Job description
Job Responsibilities
1. IAM System Construction and Operation
● Responsible for the planning, construction, and daily operation of the company's identity and access management system, including user lifecycle management, authentication, authorization, and role permission governance.
● Promote the implementation and optimization of Single Sign-On (SSO), Multi-Factor Authentication (MFA), and unified identity directories (such as LDAP, AD, Azure AD).
● Design and implement permission management strategies based on the principle of least privilege, and conduct regular permission compliance audits.
2. Privileged Access Management (PAM)
● Build and maintain a privileged account management system (PAM) that covers core assets such as servers, databases, network devices, and cloud consoles.
● Implement privileged account inventory and management, regular password rotation, session auditing, command interception, and alerting on high-risk operations.
● Work with operations, database, cloud platform, and other teams to roll out "zero standing privilege" and "just-in-time elevation" mechanisms.
3. Account Security Governance
● Establish a unified account security baseline to manage various types of accounts, including employee, third-party, service accounts, and machine identities.
● Regularly run account and permission clean-ups to eliminate risks such as dormant (zombie) accounts, shared accounts, weak passwords, expired permissions, and excessive authorizations.
● Design and implement rules for detecting abnormal account behaviors (such as abnormal logins, unauthorized access attempts, and access outside of working hours).
4. Security Operations and Incident Response
● Monitor identity and access-related logs, analyze security incidents such as account breaches, unauthorized access, and abnormal configuration changes.
● Participate in emergency response to security incidents, providing forensic analysis and improvement plans.
● Regularly conduct internal red-blue exercises or penetration tests covering identity, permission, and change-related attack paths.
5. Security Capability Building and Automation
● Integrate identity security, PAM, and change security controls into CI/CD, cloud infrastructure, and IT service management processes.
● Write automation scripts or policies to achieve permission compliance checks and account lifecycle automation.
● Build and visualize identity security metrics (such as MFA coverage, the share of privileged accounts under PAM management, and the ratio of excessively granted permissions).
Job Requirements
Basic Requirements
● Bachelor's degree or above in computer science, information security, or related fields, with more than 3 years of security work experience.
● Familiar with identity and access control standards and frameworks, such as zero trust architecture, least privilege, RBAC/ABAC, and SoD (Separation of Duties).
● Practical experience in building or operating IAM or PAM products (commercial products such as CyberArk, BeyondTrust, SailPoint; open-source products like Keycloak, etc.).
Key Technical Skills
● Identity Security: Mastery of protocols such as LDAP, OIDC, SAML, OAuth2, SCIM, and understanding of implementation methods for SSO, MFA, and user directory synchronization.
● PAM: Familiarity with the core capabilities of privileged account discovery, management, password rotation, auditing, and session recording, as well as an understanding of Just-In-Time (JIT) privilege elevation and break-glass emergency access mechanisms.
● Account Security: Experience in establishing account baselines, account auditing, and anomaly detection (UEBA), with knowledge of service account and machine identity management.
Platforms and Tools
● Familiar with IAM capabilities across multiple cloud platforms (AWS/Azure/AliCloud), such as identity policies, service accounts, and access analyzers.
● Basic scripting skills (Python/Shell/Go) to interface with APIs for automation tasks.
● Experience with SIEM or log analysis (such as Splunk, ELK, DataDog), capable of writing queries and alert rules.
Soft Skills
● Ability to effectively communicate security requirements and control measures with operations, development, compliance, and business departments.
● Sound risk judgment, with the ability to make reasonable trade-offs between security and efficiency.
● Experience with security compliance at SFC- and HKMA-regulated licensed institutions is preferred.
