Mark Masias
***** ******** ***** ****, ******** Springs, CO
719-***-**** Cell: ****.******@*****.***
Objective
To find a challenging and dynamic opportunity that will allow me to utilize my diversified Technical depth and experience. I am seeking a Remote Sr Security Architect, Sr Security Analyst or Remote Sr Business Analyst position with my experience and ability to understand the Business, Functional, Technical and Security considerations for delivering Global Enterprise Projects.
March 2025 – Present – (Security Architect / Netskope SME Security Engineer - Datamtx)
Discover, analyze, build and test infrastructure for Netscaler ZIA, Forcepoint, Netskope and Azure Purview traffic and DLP deployments.
Built and validated security test scenarios, use cases and detection / response controls for Conditional Access, Intune, Purview and Defender for Cloud and endpoint environments. Conducted proof-of-concepts (POCs) for DLP (classifications, labeling / retention, data discovery within Exchange Online Teams / SharePoint (Cloud / On-Premise), OneDrive), Cloud CASB and Endpoint tools. Netskope: Hands-on Netskope SME with expertise in post go-live stabilization, real-time policy tuning, access troubleshooting, SWG/CASB optimization and platform health management.
Netskope: analyzed, designed and built out Netskope SaaS Services multiple times, building rules, configuring and deploying agents, performing diagnostics, running CCI reports, evaluating web traffic and setting up access for internal / external cloud services and usage. I have built runbooks and architecture documentation to support Netskope, including EDR solutions (CrowdStrike). Assessed a tenant-to-tenant SharePoint Cloud migration and worked with a team to build a migration plan / cut-over. Assessed usage, permissions, retention, active and inactive sites and resources.
Detection / response: detections and responses, and integrating these detections into client incident response infrastructure, using Azure Governance and ticketing systems such as ServiceNow.
July 2022 – March 2025 – (Security Architect / Netskope SME Security Engineer - Marriott)
Led the discovery and analysis of business and technical requirements for implementing security controls across SaaS platforms and cloud hypervisors (Azure, AWS, OCI).
Developed business and functional, technical, and operational requirements to align with business objectives and regulatory compliance.
Built and validated security test scenarios and use cases for cloud and endpoint environments. Conducted proof-of-concepts (POCs) for CASB and Endpoint tools including EDR solutions CrowdStrike.
Identity, Authentication & Access Management (IAM)
Contributed to enterprise authentication architecture and implementations including Active Directory, Entra ID (formerly Azure AD), MFA (Ping, customized policies).
IAM & RBAC: Okta, Ping Identity, Entra ID and Azure PAM: Maintain infrastructure, patching updates, connectivity, identities / entitlements, process / workflows, security policies, reporting and interconnections to ticketing systems.
Collaborate with product managers, security engineers, and business success to translate requirements into secure, usable features.
Design, implement, and maintain Ping identity and access management features for cloud and on-premises products.
Build and test secure authentication protocols, lifecycle management, and federation connectors.
Troubleshoot production incidents, perform root-cause analysis, and deploy fixes or mitigations.
Delivered secure authentication and authorization features that reduced time-to-access and support cost for internal enterprise development efforts.
Supported integration of advanced access management technologies; designed, built, deployed and tested: SSO, PAM (Delinea, SailPoint, CyberArk and Defender, assigned roles, policies, entitlement workflows, monitoring / reporting).
Onboarded applications and deployed security agents, configuring role-based access policies for users and groups via PowerShell and Python automation.
Monitored logs and investigated policy violations with detailed reporting.
Conducted risk assessments using Qualys, built remediation plans in Kenna, and tracked risks through ServiceNow GRC. Developed and maintained technology and process-specific risk profiles.
IAM Lifecycle & Access Governance
Assessed access and risk through Oracle Role Manager and custom IdM workflows; developed access provisioning and governance runbooks.
Built and optimized identity groups and policies for Azure Access Controls (MAM/WAF-Imperva, F5 and Fortinet).
Provided support and updates for integrated HR, payroll, and workforce management modules; facilitated mobile app integrations and publishing via Azure.
Developed custom parsers and data identifiers to support identity provisioning and access workflows.
Cloud & Endpoint Security Technologies
Managed and supported technologies including Azure Purview, Microsoft Defender XDR, Intune (MDM/MAM), Citrix, Zscaler (ZIA /ZPA), Exabeam, CrowdStrike, and custom detection/response scripting and investigations.
