Cyber Security, DevOps\DevSecOps, CI\CD, authomation
Aktualisiert am 07.06.2024
Profil
Freiberufler / Selbstständiger
Remote-Arbeit
Verfügbar ab: 07.06.2024
Verfügbar zu: 100%
davon vor Ort: 100%
Analytical Thinking and Problem-Solving:
Communication and Collaboration
Cloud
Technical Proficiency
Security Konzepte
IAM
PAM
Azure
Good Clinical Practice
AWS
DevOps
Bulgarian
Muttersprache
English
Fluent (C2)
Russian
Working proficiency (C1)
German
Grundkenntnisse
French
Grundkenntnisse
Danish
Elementary Knowledge (A1)

Einsatzorte

Einsatzorte

Deutschland, Schweiz, Österreich
möglich

Projekte

Projekte

4 months
2024-01 - 2024-04

SME of PAM&SecDevOps Practices as part of Annual IT Audit

External Auditor
External Auditor

  • Review of SecDevOps Practices and PAM Implementation of current IT systems infrastructure and the so-called target architecture solution, covering Microservice, Kubernetes, Atlassian Eco system (Jira, Confluence), SNOW, Zero-trust, Service meshes, PAM, ML\AI (LLM) and CI\CD automation ensuring compliance with GxP and cGxP.
  • Recommended and architected improvements on sustainable hybrid cloud architectures with lean, automated, and secure maintenance practices, ensuring high availability, resilience, scalability, and performance.
  • Collaborated with senior stakeholders across Digital, OT, Enterprise Architecture, QA, and IT Security to drive DevOps culture through containerization, Usage of AI(LLM) and associated concept?s introduction.
  • Improved, designed containerized solutions meeting GxP and cGXP requirements, IT security, and reliability standards, while defining cloud standards and frameworks for managing infrastructure lifecycle with DevOps techniques, including:
    • Secure throughout the software development lifecycle in order to minimize vulnerabilities in software code.
    • Proper function of the DevOps teams, including developers and operations teams.
    • Confirmed shared responsibility for following security best practices.
    • Evaluate efficiency and effectiveness of automated security checks at each stage of software delivery.
    • Recommend improvements on integrated security controls, tools, and processes into the DevOps workflow.
  • Ensured designs complied with IT Security and QA standards through reviews and promoted cloud-native setups for forward-looking architectures and applications, ensuring Traceability, Accountability and Data integrity.
  • Recommend implementation of new methodologies using modern agile approaches, driving continuous improvement and innovation within the organization.
  • Identified and recommend infrastructure improvements for more efficient services, optimizing resource utilization and enhancing overall system performance and cost reduction.
European Medicines Agency (EMA)-
6 months
2023-07 - 2023-12

