Verified Expert in Engineering
Andrew is a highly motivated, versatile, and skilled DevOps and DevSecOps engineer. He's delivered numerous large-scale infrastructure implementations with cost-effective approaches. Andrew excels in high load, availability, and security using AWS, Kubernetes (EKS), and Terraform, and implementing infrastructure-as-code and configuration-as-code approaches. Andrew is also brilliant at managing compliance, security, and company-wide documentation for health and payment data (HIPAA and PCI DSS).
Amazon Web Services (AWS), IT Security, CI/CD Pipelines, Linux, HIPAA Compliance, PCI DSS, DevSecOps, DevOps, Terraform, Kubernetes
The most amazing...
...projects I've done were the ones that helped MDDX to be acquired by Bioclinica, after hard work and successful HIPAA and FDA audits.
DevOps and DevSecOps Engineer
- Executed PCI-DSS compliant AWS infrastructure-as-code with Terraform, Packer, Elasticsearch, Cognito, Inspector, GuardDuty, Fluentd, OSSEC, Wazuh, Nginx, and many other AWS services.
- Implemented container infrastructure as code and worked with Kubernetes (EKS), Fluentd, Fluent Bit, Istio, and Docker.
- Accomplished numerous security reviews and hardenings. Implemented secured VPN as code deployed with Terraform (compliant with PCI-DSS, multi-node cluster, and integrated Google MFA).
DevOps and DevSecOps Engineer
- Developed the modern system architecture and implemented Amazon Web Services and EKS infrastructure.
- Handled cloud security and compliance configuration for the majority of the services present on AWS (Terraform and CloudFormation).
- Implemented EKS (local environment with minikube, development, staging, and production clusters) including performance monitoring and event management implementation.
- Executed Kubernetes security hardenings, role-based access control (RBAC), and secrets management.
- Implemented CI/CD without downtime or user interruptions using CircleCI.
- Reviewed compliance requirements and mapped them to the current security state; handled PCI DSS SAQ D and security.
- Implemented missing security controls, such as vulnerability assessments, VPN, WAF, SSO, secure SDLC, event management, proper roles, access matrix, and others.
DevOps and DevSecOps Engineer
MDDX Research and Informatics (acquired by Bioclinica)
- Led and managed two contractors delegated with the following responsibilities: system operations, 24-hour support, monitoring, HIPAA compliance documentation, and execution of different check-ups.
- Implemented Amazon Web Services cloud infrastructure including integrating infrastructure-as-code approaches and implementing cloud security and HIPAA compliance (HITECH and FDA 21 CFR PART 11).
- Executed initial Kubernetes setup sustainable for very high spikes. Configured Kubernetes event management, monitoring, multiple environments, and extra security.
- Integrated vulnerability assessments and fixes, system security hardenings, CIS compliance, security policies, FW, WAF, IPS, HIDS, VPN, integrity controls, file encryptions, security and event management, secure SDLC, and network security.
- Developed backup plans, business continuity & disaster recovery plans, worked on performance fixes and achieved significant cost optimizations.
- Implemented numerous custom solutions using Shell and Python scripting; extensively used regular expressions.
Tech and Security Lead
ОАО «Электронная Москва»
- Led and managed a small engineering team (2-3 persons); organized the work with more than ten contractors which included assignment tracking, standups, report reviews, action plans, and results tracking.
- Designed the architecture and implemented the complex subsystems for different enterprise-level projects (with more than 120 equipment racks and more than 500 bare-metal servers).
- Implemented various systems including firewalls and VPNs, intrusion prevention, vulnerability assessment, security, information, event management, IAM, and WAF.
- Performed vulnerability scans and created business continuity, disaster recovery, and backup plans.
Lead Information Security Specialist
CJSC Svyaznoy Bank
- Implemented and maintained complex IT systems and applications; organized and managed work with about ten contractors.
- Worked on the bank's compliance; did penetration testing, log analysis, forensic investigations, and reporting. This work resulted in providing the foundation for the new security infrastructure.
- Implemented various subsystems including firewalls and VPNs, content filtering, proxy, anti-spam, anti-virus, data and access protection systems, and the implementation and integration of security policies.
Lead Information Security Engineer
- Defined the technical and organizational requirements for IT and information security projects.
- Designed the architecture for complex information systems.
- Implemented various setups including firewalls, different Linux environments, different Windows Server setups, HSM, AV protections, Cisco projects, and intrusion detection systems.
- Implemented various Linux and Windows Server setups.
- Maintained systems and executed monitoring and event management.
- Implemented Jira task management which included record-keeping and fixing emergency incidents.
OpenVPN Setup with MFA (Terraform, Ansible, and Packer)
https://github.com/accesskeeper/openvpn-pcidss-terraform
1. Created an AWS AMI image using Packer.
2. Generated offline CA, server, and client keys.
3. Deployed the infrastructure using Terraform, which creates S3 buckets, instances, IAM, security groups, and runs AWS Systems Manager (Ansible Playbook) on the instances.
By default, it creates one master and one slave node. It is possible to slightly adjust the code to create one master and multiple slaves.
Camping Site That Can Handle High-load Spikes
https://campdror.com
Terraform, Elasticsearch, and Cognito Project with MFA-compliant PCI-DSS and HIPAA
https://github.com/accesskeeper/pcidss-elasticsearch-vpc-cognito
Two roles were deployed for admin and developer to access various kinds of log streams. It is possible to add more users, for example security staff. It has 2-factor authentication configured with phone SMS, so you need to provide your number when you create a new Cognito user.
This setup could be used for payment and health data, security, and app data logs.
Bash Script, Bash, PHP, SQL, Python
Terraform, Packer, Fluentd, OSSEC, Amazon EKS, VPN, OpenVPN, CircleCI, Nessus, Ansible, Shell, Helm, Grafana, NGINX, PHP-FPM, Docker Compose, Splunk, Git, Amazon Cognito, AWS CloudFormation, AWS Systems Manager, GitLab CI/CD, Hyper-V, VMware
DevOps, DevSecOps, HIPAA Compliance, Penetration Testing, Continuous Delivery (CD), Continuous Integration (CI), Management
Kubernetes, Docker, Linux, Windows Server, Windows, Amazon Web Services (AWS), AWS Lambda, Amazon EC2, Unix, Burp Suite, Azure, DigitalOcean
MySQL, Amazon S3 (AWS S3), Amazon DynamoDB, Elasticsearch, MongoDB, MSSQLCE, PostgreSQL
Information Security, IT Systems Architecture, System Administration, Network Administration, IT Security, PCI DSS, Web Application Firewall (WAF), Vulnerability Assessment, IT Infrastructure, Shell Scripting, Vendor Management, Business Continuity & Disaster Recovery (BCDR), SIEM, Firewalls, Security Policies & Procedures, Data Protection, Intrusion Detection Systems (IDS), Prometheus, Host-based Intrusion Prevention, HAProxy, Vulnerability Management, AWS Cloud Architecture, Architecture, AWS DevOps, Linux Server Administration, Amazon Cognito User Pools, Linux Administration, Infrastructure, Security, Networking, Scripting, TCP/IP, Okta, Software Development Lifecycle (SDLC), CI/CD Pipelines, OWASP Top 10, Site Reliability Engineering (SRE), Performance Testing, Leadership, Amazon Kinesis
Master's Degree in Information Security
MEPhI | Moscow Engineering and Physics Institute - Moscow, Russia