Led a team of engineers in migrating DLP rules to Azure Purview from Forcepoint to Netskope; analyzed, designed and built out Netskope SaaS Services multiple times, building rules, configuring and deploying agents, performing diagnostics, running CCI reports, evaluating web traffic and setting up access for internal / external cloud services and usage. I have built runbooks and architecture documentation to support Netskope.
Built and validated security test scenarios, use cases and detection / response controls for Conditional Access, Intune, Purview and Defender for Cloud and endpoint environments. Conducted proof-of-concepts (POCs) for DLP (classifications, labeling / retention, data discovery within Exchange Online Teams / SharePoint (Cloud / On-Premise), OneDrive).
Maintained controls for Exchange Online, OneDrive for Business and SharePoint (Cloud / On-Premise), usage and retention. Monitored orphaned sites, resources used, archives and expansive permissions.
Built customized event forwarding and logging for SIEM platforms (Cribl – analyze and optimize event streams, traffic flows using automated scripting, troubleshoot SIEM ingestion for: QRadar, Splunk).
Maintained integrations and customizations across security orchestration and automation platforms: Cortex XSOAR, QRadar SOAR, ServiceNow, Bluecoat / Forcepoint, Exabeam, CrowdStrike, Carbon Black (customizations and investigations).
August 2018 – July 2022 – (Sr Security Engineer - Trinity Health)
Led the discovery, analysis, and documentation of business processes and security requirements for implementing cloud and infrastructure security controls across SaaS environments, including Azure (CA, Intune, Defender and Purview), AWS (app migrations, virtualization and storage management). Translated technical, functional, and operational requirements into actionable controls aligned with frameworks such as HITRUST, HIPAA (HITECH), NIST 800-53, and cloud security best practices.
Designed and tested use cases, scenarios, and security policies to safeguard hypervisor-based SaaS infrastructure.
Cloud Security Stack & Infrastructure Support
Primary focus on securing SaaS platforms and cloud-native applications through integration, monitoring, and optimization of advanced technologies:
Cloud Security Controls: (SAP, CRM, Lawson, and HRIS), Azure Purview, Microsoft Defender XDR, Intune (MDM/MDE), F5, Imperva and Fortinet WAF, Netskope, Zscaler (ZIA / ZPA), Cribl – configure, optimize event streams, traffic flows and troubleshoot SIEM ingestion for: QRadar, and email security solutions (IronPort, Abnormal).
IAM & RBAC: Okta, Ping Identity, SAP, HRIS systems. Maintain infrastructure, patching updates, connectivity, Identities / entitlements, process / workflows, security policies, reporting and interconnections to ticketing systems.
Collaborate with product managers, security engineers, and business success to translate requirements into secure, usable features.
Design, implement, and maintain Ping identity and access management features for cloud and on-premises products.
Build and test secure authentication protocols, lifecycle management, and federation connectors.
Troubleshoot production incidents, perform root-cause analysis, and deploy fixes or mitigations.
Delivered secure authentication and authorization features that reduced time-to-access and support cost for internal enterprise development efforts.
Access & Authentication: Deployed and configured access control mechanisms using Entra ID (Azure AD), MFA, conditional access. Supported PAM tools (Delinea, SailPoint, CyberArk). Assigned roles, policies, entitlement workflows, monitoring / reporting.
Security Engineering, Monitoring & Customization
Built and maintained custom detection rules, parsing logic (Regex, PCRE), and integration scripts (PowerShell, Python) across CASB, Bluecoat / Websense SIEM, and UBA systems.
Customized and optimized alert/event handling for Cortex XSOAR, Exabeam, and QRadar UBA SOAR, customizing existing data discovery, generators and Python scripting, with deep focus on detection logic, response workflows, and enriched SIEM.
Migrated and optimized legacy DLP rules and policies (McAfee EPO, Bluecoat / Websense, Skyhigh) into Azure Purview and Netskope, improving data visibility and policy enforcement.
Data Governance / DLP
Built and validated security test scenarios, use cases and detection / response controls for Conditional Access, Intune, Purview and Defender for Cloud and endpoint environments. Conducted proof-of-concepts (POCs) for DLP (classifications, labeling / retention, data discovery within Exchange Online Teams / SharePoint (Cloud / On-Premise), OneDrive).
Security Operations, Incident Response & Reporting
Conducted real-time monitoring and response for security events across EDR (SentinelOne, CrowdStrike), UBA, and email threat detection platforms.