SAP S/4HANA Cloud S4C pre project

SAP Security
SAP Security
  • Orchestrated and executed security solutions, encompassing Zero Trust principles, for BASIS Administration, SAP IAS, IPS, MS Azure, S/4, public cloud, BTP, and Fiori applications, ensuring adherence to best practices and compliance standards transposed to SAP PCE
  • Design proper integration patterns of S4C public cloud \ Private Cloud Edition (PCE)with HR platform, Salesforce and IAM\PAM solutions;
  • Engineered and managed Business catalogues, Business Roles User Roles, Authorizations, and Profiles within S/4 HANA, BTP, and Fiori applications, using on-premise (PFCG and Fiori Lunch pad and cloud-based SAP systems, emphasizing Zero Trust access policies.
  • Conducted security assessments, penetration tests, and vulnerability scans on Fiori applications and cloud-based SAP environments to fortify the Zero Trust model's implementation together with SAP cloud technologies (BTP, SaaS, PCE) in combination with Azure
  • Collaborated cross-functionally to enforce robust access control, segregation of duties, and least privilege principles across different SAP platforms while adhering to the Zero Trust framework.
  • Design infrastructure as a service and CI\CD pipelines integrating them with SAST\DAST solutions (Veracode) and Code Vulnerability Analyzer (CVA) security checks for ABAP custom code evaluations against Common Vulnerabilities and Exposures (CVE) and CVSs.
  • Oversaw BASIS Administration tasks and performed system upgrades, patches, and maintenance in Azure-based SAP landscapes, ensuring a Zero Trust security environment.
  • Provided expert consultation on role-based access control design, user provisioning, and security configurations for S/4, BTP, public cloud, Fiori applications, SAP IAS, IPS, and MS Azure within the Zero Trust model. And enabling:
    • API-based Integration: use SAP BTP API-based integration, allowing applications to expose their functionalities as APIs (Application Programming Interfaces). APIs enable seamless communication between different applications, services, and systems. SAP BTP provides tools like SAP API Management for managing, securing, and monitoring APIs.
    • Event-Driven Architecture: build Event-driven architecture (EDA), that enables real-time communication and data exchange between different components of a system. SAP BTP offers event-driven capabilities through services like SAP Event Mesh, which facilitates event-based communication across distributed systems.
    • Data Integration: use SAP BTP provides tools and services for data integration, enabling organizations to connect, transform, and synchronize data across various sources and applications. Services like SAP Data Intelligence and SAP Data Hub offer advanced data integration capabilities, including data orchestration, transformation, and governance.
    • Process Integration: use SAP`s BTP supports process integration, allowing organizations to streamline and automate business processes across different applications and systems. Services like SAP Integration Suite offer process orchestration capabilities, enabling organizations to design, execute, and monitor end-to-end business processes.
    • IoT Integration: leveraging IoT (Internet of Things) technologies, SAP BTP offers IoT integration capabilities to connect, manage, and analyze IoT data streams. Services like SAP IoT Application Enablement provide tools for IoT device management, data ingestion, and real-time analytics.
    • Hybrid Integration: explore SAP BTP`s supports on hybrid integration scenarios, enabling seamless communication between on-premises systems and cloud-based applications. Services like SAP Cloud Connector facilitate secure and reliable communication between on-premises systems and SAP BTP services running in the cloud.
    • Identity and Access Management (IAM) Integration: Define IAM integration, which is crucial for ensuring secure access to applications and services within the SAP ecosystem. SAP BTP provides identity services like SAP BTP Identity Authentication and SAP BTP Identity Provisioning for managing user identities, authentication, and authorization.
    • Integration with External Systems: Enable SAP BTP`s integration with external systems and third-party applications through standard protocols and connectors. Services like SAP BTP Open Connectors offer pre-built connectors and APIs for integrating with popular third-party applications and services.
  • Analyzed and improved authorization concepts within S/4 HANA, BTP, and Azure environments to align with Zero Trust security practices, ? ensuring regulatory compliance and data protection.
  • Supported the implementation and enforcement of security policies for Fiori applications, integrating strong authentication methods and secure communication protocols within Azure environments under the Zero Trust paradigm.
  • Conducted training sessions and created documentation for end-users and administrators on S/4, BTP, Fiori, SAP IAS, IPS, and MS Azure security protocols and best practices emphasizing the Zero Trust model.
Hilti
1 year
2022-07 - 2023-06

