Depository Trust & Clearing Corporation (DTCC)
Cybersecurity IAM Architect
10/2023 - 06/2025
acted as the IAM Architect for DTCC’s Workforce and CIAM infrastructure supporting various technologies such as Azure AD / Entra ID, Okta, Ping Identity, CyberArk
built out a PoC for new-hire onboarding using Ping DaVinci to orchestrate registration of prospective new hires from Oracle HCM into an Azure AD / Entra ID (B2B) external tenant & External Identities, which allowed users to enroll with a social identity or email
set up and tested Entra ID authentication methods such as FIDO2 & Temporary Access Pass for passwordless login using YubiKey, Microsoft Authenticator, and SMS/Voice/Email OTP
assisted with the requirements gathering, architecture design and PoC efforts for CyberArk Privilege Cloud as part of DTCC’s Workforce PAM effort to replace Bravura
worked with DTCC’s Platform Engineering, Mainframe, DBA, Web Security and Cloud Hosting teams to evaluate CyberArk integration capabilities
coordinated with PAM Engineering team to test CyberArk’s Privileged Session Manager (PSM) for session monitoring, recording and session isolation
coordinated with PAM Engineering team to test Central Policy Manager (CPM) for password verification and rollovers
evaluated CyberArk Conjur capabilities via REST API interface using Postman
evaluated CIEM solutions such as CyberArk Secure Cloud Access and Entra ID PIM
assisted with the requirements gathering, architecture design and PoC efforts for Okta’s Universal Directory as part of DTCC’s Workforce ID Consolidation efforts
provided valuable input into the proposed design for DTCC’s CIAM redesign, consolidating disparate systems into a single CIAM solution using Okta’s Universal Directory
conducted Proof of Technology demos with SailPoint for potential IGA implementation for Workforce and CIAM
configured AWS EventBridge with AWS SQS to send real-time log data
wrote an AWS Lambda function to export findings to an S3 bucket to be retrieved by GCP Chronicle
configured Azure Sentinel to collect data from various connectors and send data from the Azure workspace to Google Chronicle for ingestion
Office of the Chief Technology Officer (OCTO)
IAM Engineer
01/2018 - 09/2023
acted as the Office of the Chief Technology Officer’s (OCTO) Identity & Authentication Engineer, whose primary duties included evaluating existing technologies within the infrastructure and recommending new solutions to improve the security, effectiveness and usability of the infrastructure (Workforce & CIAM)
managed the SecureAuth (IIS/.NET-based) Identity Provider (B2B/B2C) authentication service
configured SecureAuth to authenticate users against user data stores composed of LDAP (Lightweight Directory Access Protocol) servers such as Active Directory and Active Directory Lightweight Directory Services (AD LDS), and data stores composed of databases (MS SQL)
onboarded hundreds of applications (.NET, Java, SaaS) onto Identity Providers (SecureAuth, Azure AD / Entra ID, DUO) using SAML, OIDC (OpenID Connect) and NTLM
managed SecureAuth’s PKI lifecycle (SSL & signing certificate request/renewal/deployment, certificate expirations/revocations, change coordination with dependent application teams)
devised and implemented multiple workflows incorporating various Strong Authentication factors such as username/password, Multi-Factor Authentication (MFA), Adaptive Authentication and Behavioral Biometrics with various authentication protocols such as SAML, OIDC, WS-Fed, RADIUS, NTLM and APIs (.NET & Java)
managed Duo Cloud SSO & MFA for admin login into various infrastructure systems that required elevated administrative privileges (Windows, Linux and network devices using Cisco ISE with Duo Auth Proxy RADIUS as an intermediary)
managed the Azure AD/Entra ID (B2B) environment and migrated SAML/OIDC applications from SecureAuth
configured the SecureAuth IdP to consume SAML assertions generated by Azure AD
configured the SecureAuth IdP to use Azure AD as a user source via the Microsoft Graph API
assisted workforce users in setting up YubiKeys for passwordless login into Azure AD
tested and validated pre-hire onboarding orchestration with Ping DaVinci in coordination with Ping Federate and PingID
managed the build-out and planned the migration of existing applications to Okta as a replacement for SecureAuth
managed and provisioned the Delinea/Thycotic Secret Server platform for Privileged Access Management (PAM) and safekeeping of service account passwords
managed the MS NPS environment to allow wireless users to access the various subnets across the District of Columbia’s agencies
set up MS NPS policies for WiFi controllers to communicate over RADIUS
handled operational duties and troubleshooting for OneLogin and the OneLogin LDAP Connector, and the migration to the SecureAuth platform
performed multiple upgrades, migrations and maintenance on the aforementioned technologies
worked closely with the GRC team to define and implement Information Security Policy for OCTO
worked with vulnerability assessment and compliance teams to create and enforce security & compliance standards