Developed Exchange-specific detection rules and parsing for Abnormal Security, FireEye, and IronPort.
Participated in security incident triage, root cause analysis, and mitigation planning, responding to alerts and building queries to enhance threat visibility.
Delivered scheduled and ad-hoc security and compliance reports to leadership and auditors.
Authentication Troubleshooting & Customization
Troubleshot and supported Active Directory and Entra ID authentication flows for hybrid cloud and conditional access models.
Developed custom authentication domains and managed service channels for secure communications.
Maintained entitlement watchlists and researched complex access violations as part of Incident Response (IR) and GRC reporting.
Experience
Jan 2017 – July 2018 – (Sr Security Engineer - Cigna)
Led the discovery, analysis, and development of business, technical, and security requirements to implement robust controls across SaaS platforms (Azure, AWS, GCP).
Focused on securing hypervisors, cloud-hosted applications, and external/internal CASB traffic using (Imperva, F5, WordPress) by designing and deploying targeted countermeasures, threat detection strategies, and transition plans for cloud migration.
Evaluated cloud service transitions (e.g., Office 365, SAP, CRM) and integrated authentication mechanisms to ensure secure onboarding and interoperability with existing infrastructure.
Defined and implemented technical, functional, and security requirements for Office 365, ATP, DLP, Active Directory, and cloud applications, prioritizing sensitive assets and regulatory compliance.
Designed and deployed Netskope infrastructure including classification baselines, detection/response policies, and integrations with ServiceNow, Exabeam, Splunk, and CrowdStrike.
Built and optimized custom detections and data identifiers for Netskope, Microsoft Purview, and Exabeam; automated incident response and reporting workflows.
Conducted Active Directory audits to assess and enforce Role-Based Access Control (RBAC), eliminate shared accounts, and implement privileged access monitoring.
Created remediation plans for high-risk SaaS environments based on internal security assessments and compliance frameworks.
Jan 2016 – Jan 2017 – (Sr Security Engineer - Wells Fargo)
Cloud Security & Infrastructure SaaS Migration Compliance & Risk Management
Led the discovery, analysis, and documentation of business, technical, and security requirements for migrating and securing critical SaaS applications (Azure, AWS, GCP).
Focused on consolidating sensitive business applications into centralized cloud infrastructures and implementing security controls to meet regulatory compliance (SOX, HIPAA, HITECH/HITRUST).
Conducted application risk assessments for Oracle, SAP, ERP, CRM, Lawson, and HRIS systems (handling PII, PHI, and corporate data) to evaluate and mitigate security risks, focusing on Identity and Access Management (IAM) and Role-Based Access Control (RBAC).
Documented firewall and network traffic flows (Checkpoint, Cisco PIX, Netscreen) and created data loss prevention strategies, integrating them into incident response workflows to ensure compliance with security standards and regulatory requirements.
Developed forensic audit security remediation plans for infrastructure in line with PCI, HIPAA, and SOX controls and internal security frameworks.
Analyzed, created, and reviewed business, technical, and functional requirements for Netskope cloud applications, upgrading instances, implementing distributed appliance deployments, and ensuring smooth integration into existing cloud environments.
Led the integration of CyberArk (Active Directory / Unix), maintaining infrastructure, monitoring events, and managing privileged access profiles.
Managed QRadar SIEM infrastructure, including custom parsing, query development, event collection, and incident response. Created detailed security reports and responded to triage requests.
Key Technologies:
SaaS Platforms: Azure, AWS, GCP
Security Tools: Netskope, Bluecoat / Websense, CyberArk, QRadar, RSA Archer
Compliance: PCI, HIPAA, SOX, HITRUST
IAM & RBAC: Okta, Oracle, SAP, ERP, CRM, HRIS systems. Maintain infrastructure, patching updates, connectivity, Identities / entitlements, process / workflows, security policies, reporting and interconnections to ticketing systems.
December 2013 – December 2015 – (Business Analyst / Sr Security Analyst - State Street Bank)
I led the discovery, analysis, and documentation of business and technical requirements for migrating and upgrading datacenter infrastructure across multiple US-based locations.
Responsible for transitioning IBM Px servers to P7 and iSeries environments, including planning and executing migration strategies.
Developed and implemented test scenarios and use cases for migrating servers and applications, ensuring alignment with security and functional requirements.
Created and managed cutover plans for server migration, including updates to firewalls, routers, switches, proxies, and load balancers.