IETV Program

Platform Security Engineer
Platform Security Engineer

  • Working with SwissRe's Cyber Risk team to ensure SwissRe's security standards are implemented. Documentation of the measures implemented
  • Understand all infrastructure as code (IaC) artefacts in Azure DevOps, with specific focus on Kubernetes/AKS/EKS , Kafka, Zookeeper, NoSQL (e.g. Couchbase)/
  • Act as a Subject Matter Expert (SME) on API Security for the wider technology community.
  • Develop comprehensive knowledge of our products with a focus on solutions key to improving overall API Security relevant to REST, GRPC GraphQL APIs .
  • Secure the CI/CD process for IaC and Microservice (Spring Boot, Python, Helm, Teraform) deployments
  • Understand and oversee operations of wide scanning tools such as Aqua, NexusIQ, Qualys etc
  • Support the development and maintenance of API Security guidelines, best practices and life-cycle phases for infrastructure and application teams across Swiss Re
  • Define criteria and evaluate relevant API security solutions.
  • Drive the adoption of new ideas and technologies in API security domain including discovery, management, anomaly detection and protection.
  • Provide recommendations for improving automated security auditing and testing solutions for API?s and lead the implementation.
  • Ensure compliance with requirements on Encryption at rest and in transit
  • Design, implement and ensure best practices of AuthZ, eg via token rotation: both for human and non-human
  • Design, implement and maintain secrets management
  • Design and implement a security aspect for configuration management
  • Work with developers to understand the security context of the apps and their interaction with Apache Kafka, candidate will design & own the implementation of how Kafka will be secured
  • Secure the platform against unauthorized access: design and implement lifecycle (non-prod vs prod) for data
  • Consult with infrastructure teams on network layouts and negotiate with other network teams on integration/segregation topics
  • Support and give guidance on the test driven development practices and the implementation thereof in the pipelines in a DevSecOps style
  • Efficiently leverage Azure services for addressing security concerns (i.e. WAF)
  • Own the integration with Azure Active Directory and IAM
  • Continuously work with the teams to improve all components as the use-cases grow more complex
  • Facilitate pen-tests with an external partner
  • Ensure compliance with the company wide digital governance framework, audit and various security technical standard
  • Security Documentation for internal quality assurance and external audits
  • Close collaboration with IT teams, design a security architecture framework (guidelines, technology reference models, guidelines, and training material)
  • Assess and transpose embed security requirements into existing or new IT systems (business applications including SAP, IT infrastructure, on-prem and cloud systems).
  • Perform cyber security architecture reviews and documentation of the security requirements in architecture handbooks in close collaboration, partnering and advising IT and business teams to implement a ?secure by design? strategy that provides the following - Regulatory compliance, Security policy enforcement etc
  • Advise and design security solutions for implementation into complex customer IT environments which carry proprietary real-time life critical data and diagnostic quality images which require reliability and high availability output based on Cloud Native services
  •  Employ DevSecOps, AIOps and Safe Code Practices. Ensuring that technical solutions are cohesive across the provisioning sub-teams and complete against business requirements. Allowing rapid:
    • Bootstrapping: create a Cloud Setups with corresponding resource hierarchy, and permissions for the initial CI/CD pipeline to deploy next stages.
    • Baseline the a set of configurations that allows the delivery of the security and compliance monitoring, alerting and as foundational guardrails.
    • Covering Business Specific Requirements: Delivers business specific components and integrations (such as SSO, monitoring etc);
    • Establishment of proper Workload services at Applications level running proper set of Application Infrastructure: Any of the many cloud services that form the business? platform for workloads (Servers, Storage, IAM\PAM, SIEM, SOAR etc). The final goal of the Landing Zone: to deliver value to the business
    • Validate, evaluate and technical sign-off of technical changes in capabilities and solutions proposed by external partners.
    • Oversee and guide deployment of security patches, enhancements and changes to the Windows\Linux IT Landscape (including PoCs, PoVs, Canary and Blue-Green deployments, Gold images, and Transfer-to Operations together with L2/L3 running everything as a code)
Swiss Re
6 months
2022-08 - 2023-01

Cyber Arc (PAM) advisory

As Technology Partner in FIS Global I am responsible for building and developing the Digital Identity Practice as part of Cyber Security services. The Digital Identity practice consists of PAM (Privileged Access Management), IGA (Identity Governance and Administration) and CIAM (Customer IAM). The current toolset in use for the following topics are as follows: IGA ? SailPoint IIQ, OMADA, MIM 2016, PAM ? CyberArk, CIAM ? ForgeRock and Transmit Security Microsoft Based Security ? On-Premise and Azure Cloud As part of the company leadership team, I am responsible for building, developing and administrating a team of 20+ people across Central and Eastern Europe. Daily, I am taking management and architectural role in various projects covering services such as assessment, design, implementation, and managed service across Europe with the technology stacks mentioned above. I have experience in various industries and expert knowledge in IAM/PAM best practices and compliance standards across widely regulated and non-regulated businesses. In the past 10+ years I have been involved in projects taking various roles from Implementation Engineer to Solution Architect for businesses in any size ? from small to large global companies spanned across the globe. My expertise and understanding of the overall IT Infrastructure and in-depth knowledge in Authorization, Authentication and Security allowed me to successfully deliver all those projects regardless of the project complexity, timeline, location or size. My strongest features are my devotion to work and desire to solve complex challenges with the highest quality, ability to lead teams and coordinate activities, ability to consult and discuss on every level from top management level through enterprise architecture down to in-depth technical discussions and low-level solution specific conversations with developers and engineers. In my current role, my main responsibilities include driving the line of business forward by developing new client relationships and delivering complex projects from Management and Architectural perspective including but not limiting to:

