Enterprise Architect (2021 - 2022), Intelligenis
Technologies: Python, PyTorch, Kubernetes, VMware NSX, Docker, Spark ML, Calico, NGINX, HashiCorp, Palo Alto Networks, Microsoft Visio
- Created neural network architectures for reinforcement learning using different topologies, such as dueling Q networks and double deep Q networks, with specific model stabilization techniques, such as experience replay and exploration decay.
- Implemented several machine learning techniques for prediction and control, including temporal difference methods (TD-lambda, Monte-Carlo, SARSA) and multiple neural network topologies like convolutional neural networks and deep neural networks.
- Constructed microservice clusters using Kubernetes, Calico/WeaveNet CNI, Istio service mesh, Prometheus, Grafana, NGINX ingress, Kubernetes dashboard, MetalLB, NFS storage provisioner, container registry, and HashiCorp Vault.
- Built container images for workload pods running machine learning algorithms. These were implemented using Python, PyTorch, SparkML, Pandas, Numpy, Scikit-learn, Scipy, Matplotlib, SQL-Alchemy, and Pyodbc.
- Integrated physical infrastructure with the software-defined network, using VMware NSX-T, edge cluster, distributed firewall, IDS/IPS, distributed load balancer, tier-0, and tier-1 gateways, network-defined virtual switches, OSPF, and BGP.
- Defined entire network security infrastructure using Palo Alto firewall, including security policies, network security zones, IPsec tunnels for site-to-site VPN, remote access (Global Protect and OpenVPN), NAT, QoS, and DoS protection.
- Designed the hardened VM templates for hosting the virtualization fabric of the microservice cluster infrastructure consisting of Kubernetes nodes using Docker, Linux, WLS, VMware, and Hyper-V.
- Planned the entire physical infrastructure using type-1 hypervisors (ESXi and Hyper-V), DHCP, DNS, NTP, and ADCS PKI.
Cybersecurity Architect (2016 - 2021), Canadian Tire Corporation
Technologies: Azure, Palo Alto Networks, VMware, Kubernetes, Web Application Firewall (WAF)
- Worked on many corporate initiatives, addressing enterprise security concerns in IAM, web access control, SSO, remote access (VPN), privileged access management, MFA, cloud security, risk and governance management, and PCI compliance.
- Defined the optimal security architecture for multiple enterprise solutions hosted in Azure cloud, on-prem datacenters, or hybrid, and integration with 3rd party SaaS providers, such as Snowflake, Exabeam, Okta, and Office 365.
- Performed threat modeling in ArchiMate and Visio using the STRIDE-LM methodology and applying the NIST Cybersecurity Framework, OWASP Top10, CIS benchmarks, and TOGAF.
- Implemented specific security architecture artifacts on assigned projects, using defense-in-depth, need-to-know, Zero Trust principles, and applied architectural patterns for available, protected systems.
- Identified the necessary IT security controls for configuration change monitoring, SIEM, authentication, authorization, data encryption, user access provisioning, user access review, network segregation, and threat and vulnerability management.
- Presented the proposed architectures to the technical review board forum, incorporating their feedback and maintaining active communication, both orally, via phone and virtual conferences, and in writing, via email and chat.
- Translated specific business requirements into accurate security policies for conditional access control, MFA, ID governance, and privileged access management across multiple identity providers such as Azure AD, B2B, B2C, Okta, ADFS, and AD.
- Collaborated with multiple external vendors and internal teams, such as information governance, PCI compliance, data privacy, risk management, solution architecture, technical review board, and business stakeholders of various lines of business.
- Identified security gaps related to technical debt and provided recommendations to reduce security gaps and minimize residual risks, such as eliminating generic accounts, upgrading to secure protocols, and implementing stronger data encryption.
- Conducted a feasibility study for the improvement of SDLC processes and a technical impact analysis for adopting Prisma Cloud technology, a unified workload protection platform across multiple cloud service providers.
IAM Expert | Security Architect (2011 - 2020), Rogers Communications
Technologies: Identity & Access Management (IAM)
- Provided SME with Identity and Access Management (IAM) security solutions with Broadcom Layer7 API Gateway 9.x/10.x, OAuth Toolkit (OTK) 4.x, CA SiteMinder, and CA Directory. Ensured they met and complied with all architectural best practices.
