Hashemi Salah-Uddin
Verified Expert in Engineering
IT Systems Architecture Developer
Edinburgh, United Kingdom
Toptal member since October 12, 2021
Hashemi is a multi-cloud disciplined cyber security architect with 15+ years of experience improving security posture by innovating secure solutions aligned with organizational strategies. He has deep knowledge of the cloud threat landscape and knows how to mitigate technical designs for Cloud IaaS, PaaS, and SaaS services harnessing DevSecOps practices. Hashemi has a record of identifying cyber threats and transforming both mindsets and business processes to accelerate public cloud adoption securely.
Preferred Environment
Google Cloud Platform (GCP), Azure, Amazon Web Services (AWS)
The most amazing...
...project I've implemented is a cloud security monitoring capability to the gold standard that would be expected from a client of a global bank.
Work Experience
Lead Cloud Security Architect
WPP
- Led the cloud security strategy formulation for the Cloud Acceleration Program and established organization-wide cloud security standards for a new cloud hub function.
- Authored multi-cloud security designs that included Azure, AWS, and GCP and a solution alignment with cloud provider security best practices and reported to the head of cloud architecture.
- Evaluated a security charter and internal IT controls to establish baseline cloud environment policies aligned to Center for Internet Security (CIS) Benchmarks and NIST SP 800-53/171.
- Implemented a repeatable approach for cloud-native CSPM capabilities, i.e., Microsoft Defender for Cloud, AWS Security Hub, and Google Security Command Center across multiple operating companies, adhering to the cloud provider's best practices.
Lead Cloud Security Architect
Deutsche Bank
- Provided cloud security consultancy focused on establishing a secure multi-cloud adoption from a security operation perspective.
- Reported to a director of cyber threat analytics and cloud security monitoring, defined identification and remediation processes for Azure, Microsoft 365, and GCP threats, and aligned them with MITRE ATT&CK and CSA Cloud Control Matrix frameworks.
- Derived program deliverables and a workstream structure from the cloud security strategy.
- Evaluated an Azure AD solution design and provided remediation best practices against cyber threats related to Azure identity and access management (IAM) services.
- Designed a cloud service provider agnostic security monitoring and logging strategy, roadmap, and Azure and GCP reference architectures.
- Developed a security policy as code guardrails using Terraform Sentinel and Prisma Cloud for Azure and GCP.
- Assessed 50+ Azure native services and 70+ GCP native services to establish encryption requirements, guardrails, and security logging, monitoring, and incident response requirements aligned with NIST and CIS Benchmarks best practices.
- Implemented Azure Sentinel using Terraform Enterprise (TFE) to provide user and entity behavioral analytics (UEBA) and security orchestration, automation, and response (SOAR) capability while integrating with existing incident response processes.
- Acted as a subject matter expert to define, optimize, and train the security operations center (SOC) team on security monitoring use cases for Azure and GCP.
Cyber Security Architect
The Royal Bank of Scotland
- Engaged to provide cyber security consultancy for the strategic adoption of public cloud services, particularly AWS, Azure, and Office 365.
- Reported to the head of security architecture, owning all O365 security-related topics.
- Defined the penetration testing scope and end-to-end engagement of internal and third-party pen testers for mobile connectivity and cloud authentication services.
- Evaluated security controls taxonomy to identify required software as a service (SaaS) and platform as a service (PaaS) controls based on ISF standard of good practice (SoGP) and the UK NCSC cloud security guidance for AWS and O365 services.
- Provided risk-based evaluation of an entire suite of Microsoft cloud and on-premise security components to deliver the best value for enterprise-wide license purchasing decisions.
- Enforced cryptography requirements for cloud and on-premise traffic in line with the security policy.
- Defined a zero-trust Azure AD security model using privileged identity management (PIM).
- Implemented Azure Information Protection (AIP) for GDPR-compliant classification of sensitive data with integration to existing data loss prevention (DLP) and encryption solutions.
- Provided continuous security assurance and vulnerability assessment to enable additional functionality by DevOps engineers towards an agile project delivery.
- Defined an O365 security logging and monitoring roadmap using Microsoft Azure services to integrate existing security tooling and security operations center (SOC) processes.