  • Roadmap design HLD, LLD and Pilot implementation of Companywide PAM solution as a Service provided from a market leader.
  • Close collaboration with IT teams, design a security architecture framework (guidelines, technology reference models, guidelines, and training material)
  • Assess and transpose embed security requirements into existing or new IT systems (business applications including SAP, IT infrastructure, on-prem and cloud systems including Microsoft office 365).
  • Perform cyber security architecture reviews and documentation of the security requirements in architecture handbooks in close collaboration, partnering and advising IT and business teams to implement a ?secure by design? strategy that provides the following - Regulatory compliance, Security policy enforcement, Support of ?bring your own device? (BYOD), Remote control of device updates, Application control, Automated device registration & Data backup
  • Advise and design security solutions for implementation into complex customer IT environments which carry proprietary real-time life critical data and diagnostic quality images which require reliability and high availability output based on GCP Native services like (Access Transparency, Assured Workloads, Binary Authorization, Cloud Asset Inventory, Cloud Data Loss Prevention, Cloud Key Management, to manage encryption keys on Google Cloud, Confidential Computing, Firewalls, Secret Manager to store API keys, passwords, certificates, and other sensitive data, Security Command Center, Shielded VMs, VPC Service Controls, BeyondCorp Enterprise for Scalable zero trust platform with integrated threat and data protection, Cloud Identity, Identity and Access Management, Identity-Aware Proxy, Policy Intelligence, Titan Security Key for MFA, etc.
    • Employ DevSecOps, AIOps and Safe Code Practices. Ensuring that technical solutions are cohesive across the provisioning sub-teams and complete against business requirements. Allowing rapid:
    • Bootstrapping: create a Cloud Setups with corresponding resource hierarchy, and permissions for the initial CI/CD pipeline to deploy next stages.
    • Baseline the a set of configurations that allows the delivery of the security and compliance monitoring, alerting and as foundational guardrails.
    • Covering Business Specific Requirements: Delivers business specific components and integrations (such as SSO, monitoring etc);
    • Establishment of proper Workload services at Applications level running proper set of Application Infrastructure: Any of the many cloud services that form the business? platform for workloads (Servers, Storage, IAM\PAM, SIEM, SOAR etc). The final goal of the Landing Zone: to deliver value to the business
    • Validate, evaluate and technical sign-off of technical changes in capabilities and solutions proposed by external partners.
    • Oversee and guide deployment of security patches, enhancements and changes to the Windows\Linux IT Landscape (including PoCs, PoVs, Canary and Blue-Green deployments, Gold images, and Transfer-to Operations together with L2/L3 running everything as a code)
Galderma
1 year 4 months
2021-01 - 2022-04