- Led the design of multiple SSO solutions for residential users, business partners, and government customers, using OpenID Connect 1.0, OAuth 2.0, LDAP 3, SAML 2.0, 1.1, Kerberos 5, and SCIM protocols.
- Implemented a wide range of security policies and enterprise web services for authentication, access control, session management, security token revocation, and threat protection using REST/SOAP API, JSON, WSDL/XML, and Swagger API/YAML.
- Anticipated the optimum strategy and adopted the optimum approach for large-scale enterprise solutions that decoupled time-specific constraints, which significantly contributed to the project's success.
- Managed the onboarding of many enterprise applications managed internally and by 3rd party vendors while supporting the PKI infrastructure across multiple environments: DEV, IDT, QA, PET, and PROD.
- Conducted the data migration of highly sensitive PII authentication security profiles for enterprise users as part of several major business initiatives, such as HR transformation, Rogers One Identity (R1ID), and Allstream cloud migration.
- Worked with multiple external teams, leading integrations with strategic business partners: Google Home (IoT), Texture (now Apple News+), Comcast IPTV (xFi), and surveillance (xHome).
- Implemented an automated deployment process with zero downtime across multiple data centers, using Gateway Migration Utility (GMU) 1.5, 1.6.
- Architected a complex on-prem multi-datacenter security infrastructure consisting of API Gateway, SiteMinder, CA Directory, and identity management, integrated with MySQL, MS Active Directory (LDAP and ADFS), Oracle database, F5, RSA, and DigiCert.
- Facilitated smooth transition to respective environment owners through detailed architecture, design specifications, diagrams, documented method of procedure, release notes, training sessions, and practical hands-on assistance.
Solution Architect (2009 - 2010), CSI
- Architected a credit card tokenization vault and a PCI-compliant, highly secure credit card storage solution integrated with a mix of legacy batch and modern technologies, such as payment gateway, billing systems, and third-party vendors.
- Established the optimum strategy for project delivery by splitting the implementation into three key phases: construction of the vault core services, building the integration layer, and data migration.
- Designed the PKI-based credit card encryption, secure storage, and tokenization solution. The solution complies with the Payment Card Industry - Data Security Standard.
- Led the design and implementation of the vault encrypted storage, secure API, and web-based administration UI with the external vendors CyberSource and Visa.
- Led the design and oversaw the implementation of the integration layers (libraries, API, and file-based batch) with the external vendor Deloitte.
- Led the integration with additional external service providers IBM and AmEx.
- The solution proved solid through security audit, performance testing, and disaster recovery testing phases.
Application Architect (2006 - 2008), ESI Canada
- Led the development team for the feed processing engine. The operational system supported 2.5 million customer users across Canada. The implementation was based on Oracle WebLogic Server, Java/Jakarta EE, SSH, and Linux.
- Led the integration of the feed processing engine with the health claim solution system, with HIPAA and PIPEDA regulatory compliance.
- Contributed to this large-scale solution that proved solid throughout the security audit, performance testing, and disaster recovery testing phases.
Senior Technical Consultant (2004 - 2006), Bell Canada
- Led the architecture, design, and implementation of the Retail Vision IRIS portal, a large-scale web-based application for the distribution channel of Bell Canada stores.
- Designed a large integration for user access provisioning, including Enterprise Directory, Identity Manager, Provisioning Server, Vision21, CRM, ASMS, LDAP, CA-SSO, Oracle e-SSO, RACF, and AD.
- Identified key design gaps with the old provisioning system integrated with PeopleSoft and proposed enhancements in the design of the new HR system based on HCM, which allowed switching from a batch-only mode of operation to a real-time solution.
- Initiated data cleansing ahead of the migration to eliminate stale records, reduce volume size, and improve the data quality, which increased the effectiveness and scalability of the transition.
- Designed the process flow for the migration and data conversion of corporate employees from the old PeopleSoft to the new HR HCM implementation using LDAP, SQL, and Unix Bash scripts.
- Integrated the solution with the Sales and Services Portal (SSP), supporting the entire retail chain for corporate stores, franchises, and retail partners across Canada.
- Developed a fully automated data feed processor for HR user provisioning using SQL*Plus and PowerShell.
- Incorporated disaster recovery capabilities into the solution and conducted disaster recovery testing to ensure that the implementation met the SLA for failover and failback according to its strategic objectives.