Alin Ungurean, Developer in Toronto, ON, Canada

Alin Ungurean

Verified Expert in Engineering

Security Architect and Developer

Location
Toronto, ON, Canada
Toptal Member Since
October 19, 2022

Alin is a cybersecurity architect with a proven track record of building enterprise-scale solutions for identity and access management, data confidentiality and privacy, application protection, microservice resilience, network, virtualization, and infrastructure security. He has also worked in both cloud and on-premises environments. Alin has excellent threat modeling skills and strong analytical and problem-solving abilities. He is self-motivated, ambitious, and focused on high-quality work.

Portfolio

Intelligenis
Python, PyTorch, Kubernetes, VMware NSX, Docker, Spark ML, Calico, NGINX...
Canadian Tire Corporation
Azure, Palo Alto Networks, VMware, Kubernetes, Web Application Firewall (WAF)
Rogers Communications
Identity & Access Management (IAM)

Experience

Availability

Part-time

Preferred Environment

Azure, Architecture, Layer API

The most amazing...

...professional certifications I have include Azure Solutions Architect Expert, Azure Infrastructure Solutions Design, Azure Security Engineer, and (ISC)² CISSP.

Work Experience

Enterprise Architect

2021 - 2022
Intelligenis
  • Created neural network architectures for reinforcement learning using different topologies, such as dueling Q networks and double deep Q networks, with specific model stabilization techniques, such as experience replay and exploration decay.
  • Implemented several machine learning techniques for prediction and control, including temporal difference methods (TD-lambda, Monte-Carlo, SARSA) and multiple neural network topologies like convolutional neural networks and deep neural networks.
  • Constructed microservice clusters using Kubernetes, Calico/WeaveNet CNI, Istio service mesh, Prometheus, Grafana, NGINX ingress, Kubernetes dashboard, MetalLB, NFS storage provisioner, container registry, and HashiCorp Vault.
  • Built container images for workload pods running machine learning algorithms. These were implemented using Python, PyTorch, Spark ML, pandas, NumPy, scikit-learn, SciPy, Matplotlib, SQLAlchemy, and pyodbc.
  • Integrated physical infrastructure with the software-defined network, using VMware NSX-T, edge cluster, distributed firewall, IDS/IPS, distributed load balancer, tier-0, and tier-1 gateways, network-defined virtual switches, OSPF, and BGP.
  • Defined the entire network security infrastructure using Palo Alto firewalls, including security policies, network security zones, IPsec tunnels for site-to-site VPN, remote access (GlobalProtect and OpenVPN), NAT, QoS, and DoS protection.
  • Designed the hardened VM templates for hosting the virtualization fabric of the microservice cluster infrastructure consisting of Kubernetes nodes using Docker, Linux, WLS, VMware, and Hyper-V.
  • Planned the entire physical infrastructure using type-1 hypervisors (ESXi and Hyper-V), DHCP, DNS, NTP, and ADCS PKI.
Technologies: Python, PyTorch, Kubernetes, VMware NSX, Docker, Spark ML, Calico, NGINX, HashiCorp, Palo Alto Networks, Microsoft Visio

