order to auto assign Entitlements and Access groups.
•Created Lifecycle Events and Workflows inside IIQ such as Joiner, Leaver, Manager Transfer, Synchronize Attributes, Reinstate, New Affiliation and Affiliation Change.
•Solved tickets on Shared Mailboxes, Distribution Lists, Shared Drive Access, Admin accounts, Service Accounts and Security Groups inside Active Directory on several Delta domains in accordance with ServiceNow requests.
•Solved incidents raised with respect to SailPoint and Active Directory through ServiceNow, along with Incident Response.
•Application onboarding and Active Directory group migration
•Identity lifecycle management workflows for joiner, leaver, manager transfer
•SOD policies, risk scoring, and periodic access reviews
•PowerShell scripts for AWS AD Connect workgroup creation
•ServiceNow incident resolution for security groups and mailboxes
Role: Security Analyst
Client: GSS InfoTech
Duration: June 2016 to July 2017
Roles & Responsibilities:
•Managed enterprise-wide Active Directory infrastructure including user account creation/deletion, security group management, OU structure administration, and group policy configuration supporting 50,000+ users
•Administered Windows Server environments, coordinated with network teams on domain controller management, replication monitoring, and directory service optimization
•Utilized security rules and approval workflows to grant/revoke access to applications, servers, group folders, and network resources based on role-based access control policies
•Created and managed email accounts, group mailboxes, and distribution lists using Microsoft Exchange and Active Directory integration
•Configured LDAP integration for application authentication, identity synchronization, and distributed directory services across heterogeneous systems
•Created, tested, and maintained complex security rules ensuring enforcement of security standards, separation of duties, and compliance requirements
•Developed PowerShell scripts automating account provisioning, bulk user modifications, security group updates, and reporting functions reducing manual effort by 60%
•Investigated and resolved complex access issues involving nested groups, group policy conflicts, permission inheritance problems, and application-specific security configurations
•Coordinated with internal systems teams (WICS, DEVSECOPS, Email systems) ensuring proper security configuration and access management integration
•Performed audits on EMR (Electronic Medical Records) access, managed security rights through backend EMR systems, ensuring HIPAA compliance and proper access controls