worked closely with vendors to troubleshoot, develop proof of concepts and maintain lifecycle (deployment, operation, upgrade, migration, decommission) of managed products
assisted in forming an Operations team to handle daily operational tasks for various authentication products through training, knowledge transfer, documentation, and acting as Level 3 Support
Citi (Citigroup)
IAM Engineer
03/2016 - 12/2017
acted as one of the primary Authentication Engineers for the company, tasked with designing and maintaining the existing Security Platforms
tested and certified the R12.52 SiteMinder policy server to replace the R12 version
managed SiteMinder’s core service and SiteMinder AdminUI’s PKI lifecycle which consisted of Apache SSL certificates and Federation signing certificates
designed and deployed CA Directory server which was used to store the SiteMinder configurations, replacing the existing Oracle Directory Server
managed the CA Directory PKI and ensured the SSL handshake between SiteMinder and CA Directory occurred over LDAPS (LDAP over SSL)
managed the Oracle Directory Server (Enterprise Edition) PKI, which was used as the enterprise User Directory Server, and ensured the SSL handshake occurred over LDAPS
devised migration plans and generated migration scripts for the operations team
provided ongoing engineering support for the R12 policy server to the operations teams
worked with CA for numerous proofs of concept builds and application team integration requests for both R12.52 and R12 Policy Server versions
built and tested the proof of concept of using the CA Secure Proxy Server (SPS) as well as REST/SOAP integration
designed a migration path for applications (SAML, WS-Fed) from SiteMinder into Ping Federate
back-tested interoperability for XAuth RADIUS (OTP & challenge-response) and E2EE (end-to-end encryption using PKI)
created PowerShell scripts for post-install updates to WebAgent config files on Windows servers
resolved application vulnerability findings from penetration testing by working with developers, vendors and engineers
assisted in resolving escalated issues from operations teams and application teams
composed architecture, security design, and instructional documents
PricewaterhouseCoopers (PwC)
IAM Technical Design Architect
03/2014 - 03/2016
acted as one of the primary Technical Design Architects with a key part in designing and implementing PwC’s Identity and Access Management (IAM) infrastructure using Active Directory Federation Services (ADFS), Identity Guard, Virtual Identity Server (VIS) and Optimal Federation & Identity Services (OFIS)
cooperated with architects and vendors in designing and facilitating a parallel OFIS migration to decommission ADFS
supported the design and integration of a SaaS Authentication Service (IdentityBroker), a Forms Based Authentication (FBA) interface for Internal & External users
architected and integrated privacy & terms of use workflow into the existing External Authentication Service as part of Global Regulatory Compliance requirements
assisted in integrating Strong Authentication into the existing Internal & External Authentication Services
Strong Authentication factors included OTP via SMS, OTP via Email, OTP via mobile app, Knowledge Based Answers (KBAs), Client Certificates (X.509 PKI), and FBA using Email/Password & GUID/Password
aided in multiple design and release efforts of the Internal & External Authentication Services
worked with external organizations to implement third-party Federation using their Identity Providers (Ping Federate, SiteMinder, ADFS) to Federate into PwC hosted applications
managed the ADFS, OFIS and VIS PKI infrastructure through SSL & signing certificate expirations, renewals, revocations
worked with penetration testers and product vendors to review & remediate vulnerabilities with the Federation Services
integrated Active Directory and Oracle Directory to act as a single Virtual Enterprise Directory using VIS over LDAP (including password prioritization between the combined directories)
tested and verified numerous VIS and OFIS releases prior to infrastructure release
reviewed, approved and integrated application onboardings into the authentication services
integrated applications using industry protocols (WS-Fed, SAML, OAuth) developed using C#, ASP and Java hosted on IIS, Apache, Tomcat, JBoss, Weblogic web & application servers
composed technical documents such as Application Integration Guides, Systems Requirements Specifications (SYRS), Technical System Architecture (TSA), Standards of Procedure (SOPs), Component Installs, Upgrades and Configuration
composed presentation slides regarding IAM Services, Solutions, Strategy and Roadmap and presented to Business Heads, Solution Architects, Enterprise Architects and Directors
Information Security Experts (ISX) Consulting
IAM Engineer
01/2013 - 03/2014
acted as the primary SME for CA’s Identity and Access Management technologies which include the architecture of Strong Authentication Systems (SiteMinder) and corresponding LDAP Servers (CA Directory, Oracle Directory Server) and PKI (SSL, signing & encryption certificates)
assisted with the SiteMinder and Identity Minder build-out of the CSF (Central States Funds) environment