Senior Infrastructure Designer
Standard Life Aberdeen
- Engaged in delivering conceptual, logical, and physical infrastructure designs focused on advancing long-term infrastructure and cloud strategies for the operational IT business area. I reported to the senior program manager.
- Translated customer requirements into viable public cloud (AWS and Azure), private cloud (third-party managed IaaS), and on-premise infrastructure solutions.
- Led the implementation of the Payment Card Industry Data Security Standard (PCI-DSS) compliant cloud-based debit card payment solution.
- Designed an enterprise-wide logging and monitoring solution using Splunk SIEM and Dynatrace following evaluation of multiple products with a primary focus on existing technology integration.
- Owned principal approval for AWS and Azure infrastructure designs aligned to a cloud adoption strategy.
- Acted as the key stakeholder for assuring third-party platform as a service (PaaS) and software as a service (SaaS) solution designs hosted on public cloud platforms, primarily AWS and Azure.
- Devised an Office 365 capability-based enterprise roadmap working with Microsoft to provision Exchange, SharePoint, and Lync Online services for newly acquired business propositions.
- Worked closely with project and delivery managers to produce an estimation of infrastructure costs and resource requirements and business case summarization to enable business case approval.
- Acted as the key infrastructure stakeholder in currency and obsolescence (decommissioning and containment of legacy technologies and suppliers) and critical services (improving resilience) programs.
- Led design pattern standardization, network perimeter requirements, and public cloud adoption on Azure for several new business acquisitions based on a cloud-first services principle.
Lead Infrastructure Architect
Standard Life Aberdeen
- Engaged to directly support business teams migrating 2,000+ servers from the on-premise data center to a hybrid private cloud/infrastructure as a service (IaaS) platform underpinned by a long-term data center exit strategy.
- Reported to the senior portfolio delivery manager and managed the workload of a team with system analysts, business analysts, and test analysts.
- Presented service impact implications to non-technical senior business stakeholders.
- Liaised with a third-party networks partner (BT) to ensure design compliance and timely delivery of network changes aligned with the internal business team changes.
- Evaluated the existing physical infrastructure to establish cost savings achievable from virtualization and successfully P2V’d all suitable infrastructure.
- Drove decision-making within the technical direction team owning the corporate strategy.
- Led design activities to provide solutions for storage-related migration challenges and increased resilience to the existing systems.
Technology Architect — Infrastructure
Royal London Asset Management
- Hired to identify appropriate, cost-effective, and robust technical solutions to support business development, such as a data center exit design delivery providing cost savings of over £3.2 million/year for mainframe, Wintel, and telephony services.
- Designed the adoption of cloud solutions using a combination of infrastructure as a service (IaaS) on AWS and Azure, platform as a service (PaaS), and software as a service (SaaS) to securely provide dynamic service scalability and high availability.
- Evaluated the existing services to establish cost savings achievable from virtualization and cloud.
- Owned the design through approval, delivery, and review phases, including the oversight of subject matter expert-developed design work.
- Defined and implemented an enterprise mobility strategy encompassing corporate and bring your own device (BYOD).
- Led the migration of an Oracle and SQL infrastructure to a virtualized environment.
- Chaired and participated in technical design approval groups (TDAGs).
- Performed quality assurance (QA) of proposed designs and post-implementation reviews for infrastructure solutions.
- Worked with the IT security team to ensure full compliance with standards and the overall security strategy.
Solutions Designer | Project Technical Lead
The Royal Bank of Scotland
- Worked on the Active Directory (AD) remediation project, produced the complete design, and implemented a new global AD delegation, security, and group policy (GPO) model and the corresponding role-based access control (RBAC) matrix.
- Produced infrastructure high-level designs (HLDs) for infrastructure solutions covering areas including options analysis, cost-benefit analysis, target operating model (TOM) design, and infrastructure cost estimates.
- Led end-to-end design of a new Dell/Quest Change Auditor infrastructure solution to track and audit all AD data and structure changes required for regulatory purposes.
- Analyzed the existing elevated AD privileges using advanced Microsoft Excel and Access—including an SQL Server back-end design, and database structure and SQL data analysis queries—to ensure the principle of least privilege's optimal implementation.
- Acted as a stakeholder influence and managed third-party vendors and internal teams.
- Managed the work stack and mentored senior technical analysts, technical analysts, business analysts, and communications analysts.