Architecting of APIMv2 heterogenic platform-based SaaS microservices

APIM CTO Lead Architect
APIM CTO Lead Architect
  • Enable Open banking for BMW Bank, allowing access and control of consumer banking and financial accounts through third-party applications.
  • Architecting of APIMv2 heterogenic platform-based SaaS microservices (Kubernetes).
  • Enabling migration from heterogenic (mix of on-prem and SaaS solution) to Cloud first \ Cloud only (AZURE and AWS). Clearing the path for BMW`s IT eco to become API driven and BMW to become a Tech Company.
  • Employing DevSecOps and Safe Code Practices, Running everything as a code
  • Enhancement of IT & Security Risk control mechanism of GCP, AWS and Azure based APIM platform.
  • Responsible for Creation of security standard based on IT and security frameworks (Such as OWASP10, ISO 23167:2020, ISO 23188:2020, ISO 23029:2020, ISO27001/2, NIST 500, NIST 800,GxP, CIS and COBIT);
  • Development of security concept and road map for achievement of desirable future state.
  • Interact with senior stakeholders across departments and will reach and influence a wide range of people across larger teams and communities
  • Research and apply innovative Cloud and Security architecture solutions to new or existing problems
  • Work out subtle Cloud and Security needs and will understand the impact of decisions, balancing requirements and deciding between approaches.
  • Design and plan a cloud solution architecture, produce particular patterns and support quality assurance, and is the point of escalation for architects below them
  • Post bridge assessment and validation of execution for AD and AAD
  • Designing and Implementation of AD Tiering model
  • Migration to tiering model
  • Designing AD Concept for Application and Server administration
  • Designing AD Concept for self-evolution of rights
  • Developing PAM Program
  • Designing CyberArk Core PAS Solution
  • Implementing CyberArk Core PAS
  • Designing Client specific use cases for CyberArk EPM
  • Implementation of CyberArk EPM
  • Manage and provision the cloud solution infrastructure
  • Design for security and compliance
  • Analyse and optimize technical and business processes
  • Manage implementations of cloud architecture
  • Ensure solution and operation reliability
  • Configure access within a cloud solution environment
  • Ensure data protection
  • Manage operations within a cloud solution environment
  • Ensure compliance and reliability
BMW Group\BMW Bank
1 year 2 months
2020-11 - 2021-12

Enhancing Perimeter security of Hilti Cloud

  • Conceptualizing defense in deep approach for HILTI Cloud ? EMEA, APAC, Nord America, and China Mainland.
  • Creation of road map for implementation of layered defence-in-depth strategy. Technology stack including WAF (Web Application firewall),
  • Leading the VRM process selection and setting up of Vendor battles
  • Performing of POCs with shortlisted vendors.
  • Setting up criteria and Perform interoperability, regression, and Unity testing of the selected stack with the existing Hilti eco system
Hilti
4 months
2020-09 - 2020-12

Integration of existing IAM platform

Governance Consultant/Architect
Governance Consultant/Architect

  • DB Access gate (OneIM) with Wealth Management Platform (WME) dedicated to automate user lifecycle (access provisioning and deprovisioning) and to allow usage of hybrid identities of Wealth management Eco system (300+) applications.
  • Architecting (HLD, LLD, API contracts) for fleet of Rest Full APIs, dedicate to overcome One- IM Constrains and limitations. 

Deutsche Bank
10 months
2019-12 - 2020-09

evaluation of the current setup, of the Hybrid Cloud deployment

Governance Consultant/Architect
Governance Consultant/Architect
External governance consultant responsible for evaluation of the current setup, of the Hybrid Cloud deployment, HA, Security of network infrastructure, ITGCs of EHRs, i.e. electronic health records (German: Patientenakte, ePA), system development program. EHR`s records are hailed as the key to increasing the quality of care. This project is result of the Appointment Service and Supply Act (TSVG), adopted on 14th March 2019, requires the German statutory health insurance funds to provide policyholders with electronic health records from 1st January 2021 onwards. Effectively applying CYBER KILL CHAIN models (MItre ATT&CK framework, SANS Diamond Model For Intrusion Analysis, CEH) Putting all the cybersecurity products to the test in a structured and methodical way and assessing whether or not the security product is fulfilling its duty or not (Vendor Battles). Lead Breach & Attack Simulation and Filling the gaps in security
  • Define the product strategy for the business considering technology constraints
  • Coordinate the technology related efforts to deliver it within the project and with 3rd party subcontractors.
  • Business application ownership and management of book of work for certain front-to-back processes and applications in GRC and Security areas
  • Development and optimization of the ISMS (Information Security Management System) according to ISO27001
  • Business architecture, process and requirements design and definition as product subject matter expert in control definition ? ITGC, compensative and detective controls
  • Product responsibility (IT team to deliver product, deliver manager to oversee and steer direction)
  • Close collaboration with IT as CRC product owner in an agile working framework
  • Provide transparent, timely and accurate information to senior stakeholders and peers
  • Cryptographic knowledge including encryption, key exchange, certificate handling and protocols (x509, PKCS12 etc)
  • Security Control Frameworks e.g. ISO27001 and practical experience in their implementation
  • Security Architecture principles, generic best practices
  • Network security devices
  • Endpoint defense solutions
  • Exposure to malware infection vectors and defence methods
  • Endpoint and Server hardening principles, best practices
  • Web application firewalls, network load balancers, proxy systems
  • Network, Endpoint and Application logging concepts, best practice and monitoring systems including SIEM
  • Active Directory Security including federated solutions using ADFS, SAML etc
  • Exposure to cloud security models including public, private and hybrid concepts
  • Application security including web applications, SaaS services etc
  • Data handling principles, protective marking/tagging and data security knowledge
IBM
2 months
2019-10 - 2019-11