directed, designed and migrated the parallel R12 SiteMinder environment for the PwC (PricewaterhouseCoopers) security infrastructure
PwC’s architecture consisted of Policy Servers, Report Server, Federation, Apache/IHS/IIS WebAgents, WebSphere Application Server Agents, Oracle Directory, CA Directory, SMWalker and Authentication Override
ensured all tested cases of SiteMinder and Federation were functioning in a similar manner as the PwC R6 environment
led the Identity Minder architecture and build-out of the UB (Union Bank) Next Generation SSO project to replace the existing custom IDM environment
UB’s architecture consisted of Identity Minder, Provisioning Server, CA Directory, SiteMinder, Auth Minder and Risk Minder
architected and designed UB’s Directory Environment which consisted of Enterprise Directory, Provisioning Directory, Policy Store, Key Store, Session Store and Admin User Store
assisted with the Identity Minder Integration effort at TCCC (The Coca Cola Company)
installed and configured custom Identity Minder Reports for TCCC
Citi (Citigroup)
IAM & Windows Subject Matter Expert
01/2007 - 01/2013
played a vital role in implementing Citi's SSO infrastructure (Workforce & CIAM) components such as ADFS (Kerberos, SAML, WS-Fed), SiteMinder (SAML, session cookies, cookie providers, RADIUS), RSA SecurID (SAML & OTP), IWA (NTLM), Strong Authentication, and LDAP Directories (Oracle Directory Server, Sun ONE Directory)
collaborated with numerous system administrators, application administrators, engineers, developers & vendors to manage projects and meet deadlines
reviewed and approved web architecture designs for application development and engineering teams
acted as the project coordinator for web applications onboarding into Citi's internet & intranet shared/dedicated hosting infrastructures
assisted in onboarding applications developed using C#, ASP, Java & Perl running on IIS (.NET), Apache, IHS, OHS, WebLogic & JBoss web and application servers
oversaw the PKI infrastructure for hosted applications on the supported web/application servers (SSL cert management for IIS, Apache, WebLogic, JBoss) and the PKI infrastructure for Federation signing certificates
worked with audit and compliance teams to ensure the SSO/Windows infrastructure was up to standards
created and enforced standards for external/internal user authentication and resource authorization into the hosting infrastructure
acted as the Integration team's lead SiteMinder/LDAP expert (AIX/Linux/Solaris/Windows platforms) providing valuable advice to teammates on SSO (Single Sign-On) usage
acted as the Integrations team's head Windows Server expert (Windows 2000, 2003, 2008)
interviewed, hired and trained employees/consultants to assist with multiple projects
composed technical documents for hosting infrastructure processes, SSO setup & configuration
assisted in reviewing & remediating SSO & Windows vulnerabilities and ethical hack findings
tested and certified SSO & Windows components with engineering teams before releasing them to the infrastructure
verified and coordinated SM setups on different platforms in various data centers
helped design the SSO interface and integration for IBM DataPower
mediated and resolved disputes amongst clients, developers & support personnel
provided 24/7 level 3 support for emergency SSO related issues to an environment containing over 2,500 client web applications
Centertown Community Health Centre
System Administrator
2005-2006
acted as one of the two primary System Administrators at the organization
maintained an Active Directory user store and managed user accounts
wrote documentation for the migration of the Centre’s old Health Information Database System (Purkinje EMR, as required by Ontario’s Ministry of Health)
conducted various test cases to create the migration document through individual component testing and overall systems testing
aided in the maintenance of Windows NT, 2003 and Linux back-end servers
coordinated with Consultants from York-Med Systems Inc. and IKON Office Solutions throughout the migration phase
analyzed, tested & resolved hardware and software related issues
resolved the many IT needs of the centre’s employees
provided valuable input into the purchasing & configuring of new hardware
worked in an environment where confidentiality and data integrity were of utmost importance
Millennium Learning Centre
Project Coordinator
2001-2004
managed volunteers at workshop events
organized & scheduled workshops on general PC software usage for the local community
helped first time computer users operate PCs
administered and maintained the lab's computers
interviewed new volunteer candidates
SITEL
Information Systems Support
2004 Summer
fixed OS, Virus, and Spyware related problems
solved problems in a fast-paced environment by doing real-time research to find solutions
collected data to determine the problem(s) through root cause analysis
handled disgruntled and irate clients
troubleshot user authentication/authorization issues, assisted users with locked out accounts
repaired broken employee workstations and servers
administered and taught tutorial workshops for new employees