Cyber Security, DevOps/DevSecOps, CI/CD, automation
Updated on 07.06.2024
Profile
Freelancer / Self-employed
Remote work
Available from: 07.06.2024
Availability: 100%
of which on-site: 100%
Analytical Thinking and Problem-Solving
Communication and Collaboration
Cloud
Technical Proficiency
Security Concepts
IAM
PAM
Azure
Good Clinical Practice
AWS
DevOps
Bulgarian
Native language
English
Fluent (C2)
Russian
Working proficiency (C1)
German
Basic knowledge
French
Basic knowledge
Danish
Elementary knowledge (A1)

Work locations

Germany, Switzerland, Austria: possible

Projects

4 months
2024-01 - 2024-04

SME for PAM & SecDevOps Practices as part of Annual IT Audit

External Auditor

  • Review of SecDevOps practices and PAM implementation of the current IT systems infrastructure and the so-called target architecture solution, covering microservices, Kubernetes, the Atlassian ecosystem (Jira, Confluence), SNOW, Zero Trust, service meshes, PAM, ML/AI (LLM) and CI/CD automation, ensuring compliance with GxP and cGxP.
  • Recommended and architected improvements on sustainable hybrid cloud architectures with lean, automated and secure maintenance practices, ensuring high availability, resilience, scalability and performance.
  • Collaborated with senior stakeholders across Digital, OT, Enterprise Architecture, QA and IT Security to drive DevOps culture through containerization, the use of AI (LLM) and the introduction of the associated concepts.
  • Improved and designed containerized solutions meeting GxP and cGxP requirements, IT security and reliability standards, while defining cloud standards and frameworks for managing the infrastructure lifecycle with DevOps techniques, including:
    • Security throughout the software development lifecycle in order to minimize vulnerabilities in software code.
    • Proper functioning of the DevOps teams, including development and operations teams.
    • Confirmed shared responsibility for following security best practices.
    • Evaluated the efficiency and effectiveness of automated security checks at each stage of software delivery.
    • Recommended improvements to the security controls, tools and processes integrated into the DevOps workflow.
  • Ensured designs complied with IT Security and QA standards through reviews and promoted cloud-native setups for forward-looking architectures and applications, ensuring traceability, accountability and data integrity.
  • Recommended the implementation of new methodologies using modern agile approaches, driving continuous improvement and innovation within the organization.
  • Identified and recommended infrastructure improvements for more efficient services, optimizing resource utilization, enhancing overall system performance and reducing cost.
European Medicines Agency (EMA)
6 months
2023-07 - 2023-12

SAP S/4HANA Cloud (S4C) pre-project

SAP Security
  • Orchestrated and executed security solutions, encompassing Zero Trust principles, for BASIS administration, SAP IAS, IPS, MS Azure, S/4, public cloud, BTP and Fiori applications, ensuring adherence to best practices and compliance standards transposed to SAP PCE.
  • Designed proper integration patterns of S4C public cloud / Private Cloud Edition (PCE) with the HR platform, Salesforce and IAM/PAM solutions.
  • Engineered and managed business catalogues, business roles, user roles, authorizations and profiles within S/4HANA, BTP and Fiori applications, using on-premise (PFCG and Fiori Launchpad) and cloud-based SAP systems, emphasizing Zero Trust access policies.
  • Conducted security assessments, penetration tests and vulnerability scans on Fiori applications and cloud-based SAP environments to fortify the Zero Trust model's implementation together with SAP cloud technologies (BTP, SaaS, PCE) in combination with Azure.
  • Collaborated cross-functionally to enforce robust access control, segregation of duties and least privilege principles across different SAP platforms while adhering to the Zero Trust framework.
  • Designed infrastructure as a service and CI/CD pipelines, integrating them with SAST/DAST solutions (Veracode) and Code Vulnerability Analyzer (CVA) security checks for evaluating ABAP custom code against Common Vulnerabilities and Exposures (CVE) and CVSS.
  • Oversaw BASIS administration tasks and performed system upgrades, patches and maintenance in Azure-based SAP landscapes, ensuring a Zero Trust security environment.
  • Provided expert consultation on role-based access control design, user provisioning and security configurations for S/4, BTP, public cloud, Fiori applications, SAP IAS, IPS and MS Azure within the Zero Trust model, enabling:
    • API-based integration: use SAP BTP API-based integration, allowing applications to expose their functionalities as APIs (Application Programming Interfaces). APIs enable seamless communication between different applications, services and systems. SAP BTP provides tools like SAP API Management for managing, securing and monitoring APIs.
    • Event-driven architecture: build an event-driven architecture (EDA) that enables real-time communication and data exchange between different components of a system. SAP BTP offers event-driven capabilities through services like SAP Event Mesh, which facilitates event-based communication across distributed systems.
    • Data integration: use the tools and services SAP BTP provides for data integration, enabling organizations to connect, transform and synchronize data across various sources and applications. Services like SAP Data Intelligence and SAP Data Hub offer advanced data integration capabilities, including data orchestration, transformation and governance.
    • Process integration: use SAP BTP's support for process integration, allowing organizations to streamline and automate business processes across different applications and systems. Services like SAP Integration Suite offer process orchestration capabilities, enabling organizations to design, execute and monitor end-to-end business processes.
    • IoT integration: leveraging IoT (Internet of Things) technologies, SAP BTP offers IoT integration capabilities to connect, manage and analyze IoT data streams. Services like SAP IoT Application Enablement provide tools for IoT device management, data ingestion and real-time analytics.
    • Hybrid integration: explore SAP BTP's support for hybrid integration scenarios, enabling seamless communication between on-premises systems and cloud-based applications. Services like SAP Cloud Connector facilitate secure and reliable communication between on-premises systems and SAP BTP services running in the cloud.
    • Identity and Access Management (IAM) integration: define IAM integration, which is crucial for ensuring secure access to applications and services within the SAP ecosystem. SAP BTP provides identity services like SAP BTP Identity Authentication and SAP BTP Identity Provisioning for managing user identities, authentication and authorization.
    • Integration with external systems: enable SAP BTP's integration with external systems and third-party applications through standard protocols and connectors. Services like SAP BTP Open Connectors offer pre-built connectors and APIs for integrating with popular third-party applications and services.
  • Analyzed and improved authorization concepts within S/4HANA, BTP and Azure environments to align with Zero Trust security practices, ensuring regulatory compliance and data protection.
  • Supported the implementation and enforcement of security policies for Fiori applications, integrating strong authentication methods and secure communication protocols within Azure environments under the Zero Trust paradigm.
  • Conducted training sessions and created documentation for end-users and administrators on S/4, BTP, Fiori, SAP IAS, IPS and MS Azure security protocols and best practices, emphasizing the Zero Trust model.
Hilti
1 year
2022-07 - 2023-06

IETV Program

Platform Security Engineer

  • Working with Swiss Re's Cyber Risk team to ensure Swiss Re's security standards are implemented. Documentation of the measures implemented.
  • Understand all infrastructure as code (IaC) artefacts in Azure DevOps, with specific focus on Kubernetes/AKS/EKS, Kafka, ZooKeeper and NoSQL (e.g. Couchbase).
  • Act as a Subject Matter Expert (SME) on API security for the wider technology community.
  • Develop comprehensive knowledge of our products with a focus on solutions key to improving overall API security relevant to REST, gRPC and GraphQL APIs.
  • Secure the CI/CD process for IaC and microservice (Spring Boot, Python, Helm, Terraform) deployments.
  • Understand and oversee operations of scanning tools such as Aqua, Nexus IQ, Qualys, etc.
  • Support the development and maintenance of API security guidelines, best practices and life-cycle phases for infrastructure and application teams across Swiss Re.
  • Define criteria and evaluate relevant API security solutions.
  • Drive the adoption of new ideas and technologies in the API security domain, including discovery, management, anomaly detection and protection.
  • Provide recommendations for improving automated security auditing and testing solutions for APIs and lead the implementation.
  • Ensure compliance with requirements on encryption at rest and in transit.
  • Design, implement and ensure best practices of AuthZ, e.g. via token rotation, both for human and non-human identities.
  • Design, implement and maintain secrets management.
  • Design and implement the security aspect of configuration management.
  • Work with developers to understand the security context of the apps and their interaction with Apache Kafka; design and own the implementation of how Kafka will be secured.
  • Secure the platform against unauthorized access: design and implement the lifecycle (non-prod vs prod) for data.
  • Consult with infrastructure teams on network layouts and negotiate with other network teams on integration/segregation topics.
  • Support and give guidance on test-driven development practices and their implementation in the pipelines in a DevSecOps style.
  • Efficiently leverage Azure services for addressing security concerns (e.g. WAF).
  • Own the integration with Azure Active Directory and IAM.
  • Continuously work with the teams to improve all components as the use cases grow more complex.
  • Facilitate pen-tests with an external partner.
  • Ensure compliance with the company-wide digital governance framework, audits and various security technical standards.
  • Security documentation for internal quality assurance and external audits.
  • Close collaboration with IT teams; design of a security architecture framework (guidelines, technology reference models and training material).
  • Assess, transpose and embed security requirements into existing or new IT systems (business applications including SAP, IT infrastructure, on-prem and cloud systems).
  • Perform cyber security architecture reviews and document the security requirements in architecture handbooks, in close collaboration with, partnering with and advising IT and business teams to implement a "secure by design" strategy that provides regulatory compliance, security policy enforcement, etc.
  • Advise on and design security solutions for implementation into complex customer IT environments which carry proprietary real-time life-critical data and diagnostic-quality images and require reliable, highly available output based on cloud-native services.
  • Employ DevSecOps, AIOps and safe code practices, ensuring that technical solutions are cohesive across the provisioning sub-teams and complete against business requirements, allowing rapid:
    • Bootstrapping: create cloud setups with the corresponding resource hierarchy and permissions for the initial CI/CD pipeline to deploy the next stages.
    • Baselining: a set of configurations that allows the delivery of security and compliance monitoring and alerting as foundational guardrails.
    • Covering business-specific requirements: deliver business-specific components and integrations (such as SSO, monitoring, etc.).
    • Establishment of proper workload services at application level, running a proper set of application infrastructure: any of the many cloud services that form the business's platform for workloads (servers, storage, IAM/PAM, SIEM, SOAR, etc.). The final goal of the landing zone: to deliver value to the business.
    • Validation, evaluation and technical sign-off of changes in capabilities and solutions proposed by external partners.
    • Oversee and guide deployment of security patches, enhancements and changes to the Windows/Linux IT landscape (including PoCs, PoVs, canary and blue-green deployments, gold images, and transfer to operations together with L2/L3, running everything as code).
Swiss Re
6 months
2022-08 - 2023-01

CyberArk (PAM) advisory

As Technology Partner in FIS Global I am responsible for building and developing the Digital Identity Practice as part of Cyber Security services. The Digital Identity practice consists of PAM (Privileged Access Management), IGA (Identity Governance and Administration) and CIAM (Customer IAM). The current toolset in use for these topics is as follows: IGA: SailPoint IIQ, OMADA, MIM 2016; PAM: CyberArk; CIAM: ForgeRock and Transmit Security; Microsoft-based security: on-premise and Azure Cloud. As part of the company leadership team, I am responsible for building, developing and administrating a team of 20+ people across Central and Eastern Europe. Daily, I take a management and architectural role in various projects covering services such as assessment, design, implementation and managed service across Europe with the technology stacks mentioned above. I have experience in various industries and expert knowledge in IAM/PAM best practices and compliance standards across widely regulated and non-regulated businesses. In the past 10+ years I have been involved in projects taking various roles from Implementation Engineer to Solution Architect for businesses of any size, from small to large global companies spanning the globe. My expertise and understanding of the overall IT infrastructure and in-depth knowledge of authorization, authentication and security allowed me to successfully deliver all those projects regardless of project complexity, timeline, location or size. My strongest features are my devotion to work and desire to solve complex challenges with the highest quality, the ability to lead teams and coordinate activities, and the ability to consult and discuss at every level, from top management through enterprise architecture down to in-depth technical discussions and low-level solution-specific conversations with developers and engineers.
In my current role, my main responsibilities include driving the line of business forward by developing new client relationships and delivering complex projects from a management and architectural perspective, including but not limited to:

  • Roadmap design, HLD, LLD and pilot implementation of a company-wide PAM solution as a service provided by a market leader.
  • Close collaboration with IT teams; design of a security architecture framework (guidelines, technology reference models and training material).
  • Assess, transpose and embed security requirements into existing or new IT systems (business applications including SAP, IT infrastructure, on-prem and cloud systems including Microsoft Office 365).
  • Perform cyber security architecture reviews and document the security requirements in architecture handbooks, in close collaboration with, partnering with and advising IT and business teams to implement a "secure by design" strategy that provides regulatory compliance, security policy enforcement, support of "bring your own device" (BYOD), remote control of device updates, application control, automated device registration and data backup.
  • Advise on and design security solutions for implementation into complex customer IT environments which carry proprietary real-time life-critical data and diagnostic-quality images and require reliable, highly available output based on GCP-native services such as Access Transparency, Assured Workloads, Binary Authorization, Cloud Asset Inventory, Cloud Data Loss Prevention, Cloud Key Management (to manage encryption keys on Google Cloud), Confidential Computing, Firewalls, Secret Manager (to store API keys, passwords, certificates and other sensitive data), Security Command Center, Shielded VMs, VPC Service Controls, BeyondCorp Enterprise (a scalable zero trust platform with integrated threat and data protection), Cloud Identity, Identity and Access Management, Identity-Aware Proxy, Policy Intelligence, Titan Security Key for MFA, etc.
  • Employ DevSecOps, AIOps and safe code practices, ensuring that technical solutions are cohesive across the provisioning sub-teams and complete against business requirements, allowing rapid:
    • Bootstrapping: create cloud setups with the corresponding resource hierarchy and permissions for the initial CI/CD pipeline to deploy the next stages.
    • Baselining: a set of configurations that allows the delivery of security and compliance monitoring and alerting as foundational guardrails.
    • Covering business-specific requirements: deliver business-specific components and integrations (such as SSO, monitoring, etc.).
    • Establishment of proper workload services at application level, running a proper set of application infrastructure: any of the many cloud services that form the business's platform for workloads (servers, storage, IAM/PAM, SIEM, SOAR, etc.). The final goal of the landing zone: to deliver value to the business.
    • Validation, evaluation and technical sign-off of changes in capabilities and solutions proposed by external partners.
    • Oversee and guide deployment of security patches, enhancements and changes to the Windows/Linux IT landscape (including PoCs, PoVs, canary and blue-green deployments, gold images, and transfer to operations together with L2/L3, running everything as code).
Galderma
1 year 4 months
2021-01 - 2022-04

Architecting of APIMv2 heterogeneous platform-based SaaS microservices

APIM CTO Lead Architect
  • Enable Open Banking for BMW Bank, allowing access to and control of consumer banking and financial accounts through third-party applications.
  • Architecting of APIMv2 heterogeneous platform-based SaaS microservices (Kubernetes).
  • Enabling migration from a heterogeneous setup (mix of on-prem and SaaS solutions) to cloud first / cloud only (Azure and AWS), clearing the path for BMW's IT ecosystem to become API-driven and BMW to become a tech company.
  • Employing DevSecOps and safe code practices, running everything as code.
  • Enhancement of the IT & security risk control mechanisms of the GCP-, AWS- and Azure-based APIM platform.
  • Responsible for the creation of a security standard based on IT and security frameworks (such as OWASP Top 10, ISO 23167:2020, ISO 23188:2020, ISO 23029:2020, ISO 27001/2, NIST 500, NIST 800, GxP, CIS and COBIT).
  • Development of the security concept and road map for achieving the desirable future state.
  • Interact with senior stakeholders across departments, reaching and influencing a wide range of people across larger teams and communities.
  • Research and apply innovative cloud and security architecture solutions to new or existing problems.
  • Work out subtle cloud and security needs, understanding the impact of decisions, balancing requirements and deciding between approaches.
  • Design and plan a cloud solution architecture, produce particular patterns and support quality assurance, and act as the point of escalation for the architects below.
  • Post-bridge assessment and validation of execution for AD and AAD.
  • Designing and implementing the AD tiering model.
  • Migration to the tiering model.
  • Designing the AD concept for application and server administration.
  • Designing the AD concept for self-evolution of rights.
  • Developing the PAM program.
  • Designing the CyberArk Core PAS solution.
  • Implementing CyberArk Core PAS.
  • Designing client-specific use cases for CyberArk EPM.
  • Implementation of CyberArk EPM.
  • Manage and provision the cloud solution infrastructure.
  • Design for security and compliance.
  • Analyse and optimize technical and business processes.
  • Manage implementations of cloud architecture.
  • Ensure solution and operation reliability.
  • Configure access within a cloud solution environment.
  • Ensure data protection.
  • Manage operations within a cloud solution environment.
  • Ensure compliance and reliability.
BMW Group / BMW Bank
1 year 2 months
2020-11 - 2021-12

Enhancing perimeter security of Hilti Cloud

  • Conceptualizing a defense-in-depth approach for Hilti Cloud: EMEA, APAC, North America and Mainland China.
  • Creation of a road map for implementation of a layered defence-in-depth strategy. Technology stack including WAF (Web Application Firewall),
  • Leading the VRM process selection and setting up of vendor battles.
  • Performing PoCs with shortlisted vendors.
  • Setting up criteria and performing interoperability, regression and unit testing of the selected stack with the existing Hilti ecosystem.
Hilti
4 months
2020-09 - 2020-12

Integration of existing IAM platform

Governance Consultant/Architect

  • Integration of the DB Access Gate (OneIM) with the Wealth Management Platform (WME), dedicated to automating the user lifecycle (access provisioning and deprovisioning) and to allowing usage of hybrid identities across the Wealth Management ecosystem (300+ applications).
  • Architecting (HLD, LLD, API contracts) a fleet of RESTful APIs dedicated to overcoming OneIM constraints and limitations.

Deutsche Bank
10 months
2019-12 - 2020-09

Evaluation of the current setup of the hybrid cloud deployment

Governance Consultant/Architect
External governance consultant responsible for evaluation of the current setup of the hybrid cloud deployment, HA, security of the network infrastructure and ITGCs of the EHR (electronic health record; German: elektronische Patientenakte, ePA) system development program. EHRs are hailed as the key to increasing the quality of care. This project is the result of the Appointment Service and Supply Act (TSVG), adopted on 14 March 2019, which requires the German statutory health insurance funds to provide policyholders with electronic health records from 1 January 2021 onwards. Effectively applying cyber kill chain models (MITRE ATT&CK framework, SANS Diamond Model for Intrusion Analysis, CEH), putting all the cybersecurity products to the test in a structured and methodical way and assessing whether or not each security product is fulfilling its duty (vendor battles). Lead breach & attack simulation and filling of the gaps in security.
  • Define the product strategy for the business considering technology constraints.
  • Coordinate the technology-related efforts to deliver it within the project and with 3rd-party subcontractors.
  • Business application ownership and management of the book of work for certain front-to-back processes and applications in the GRC and Security areas.
  • Development and optimization of the ISMS (Information Security Management System) according to ISO 27001.
  • Business architecture, process and requirements design and definition as product subject matter expert in control definition: ITGC, compensating and detective controls.
  • Product responsibility (IT team to deliver the product, delivery manager to oversee and steer direction).
  • Close collaboration with IT as CRC product owner in an agile working framework.
  • Provide transparent, timely and accurate information to senior stakeholders and peers.
  • Cryptographic knowledge including encryption, key exchange, certificate handling and protocols (X.509, PKCS#12, etc.).
  • Security control frameworks, e.g. ISO 27001, and practical experience in their implementation.
  • Security architecture principles, generic best practices.
  • Network security devices.
  • Endpoint defense solutions.
  • Exposure to malware infection vectors and defence methods.
  • Endpoint and server hardening principles, best practices.
  • Web application firewalls, network load balancers, proxy systems.
  • Network, endpoint and application logging concepts, best practices and monitoring systems including SIEM.
  • Active Directory security including federated solutions using ADFS, SAML, etc.
  • Exposure to cloud security models including public, private and hybrid concepts.
  • Application security including web applications, SaaS services, etc.
  • Data handling principles, protective marking/tagging and data security knowledge.
IBM
2 months
2019-10 - 2019-11

Architecting FCP POC

Cloud Architect

  • Creating a roadmap for migrating the on-prem OpenShift platform to the cloud (Azure: ARO; GCP: GKE; AWS: ECS, EKS, Fargate), aiming at utilization of a cloud-native approach.
  • Participates in and contributes thought leadership and strategic direction during ISRM leadership team meetings and executive workshops.
  • Prepares strategic updates and vision documents, briefings and reports, and demonstrates excellent communication skills and executive presence in presentations to TR executives, customers and partners.
  • PaaS DevOps consulting on the migration of existing IT applications to the PaaS solution.
  • Analysis of existing IT applications, defining changes in the software architecture at high and low level.
  • Architecting data flow relying on GCP/AWS/Azure out-of-the-box services and enabling usage of GraphQL as a superpositioned touch point.
  • Own the security architecture process, enabling the development and implementation of identity and security solutions and capabilities enterprise-wide, clearly aligned with business, technology and threat drivers. Translating security policies and directives into specific requirements, procedures, standards and guidelines.
  • Defining architectural principles, consulting project and line organizations regarding the implementation of safety requirements, ensuring that company-wide security requirements are correctly implemented.
  • Develops hybrid cloud strategy and governance to meet future business requirements, with a focus on containerization and microservice architectures.
  • Develops infrastructure identity and security strategy plans, roadmaps and other architecture artifacts based on sound enterprise architecture practices.
  • Participates as a consultant in application and infrastructure projects to provide infrastructure and security-planning advice.
  • Determines baseline infrastructure configuration standards for operating systems (e.g. OS hardening), network segmentation, and identity and access management (IAM) platforms and capabilities.
  • Validates IT infrastructure and other reference architectures for security best practices and recommends changes to enhance security and reduce risks, where applicable.
  • Reviews the network segmentation strategy (also in a containerized environment) to ensure least privilege for network access, and ensures this translates to the new software-defined data center offering.

Generali
Zurich, Switzerland
1 year 2 months
2018-08 - 2019-09

Development of identity and security strategy plans

Cloud Security Architect
  • Own the security architecture process, enabling the development and implementation of identity and security solutions and capabilities enterprise-wide, clearly aligned with business, technology and threat drivers. Translating security policies and directives into specific requirements, procedures, standards and guidelines.
  • Defining architectural principles, consulting project and line organizations regarding the implementation of safety requirements, ensuring that company-wide security requirements are correctly implemented.
  • Development of identity and security strategy plans and roadmaps ensuring confidentiality, integrity and availability of resources based on sound enterprise architecture practices.
  • Development and maintenance of identity and security architecture artifacts (e.g. models, templates, standards and procedures) that can be used to leverage security capabilities in projects and operations.
  • Provides strategic technical and architectural guidance to senior management, business technology project teams and functional organizations.
  • Designs and builds security models and capabilities as they relate to the network, cloud, endpoint, identity and data security domains; authors and drives compliance with enterprise security policies and standards.
  • Leads technical defense-in-depth reviews of TR's product portfolio to evaluate the application of security controls and identify opportunities to enhance the products' security posture.
  • Guides teams in defining future-state end-to-end architectures, platforms, products, tools and solutions to advance security capabilities in the business.
  • Develops and drives the ISRM technology roadmap, defining current and future security platform lifecycles (candidate, POC, deployed, pending decommission) to continuously improve TR's security controls posture.
  • Work closely with internal teams to effectively deliver internal change capability.
  • Clearly define programme requirements and ensure clear communication at all times.
  • Consulting the automation DevOps lead on network layouts and negotiating with other network teams on integration and segregation topics.
  • Performing application vulnerability and security assessments.
  • Performing application security risk assessments.
  • Performing code review across a variety of programming languages.
  • Defining application security controls (ITGCs).
  • Performing application security design activities.
  • Performing assessments of SDLC and DevOps processes, promoting DevSecOps and safe code practices.
  • Developing and delivering application security training and outreach.
  • Creating gap analyses and client improvement program recommendations.
  • Other security-related projects that may be assigned according to skills.
  • Review and evolve customer and internal access management technologies. Create the IAM policies and technical standards. Advise technical teams on the control design, perform risk assessments and define the IAM-related security requirements.
  • Translating clients' risk, security and compliance requirements into specific cloud security solutions and design patterns.
  • Set up security baselining and ensure compliance with state authorities.
  • Utilizing modern technology trends (DevOps, DevSecOps, CI/CD) in security.
  • Security PO directly responsible for:
    • iptiQ PnC security concept.
    • Identification of the critical assets; our in-depth reference architecture model is based on ISO/IEC 17789 and NIST 500-292.
    • Development and optimization of the ISMS (Information Security Management System) according to ISO 27001, GDPR and FINMA requirements.
    • Applying passwordless authentication techniques (MFA, OATH, FIDO2, SSO, YubiKey).
    • Cloud compute and workload security protecting software-defined networking, virtual machines/instances, containers, platform-based workloads and serverless computing.
    • Defining key risks and controls.
    • Centralized authentication/authorization: utilization of managed services for authentication and authorization (Okta) together with LDAP DS and dedicated OAuth 2 platforms.
    • System integrity, system administration and software deployment via Terraform, CloudFormation and Ansible scripts (DevSecOps).
    • Security patch management via immutable workloads; security enablement with Nexus IQ.
    • Automatic identification of OSS/TP components and risk modeling in accordance with risk appetite.
    • Malware/edge protection via a combination of managed services (WAFs): Cloudflare and edge NGFW (Palo Alto Networks).
    • System hardening, performance tuning and patch management.
    • Tenant segregation, multiple VPCs.
    • RBAC for technical users and business users; role definition, certification and enforcement.
    • KMS management of private keys, envelope encryption, securing data at rest and in transit, and pseudonymization via tokens.
    • Enforcing safe code security practices and monitoring of OSS/TP components in use.
    • Attack surface and threat modeling, static code scanning and free and open source scanning, applying measures to prevent OWASP Top 10 vulnerabilities, code repository security (Nexus IQ) together with SonarQube.
    • Service continuity, disaster recovery:
      • Business continuity within the cloud provider
      • Business continuity for loss of the cloud provider
      • BC/DR remediation actions
    • Proper security monitoring logic (events & time series) via CloudWatch, CloudTrail and Panorama.
    • Integrating with 3rd-party SOC providers, enabling paging duties.
    • Backup orchestration to another cloud vendor.
    • IT cyber security metrics.
    • Implementation of advanced endpoint protection.
iptiQ PnC Swiss Re
Zurich, Switzerland

Education and Training

BS, IT Science

PU Paisii Hilendarsky


BSc, Engineering in Aeronautics

TU Sofia


Certifications

  • ITIL v4
  • ITILv4 Managing Professional (MP)
  • ITILv4 Strategic Leader (SL)
  • LeSS Practitioner
  • Certified Product Owner (CSPO)


  • SAFe4 (2016)
  • CISA (2009)
  • PMP (2015)
  • TOGAF Foundation (2012)


ITIL Lifecycle and Capability (ITIL® ATO Accredited Trainings)

  • ITIL Foundation v3
  • ITIL® 2011:
    • Service Strategy
    • Service Design
    • Service Transition
    • Service Operation
    • Continual Service Improvement
    • Operational Support & Analysis
    • Planning, Protection & Optimizations
    • Release, Control and Validation
    • Service Offerings and Agreements
    • Managing Across the Lifecycle

Competencies

Top Skills

Analytical Thinking and Problem-Solving; Communication and Collaboration; Cloud; Technical Proficiency; Security Concepts; IAM; PAM; Azure; Good Clinical Practice; AWS; DevOps

Products / Standards / Experience / Methods

Profile

  • Engineer with extensive experience in Cloud Security and especially in Identity and Access Management, with good knowledge of the functional and non-functional aspects of designing and implementing Digital and UX Platforms, B2B/B2C target operating models and DevSecOps automation; extensive experience in the Financial industry, Open Banking and related security domains, Identity and Access Management and regulatory requirements (PCI DSS & GDPR), with E2E knowledge.
  • Dedicated and experienced in securing access consistently across cloud estates and implementing Zero Standing Privileges in hybrid and multi-cloud estates without impacting productivity, focusing on native access to cloud, globally defined access policies, Zero Standing Privileges, dynamic break-glass access and seamless integration within the Zero Trust security framework.
  • Profitability and quality champion who explores all possibilities to find the most elegant and cost-effective solution, able to define interfaces that support the information and process flows and the approach to implementing those interfaces. Rare combination of expert-level technology and business skill sets. Trusted advisor to senior business stakeholders. Expert in strategy definition, development of target architectures and integration of data, architecture reviews, advising stakeholders on the definition of new solutions in the technical SAP environment, requirements gathering incl. technical assessments, and coordination with internal/external partners and service providers.
  • Strong advocate for utilizing domain-specific languages, patterns and concepts to express domain logic directly in the codebase, enhancing software comprehensibility and maintainability. Adept at leading cross-functional teams and fostering collaboration between domain experts, architects and developers to deliver high-quality software solutions that meet business objectives. Dedicated to continuous learning and staying abreast of emerging trends and best practices in Domain-Driven Architecture and software engineering in the specific context of corporate crisis management solutions, following the requirements of NIS2, DORA, NIST 500, NIST SCF, NIST 800-53, SP 1800, ISO 27001, ISO 27005, CIS Controls, the CSA framework, etc.
  • Expert in conceptualization, development and implementation of tailor-made IAM\PAM solutions for large, international companies (One Identity (ex Dell) advisory, PingFederate, Omada, CyberArk and more), performing IAM integration projects on-prem and in the cloud (AWS/Azure/GCP).
  • Hands-on expertise with Access Management, Workforce Access, Single Sign-On, Multi-Factor Authentication, Workforce Password Management, Secure Web Sessions, Secure Browser, Customer Access, B2B Identity, Identity Governance and Administration.
  • Identity Compliance Lifecycle Management, Identity Flows, IAM (PingID, SailPoint IIQ, Okta, Q1IM\Dell1IM\OneIM) \ PAM (CyberArk, BeyondTrust) integration. Privileged Access (N-Tier User Model), Privileged Access Management, Vendor Privileged Access, Secrets Management, Multi-Cloud Secrets, Secrets Hub, Credential Providers, Endpoint Privilege Security, Endpoint Privilege Management, Secure Desktop, etc.
  • Onboarding applications, with expertise in installation and version upgrades of Dell One Identity Manager, CyberArk and BeyondTrust, applying patches, design and end-to-end implementation of complex IAM solutions, and developing custom interfaces with various applications such as Windows, AD, Linux and SAP, enabling API-driven fabrics.
  • Expert in infrastructure technologies: running Infrastructure-as-Code (DevOps\SecDevOps), code & configuration (Terraform, CloudFormation) release pipelines, credential management (CF/CredHub & vaulting), API management (AWS API Gateway, MS Azure API Management, Google Endpoints & Apigee, WSO2), formulating a migration strategy (6 Rs), implementing the security strategy for the Database Activity Monitoring team taking into consideration all database-related policies, and tracking Service Quality, Service Capacity Usage, Service Profitability, Service Efficiency, Service Availability (SLA), Max Serviceable Customer Capacity and Service Critical Incident Count using agile software development methodologies. Strong knowledge of all information security domains including Zero Trust networks, passwordless authentication techniques (MFA, OATH, FIDO2, SSO, YubiKey), NGFW appliances, risk management, data privacy and regulation/governance. Implementing solutions, policies and defined standards on IAM, authentication, directory services, PKI and IT infrastructure security domain platforms, Microsoft PKI\IAM\PAM. Solid understanding and solution architecture capabilities for industry IT application scenarios, PAM (CyberArk, BeyondTrust) \ IAM (role & authorization management).
  • Know how to employ DevSecOps, AIOps and safe code practices, ensuring that technical solutions are cohesive across the provisioning sub-teams and complete against business requirements, allowing rapid:
    • Bootstrapping: create cloud setups with the corresponding resource hierarchy and permissions for the initial CI/CD pipeline to deploy the next stages. Enable an N-tier landscape (dev, test, preprod, N and prod).
    • Baselining: the set of configurations that allows the delivery of security and compliance monitoring and alerting as foundational guardrails. Use Jenkins as scheduler, source control tools (Gitea, GIT, Azure Bucket, GitLab) and Crucible for code review, benefiting from SAP Cloud ALM to ensure proper backup of binaries and source code, code inspection and quality control, release management, certificate expiration tracking, automated testing, documentation and code review.
    • Covering business-specific requirements: delivering business-specific components and integrations (such as SSO, service & event meshes, proper monitoring, etc.);
    • Establishment of proper workload services at application level, running the proper set of application infrastructure: any of the many cloud services that form the business platform for workloads (servers, storage, IAM\PAM, SIEM, SOAR, etc.). The final goal of the landing zone is to deliver value to the business.
    • Validation, evaluation and technical sign-off of technical changes in capabilities and solutions proposed by external partners.
    • Overseeing and guiding deployment of security patches, enhancements and changes to the Windows\Linux IT landscape (including PoCs, PoVs, canary and blue-green deployments, gold images, and transfer to operations together with L2/L3, running everything as code).

  • Adept at cost optimization: implementing cloud financial management by adopting a consumption model.
  • Measuring overall efficiency to create an understanding of the gains the company makes from increasing output, increasing functionality and reducing cost, while preventing the company from spending money on undifferentiated heavy lifting by analyzing and attributing expenditures.


Additional IT Experience

08/2017 - 10/2017

Role: Enterprise Architect 

Customer: UBS AG, Zurich Switzerland


Tasks:

IAM/PAM Sustainability Program


02/2017 - 11/2018

Role: Senior Program Manager\Lead Architect 

Customer: VMware


05/2016 - 02/2017

Customer: SME IAM Maersk Oil&Gas Copenhagen, Denmark 


06/2015 - 04/2016

Role: Infosys Team Lead\SME 

Customer: Deutsche Bank S.A. Frankfurt am Main, Eschborn Germany 


04/2014 - 11/2015

Role: Infrastructure Delivery Manager 

Customer: UniCredit S.A, Frankfurt am Main, Milano


09/2013 - 04/2014

Role: Director Performance &Technology 

Customer: on request


11/2009 - 08/2013

Role: Senior Director, (Technology and Risk Advisory Service lines) 

Customer: on request


04/2007 - 10/2009

Role: Informational Risk Manager (CISO) 

Customer: ProCredit Bank Holding S.A.


Tasks:

  • ProCredit Bank Holding S.A.: 21 growing banks operating in transition economies and developing countries in Eastern Europe, Latin America and Africa.
  • Currently the Bulgarian ProCredit Bank holds a position in the top 10 on the Bulgarian market.


05/2006 - 08/2006

Role: IT Administrator 

Customer: Deloitte SSA


03/2003 - 05/2006

Role: LAN Administrator 

Customer: Piraeus Bank 


Projects

4 months
2024-01 - 2024-04

SME of PAM&SecDevOps Practices as part of Annual IT Audit

External Auditor

  • Review of SecDevOps Practices and PAM Implementation of current IT systems infrastructure and the so-called target architecture solution, covering Microservice, Kubernetes, Atlassian Eco system (Jira, Confluence), SNOW, Zero-trust, Service meshes, PAM, ML\AI (LLM) and CI\CD automation ensuring compliance with GxP and cGxP.
  • Recommended and architected improvements on sustainable hybrid cloud architectures with lean, automated, and secure maintenance practices, ensuring high availability, resilience, scalability, and performance.
  • Collaborated with senior stakeholders across Digital, OT, Enterprise Architecture, QA and IT Security to drive DevOps culture through containerization, usage of AI (LLM) and the introduction of associated concepts.
  • Improved and designed containerized solutions meeting GxP and cGxP requirements, IT security and reliability standards, while defining cloud standards and frameworks for managing the infrastructure lifecycle with DevOps techniques, including:
    • Secure throughout the software development lifecycle in order to minimize vulnerabilities in software code.
    • Proper function of the DevOps teams, including developers and operations teams.
    • Confirmed shared responsibility for following security best practices.
    • Evaluate efficiency and effectiveness of automated security checks at each stage of software delivery.
    • Recommend improvements on integrated security controls, tools, and processes into the DevOps workflow.
  • Ensured designs complied with IT Security and QA standards through reviews and promoted cloud-native setups for forward-looking architectures and applications, ensuring Traceability, Accountability and Data integrity.
  • Recommend implementation of new methodologies using modern agile approaches, driving continuous improvement and innovation within the organization.
  • Identified and recommend infrastructure improvements for more efficient services, optimizing resource utilization and enhancing overall system performance and cost reduction.
European Medicines Agency (EMA)
6 months
2023-07 - 2023-12

SAP S/4HANA Cloud S4C pre project

SAP Security
  • Orchestrated and executed security solutions, encompassing Zero Trust principles, for BASIS Administration, SAP IAS, IPS, MS Azure, S/4, public cloud, BTP, and Fiori applications, ensuring adherence to best practices and compliance standards transposed to SAP PCE
  • Designed proper integration patterns of S4C public cloud \ Private Cloud Edition (PCE) with the HR platform, Salesforce and IAM\PAM solutions;
  • Engineered and managed business catalogues, business roles, user roles, authorizations and profiles within S/4 HANA, BTP and Fiori applications, using on-premise (PFCG and Fiori Launchpad) and cloud-based SAP systems, emphasizing Zero Trust access policies.
  • Conducted security assessments, penetration tests, and vulnerability scans on Fiori applications and cloud-based SAP environments to fortify the Zero Trust model's implementation together with SAP cloud technologies (BTP, SaaS, PCE) in combination with Azure
  • Collaborated cross-functionally to enforce robust access control, segregation of duties, and least privilege principles across different SAP platforms while adhering to the Zero Trust framework.
  • Designed infrastructure as a service and CI\CD pipelines, integrating them with SAST\DAST solutions (Veracode) and Code Vulnerability Analyzer (CVA) security checks for ABAP custom code evaluations against Common Vulnerabilities and Exposures (CVE) and CVSS.
  • Oversaw BASIS Administration tasks and performed system upgrades, patches, and maintenance in Azure-based SAP landscapes, ensuring a Zero Trust security environment.
  • Provided expert consultation on role-based access control design, user provisioning and security configurations for S/4, BTP, public cloud, Fiori applications, SAP IAS, IPS and MS Azure within the Zero Trust model, enabling:
    • API-based Integration: use SAP BTP API-based integration, allowing applications to expose their functionalities as APIs (Application Programming Interfaces). APIs enable seamless communication between different applications, services and systems. SAP BTP provides tools like SAP API Management for managing, securing and monitoring APIs.
    • Event-Driven Architecture: build an event-driven architecture (EDA) that enables real-time communication and data exchange between different components of a system. SAP BTP offers event-driven capabilities through services like SAP Event Mesh, which facilitates event-based communication across distributed systems.
    • Data Integration: use the SAP BTP tools and services for data integration, enabling organizations to connect, transform and synchronize data across various sources and applications. Services like SAP Data Intelligence and SAP Data Hub offer advanced data integration capabilities, including data orchestration, transformation and governance.
    • Process Integration: use SAP BTP's support for process integration, allowing organizations to streamline and automate business processes across different applications and systems. Services like SAP Integration Suite offer process orchestration capabilities, enabling organizations to design, execute and monitor end-to-end business processes.
    • IoT Integration: leveraging IoT (Internet of Things) technologies, SAP BTP offers IoT integration capabilities to connect, manage and analyze IoT data streams. Services like SAP IoT Application Enablement provide tools for IoT device management, data ingestion and real-time analytics.
    • Hybrid Integration: explore SAP BTP's support for hybrid integration scenarios, enabling seamless communication between on-premises systems and cloud-based applications. Services like SAP Cloud Connector facilitate secure and reliable communication between on-premises systems and SAP BTP services running in the cloud.
    • Identity and Access Management (IAM) Integration: define IAM integration, which is crucial for ensuring secure access to applications and services within the SAP ecosystem. SAP BTP provides identity services like SAP BTP Identity Authentication and SAP BTP Identity Provisioning for managing user identities, authentication and authorization.
    • Integration with External Systems: enable SAP BTP's integration with external systems and third-party applications through standard protocols and connectors. Services like SAP BTP Open Connectors offer pre-built connectors and APIs for integrating with popular third-party applications and services.
  • Analyzed and improved authorization concepts within S/4 HANA, BTP and Azure environments to align with Zero Trust security practices, ensuring regulatory compliance and data protection.
  • Supported the implementation and enforcement of security policies for Fiori applications, integrating strong authentication methods and secure communication protocols within Azure environments under the Zero Trust paradigm.
  • Conducted training sessions and created documentation for end-users and administrators on S/4, BTP, Fiori, SAP IAS, IPS, and MS Azure security protocols and best practices emphasizing the Zero Trust model.
Hilti
1 year
2022-07 - 2023-06

IETV Program

Platform Security Engineer

  • Working with SwissRe's Cyber Risk team to ensure SwissRe's security standards are implemented. Documentation of the measures implemented
  • Understand all infrastructure as code (IaC) artefacts in Azure DevOps, with specific focus on Kubernetes/AKS/EKS, Kafka, Zookeeper and NoSQL (e.g. Couchbase)
  • Act as a Subject Matter Expert (SME) on API Security for the wider technology community.
  • Develop comprehensive knowledge of our products with a focus on solutions key to improving overall API security relevant to REST, gRPC and GraphQL APIs.
  • Secure the CI/CD process for IaC and microservice (Spring Boot, Python, Helm, Terraform) deployments
  • Understand and oversee operations of wide scanning tools such as Aqua, NexusIQ, Qualys etc
  • Support the development and maintenance of API Security guidelines, best practices and life-cycle phases for infrastructure and application teams across Swiss Re
  • Define criteria and evaluate relevant API security solutions.
  • Drive the adoption of new ideas and technologies in API security domain including discovery, management, anomaly detection and protection.
  • Provide recommendations for improving automated security auditing and testing solutions for APIs and lead the implementation.
  • Ensure compliance with requirements on Encryption at rest and in transit
  • Design, implement and ensure best practices of AuthZ, e.g. via token rotation, both for human and non-human identities
  • Design, implement and maintain secrets management
  • Design and implement a security aspect for configuration management
  • Work with developers to understand the security context of the apps and their interaction with Apache Kafka; design and own the implementation of how Kafka is secured
  • Secure the platform against unauthorized access: design and implement lifecycle (non-prod vs prod) for data
  • Consult with infrastructure teams on network layouts and negotiate with other network teams on integration/segregation topics
  • Support and give guidance on the test driven development practices and the implementation thereof in the pipelines in a DevSecOps style
  • Efficiently leverage Azure services for addressing security concerns (i.e. WAF)
  • Own the integration with Azure Active Directory and IAM
  • Continuously work with the teams to improve all components as the use-cases grow more complex
  • Facilitate pen-tests with an external partner
  • Ensure compliance with the company wide digital governance framework, audit and various security technical standard
  • Security Documentation for internal quality assurance and external audits
  • Close collaboration with IT teams, design a security architecture framework (guidelines, technology reference models, guidelines, and training material)
  • Assess and transpose embed security requirements into existing or new IT systems (business applications including SAP, IT infrastructure, on-prem and cloud systems).
  • Perform cyber security architecture reviews and documentation of the security requirements in architecture handbooks in close collaboration, partnering and advising IT and business teams to implement a 'secure by design' strategy that provides the following: regulatory compliance, security policy enforcement, etc.
  • Advise and design security solutions for implementation into complex customer IT environments which carry proprietary real-time life critical data and diagnostic quality images which require reliability and high availability output based on Cloud Native services
  • Employ DevSecOps, AIOps and safe code practices, ensuring that technical solutions are cohesive across the provisioning sub-teams and complete against business requirements, allowing rapid:
    • Bootstrapping: create cloud setups with the corresponding resource hierarchy and permissions for the initial CI/CD pipeline to deploy the next stages.
    • Baselining: the set of configurations that allows the delivery of security and compliance monitoring and alerting as foundational guardrails.
    • Covering business-specific requirements: delivering business-specific components and integrations (such as SSO, monitoring, etc.);
    • Establishment of proper workload services at application level, running the proper set of application infrastructure: any of the many cloud services that form the business platform for workloads (servers, storage, IAM\PAM, SIEM, SOAR, etc.). The final goal of the landing zone is to deliver value to the business.
    • Validate, evaluate and technical sign-off of technical changes in capabilities and solutions proposed by external partners.
    • Oversee and guide deployment of security patches, enhancements and changes to the Windows\Linux IT Landscape (including PoCs, PoVs, Canary and Blue-Green deployments, Gold images, and Transfer-to Operations together with L2/L3 running everything as a code)
Swiss Re
6 months
2022-08 - 2023-01

CyberArk (PAM) advisory

As Technology Partner in FIS Global I am responsible for building and developing the Digital Identity Practice as part of Cyber Security services. The Digital Identity practice consists of PAM (Privileged Access Management), IGA (Identity Governance and Administration) and CIAM (Customer IAM). The current toolset in use for these topics is as follows: IGA: SailPoint IIQ, OMADA, MIM 2016; PAM: CyberArk; CIAM: ForgeRock and Transmit Security; Microsoft-based security: on-premise and Azure Cloud. As part of the company leadership team, I am responsible for building, developing and administrating a team of 20+ people across Central and Eastern Europe. Daily, I take management and architectural roles in various projects covering services such as assessment, design, implementation and managed service across Europe with the technology stacks mentioned above. I have experience in various industries and expert knowledge in IAM/PAM best practices and compliance standards across widely regulated and non-regulated businesses. In the past 10+ years I have been involved in projects taking various roles from Implementation Engineer to Solution Architect for businesses of any size, from small to large global companies spanning the globe. My expertise and understanding of the overall IT infrastructure and in-depth knowledge of authorization, authentication and security allowed me to successfully deliver all those projects regardless of project complexity, timeline, location or size. My strongest features are my devotion to work and desire to solve complex challenges with the highest quality, the ability to lead teams and coordinate activities, and the ability to consult and discuss on every level, from top management through enterprise architecture down to in-depth technical discussions and low-level solution-specific conversations with developers and engineers.
In my current role, my main responsibilities include driving the line of business forward by developing new client relationships and delivering complex projects from a management and architectural perspective, including but not limited to:

  • Roadmap design HLD, LLD and Pilot implementation of Companywide PAM solution as a Service provided from a market leader.
  • Close collaboration with IT teams, design a security architecture framework (guidelines, technology reference models, guidelines, and training material)
  • Assess and transpose embed security requirements into existing or new IT systems (business applications including SAP, IT infrastructure, on-prem and cloud systems including Microsoft office 365).
  • Perform cyber security architecture reviews and documentation of the security requirements in architecture handbooks in close collaboration, partnering and advising IT and business teams to implement a 'secure by design' strategy that provides the following: regulatory compliance, security policy enforcement, support of 'bring your own device' (BYOD), remote control of device updates, application control, automated device registration & data backup
  • Advise and design security solutions for implementation into complex customer IT environments which carry proprietary real-time life-critical data and diagnostic-quality images which require reliability and high-availability output based on GCP native services such as Access Transparency, Assured Workloads, Binary Authorization, Cloud Asset Inventory, Cloud Data Loss Prevention, Cloud Key Management (to manage encryption keys on Google Cloud), Confidential Computing, Firewalls, Secret Manager (to store API keys, passwords, certificates and other sensitive data), Security Command Center, Shielded VMs, VPC Service Controls, BeyondCorp Enterprise (a scalable zero trust platform with integrated threat and data protection), Cloud Identity, Identity and Access Management, Identity-Aware Proxy, Policy Intelligence, Titan Security Key for MFA, etc.
  • Employ DevSecOps, AIOps and safe code practices, ensuring that technical solutions are cohesive across the provisioning sub-teams and complete against business requirements, allowing rapid:
    • Bootstrapping: create cloud setups with the corresponding resource hierarchy and permissions for the initial CI/CD pipeline to deploy the next stages.
    • Baselining: the set of configurations that allows the delivery of security and compliance monitoring and alerting as foundational guardrails.
    • Covering business-specific requirements: delivering business-specific components and integrations (such as SSO, monitoring, etc.);
    • Establishment of proper workload services at application level, running the proper set of application infrastructure: any of the many cloud services that form the business platform for workloads (servers, storage, IAM\PAM, SIEM, SOAR, etc.). The final goal of the landing zone is to deliver value to the business.
    • Validate, evaluate and give technical sign-off of technical changes in capabilities and solutions proposed by external partners.
    • Oversee and guide deployment of security patches, enhancements and changes to the Windows\Linux IT landscape (including PoCs, PoVs, canary and blue-green deployments, gold images, and transfer to operations together with L2/L3, running everything as code)
Galderma
1 year 4 months
2021-01 - 2022-04

Architecting of APIMv2 heterogeneous platform-based SaaS microservices

APIM CTO Lead Architect
  • Enable Open banking for BMW Bank, allowing access and control of consumer banking and financial accounts through third-party applications.
  • Architecting of APIMv2 heterogeneous platform-based SaaS microservices (Kubernetes).
  • Enabling migration from a heterogeneous landscape (mix of on-prem and SaaS solutions) to cloud-first \ cloud-only (Azure and AWS), clearing the path for BMW's IT ecosystem to become API-driven and for BMW to become a tech company.
  • Employing DevSecOps and Safe Code Practices, Running everything as a code
  • Enhancement of IT & Security Risk control mechanism of GCP, AWS and Azure based APIM platform.
  • Responsible for creation of a security standard based on IT and security frameworks (such as OWASP Top 10, ISO 23167:2020, ISO 23188:2020, ISO 23029:2020, ISO 27001/2, NIST 500, NIST 800, GxP, CIS and COBIT);
  • Development of security concept and road map for achievement of desirable future state.
  • Interact with senior stakeholders across departments, reaching and influencing a wide range of people across larger teams and communities
  • Research and apply innovative cloud and security architecture solutions to new or existing problems
  • Work out subtle cloud and security needs, understanding the impact of decisions, balancing requirements and deciding between approaches
  • Design and plan a cloud solution architecture, produce particular patterns and support quality assurance, acting as the point of escalation for the architects below
  • Post bridge assessment and validation of execution for AD and AAD
  • Designing and Implementation of AD Tiering model
  • Migration to tiering model
  • Designing AD Concept for Application and Server administration
  • Designing AD Concept for self-evolution of rights
  • Developing PAM Program
  • Designing CyberArk Core PAS Solution
  • Implementing CyberArk Core PAS
  • Designing Client specific use cases for CyberArk EPM
  • Implementation of CyberArk EPM
  • Manage and provision the cloud solution infrastructure
  • Design for security and compliance
  • Analyse and optimize technical and business processes
  • Manage implementations of cloud architecture
  • Ensure solution and operation reliability
  • Configure access within a cloud solution environment
  • Ensure data protection
  • Manage operations within a cloud solution environment
  • Ensure compliance and reliability
BMW Group\BMW Bank
1 year 2 months
2020-11 - 2021-12

Enhancing Perimeter security of Hilti Cloud

  • Conceptualizing a defense-in-depth approach for Hilti Cloud: EMEA, APAC, North America and China Mainland.
  • Creation of a road map for implementation of a layered defence-in-depth strategy, with a technology stack including WAF (Web Application Firewall).
  • Leading the VRM process selection and setting up vendor battles
  • Performing PoCs with shortlisted vendors.
  • Setting up criteria and performing interoperability, regression and unit testing of the selected stack with the existing Hilti ecosystem
Hilti
4 months
2020-09 - 2020-12

Integration of existing IAM platform

Governance Consultant/Architect
Governance Consultant/Architect

  • DB Access Gate (OneIM) with the Wealth Management Platform (WME), dedicated to automating the user lifecycle (access provisioning and deprovisioning) and to allowing usage of hybrid identities across the Wealth Management ecosystem (300+ applications).
  • Architecting (HLD, LLD, API contracts) a fleet of RESTful APIs, dedicated to overcoming OneIM constraints and limitations.

Deutsche Bank
10 months
2019-12 - 2020-09

Evaluation of the current setup of the Hybrid Cloud deployment

Governance Consultant/Architect
External governance consultant responsible for evaluation of the current setup of the Hybrid Cloud deployment, HA, security of the network infrastructure and ITGCs of the EHR (electronic health records; German: Patientenakte, ePA) system development program. EHRs are hailed as the key to increasing the quality of care. This project is a result of the Appointment Service and Supply Act (TSVG), adopted on 14th March 2019, which requires the German statutory health insurance funds to provide policyholders with electronic health records from 1st January 2021 onwards. Effectively applying cyber kill chain models (MITRE ATT&CK framework, SANS Diamond Model for Intrusion Analysis, CEH), putting all the cybersecurity products to the test in a structured and methodical way and assessing whether or not each security product fulfils its duty (vendor battles). Leading breach & attack simulation and filling the gaps in security.
  • Define the product strategy for the business considering technology constraints
  • Coordinate the technology related efforts to deliver it within the project and with 3rd party subcontractors.
  • Business application ownership and management of book of work for certain front-to-back processes and applications in GRC and Security areas
  • Development and optimization of the ISMS (Information Security Management System) according to ISO27001
  • Business architecture, process and requirements design and definition as product subject matter expert in control definition (ITGC, compensating and detective controls)
  • Product responsibility (IT team to deliver product, deliver manager to oversee and steer direction)
  • Close collaboration with IT as CRC product owner in an agile working framework
  • Provide transparent, timely and accurate information to senior stakeholders and peers
  • Cryptographic knowledge including encryption, key exchange, certificate handling and protocols (X.509, PKCS#12 etc.)
  • Security Control Frameworks e.g. ISO27001 and practical experience in their implementation
  • Security Architecture principles, generic best practices
  • Network security devices
  • Endpoint defense solutions
  • Exposure to malware infection vectors and defence methods
  • Endpoint and Server hardening principles, best practices
  • Web application firewalls, network load balancers, proxy systems
  • Network, Endpoint and Application logging concepts, best practice and monitoring systems including SIEM
  • Active Directory security including federated solutions using ADFS, SAML etc.
  • Exposure to cloud security models including public, private and hybrid concepts
  • Application security including web applications, SaaS services etc
  • Data handling principles, protective marking/tagging and data security knowledge
IBM
2 months
2019-10 - 2019-11

Architecting FCP POC

Cloud Architect

  • Creating a roadmap for migrating the on-prem OpenShift platform to the cloud (Azure: ARO; GCP: GKE; AWS: ECS, EKS, Fargate), aiming at utilization of a cloud-native approach
  • Participates in and contributes thought leadership and strategic direction during ISRM leadership team meetings and executive workshops
  • Prepares strategic updates and vision documents, briefings, and reports, and demonstrates excellent communication skills and executive presence in presentations to TR executives, customers, and partners
  • PaaS DevOps consulting on the migration of existing IT applications to the PaaS solution
  • Analysis of existing IT applications, defining Changes in the software architecture on High and Low Level
  • Architecting data flows relying on GCP\AWS\Azure out-of-the-box services and enabling usage of GraphQL as a superpositioned touch point.
  • Own the security architecture process, enabling the development and implementation of identity and security solutions and capabilities enterprise-wide, clearly aligned with business, technology and threat drivers. Translating security policies and directives into specific requirements, procedures, standards and guidelines
  • Defining architectural principles, consulting project and line organizations regarding the implementation of security requirements, ensuring that company-wide security requirements are correctly implemented
  • Develops hybrid cloud strategy and governance to meet future business requirements, with a focus on containerization and microservice architectures
  • Develops infrastructure identity and security strategy plans, roadmaps and other architecture artifacts based on sound enterprise architecture practices.
  • Participates as a consultant in application and infrastructure projects to provide infrastructure & security-planning advice
  • Determines baseline infrastructure configuration standards for operating systems (e.g., OS hardening), network segmentation, and identity and access management (IAM) platforms and capabilities.
  • Validates IT infrastructure and other reference architectures for security best practices and recommend changes to enhance security and reduce risks, where applicable.
  • Reviews network segmentation strategy (also in a containerized environment) to ensure least privilege for network access, and ensures this translates to a new software-defined data center offering.

Generali
Zurich Switzerland
1 year 2 months
2018-08 - 2019-09

Development of identity and security strategy plans

Cloud Security Architect
  • Own the security architecture process, enabling the development and implementation of identity and security solutions and capabilities enterprise-wide, clearly aligned with business, technology and threat drivers. Translating security policies and directives into specific requirements, procedures, standards and guidelines
  • Defining architectural principles, consulting project and line organizations regarding the implementation of security requirements, ensuring that company-wide security requirements are correctly implemented
  • Development of identity and security strategy plans and roadmaps ensuring Confidentiality Integrity and Availability of resources based on sound enterprise architecture practices.
  • Development and maintenance of identity and security architecture artifacts (e.g., models, templates, standards and procedures) that can be used to leverage security capabilities in projects and operations.
  • Provides strategic technical and architectural guidance to senior management, business technology project teams and functional organizations
  • Designs and builds security models and capabilities as it relates to network, cloud, endpoint, identity, and data security domains; authors and drives compliance with enterprise security policies and standards
  • Leads technical defense-in-depth reviews of TR's product portfolio to evaluate the application of security controls and identify opportunities to enhance the product's security posture
  • Guides teams in defining future state end-to-end architectures, platforms, products, tools and solutions to advance security capabilities in the business
  • Develops and drives the ISRM technology roadmap, defining current and future security platform lifecycles (candidate, POC, deployed, pending decommission) to continuously improve TR's security controls posture
  • Work closely with internal teams to effectively deliver internal change capability
  • Clearly define programme requirements and ensure clear communication at all times
  • Consulting the automation DevOps lead on network layouts and negotiating with other network teams on integration and segregation topics; performing application vulnerability and security assessments
  • Performing application security risk assessments
  • Performing code review across a variety of programming languages
  • Defining application security controls (ITGCs)
  • Performing application security design activities
  • Performing assessments of SDLC and DevOps processes, Promoting DevSecOps and safe code practices;
  • Developing and delivering application security training and outreach
  • Creating gap analysis and client improvement program recommendations
  • Other security-related projects that may be assigned according to skills
  • Review and evolve customer and internal access management technologies. Create the IAM policies and technical standards. Advise technical teams on the control design and perform risk assessments and define the IAM related security requirements.
  • Translating clients' risk, security, and compliance requirements into specific Cloud security solutions and design patterns
  • Setting up security baselining and ensuring compliance with state authorities
  • Utilizing modern technology trends (DevOps, DevSecOps, CI\CD) in security
  • Security PO directly responsible for:
    • iptiQ PnC Security Concept;
    • Identification of the critical assets; our in-depth reference architectural model is based on ISO/IEC 17789 and NIST SP 500-292
    • Development and optimization of the ISMS (Information Security Management System) according to ISO 27001, GDPR and FINMA requirements
    • Applying passwordless authentication techniques (MFA, OATH, FIDO2, SSO, YubiKey)
    • Cloud compute and workload security protecting software-defined networking, virtual machines/instances, containers, platform-based workloads and serverless computing;
    • Defining key risks and controls
    • Centralized authentication/authorization: utilization of managed services for authentication and authorization (Okta) together with LDAP DS and dedicated OAuth 2 platforms
    • System integrity, system administration and software deployment via Terraform, CloudFormation and Ansible scripts (DevSecOps).
    • Security patch management via immutable workloads, enabling security with Nexus IQ
    • Automatic identification of OSS\TP components and risk modeling in accordance with risk appetite.
    • Malware\edge protection via a combination of managed services (WAFs, Cloudflare) and edge NGFW (Palo Alto Networks)
    • System hardening, performance tuning and patch management;
    • Tenant segregation, multiple VPCs
    • RBAC of technical users and business users; role definition, certification and enforcement;
    • KMS management: private keys, envelope encryption, securing data at rest and in transit, and pseudo-anonymization via tokens;
    • Enforcing safe code security practice and monitoring of OSS\TP components in use;
    • Attack surface and threat modeling, static code scanning and free and open-source scanning; applying measures to prevent OWASP Top 10 vulnerabilities; code repository security (Nexus IQ) together with SonarQube
    • Service continuity, disaster recovery
      • Business continuity within the cloud provider
      • Business continuity for loss of the cloud provider
      • BC\DR remediation actions
    • Proper security monitoring logic (events and time series) via CloudWatch, CloudTrail and Panorama
    • Integrating with 3rd-party SOC providers, enabling paging duties
    • Backup orchestration to another cloud vendor;
    • IT cyber security metrics;
    • Implementation of advanced endpoint protection
iptiQ PnC Swiss Re
Zurich Switzerland
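Pseudo-anonymization via tokens, as listed under the iptiQ engagement above, is usually built as keyed tokenization: a deterministic token is derived from the PII value under a secret key held in the KMS, so equal values still join in analytics, while re-identification is only possible through a separately protected token vault. The example below is added here as an illustration and is not code from the profile owner or from any of the companies named; the class names, the in-memory vault, the 256-bit key and the sample records are all assumptions constructed for the example.

```python
"""Keyed tokenization for pseudo-anonymization of PII (added illustration).

Technique: token = HMAC-SHA256(key, field || value), truncated and
URL-safe base64 encoded. Equal inputs give equal tokens (analytics and
joins keep working), the key alone does not reverse a token, and the
only re-identification path is the vault's token -> value mapping.
All names, key material and sample records are constructed for this
example; nothing here is taken from a real system.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


class TokenVault:
    """Holds the tokenization key and the token -> value mapping.

    In production the key lives in a KMS/HSM and the mapping in a
    hardened, access-controlled store; both are in memory here so the
    example runs offline.
    """

    def __init__(self, key: bytes, token_len: int = 22) -> None:
        if len(key) < 32:
            raise ValueError("tokenization key must be at least 256 bits")
        self._key = key
        self._token_len = token_len  # 22 base64 chars ~ 132 bits of digest
        self._vault: Dict[str, str] = {}

    @staticmethod
    def _normalize(value: str) -> str:
        # Canonicalize so "Alice@Example.com" and "alice@example.com"
        # tokenize identically; the vault stores the canonical form.
        return value.strip().lower()

    def _derive(self, field: str, value: str) -> str:
        # Domain-separate by field name so the same string used in two
        # fields (e.g. e-mail as login and as contact) gets distinct tokens.
        msg = field.encode() + b"\x00" + value.encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(digest).decode()[: self._token_len]

    def tokenize(self, field: str, value: str) -> str:
        canonical = self._normalize(value)
        token = self._derive(field, canonical)
        existing = self._vault.get(token)
        if existing is not None and existing != canonical:
            # Practically impossible at this token length, but fail closed.
            raise RuntimeError("token collision detected")
        self._vault[token] = canonical
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Re-identification path; returns None for unknown tokens."""
        return self._vault.get(token)


def pseudonymize_record(vault: TokenVault, record: dict, pii_fields: Tuple[str, ...]) -> dict:
    """Return a copy of the record with the listed PII fields replaced by tokens."""
    out = dict(record)
    for field in pii_fields:
        if out.get(field) is not None:
            out[field] = vault.tokenize(field, str(out[field]))
    return out


def demo() -> dict:
    """Tokenize two constructed records that share the same customer."""
    records = [  # constructed sample input
        {"id": 1, "email": "Alice@Example.com", "iban": "CH9300762011623852957", "amount": 120},
        {"id": 2, "email": "alice@example.com", "iban": "CH9300762011623852957", "amount": 75},
    ]
    vault = TokenVault(secrets.token_bytes(32))  # stand-in for a KMS-held key
    pseudo = [pseudonymize_record(vault, r, ("email", "iban")) for r in records]
    return {"vault": vault, "records": pseudo}


if __name__ == "__main__":
    for row in demo()["records"]:
        print(row)
```

The non-PII columns (id, amount) pass through untouched, both records end up with the same e-mail and IBAN tokens despite the case difference, and only the vault can map a token back. Rotating the key changes every token, so a rotation has to be accompanied by re-tokenizing the stored data or keeping the old key available for a transition window.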

Education and Training

BS, IT Science

PU Paisii Hilendarsky


BSc, Eng. in Aeronautics

TU Sofia


Certifications

  • ITIL v4
  • ITIL v4 Managing Professional (MP)
  • ITIL v4 Strategic Leader (SL)
  • LeSS Practitioner
  • Certified Product Owner (CSPO)
  • 2016: SAFe4
  • 2009: CISA
  • 2015: PMP
  • 2012: TOGAF Foundation


ITIL Lifecycle and Capability (ITIL® ATO Accredited Trainings)

  • ITIL Foundation v3
  • ITIL® 2011:
    • Service Strategy
    • Service Design
    • Service Transition
    • Service Operation
    • Continual Service Improvement
    • Operational Support & Analysis
    • Planning, Protection & Optimizations
    • Release, Control and Validation
    • Service Offerings and Agreements
    • Managing Across the Lifecycle

Competencies

Top Skills

Analytical Thinking and Problem-Solving, Communication and Collaboration, Cloud, Technical Proficiency, Security Concepts, IAM, PAM, Azure, Good Clinical Practice, AWS, DevOps

Products / Standards / Experience / Methods

Profile

  • Engineer with extensive experience in cloud security and especially in Identity and Access Management, with good knowledge of functional and non-functional aspects of designing and implementing digital and UX platforms, B2B/B2C target operating models and DevSecOps automation, with extensive experience in the financial industry, open banking and related security domains, identity and access management, regulatory requirements (PCI DSS and GDPR) and E2E knowledge.
  • Dedicated and experienced in securing access consistently across cloud estates and implementing zero standing privileges in hybrid and multi-cloud estates without impacting productivity, focusing on native access to cloud, globally defined access policies, zero standing privileges, dynamic break-glass access and seamless integration within the Zero Trust security framework.
  • Profitability and quality champion who explores all possibilities to find the most elegant and cost-effective solution, able to define interfaces that support the information and process flows and the approach to implement the interfaces. Rare combination of expert-level technology and business skill sets. Trusted advisor to senior business stakeholders. Expert in strategy definition, development of target architectures and integration of data, architecture reviews, advising stakeholders on the definition of new solutions in the technical SAP environment, requirements gathering incl. technical assessments, coordination with internal/external partners and service providers.
  • Strong advocate for utilizing domain-specific languages, patterns and concepts to express domain logic directly in the codebase, enhancing software comprehensibility and maintainability. Adept at leading cross-functional teams and fostering collaboration between domain experts, architects and developers to deliver high-quality software solutions that meet business objectives. Dedicated to continuous learning and staying abreast of emerging trends and best practices in Domain-Driven Architecture and software engineering in the specific context of corporate crisis management solutions following the requirements of NIS2, DORA, NIST 500, NIST SCF, NIST 800-53, SP 1800, ISO 27001, ISO 27005, CIS Controls, CSA framework etc.
  • Expert in conceptualization, development and implementation of tailor-made IAM\PAM solutions for large, international companies (One Identity (ex-Dell, advisory), PingFederate, Omada, CyberArk and more), performing IAM integration projects on-prem and in the cloud (AWS/Azure/GCP).
  • Hands-on expertise with access management, workforce access, single sign-on, multi-factor authentication, workforce password management, secure web sessions, secure browser, customer access, B2B identity, identity governance and administration, identity compliance lifecycle management and identity flows; IAM (Ping ID, SailPoint IQ, Okta, Q1IM\Dell1IM\OneIM)\PAM (CyberArk, BeyondTrust) integration; privileged access (N-tier user model), privileged access management, vendor privileged access, secrets management, multi-cloud secrets, Secrets Hub, credential providers, endpoint privilege security, endpoint privilege management, secure desktop, etc.
  • Onboarding applications, with expertise in installation and version upgrade of Dell One Identity Manager, CyberArk and BeyondTrust, applying patches, design and end-to-end implementation of complex IAM solutions, developing custom interfaces with various applications like Windows, AD, Linux and SAP, enabling API-driven fabrics.
  • Expert in infrastructure technologies, running infrastructure as code (DevOps\SecDevOps), code and configuration (Terraform, CloudFormation) release pipelines, credential management (CF/CredHub and vaulting), API management (AWS API Gateway, MS Azure API Management, Google Endpoints and Apigee, WSO2), formulating a migration strategy (6 Rs), implementing the security strategy for the Database Activity Monitoring team taking into consideration all database-related policies, service quality, service capacity usage, service profitability, service efficiency, service availability (SLA), max serviceable customer capacity and service critical incident count, using agile software development methodologies. Strong knowledge of all information security domains including Zero Trust networks, passwordless authentication techniques (MFA, OATH, FIDO2, SSO, YubiKey), NGFW appliances, risk management, data privacy, and regulation/governance. Implementing solutions, policies and defined standards on IAM, authentication, directory services, PKI and IT infrastructure security domain platforms, Microsoft PKI\IAM\PAM. Certain understanding and solution architecture capabilities of industry IT application scenarios, PAM (CyberArk, BeyondTrust)\IAM role and authorization management.
  • Know-how to employ DevSecOps, AIOps and safe code practices, ensuring that technical solutions are cohesive across the provisioning sub-teams and complete against business requirements, allowing rapid:
    • Bootstrapping: create cloud setups with the corresponding resource hierarchy and permissions for the initial CI/CD pipeline to deploy the next stages. Enable an N-tier landscape (dev, test, preprod, N and prod).
    • Baselining the set of configurations that allows the delivery of security and compliance monitoring and alerting as foundational guardrails. Use Jenkins as scheduler, source control tools (Gitea, Git, Azure Bucket, GitLab) and Crucible for code review, benefiting from SAP Cloud ALM to ensure proper backup of binaries and source code, code inspection and quality control, release management, certificate expiration, automated testing, documentation and code review.
    • Covering business-specific requirements: delivers business-specific components and integrations (such as SSO, service and event meshes, proper monitoring, etc.);
    • Establishment of proper workload services at application level running a proper set of application infrastructure: any of the many cloud services that form the business' platform for workloads (servers, storage, IAM\PAM, SIEM, SOAR etc.). The final goal of the landing zone: to deliver value to the business.
    • Validate, evaluate and technically sign off technical changes in capabilities and solutions proposed by external partners.
    • Oversee and guide deployment of security patches, enhancements and changes to the Windows\Linux IT landscape (including PoCs, PoVs, canary and blue-green deployments, gold images, and transfer to operations together with L2/L3), running everything as code.

  • Adept at cost optimization based on proper implementation of cloud financial management via adoption of a consumption model.
  • Measurement of overall efficiency to create an understanding of the gains the company makes from increasing output, increasing functionality and reducing cost, while at the same time preventing the company from spending money on undifferentiated heavy lifting by analyzing and attributing expenditures.


Additional IT Experience

08/2017 - 10/2017

Role: Enterprise Architect 

Customer: UBS AG, Zurich Switzerland


Tasks:

IAM/PAM Sustainability Program


02/2017 - 11/2018

Role: Senior Program Manager\Lead Architect 

Customer: VMWare 


05/2016 - 02/2017

Customer: SME IAM Maersk Oil&Gas Copenhagen, Denmark 


06/2015 - 04/2016

Role: Infosys Team Lead\SME 

Customer: Deutsche Bank S.A. Frankfurt am Main, Eschborn Germany 


04/2014 - 11/2015

Role: Infrastructure Delivery Manager 

Customer: UniCredit S.A, Frankfurt am Main, Milano


09/2013 - 04/2014

Role: Director Performance &Technology 

Customer: on request


11/2009 - 08/2013

Role: Senior Director, (Technology and Risk Advisory Service lines) 

Customer: on request


04/2007 - 10/2009

Role: Informational Risk Manager (CISO) 

Customer: ProCredit Bank Holding S.A.


Tasks:

  • ProCredit Bank Holding S.A.: 21 growing banks operating in transition economies and developing countries in Eastern Europe, Latin America and Africa.
  • Currently ProCredit Bank Bulgaria holds a position in the top 10 on the Bulgarian market.


05/2006 - 08/2006

Role: IT Administrator 

Customer: Deloitte SSA


03/2003 - 05/2006

Role: LAN Administrator 

Customer: Piraeus Bank 