Architecting FCP POC

Cloud Architect
Cloud Architect

  • Creating a Roadmap for migrating of on-prem OpenShift platform to the cloud (AZURE - ARO, CGP - GKE and AWS ? ECS, EKS, Fargate ) aiming utilization of cloud native approach
  • Participates in and contributes thought leadership and strategic direction during ISRM leadership team meetings and executive workshops
  • Prepares strategic updates and vision documents, briefings, and reports, and demonstrates excellent communication skills and executive presence in presentations to TR executives, customers, and partners
  • PaaS DevOps consulting on the migration of existing IT applications to the PaaS solution
  • Analysis of existing IT applications, defining Changes in the software architecture on High and Low Level
  • Architecting Data flow relaying on GCP\AWS\Azure out of the box services and enabling usage of GraphQL as super positioned touch point.
  • Own the security architecture process, enabling the development and implementation identity and security solutions and capabilities enterprise wide, clearly aligned with business, technology and threat drivers. Translating security policies and directives into specific requirements, procedures, standards and guidelines
  • Defining architectural principles, Consulting of project and line organizations regarding the implementation of safety requirements, ensure that company-wide security requirements are correctly implemented
  • Develops hybrid cloud strategy and governance to meet future business requirements, with a focus on containerization and microservice architectures
  • Develops infrastructure identity and security strategy plans, roadmaps and other architecture artifacts based on sound enterprise architecture practices.
  • Participates as a consultant in application and infrastructure projects to provide infrastructure & security-planning advice
  • Determines baseline infrastructure configuration standards for operating systems (e.g., OS hardening), network segmentation, and identity and access management (IAM) platforms and capabilities.
  • Validates IT infrastructure and other reference architectures for security best practices and recommend changes to enhance security and reduce risks, where applicable.
  • Reviews network segmentation strategy (also in a containerized environment) to ensure least privilege for network access, ensures this translates to a new software defined data canter offering.

