
Alin Ungurean
Verified Expert in Engineering
Security Architect and Developer
Toronto, ON, Canada
Toptal member since October 19, 2022
Alin is a cybersecurity architect with a proven track record of building enterprise-scale solutions for identity and access management, data confidentiality and privacy, application protection, microservice resilience, network, virtualization, and infrastructure security. He has also worked in both cloud and on-premises environments. Alin has excellent threat modeling skills and strong analytical and problem-solving skills. He is self-motivated, ambitious, and focused on high-quality work.
Experience
- LDAP - 18 years
- Identity & Access Management (IAM) - 15 years
- Cybersecurity - 10 years
- SAML - 10 years
- OpenID Connect (OIDC) - 7 years
- OAuth 2 - 7 years
- Layer7 API Gateway - 5 years
- Azure - 5 years
Preferred Environment
Azure, Architecture, Layer API
The most amazing...
...professional certifications I have include Azure Solutions Architect Expert, Azure Infrastructure Solutions Design, Azure Security Engineer, and (ISC)² CISSP.
Work Experience
Enterprise Architect
Intelligenis
- Created neural network architectures for reinforcement learning using different topologies, such as dueling Q networks and double deep Q networks, with specific model stabilization techniques, such as experience replay and exploration decay.
- Implemented several machine learning techniques for prediction and control, including temporal difference methods (TD-lambda, Monte-Carlo, SARSA) and multiple neural network topologies like convolutional neural networks and deep neural networks.
- Constructed microservice clusters using Kubernetes, Calico/WeaveNet CNI, Istio service mesh, Prometheus, Grafana, Nginx ingress, Kubernetes dashboard, MetalLB, NFS storage provisioner, container registry, and HashiCorp Vault.
- Built container images for workload pods running machine learning algorithms. These were implemented using Python, PyTorch, SparkML, Pandas, Numpy, Scikit-learn, Scipy, Matplotlib, SQL-Alchemy, and Pyodbc.
- Integrated physical infrastructure with the software-defined network, using VMware NSX-T, edge cluster, distributed firewall, IDS/IPS, distributed load balancer, tier-0, and tier-1 gateways, network-defined virtual switches, OSPF, and BGP.
- Defined entire network security infrastructure using Palo Alto firewall, including security policies, network security zones, IPsec tunnels for site-to-site VPN, remote access (Global Protect and OpenVPN), NAT, QoS, and DoS protection.
- Designed the hardened VM templates for hosting the virtualization fabric of the microservice cluster infrastructure consisting of Kubernetes nodes using Docker, Linux, WLS, VMware, and Hyper-V.
- Planned the entire physical infrastructure using type-1 hypervisors (ESXi and Hyper-V), DHCP, DNS, NTP, and ADCS PKI.
Cybersecurity Architect
Canadian Tire Corporation
- Worked on many corporate initiatives, addressing enterprise security concerns in IAM, web access control, SSO, remote access (VPN), privileged access management, MFA, cloud security, risk and governance management, and PCI compliance.
- Defined the optimal security architecture for multiple enterprise solutions hosted in Azure cloud, on-prem datacenters, or hybrid, and integration with 3rd party SaaS providers, such as Snowflake, Exabeam, Okta, and Office 365.
- Performed threat modeling in ArchiMate and Visio using the STRIDE-LM methodology and applying the NIST Cybersecurity Framework, OWASP Top 10, CIS benchmarks, and TOGAF.
- Implemented specific security architecture artifacts on assigned projects, using defense-in-depth, need-to-know, Zero Trust principles, and applied architectural patterns for available, protected systems.
- Identified the necessary IT security controls for configuration change monitoring, SIEM, authentication, authorization, data encryption, user access provisioning, user access review, network segregation, and threat and vulnerability management.
- Presented the proposed architectures to the technical review board forum, incorporating their feedback and maintaining active communication, both orally (via phone and virtual conferences) and in writing (via email and chat).
- Translated specific business requirements into accurate security policies for conditional access control, MFA, ID governance, and privileged access management across multiple identity providers such as Azure AD, B2B, B2C, Okta, ADFS, and AD.
- Collaborated with multiple external vendors and internal teams, such as information governance, PCI compliance, data privacy, risk management, solution architecture, technical review board, and business stakeholders of various lines of business.
- Identified security gaps related to technical debt and provided recommendations to close them and minimize residual risk, such as eliminating generic accounts, upgrading to secure protocols, and implementing stronger data encryption.
- Conducted a feasibility study for the improvement of SDLC processes and a technical impact analysis for adopting Prisma Cloud technology, a unified workload protection platform across multiple cloud service providers.
IAM Expert | Security Architect
Rogers Communications
- Provided subject matter expertise (SME) on Identity and Access Management (IAM) security solutions built with Broadcom Layer7 API Gateway 9.x/10.x, OAuth Toolkit (OTK) 4.x, CA SiteMinder, and CA Directory, and ensured they complied with all architectural best practices.
- Led the design of multiple SSO solutions for residential users, business partners, and government customers, using OpenID Connect 1.0, OAuth 2.0, LDAP 3, SAML 2.0, 1.1, Kerberos 5, and SCIM protocols.
- Implemented a wide range of security policies and enterprise web services for authentication, access control, session management, security token revocation, and threat protection using REST/SOAP API, JSON, WSDL/XML, and Swagger API/YAML.
- Anticipated the optimum strategy and adopted the optimum approach for large-scale enterprise solutions, decoupling time-specific constraints, which significantly contributed to the project's success.
