Job description
I. Job Responsibilities
1. Identity and Access Management Operations: Responsible for the daily operation and optimization of systems such as SSO, MFA, and unified directory (LDAP/AD/Azure AD), designing least privilege policies, and regularly conducting access compliance audits.
2. Privileged Access Management (PAM): Build and operate a privileged account management platform to manage accounts for core assets (servers, databases, cloud consoles, etc.), implement automatic password changes, session auditing, and high-risk operation interception, and promote the implementation of zero permanent privilege and Just-In-Time (JIT) elevation mechanisms.
3. Security Operations and Response: Analyze security incidents related to identity and access, participate in emergency response and red-blue exercises, promote the automation of security capabilities, and visualize identity security metrics (MFA coverage, privileged account management rate, etc.). Establish a unified account security baseline, continuously clean up zombie accounts, weak passwords, excessive authorizations, and other risks, manage employee, third-party, service accounts, and machine identities, design abnormal behavior detection rules, and conduct monitoring and analysis.
II. Qualifications
1. Bachelor's degree or above in computer science or information security-related fields, with more than 3 years of experience in security operations or identity security.
2. In-depth understanding of principles such as zero trust, RBAC/ABAC, least privilege, and separation of duties, with experience in building and operating IAM or PAM products (such as CyberArk, BeyondTrust, SailPoint, or Keycloak).
3. Proficient in the entire PAM process: privileged account discovery, management, password changes, session recording, JIT elevation, and emergency break glass mechanisms.
4. Rich experience in account governance and permission cleanup, familiar with service account and machine identity management and with abnormal behavior analysis (UEBA).
5. Familiar with protocols such as LDAP, SAML, OAuth2, OIDC, and SCIM, and mastery of IAM policies and access analysis on at least one cloud platform (AWS/Azure/Alibaba Cloud/Huawei Cloud).
6. Basic scripting skills (Python/Shell, etc.), with experience in SIEM (Splunk/ELK, etc.) log analysis and alert configuration. Ability to respond to alerts as part of security emergency response.
7. Good cross-departmental communication and risk balancing skills; experience in security compliance for institutions licensed by regulators such as SFC and HKMA preferred.
