You will be a key contributor in our Privileged IAM platform, blending development, SRE/operations, and security practices to build and maintain our Privileged IAM products. This position requires a candidate capable of managing concurrent and complex development and operational tasks, implementing secure, scalable, automated, and resilient access controls, automating security tasks, and ensuring operational excellence across the platform. You'll work in a hybrid (cloud and prem) Privileged IAM environment, understanding how different PAM systems might coexist or integrate across our enterprise.

Due to the business-critical and global nature of the ePAM platform, this position provides an outstanding opportunity to engage with, deliver value and gain exposure to Global business units, JVs and Technology teams, including Ford Credit, Ford Pro and Model e, Ford Blue, Manufacturing, EPEO, Application Employee Experience, Enterprise Connectivity/Network teams and Cyber Defense.

Responsibilities:

Secure IAM/PAM Architecture & Implementation

• Design & Build: Design scalable Privileged IAM solutions, enforcing the principle of least privilege. You will specifically manage and configure Google PAM, Entra ID PIM, and Microsoft Intune PAM tools.

• Hybrid Integration: Implement solutions for privileged accounts across hybrid environments (GCP, Entra, BeyondTrust PasswordSafe). Utilize cloud-native services (e.g., Secret Manager) while integrating enterprise PAM tools.

• Risk Mitigation: Conduct technical security reviews to identify identity-related risks and single points of failure early in the architectural lifecycle.

Automated Security & DevSecOps (SRE Integration)

• Infrastructure as Code: Embed validation for IAM/PAM configurations directly into CI/CD pipelines using IaC tools (Terraform) to prevent insecure deployments.

• Security Automation: Programmatically automate critical tasks,including credential rotation, access reviews, and compliance checks,championing "Security as Code."

• API Development: Utilize APIs to develop solutions and collect identity-related data to automate operations in a hybrid environment.

Observability, Incident Response & System Health

• Monitoring: Implement observability solutions (metrics, logs, traces) using tools like Dynatrace and Cloud Monitoring to analyze system health and detect malicious activity.

• Incident Management: Lead the investigation and resolution of security and reliability incidents, applying SRE practices to minimize Mean Time To Detect (MTTD) and Recover (MTTR).

• Maintenance: Maintain the operational health and performance of the PAM infrastructure, ensuring stability across integrated systems.

Governance, Compliance & Collaboration

• Strategy & Compliance: Evolve the IAM/PAM posture to meet internal standards and external compliance requirements (SOC 2, ISO 27001).

• Knowledge Sharing: Provide guidance on secure credential handling and application interaction to engineering and operations teams.

• Documentation: Create high-quality documentation, including architecture diagrams, system runbooks, and risk assessments.

Our preferred requirements:

• PAM Expertise: Experience with Privileged Access Management solutions from BeyondTrust or CyberArk, specifically workforce Privileged credential/password management.

• Automation & Scripting: Strong experience with scripting/programming languages (Python, Golang, BASH, PowerShell) and utilizing APIs (including Microsoft Graph API) for automation and solution development.

• Problem Solving: Proven ability to independently identify, analyze, and solve complex technical and operational problems with minimal oversight.

• Communication: Strong written and verbal communication skills with a high degree of attention to detail.

• SRE Principles: Solid understanding of Site Reliability Engineering practices (SLOs/SLIs, toil reduction, incident response).

• Cloud IAM: Strong practical experience with Cloud Identity and Access Management (IAM) concepts (roles, policies, service accounts) and related security services.

• CI/CD & IaC: Experience with pipeline development, Infrastructure as Code, and Terraform.

• Cloud Core Services: Hands-on experience with core cloud platform components across major providers (AWS, Azure, or GCP).

• Containerization: Experience with Docker and Kubernetes/GKE.

• Observability: Experience with monitoring tools (Dynatrace, Cloud Audit Logs).

Nice to have:

• Understanding of Enterprise security domains with a strong emphasis on Identity and Access Management and Cloud Security.

• Familiarity with Microsoft Entra Privileged Access Management.

• Experience with Perl programming/scripting.

• Familiarity with security risk assessment methodologies and compliance frameworks (SOC 2, ISO 27001)

XML job scraping automation by YubHub

Key Responsibilities:

• Design, automate, and operate the IAM, account/subscription, and project lifecycle across AWS, Azure, and GCP, enforcing least-privilege and standardized access patterns at scale.

• Review, implement, and continuously improve cloud identity and access policies (IAM, Okta, Opal) to align with Databricks security standards and audit requirements.

• Build and maintain reliable, observable automation and tooling to apply cloud changes (roles, policies, accounts, networking) safely and repeatedly.

• Treat operational and security issues as software problems: eliminate toil, drive root-cause analysis, and codify fixes into infrastructure and tooling.

• Own and improve security and audit logging data pipelines from cloud providers into our internal systems, ensuring timely, accurate data for detection, investigations, and audits.

• Partner with Security, Compliance, and Audit teams to provide evidence, clarifications, and policy updates that keep our environments aligned with evolving standards.

• Operate and improve specialized, highly regulated environments (e.g., FedRAMP / GovCloud) including release management, patching cadences, and supporting secure access workflows (e.g., SAW).

• Ensure high availability and resiliency for critical security and access infrastructure across these environments.

• Participate in a 24x7 on-call rotation for high-severity incidents impacting cloud accounts, IAM, or security data pipelines.

• Act as a key partner to product engineering, security engineering, and field teams during incidents to restore service and harden systems for the future.

Requirements:

• Candidates must be eligible for a Top Secret / Sensitive Compartmented Information (TS/SCI) security clearance.

• Possession of a current polygraph (Counterintelligence or Full Scope) is highly desired and considered a significant plus.

• Education- BS, MS, or PhD in Computer Science, Engineering, or a related technical field, or equivalent practical experience.

• Experience: 12+ years of experience, including leading the strategy for cloud IAM, account architecture, or security-critical infrastructure across multiple environments or business units.

• Cloud & Infrastructure Expertise

• Deep hands-on experience with at least one major cloud provider (AWS, Azure, or GCP) in areas such as IAM, networking, accounts/subscriptions/projects, and audit logging.

• Strong background in Infrastructure-as-Code and automation (e.g., Terraform, CloudFormation, or similar) and CI/CD for infrastructure changes.

• Security & Compliance Mindset

• Proven experience working in or with security-sensitive or regulated environments (e.g., SOC2, FedRAMP, ISO 27001, financial services, public sector) and translating requirements into concrete technical controls.

• Familiarity with access review processes, policy baselines, and audit evidence for cloud environments.

• Operational Excellence

• Demonstrated success running high-availability, security-critical services, including on-call responsibilities and incident management.

• Strong debugging and problem-solving skills across distributed systems, with the ability to navigate ambiguous issues spanning multiple teams and platforms.

Preferred Qualifications:

• Experience with Okta, Opal, or similar identity/access tooling.

• Background operating secure admin workstations (SAW) or comparable hardened access patterns.

• Experience migrating cloud accounts or subscriptions during M&A or large-scale reorganizations.

XML job scraping automation by YubHub