Security Architect (IAM Focused)

Artech LLC

New York, NY

JOB DETAILS
SALARY
$80–$85 Per Hour
LOCATION
New York, NY
POSTED
2 days ago

Position: Security Engineer/Architect (IAM Focus)
Location: New York or Pittsburgh (Remote flexibility available)
Duration: 12 months
Pay Rate: $80 - $85/Hr on W2


Overview:
BNY is seeking a hands-on Security Engineer/Architect to design, implement, and govern identity and access management for a FedRAMP-compliant Azure environment using native Client security tooling. You will own the IAM architecture and control lifecycle—policy design, privileged access, identity threat protection, lifecycle governance, and evidence generation—ensuring NIST SP 800-53 control coverage and audit readiness. This role partners with platform engineering, SecOps, risk/compliance, and 3PAOs, and requires the ability to dive deep into native Azure capabilities while setting a scalable, standards-driven architecture.

Key Responsibilities

Architecture and Design (IAM Focus)
• Define and maintain Azure IAM architecture and guardrails: tenant segmentation, RBAC strategy, least privilege, managed identities, Conditional Access, and Just-In-Time access via PIM.
• Establish standardized access patterns for workloads, service principals, Managed Identities, and human identities across multi-tenant/multi-subscription Azure footprints.
• Design and enforce secure key/secret management using Azure Key Vault (FIPS 140-2 validated modules), including rotation, access policies, and monitoring.
• Integrate identity threat protection signals (Entra ID Protection, Defender for Identity) into detection and response workflows; ensure coverage for high-risk scenarios (privilege escalation, token theft, MFA fatigue, legacy protocols).

Implementation and Control Enforcement
• Build and maintain Azure Policy/Blueprints to enforce IAM baselines (e.g., MFA requirements, disallow legacy auth, privileged role constraints, Key Vault access policies, managed identity usage).
• Configure Conditional Access, Authentication Strengths, and token controls; manage role assignments, custom roles, and privileged workflows consistent with FedRAMP requirements.
• Drive onboarding of identities and applications to native controls; integrate with CI/CD pipelines for pre-deployment checks and policy-as-code control inheritance.

Must Haves
• 7+ years in security engineering/architecture, with 3+ years focused on IAM in Azure using native tooling.
• Deep hands-on experience with Entra ID (Azure AD), RBAC, PIM, Conditional Access, Managed Identities, and Key Vault, including policy design and enforcement at scale.
• Practical knowledge of FedRAMP baselines (Moderate/High), NIST SP 800-53 control families, and audit/assessment processes; experience contributing to SSP/ConMon evidence.
• Strong proficiency in Azure Policy/Blueprints and policy-as-code approaches; experience embedding controls into CI/CD.
• Ability to design high-fidelity detections and automate incident response for identity threats using Sentinel and Logic Apps.
• Excellent documentation and communication skills for control narratives, runbooks, access governance procedures, and executive status reporting.
• Bachelor's degree in Information Security, Computer Science, Information Systems, or a related field; equivalent experience considered.

Nice to Have
• Experience operating in Azure Government or GCC High tenants and an understanding of telemetry/control nuances in those environments.
• Background in Zero Trust principles, privileged identity strategy, and secure service-to-service authentication patterns.
• Familiarity with Client Purview and data access governance for sensitive workloads.
• Scripting/automation skills (KQL, PowerShell, Bicep/Terraform basics) to manage identities, enforce policies, and generate evidence.
• Certifications: AZ-500 (Azure Security Engineer Associate), SC-300 (Identity and Access Administrator), SC-200 (Security Operations Analyst), CISSP/CCSP, or equivalent.