Generali
Zurich Switzerland
1 year 2 months
2018-08 - 2019-09

Development of identity and security strategy plans

Cloud Security Architect
Cloud Security Architect
  • Own the security architecture process, enabling the development and implementation identity and security solutions and capabilities enterprise wide, clearly aligned with business, technology and threat drivers. Translating security policies and directives into specific requirements, procedures, standards and guidelines
  • Defining architectural principles, Consulting of project and line organizations regarding the implementation of safety requirements, Ensure that company-wide security requirements are correctly implemented
  • Development of identity and security strategy plans and roadmaps ensuring Confidentiality Integrity and Availability of resources based on sound enterprise architecture practices.
  • Development and maintenance of identity and security architecture artifacts (e.g., models, templates, standards and procedures) that can be used to leverage security capabilities in projects and operations.
  • Provides strategic technical and architectural guidance to senior management, business technology project teams and functional organizations
  • Designs and builds security models and capabilities as it relates to network, cloud, endpoint, identity, and data security domains; authors and drives compliance with enterprise security policies and standards
  • Leads technical defense-in-depth reviews of TR?s product portfolio to evaluate the application of security controls and identify opportunities to enhance the product?s security posture
  • Guides teams in defining future state end-to-end architectures, platforms, products, tools and solutions to advance security capabilities in the business
  • Develops and drives the ISRM technology roadmap, defining current and future security platform lifecycles (candidate, POC, deployed, pending decommission) to continuously improve TR?s security controls posture
  • Work closely with internal teams to effectively deliver internal change capability
  • Clearly define programme requirements and ensure clear communication at all times
  • Consulting the automation DevOps lead on network layouts and negotiating with other network teams on integration and segregation topics Performing application vulnerability and security assessments
  • Performing application security risk assessments
  • Performing code review across a variety of programming languages
  • Defining application security controls (ITGCs)
  • Performing application security design activities
  • Performing assessments of SDLC and DevOps processes, Promoting DevSecOps and safe code practices;
  • Developing and delivering application security training and outreach
  • Creating gap analysis and client improvement program recommendations
  • Other security-related projects that may be assigned according to skills
  • Review and evolve customer and internal access management technologies. Create the IAM policies and technical standards. Advise technical teams on the control design and perform risk assessments and define the IAM related security requirements.
  • Translating clients' risk, security, and compliance requirements into specific Cloud security solutions and design patterns
  • Set up Security Baselining and ensure compliance with State authorities
  • Utilizing Modern technology (DevOps, DevSecOps, CI\CD) trends Security
  • Security PO directly responsible for:
  • iptiQ PnC Security Concept;
  • Identification of the Critical assets - Our in-depth reference architectural model, is based on ISO/IEC 17789 and NIST 500-292
  • Development and optimization of the ISMS (Information Security Management System) according to ISO27001, GDPR and FINMA requirement
  • Appling of Passwordless authentication techniques (MFA, OATH, FIDO2, SSO, Yubikey)
  • Cloud Compute and Workload security protecting Software defined networking, Virtual machines/Instances, containers, Platform-based workloads and Serverless computing;
  • Defining Key risks and controls
  • Centralized Authentication/authorization - utilization of Managed services for authentication and authorization (Okta) together with LDAP DS, and dedicated Oath 2 platforms
  • System integrity, System administration, and Software deployment via Terraform, CloudFormation and Ansible Scrips (DevSecOps).
  • Security patch management via Immutable Workloads Enable Security - Nexus IQ
  • Automatic identification of OSS\TP component and risk modeling in accordance with Risk Appetite.
  • Malware\edge Protection via a combination of managed services (WAFs) ?CloudFlare and edge NGxFW (Palo Alto network)
  • System hardening, performance tuning and patch management;
  • Tenant segregation, multiple VPC
  • RBAC of Technical Users and business users, role definition certification and enforcement;
  • KMS management Private keys, envelope encryption Securing data at rest, and in transit and pseudo-anonymization via tokens;
  • Enforcing Safe code security practice and monitoring of OSS\TP components in use;
  • Attack surface and treat modeling, Static Code Scanning and Free and Open Source Scanning., Appling measures to prevent OWASP 10 vulnerabilities, Code repository security (Nexus IQ) together with Sonar cube
  • Service continuity, disaster recovery
    • Business Continuity Within the Cloud Provider
    • Business Continuity for Loss of the Cloud Provider
    • BC\DR Remediation Actions
  • Propper security monitoring logic (Events & Time Series) via Cloud Watch, Cloudtrail and Panorama
  • Integrating with 3rd party SOC Providers, enablement paging deuties
  • Backup orchestration to another cloud vendor;
  • IT Cyber Security Metrics,
  • Implementation of Advanced End Point Protection
iptiQ PnC Swiss Re
Zurich Switzerland

Aus- und Weiterbildung

Aus- und Weiterbildung

BS, IT Science

PU Paisii Hilendarsky


BSc, eng. in Aeronautic

TU Sofia


Certifications

  • ITIL v4
  • ITILv4 Managing Professional (MP)
  • ITILv4 Strategic Leader (SL)
  • LeSS Prcticioner
  • Certified Product Owner (CSPO)


2016

SAFe4


2009

CISA


2015

PMP


2012

TOGAF foundation


ITIL Lifecycle and Capability (ITIL® ATO Accredited Trainings)

  • ITIL Foundation v3
  • ITIL® 2011:
    • Service Strategy
    • Service Design
    • Service Transition
    • Service Operation
    • Continual Service Improvement
    • Operational Support & Analysis
    • Planning, Protection & Optimizations
    • Release, Control and Validation
    • Service Offerings and Agreements
    • Managing Across the Lifecycle