Cybersecurity Architect

2016 - 2021
Canadian Tire Corporation
  • Worked on many corporate initiatives, addressing enterprise security concerns in IAM, web access control, SSO, remote access (VPN), privileged access management, MFA, cloud security, risk and governance management, and PCI compliance.
  • Defined the optimal security architecture for multiple enterprise solutions hosted in Azure cloud, on-prem datacenters, or hybrid, and integration with 3rd party SaaS providers, such as Snowflake, Exabeam, Okta, and Office 365.
  • Performed threat modeling in ArchiMate and Visio using the STRIDE-LM methodology and applying the NIST Cybersecurity Framework, OWASP Top 10, CIS benchmarks, and TOGAF.
  • Implemented specific security architecture artifacts on assigned projects, using defense-in-depth, need-to-know, Zero Trust principles, and applied architectural patterns for available, protected systems.
  • Identified the necessary IT security controls for configuration change monitoring, SIEM, authentication, authorization, data encryption, user access provisioning, user access review, network segregation, and threat and vulnerability management.
  • Presented the proposed architectures to the technical review board forum, incorporating their feedback and maintaining active communication, both orally (phone and virtual conferences) and in writing (email and chat).
  • Translated specific business requirements into accurate security policies for conditional access control, MFA, ID governance, and privileged access management across multiple identity providers such as Azure AD, B2B, B2C, Okta, ADFS, and AD.
  • Collaborated with multiple external vendors and internal teams, such as information governance, PCI compliance, data privacy, risk management, solution architecture, technical review board, and business stakeholders of various lines of business.
  • Identified security gaps related to technical debt and provided recommendations to close them and minimize residual risk, such as eliminating generic accounts, upgrading to secure protocols, and implementing stronger data encryption.
  • Conducted a feasibility study for the improvement of SDLC processes and a technical impact analysis for adopting Prisma Cloud technology, a unified workload protection platform across multiple cloud service providers.
Technologies: Azure, Palo Alto Networks, VMware, Kubernetes, Web Application Firewall (WAF)

IAM Expert | Security Architect

2011 - 2020
Rogers Communications
  • Provided subject-matter expertise on Identity and Access Management (IAM) security solutions built on Broadcom Layer7 API Gateway 9.x and 10.x, OAuth Toolkit (OTK) 4.x, CA SiteMinder, and CA Directory, and ensured they complied with all architectural best practices.
  • Led the design of multiple SSO solutions for residential users, business partners, and government customers, using OpenID Connect 1.0, OAuth 2.0, LDAP 3, SAML 2.0 and 1.1, Kerberos 5, and SCIM.
  • Implemented a wide range of security policies and enterprise web services for authentication, access control, session management, security token revocation, and threat protection using REST/SOAP API, JSON, WSDL/XML, and Swagger API/YAML.
  • Anticipated and adopted the optimum strategy for large-scale enterprise solutions, decoupling delivery from time-specific constraints, which significantly contributed to the project's success.
  • Managed the onboarding of many enterprise applications managed internally and by 3rd party vendors while supporting the PKI infrastructure across multiple environments: DEV, IDT, QA, PET, and PROD.
  • Conducted the data migration of highly sensitive PII authentication security profiles for enterprise users as part of several major business initiatives, such as HR transformation, Rogers One Identity (R1ID), and Allstream cloud migration.
  • Worked with multiple external teams, leading integrations with strategic business partners: Google Home (IoT), Texture (now Apple News+), Comcast IPTV (xFi), and surveillance (xHome).
  • Implemented an automated deployment process with zero downtime across multiple data centers, using Gateway Migration Utility (GMU) 1.5 and 1.6.
  • Architected a complex on-prem multi-datacenter security infrastructure consisting of API Gateway, SiteMinder, CA Directory, and identity management, integrated with MySQL, Microsoft Active Directory (LDAP and ADFS), Oracle Database, F5, RSA, and DigiCert.
  • Facilitated a smooth transition to the respective environment owners through detailed architecture, design specifications, diagrams, a documented method of procedure, release notes, training sessions, and practical hands-on assistance.
Technologies: Identity & Access Management (IAM)

Solution Architect

2009 - 2010
CSI
  • Architected a credit card tokenization vault and a PCI-compliant, highly secure credit card storage solution integrated with a mix of legacy batch and modern technologies, such as payment gateway, billing systems, and third-party vendors.
  • Established the optimum strategy for project delivery by splitting the implementation into three key phases: construction of the vault core services, building the integration layer, and data migration.
  • Designed the PKI-based credit card encryption, secure storage, and tokenization solution, which complies with the Payment Card Industry Data Security Standard (PCI DSS).
  • Led the design and implementation of the vault encrypted storage, secure API, and web-based administration UI with the external vendors CyberSource and Visa.
  • Led the design and oversaw the implementation of the integration layers (libraries, API, and file-based batch) with the external vendor Deloitte.
  • Led the integration with additional external service providers IBM and AmEx.
  • The solution proved solid through security audit, performance testing, and disaster recovery testing phases.
Technologies: Architecture