Customer Solutions Architect | Technical Team Manager
The Royal Bank of Scotland
- Reported directly to the Fujitsu program director, managing all client-based Fujitsu technical project resources, technical design, project delivery, and driving new business on the RBS managed service account.
- Owned line management and workload management of technical project teams—with 32 technical team members each working on multiple projects—including the complete formation of new sub-teams as determined by project and program requirements.
- Led a team on project work across the RBS strategic virtual desktop infrastructure (VDI) environment based on VMware ESX infrastructure.
- Considered to be one of the few VDI subject matter experts at RBS.
- Produced low-level technical project designs (LLDs) for team members and RBS platform teams using industry best-practice methods in line with RBS governance, policies, and standards.
- Produced high-level technical project designs (HLDs) and statements of works (SoWs) for project managers in order for them to prepare budgets and bids.
- Guided project management and the delivery of multiple project streams throughout the entire lifecycle across various RBS projects and programs, covering multiple infrastructures and delivering an average of 30 ongoing projects at once.
- Owned stakeholder management of third-party vendors, project managers, and program managers (both business and technology) to formulate detailed project plans.
- Spearheaded the detailed reporting of team resources, project financial forecasts, and end-of-month reconciliations to Fujitsu finance and project management office (PMO) teams.
Technical Team Lead
The Royal Bank of Scotland
- Delivered over 70 projects across RBS, undertaking project management and technical leadership roles on various projects.
- Acted as a key member in the design and implementation of the VDI solution for the RBS IT systems off-shoring program.
- Implemented and supported the new virtual desktop infrastructure (VDI) rollout of 7,800 virtual machines (VMs) using Windows XP based on a VMware ESX and F5 Networks FirePass VPN infrastructure.
- Owned the analysis and remediation of server, client, and application issues for the entire VDI infrastructure.
- Led the migration from Windows Server to NetApp filer, successfully moving home and profile data for 10,000+ users.
- Migrated business-developed databases from Microsoft Access/SQL Server to an Oracle 8i/10g infrastructure.
- Developed bespoke Perl, VBS, VBA, and PowerShell scripts to automate bulk Active Directory activities.
- Led Active Directory and Exchange activities across multiple domains and forests and increased the overall team efficiency by 600%.
- Trained and mentored team members on RBS governance, policies and standards, and technical implementation methods.
Senior Technical Analyst
The Royal Bank of Scotland
- Delivered over 30 projects across RBS, often in technical lead roles, displaying deep-rooted knowledge of RBS legacy infrastructure and domains and their integration with current systems.
- Designed VBS and VBA scripts to implement and enhance the existing migration strategy and provided technical support for the migration of 6,000+ EMEA users.
- Designed the migration strategy, management, implementation, and support of a large project, migrating 7,000+ users from a Novell NetWare infrastructure to a Windows NT/2003 infrastructure within RBS insurance.
- Acted as the primary technical resource on implementing the new Aspect telephony products—Workforce Management, Perform (real-time adherence), and Empower—to integrate with Windows NT and Active Directory providing cost savings of over £3M/year.
- Designed and implemented a SAS module and technical audit installation throughout the entire RBS estate providing cost savings of over £10 million during subsequent contract negotiation.
- Provided third-line support to the back-office migration team of engineers for any escalations on the Windows NT 4.0 to Windows Vista rollout.
- Assumed third-line Active Directory/Exchange support to engineers for the migration of 1,500+ users across several domains onto a single domain on the UK business banking rollout.
Experience
Azure Landing Zone Design
As the lead cloud security architect, I ensured technical design alignment with organizational security standards, strategy, and MS best practices. I identified required IT policies and controls, defined secure-by-design DevSecOps requirements, aligned design decisions to the security strategy, devised cloud-first solutions to address security risks, and provided engineering guidance for security components. Also, I succeeded in delivering a productionized landing zone using infrastructure as code (IaC) within eight months.
Secure Finance Application Deployment
As the lead cloud security architect, I deployed isolated application architecture incorporating Azure Virtual Desktop. Also, I ensured adherence to regulatory controls, deployed the least-privilege RBAC model, implemented segmented network design, integrated 50+ Okta Identity Provider sources with Active Directory Domain Services (AD DS) and Azure AD cloud sync, and initiated an external pen test with no significant findings.
