Identity Security DevOps Engineer
Job ID: 60935
As part of the Security Identity and Access Management team, we are hiring a DevSecOps Engineer with a primary technical focus on Privileged Access Management, including Cloud IAM. This role offers an exciting opportunity to apply your strong engineering skills to critical security challenges, helping secure our vital on-prem, cloud, and hybrid environments.
You will be a key contributor to our Privileged IAM platform, blending development, SRE/operations, and security practices to build and maintain our Privileged IAM products. This position requires a candidate capable of managing concurrent and complex development and operational tasks, implementing secure, scalable, automated, and resilient access controls, automating security tasks, and ensuring operational excellence across the platform. You'll work in a hybrid (cloud and on-prem) Privileged IAM environment, understanding how different PAM systems might coexist or integrate across our enterprise.
Due to the business-critical and global nature of the ePAM platform, this position provides an outstanding opportunity to engage with, deliver value and gain exposure to Global business units, JVs and Technology teams, including Ford Credit, Ford Pro and Model e, Ford Blue, Manufacturing, EPEO, Application Employee Experience, Enterprise Connectivity/Network teams and Cyber Defense.
Position Responsibilities
1. Secure IAM/PAM Architecture & Implementation
Design & Build: Design scalable Privileged IAM solutions, enforcing the principle of least privilege. You will specifically manage and configure Google PAM, Entra ID PIM, and Microsoft Intune PAM tools.
Hybrid Integration: Implement solutions for privileged accounts across hybrid environments (GCP, Entra, BeyondTrust PasswordSafe). Utilize cloud-native services (e.g., Secret Manager) while integrating enterprise PAM tools.
Risk Mitigation: Conduct technical security reviews to identify identity-related risks and single points of failure early in the architectural lifecycle.
2. Automated Security & DevSecOps (SRE Integration)
Infrastructure as Code: Embed validation for IAM/PAM configurations directly into CI/CD pipelines using IaC tools (Terraform) to prevent insecure deployments.
Security Automation: Programmatically automate critical tasks—including credential rotation, access reviews, and compliance checks—championing "Security as Code."
API Development: Utilize APIs to develop solutions and collect identity-related data to automate operations in a hybrid environment.
3. Observability, Incident Response & System Health
Monitoring: Implement observability solutions (metrics, logs, traces) using tools like Dynatrace and Cloud Monitoring to analyze system health and detect malicious activity.
Incident Management: Lead the investigation and resolution of security and reliability incidents, applying SRE practices to minimize Mean Time To Detect (MTTD) and Recover (MTTR).
Maintenance: Maintain the operational health and performance of the PAM infrastructure, ensuring stability across integrated systems.
4. Governance, Compliance & Collaboration
Strategy & Compliance: Evolve the IAM/PAM posture to meet internal standards and external compliance requirements (SOC 2, ISO 27001).
Knowledge Sharing: Provide guidance on secure credential handling and application interaction to engineering and operations teams.
Documentation: Create high-quality documentation, including architecture diagrams, system runbooks, and risk assessments.
Our preferred requirements:
PAM Expertise: Experience with Privileged Access Management solutions from BeyondTrust or CyberArk, specifically workforce Privileged credential/password management.
Automation & Scripting: Strong experience with scripting/programming languages (Python, Golang, BASH, PowerShell) and utilizing APIs (including Microsoft Graph API) for automation and solution development.
Problem Solving: Proven ability to independently identify, analyze, and solve complex technical and operational problems with minimal oversight.
Communication: Strong written and verbal communication skills with a high degree of attention to detail.
SRE Principles: Solid understanding of Site Reliability Engineering practices (SLOs/SLIs, toil reduction, incident response).
Cloud IAM: Strong practical experience with Cloud Identity and Access Management (IAM) concepts (roles, policies, service accounts) and related security services.
CI/CD & IaC: Experience with pipeline development, Infrastructure as Code, and Terraform.
Cloud Core Services: Hands-on experience with core cloud platform components across major providers (AWS, Azure, or GCP).
Containerization: Experience with Docker and Kubernetes/GKE.
Observability: Experience with monitoring tools (Dynatrace, Cloud Audit Logs).
Nice to have:
Understanding of Enterprise security domains with a strong emphasis on Identity and Access Management and Cloud Security.
Familiarity with Microsoft Entra Privileged Access Management.
Experience with Perl programming/scripting.
Familiarity with security risk assessment methodologies and compliance frameworks (SOC 2, ISO 27001).
GCP Core: Specific hands-on experience with GCP components such as Cloud Resource Hierarchy, Pub/Sub, Cloud Run, Cloud Tasks, and Cloud Scheduler.
Bachelor’s degree in Computer Science, Information Technology, Identity and Security Assurance
5+ years of total IT experience.
3-5 years of Enterprise Security Engineering or Operations experience.
2+ years of IT DevOps experience.