Application Architect

2006 - 2008
ESI Canada
  • Led the development team for the feed processing engine. The operational system supported 2.5 million customer users across Canada. The implementation was based on Oracle WebLogic Server, Java/Jakarta EE, SSH, and Linux.
  • Led the integration of the feed processing engine with the health claim solution system, with HIPAA and PIPEDA regulatory compliance.
  • Contributed to this large-scale solution that proved solid throughout the security audit, performance testing, and disaster recovery testing phases.
Technologies: Architecture

Senior Technical Consultant

2004 - 2006
Bell Canada
  • Led the architecture, design, and implementation of the Retail Vision IRIS portal, a large-scale web-based application for the distribution channel of Bell Canada stores.
  • Designed a large integration for user access provisioning, including Enterprise Directory, Identity Manager, Provisioning Server, Vision21, CRM, ASMS, LDAP, CA-SSO, Oracle e-SSO, RACF, and AD.
  • Identified key design gaps in the old provisioning system integrated with PeopleSoft and proposed enhancements in the design of the new HR system based on HCM, which allowed switching from a batch-only mode of operation to a real-time solution.
  • Initiated data cleansing ahead of the migration to eliminate stale records, reduce volume size, and improve the data quality, which increased the effectiveness and scalability of the transition.
  • Designed the process flow for the migration and data conversion of corporate employees from the old PeopleSoft system to the new HR HCM implementation using LDAP, SQL, and Unix Bash scripts.
  • Integrated the solution with the Sales and Services Portal (SSP), supporting the entire retail chain for corporate stores, franchises, and retail partners across Canada.
  • Developed a fully automated data feed processor for HR user provisioning using SQL*Plus and PowerShell.
  • Incorporated disaster recovery capabilities into the solution and conducted disaster recovery testing to ensure that the implementation met the SLA for failover and failback according to its strategic objectives.
Technologies: Architecture, Design, Java, LDAP, JavaScript

Enterprise Security System for Rogers Communications

Architected a company-wide geo-redundant solution for the vital enterprise identity infrastructure, consisting of secure authentication policy servers, access management and provisioning servers, enterprise directories, secure API management, and governance systems.

I migrated highly sensitive security data, including confidential personal identifiable information and authentication security profiles, for business transformation initiatives, using strong encryption, one-way hashing, and digital signatures.

I also designed the API security management with the Layer7 API Gateway and conducted robust performance testing using BlazeMeter and JMeter with Docker. I introduced an innovative patch and lifecycle strategy with zero downtime for the most critical infrastructure, designed a fully automated deployment process, and incorporated automated testing into the build pipeline using the ReadyAPI suite.

Languages

SAML, Java, Python, XML, SQL, C++, JavaScript

Frameworks

OAuth 2

Tools

Microsoft Visio, VMware, NGINX, HashiCorp

Platforms

CA SiteMinder, Azure, Docker, Linux, Kubernetes, ReadyAPI

Other

Layer7 API Gateway, LDAP, OpenID Connect (OIDC), IT Security, Security, CISSP, Palo Alto Networks, SCIM, Threat Modeling, NIST, YML, Web Application Firewall (WAF), VMware NSX, Okta, Computer Science, Identity & Access Management (IAM), BlazeMeter, Architecture, VMware vCenter, Deep Reinforcement Learning, Deep Neural Networks, Machine Learning, Convolutional Neural Networks (CNN), Active Directory Federation, PKI, Firewalls, F5 Networks, Calico, Design

Industry Expertise

Cybersecurity

Storage

JSON, Azure Active Directory

Libraries/APIs

PyTorch, Layer API, Spark ML

1989 - 1994

Honours Bachelor's Degree in Computer Science

Polytechnic University of Bucharest - Bucharest, Romania

NOVEMBER 2022 - PRESENT

Microsoft Certified – Azure Solutions Architect Expert

Microsoft

OCTOBER 2022 - PRESENT

AZ-305: Microsoft Azure Infrastructure Solutions Design

Microsoft

JANUARY 2020 - PRESENT

AZ-500: Microsoft Azure Security Engineer

Microsoft

JUNE 2015 - MAY 2018

Certified Information Systems Security Professional (CISSP)

(ISC)²