The project was successfully delivered within eight weeks from inception to go live.
Cloud Security Monitoring Capability
As the lead cloud security architect, I defined a cloud-agnostic cloud security logging, monitoring, and incident response long-term strategy accompanied by Azure and GCP reference architectures. I deployed both Azure and GCP infrastructure as code via Terraform for enterprise and policy compliance via Terraform Sentinel and Prisma Cloud. I also succeeded in delivering a cloud-native Azure UEBA and SOAR capability and a GCP security management platform integrated with on-premise SIEM.
Microsoft Office 365 Security Controls Evaluation
As the lead cloud security architect, I reviewed all existing controls and defined cloud-relevant security controls. I provided expert guidance on the Microsoft Office 365 control plane and Azure AD security configuration, conducted a risk-based analysis of phased security controls deployment, undertook a post-implementation review, and provided remediation actions. Also, I ensured timely delivery of a secure Microsoft Office 365 and Azure AD tenant within tight business-need-driven timescales.
Microsoft Security Tooling Evaluation
As a cyber security architect, I evaluated 20+ Azure security components to enable license purchasing. I gathered control requirements from security and business teams, identified relevant security components and validated them with MS product experts, conducted multiple POCs to determine component suitability, and produced business-risk-based justifications to adopt shortlisted components. I also succeeded in obtaining a senior stakeholder agreement for procurement.
Logging and Performance Monitoring Capability
As a senior infrastructure designer, I deployed an enterprise-wide logging and performance monitoring framework. I evaluated SIEM and APM products for middleware system integration, designed the infrastructure HLD, implemented using the Agile Scrum framework, guided cybersecurity tooling integration, provisioned infrastructure to maximize DevOps continuous integration and delivery, and trained operational and development staff. I also succeeded in containing and decommissioning several non-strategic technologies.
Infrastructure as a Service (IaaS) Migration
As the lead infrastructure architect, I provided service assurance to senior stakeholders. I devised the migration schedule minimizing service impact, drove the technical direction team's decision-making, designed an unidentified systems eDiscovery toolset, and re-designed the existing infrastructure improving resilience. I successfully migrated all servers to achieve industry-leading 99.982% infrastructure availability – pivotal in the System Integration Project of the Year industry award win.
Network IP Address Transformation
As a customer solutions architect, I designed an automated IP migration process to reduce engineering requirements, designed tools to migrate Windows servers and print queues using VBScript, developed a robust communication mechanism using SharePoint Services, implemented an automated change management system, and trained PMs and engineers to ensure a smooth system transition. I also succeeded in reducing on-site engineer resource requirements by 60%.
Enterprise Mobility Strategy
As a technology architect, I defined a viable 3-year enterprise mobility strategy. I evaluated the technical suitability of AirWatch, MobileIron, and Good for enterprise on BYOD and corporate devices, produced the infrastructure HLD, led cost-modeling production to obtain senior stakeholder buy-in, and trained the existing team to become subject matter experts. I also succeeded in delivering a stakeholder-approved strategy that provided £200,000 per year in cost savings.
Virtual Desktop Infrastructure (VDI) Provisioning
As the technical team lead, I implemented the VDI solution in a compressed timeframe. I built the VDI on VMware infrastructure using App-V and XenApp virtualized apps, led a group of six to undertake all VDI project work for customized application sets, directed application troubleshooting for UAT sign-off with business users, and guided a build of 7,800 VMs with defined reusable building blocks. I also succeeded in delivering a complex offshoring program on time and within budget.
Technical Analyst Team Expansion
As a customer solutions architect, I led the team's growth in a short timeframe. I identified, interviewed, and recruited key technical talent, set up three sub-teams to operate over 24-hour periods, evaluated individual technical strengths to distribute resources across 20 projects, and reinvigorated existing processes by implementing program efficiencies. I also successfully built a core team from six to 32 in under two months while increasing overall margins by 12%.
Active Directory Scripting
As the technical team lead, I scripted everyday Active Directory and Exchange activities for 32 domains covering 250,000 users. I reviewed existing manual processes to eliminate time-intensive activities, developed robust modular ETL tools using Visual Basic, advised senior support teams on obtaining tool approval, and trained BAU teams on tools usage. I also succeeded in delivering time-efficient AD management mechanisms, which improved activity timescales by 600%.