- Managed the onboarding of many enterprise applications managed internally and by 3rd party vendors while supporting the PKI infrastructure across multiple environments: DEV, IDT, QA, PET, and PROD.
- Conducted the data migration of highly sensitive PII authentication security profiles for enterprise users as part of several major business initiatives, such as HR transformation, Rogers One Identity (R1ID), and Allstream cloud migration.
- Worked with multiple external teams, leading integrations with strategic business partners: Google Home (IoT), Texture (now Apple News+), Comcast IPTV (xFi), and surveillance (xHome).
- Implemented an automated deployment process with zero downtime across multiple data centers, using Gateway Migration Utility (GMU) 1.5, 1.6.
- Architected a complex on-prem multi-datacenter security infrastructure consisting of API Gateway, SiteMinder, CA directory and identity management, integrated with MySQL, MS Active Directory (LDAP and ADFS), Oracle database, F5, RSA, and DigiCert.
- Facilitated smooth transition to respective environment owners through detailed architecture, design specifications, diagrams, documented method of procedure, release notes, training sessions, and practical hands-on assistance.
Solution Architect
CSI
- Architected a credit card tokenization vault and a PCI-compliant, highly secure credit card storage solution integrated with a mix of legacy batch and modern technologies, such as payment gateway, billing systems, and third-party vendors.
- Established the optimum strategy for project delivery by splitting the implementation into three key phases: construction of the vault core services, building the integration layer, and data migration.
- Designed the PKI-based credit card encryption, secure storage, and tokenization solution. The solution complies with the Payment Card Industry Data Security Standard (PCI DSS).
- Led the design and implementation of the vault encrypted storage, secure API, and web-based administration UI with the external vendors CyberSource and Visa.
- Led the design and oversaw the implementation of the integration layers (libraries, API, and file-based batch) with the external vendor Deloitte.
- Led the integration with additional external service providers IBM and AmEx.
- The solution proved solid through security audit, performance testing, and disaster recovery testing phases.
Application Architect
ESI Canada
- Led the development team for the feed processing engine. The operational system supported 2.5 million customer users across Canada. The implementation was based on Oracle WebLogic Server, Java/Jakarta EE, SSH, and Linux.
- Led the integration of the feed processing engine with the health claim solution system, with HIPAA and PIPEDA regulatory compliance.
- Contributed to this large-scale solution that proved solid throughout the security audit, performance testing, and disaster recovery testing phases.
Senior Technical Consultant
Bell Canada
- Led the architecture, design, and implementation of the Retail Vision IRIS portal, a large-scale web-based application for the distribution channel of Bell Canada stores.
- Designed a large integration for user access provisioning, including Enterprise Directory, Identity Manager, Provisioning Server, Vision21, CRM, ASMS, LDAP, CA-SSO, Oracle e-SSO, RACF, and AD.
- Identified key design gaps in the old provisioning system integrated with PeopleSoft and proposed enhancements to the design of the new HR system based on HCM, which allowed switching from a batch-only mode of operation to a real-time solution.
- Initiated data cleansing ahead of the migration to eliminate stale records, reduce volume size, and improve the data quality, which increased the effectiveness and scalability of the transition.
- Designed the process flow for the migration and data conversion of corporate employees from the old PeopleSoft system to the new HR HCM implementation using LDAP, SQL, and Unix Bash scripts.
- Integrated the solution with the Sales and Services Portal (SSP), supporting the entire retail chain for corporate stores, franchises, and retail partners across Canada.
- Developed a fully automated data feed processor for HR user provisioning using SQL*Plus and PowerShell.
- Incorporated disaster recovery capabilities into the solution and conducted disaster recovery testing to ensure that the implementation met the SLA for failover and failback according to its strategic objectives.
Experience
Enterprise Security System for Rogers Communications
I migrated highly sensitive security data, including confidential personally identifiable information and authentication security profiles, for business transformation initiatives, using strong encryption, one-way hashing, and digital signatures.
I also designed the API security management with the Layer7 API Gateway and conducted robust performance testing using BlazeMeter or JMeter and Docker. I introduced an innovative patch and lifecycle strategy with zero downtime of most critical infrastructure, designed a fully automated deployment process, and incorporated automated testing into the build pipeline using the Ready API suite.
Education
Hon. Bachelor's Degree in Computer Science
Polytechnic University of Bucharest - Bucharest, Romania
Certifications
Microsoft Certified – Azure Solutions Architect Expert
Microsoft
AZ-305: Microsoft Azure Infrastructure Solutions Design
Microsoft
AZ-500: Microsoft Azure Security Engineer
Microsoft
Certified Information Systems Security Professional (CISSP)
(ISC)²
Skills
Libraries/APIs
PyTorch, Layer API, Spark ML
Tools
Microsoft Visio, VMware, NGINX, HashiCorp
Languages
SAML, Java, Python, XML, SQL, C++, JavaScript
Frameworks
OAuth 2
Platforms
CA SiteMinder, Azure, Docker, Linux, Kubernetes, ReadyAPI
Industry Expertise
Cybersecurity
Storage
JSON, Azure Active Directory
Other
Layer7 API Gateway, LDAP, OpenID Connect (OIDC), IT Security, Security, CISSP, Palo Alto Networks, SCIM, Threat Modeling, NIST, YML, Web Application Firewall (WAF), VMware NSX, Okta, Computer Science, Identity & Access Management (IAM), BlazeMeter, Architecture, VMware vCenter, Deep Reinforcement Learning, Deep Neural Networks (DNNs), Machine Learning, Convolutional Neural Networks (CNNs), Active Directory Federation, PKI, Firewalls, F5 Networks, Calico, Design, STRIDE