Security Risk Management & Compliance
Identified, documented, and secured entitlements for applications, services, and databases (Local Storage, SAN, NAS) through tools, processes, and procedures.
Collaborated with business units to create and implement remediation plans for identified security risks.
Conducted security audits and participated in incident response activities, providing root cause analysis (RCA) and suggesting improvements to network and security designs.
Developed Disaster Recovery and Incident Response plans, incorporating Tripwire best practices and aligning with compliance frameworks.
Identity & Access Management (IAM)
Managed IAM solutions like Thycotic, CyberArk, and SSO (Federation), focusing on RBAC and Privileged Access Monitoring.
Administered and monitored Active Directory integrations with Unix, maintaining security profiles, vaults, and generating reports.
Deployed security agents and maintained IAM policies across key applications and infrastructure systems, including Oracle, SAP, CRM, ERP, SQL, and MySQL.
Cloud & Endpoint Security
Monitored and managed Netskope CASB tools, DLP processes, and Azure security measures to protect cloud environments.
Ensured the security of VMware, Citrix, AWS, OpenStack, and O365 environments.
Dec 2010 – Dec 2013 – (Sr Security Architect Analyst - IBM)
Delivered Global Enterprise Security Project Solutions to IT Managed Services customers.
I established or implemented security controls for DuPont, United Launch Alliance and John Deere.
Project scope:
o Research business, technical, functional security risks based on networks and identification segregation and security.
o Created, reviewed and analyzed change requests for networks and firewalls aligned with project deliverables.
o Participated in Change Incident and escalations when needed.
o Security Disaster Recovery / Incident response best practices. Participated in incident response events using (Loglogic, Splunk and SumoLogic) to determine RCA and suggested improvements to network and security design.
o Performed VLANing network segmentation objectives focusing on Security.
o Performed Pen tests and VA Assessments using and built gap and risk remediations for changes and directed firewall changes incident responses.
o Analyzed, standardized and improved Datacenter Server provision using VMWare Securing Information Rights Management (SAN, NAS, DR and BR) for instances.
o Researched and developed VMWare and Cloud Proof of Concept for desktop optimization for (Windows 7 / 10).
o Technologies in scope:
VMware, Citrix, Azure / Openstack, AWS, Luna / Rackspace, Office / o365
Oracle, SQL, MySQL
Oracle, SAP, ERP, and CRM
Proventia IDS / IPS for ECM
IdM, SSO (federation)
March 1998 – April 2010, (Sr Systems Security Analyst - Verizon Business)
I defined and assessed enterprise and datacenter support projects from Verizon Managed Security Services Product Development.
Project scope:
o Subk, build MS Project WBS and negotiate project finances (SAP / ERP Systems – subsystems). Negotiate vendor SOWs to create and ensure product / technology support.
o Work with enterprise applications and datacenter network call center security groups to engineer and optimize Verizon’s customer service solutions consisting of 3rd party security product offerings such as:
Cisco (Security Manager, Firewall, Intrusion Detection & Protection).
Netscreen (Security Manager, Firewall, Intrusion Detection).
Nokia (IPSO / Checkpoint NG), Sidewinder (Enterprise Manager, Firewall).
Websense (URL Filtering), Qualys & Trendmicro (Anti-Virus Management System), Message Labs (Secure Managed e-Mail).
o I assisted in firewall re-designs and WAN redesigns to support Verizon’s security solutions to support these technologies.
o I defined and assessed enterprise Security Operation Center and Network Operation Center ITIL, COBIT, CMMI change controls detailing project dependencies and system requirements using Octave practices / principles.
o I used PCI / SOX and HIPAA compliances, Qualys and Configuresoft ECM scanning tools to baseline, test, analyze, measure and improve all-around security controls based on Octave, NIST 800-27 practices / principles.
Education:
Associates Pending - Advanced Computer Science at Colorado Technical University, Colorado Springs, CO
Certifications:
AWS Certified Security Specialty SCS-C02
Azure Information Protection SC-400
Microsoft 365 Purview AZ-400
Azure Fundamentals AZ-900
Azure Introduction to Cloud Security
Windows 7 – 10 - MCSA
Windows 2008 / 2012 AD Admin CCTI 2012
Cisco: ICND, BCRN ITIL - 2008
Checkpoint 2000 System / Security - 2014
Checkpoint NG Administrator - 2014
MCNS - 2016
CCNA - 2010
CISSP 2018
PMP (Pending)
CBAP (Pending)