WHY DO YOU WANT THIS JOB

Are you in love with Identity Access Management (IAM), but can't stand the way the security industry implements it? Do you think IAM can be more than simply churning access requests and saying no to users? Us too. Here at Plurilock, we think IAM should be about access enablement and an integral part of our incident response program. If you have a vision for what IAM can be, we want you to own our IAM and build the program you've always wanted with us.

WHAT IS THIS JOB

Plurilock is a start up with a one of kind behavioral biometrics solution that provides a continuous authentication signal indicating that the correct user is behind an identity without affecting the user experience. We're building a security team from the ground up and want an IAM program that utilizes our own technology on a foundational level. Specifically, we’re looking to enable entities (users and computers) to access whatever they need to get their jobs done, so long as we are 100% sure it's the right entity behind the identity.

As the founder of IAM at Plurilock you will be responsible for designing security policies that govern how we authenticate and authorize users and computers. Your policies should achieve both security and compliance by following these principles:

  • Ask once, authenticate continuously
  • Allow authorized users to do their jobs
  • Put privilege in the process

The Security team takes a customer service approach to providing security at Plurilock. Your customers are all internal users and system owners who are ultimately accountable for the security of their departments. As the sole provider of IAM services, you will offer customers either a Full Service or Do it Yourself model.

In the Full Service model, you will simply implement IAM for your customers to provide them with the access they need to perform their work and ensure they comply with your standards. In the Do it Yourself model, you will provide detailed guidance to customers on how to implement your policies in their systems followed by a thorough audit to ensure they are compliant. Regardless of the model your customer chooses, they must buy into implementation.

On a day-to-day basis you will be responsible for designing, implementing, and monitoring the processes that govern the following security objectives:

  1. Provisioning and Deprovisioning Access – Grant and revoke access in an auditable, objective, and business friendly manner.
  2. Least Privilege – Make critical tasks more secure by taking privileges from humans and putting them into definable and auditable automated systems.
  3. Separation of Duties - Streamline business workloads by embedding security controls into their environments.
  4. Single Sign On – Identify all identity domains and work towards subordinating them all to a single behavioral biometric identity for a true SSO experience.

WHO ARE WE LOOKING FOR

The ideal candidate for this position has a customer first attitude. Your customers should view you as someone they come to for access solutions, not permission to perform their jobs. You should have worked in a large corporate environment with strict regulations around IAM, not so you can repeat their mistakes, but so you know what wrong looks like.

You should be the IAM engineer who asked,

  • Do my controls actually stop hackers inside the network from stealing identities?
  • Do my controls actually stop hackers who have valid credentials?
  • How could my controls help the incident response team detect and respond to credential theft in my environment?

With that being said, you should have a clear idea of how access should be granted to users and systems so that it does not expand our attack surface more than necessary.

On the technical side, you should have experience working with multiple identity providers such as AWS, Okta, and Active Directory and more importantly, linking them together to achieve SSO. You should also be able to govern access in a 100% remote work from home environment to SaaS and cloud infrastructure. The Security team as a whole will map the attack surface and help identify all the domains we need to secure, but you will be the primary architect for how we govern authentication and access.

NOTE: This position is only open to U.S. and Canadian citizens due to the highly sensitive nature of the work

Skills Required

  1. AWS IAM – We are a cloud company and your world will largely revolve around AWS.
  2. Okta – Our primary IdP is Okta and you will be the primary owner of the application.
  3. NIST 800-53 and 800-207 – Our security framework of choice is NIST 800-53 and our SOC 2 compliance is predicated on it. Our goal is to implement a true zero trust architecture based on 800-207, which has IAM at its center.
  4. AWS Well Architected Framework – Getting past traditional notions of least privilege and separation of duties requires adoption of new cloud native frameworks. You will need to speak this framework and recommend architectures based on it.
  5. Kill Chains – IAM will not be a bystander during threat detection, you should understand how to design IAM policies to deny, deceive, and degrade intruders.
  6. Reporting – You will be responsible for knowing how to gather all of the data regarding who has access to what and how they are using it across all our systems.

Bonus Skills

  • IAM in Google Cloud and Azure
  • Splunk
  • Python programming
  • Terraform or Cloud Formation

COMPENSATION

  • Base Salary
  • Sales Bonus
  • 401K
  • Health and Dental
  • Stock Options