Data Center Migration
As a technology architect, I designed DevOps-oriented test and production environments. I analyzed the existing physical estate to identify virtualization opportunities, established software-defined networking to pilot migration of Wintel, mainframe, and telephony platforms, devised Avaya IP telephony to replace Cisco CallManager, and designed the entire DR solution of VMware estate within business service line RPO/RTOs. I also succeeded in delivering £3.2 million per annum in savings.
Insurance Claims System Replacement
As a customer solutions architect, I migrated users, desktops, and data to enable cost savings from the insurance CSR system. I ran an entire discovery exercise on the business app and data usage, led project estimation workshops to engage relevant technical stakeholders, designed a new exchange infrastructure, and devised three-year SAN capacity forecasts for 8,000 users. I also successfully delivered user and data migration, which enabled £30 million in yearly savings.
Active Directory Remediation
As the project technical lead, I produced the design and migration strategy. I designed a PCI-DSS-compliant ChangeAuditor infrastructure for auditing privileged AD activities, analyzed elevated AD privileges for 32 domains using SQL database tools, produced and managed project plans using Microsoft Project, and mentored senior technical analysts on AD scripting. I also succeeded in achieving SOX compliance by reducing admin-level AD access from 1,500 to 15 users.
Education
Bachelor's Degree in Computer Science
University of Aberdeen - Aberdeen, Scotland, UK
Certifications
Microsoft Certified: Cybersecurity Architect Expert
Microsoft
Microsoft Azure Solutions Architect Expert
Microsoft
GCP Professional Cloud DevOps Engineer
Google Cloud
GCP Professional Network Engineer
Google Cloud
GCP Professional Cloud Security Engineer
Google Cloud
GCP Professional Cloud Architect
GCP
AWS Certified Solutions Architect Professional
Amazon Web Services Training and Certification
Microsoft Azure Security Engineer Associate
Microsoft
Certified Information Systems Security Professional (CISSP)
(ISC)2
AWS Certified Security — Specialty
Amazon Web Services
AWS Certified Solutions Architect Associate
AWS
MCITP: Enterprise Administrator Windows Server
Microsoft
MCITP: Server Administrator on Windows Server
Microsoft
MCSE: Microsoft Windows Server
Microsoft
MCITP: Virtualization Admin Windows Server
Microsoft
VMware Certified Professional
VMware
ITIL Foundation
AXELOS
PRINCE2 Practitioner
AXELOS
Skills
Tools
Terraform, Prisma, Microsoft Exchange, Logging, Microsoft App-V, Citrix XenApp, VMware, Novell NetWare, Microsoft Project
Paradigms
Role-based Access Control (RBAC), Software-defined Networking (SDN), DevSecOps, Penetration Testing, Agile, DevOps, Automation, ETL
Platforms
Google Cloud Platform (GCP), Azure, Amazon Web Services (AWS), Windows Server, Microsoft, Windows, SharePoint, Oracle, Windows Vista
Storage
Azure Active Directory, Google Cloud, NetApp
Industry Expertise
Cybersecurity
Frameworks
Windows PowerShell
Languages
SQL, VBScript, TOM, Perl, SAS
Other
Architecture, Cloud Security, Solution Architecture, Certified Information Systems Security Professional, Office 365, IT Infrastructure, IT Systems Architecture, Incident Response, Infrastructure as a Service, Strategy, Design, Disaster Recovery Plans (DRP), PCI DSS, Identity & Access Management (IAM) Development, IT Security, Security Architecture, Cloud Architecture, Microsoft 365, Computer Science, Networks, Engineering, Enterprise, Server Administration, Virtualization Technology, IT Project Management, Active Directory Programming, SIEM, Infrastructure as Code (IaC), Proof of Concept (POC), Virtual Desktop Infrastructure (VDI), IT Recruitment, Interviewing, Process Improvement, Data Center Migration, IP Telephony, Cloud Telephony, Estimations, Data Migration, Group Policy Management, F5 Networks, Azure VDI, Statistics, VMware ESXi, IT Service Management (ITSM), Monitoring, Controls, eDiscovery, IT Networking, Enterprise Mobility Management (EMM), Mainframe, Avaya Software, SANs, SOX Compliance, Okta