Kompetenzen

Kompetenzen

Top-Skills

Analytical Thinking and Problem-Solving: Communication and Collaboration Cloud Technical Proficiency Security Konzepte IAM PAM Azure Good Clinical Practice AWS DevOps

Produkte / Standards / Erfahrungen / Methoden

Profile

  • Engineer with extensive experience in the Cloud Security and especially in Identity and Access Management, with good knowledge of functional and non-functional aspects of Designing and Implementation of Digital and UX Platforms, target operating models B2B/B2C, DevSecOps automation with extensive experience in the Financial industry, open Banking and related Security domains, Identity access management and Regulatory requirements (PCI DSS&GDPR), and E2E knowledge.
  • Dedicated and experienced in Secure access consistently across cloud estates and Implement Zero Standing Privileges in Hybrid and multi-cloud estate without impacting productivity focusing on Native Access to Cloud, Define Access Policies Global, Zero Standing Privileges, Dynamic Break-Glass Access, Seamless integration within the Zero Trust security framework.
  • Profitability and Quality champion who explores all possibilities to find the most elegant and cost-effective solution able to define interfaces that support the information and process flows and the approach to implement the interfaces. Rare combination of expert-level technology and business skill sets. Trusted advisor to senior business stakeholders. Expert in Sstrategy definition, Development of target architectures and integration of data, Architecture reviews, advising stakeholders on the definition of new solutions in the technical SAP environment, Requirements gathering incl. technical assessments, Coordination with internal/external partners and service providers
  • Strong advocate for utilizing domain-specific languages, patterns, and concepts to express domain logic directly in the codebase, enhancing software comprehensibility and maintainability. Adept at leading cross-functional teams and fostering collaboration between domain experts, architects, and developers to deliver high-quality software solutions that meet business objectives. Dedicated to continuous learning and staying abreast of emerging trends and best practices in Domain-Driven Architecture and software engineering in the specific context of corporate crisis management solutions following requirements of NIS2, DORA NIST 500, NIST SCF, NIST 800-53, SP1800, ISO27001, ISO 27005, CIS Controls CSA framework etc
  • Expert in conceptualization, development, and implementation of tailor-made IAM\PAM solutions for large, international companies (One Identity/ex Dell advisory/, Ping Federate, Omada, CyberArc and more), performing IAM integration projects in on-prem and cloud (AWS/Azure/GCP).
  • Hands on expertise with Access Management, Workforce Access, Single Sign-On, Multi-Factor Authentication, Workforce Password Management, Secure Web Sessions, Secure Browser, Customer Access, B2B Identity, Identity Governance and Administration,
  • Identity Compliance Lifecycle Management, Identity Flows IAM (Ping ID, Sailpoint IQ, Okta, Q1IM\Dell1IM\OneIM)\PAM (CyberArc, BeyondTrust ) integration. Privileged Access (N-Tier User Model), Privileged Access Management, Vendor Privileged Access, Secrets Management, Multi-Cloud Secrets, Secrets Hub, Credential Providers, Endpoint Privilege Security, Endpoint Privilege Management, Secure Desktop, etc.
  • On boarding applications with expertise in installation and version upgrade of Dell One Identity Manager, Cyber Ark and Beyond trust, Applying patches, Design and end-to-end implementation of complex IAM solutions, developing custom interfaces with various applications like Windows, AD, Linux, SAP, enabling API driven fabrics.
  • Expert in infrastructure technologies, running Infrastructure-as-code (DevOps\SecDevOps), Code & Configuration(Terraform, cloud formation) Release Pipeline, Credential management (CF/CredHub & Vaulting), API management (AWS API Gateway, MS- Azure API Management, Google-Endpoints & Apigee, WSO2), Formulating a Migration Strategy (6 Rs), implementing the security strategy for the Database Activity Monitoring team, taking into consideration all database-related policies, Service Quality, Service Capacity Usage, Service Profitability, Service Efficiency, Service Availability (SLA), Max Serviceable Customer Capacity, Service Critical Incident Count using agile software development methodologies. Strong knowledge of all information security domains including Zero Trust networks, Passwordless authentication techniques (MFA, OATH, FIDO2, SSO, Yubikey, NGWF appliances, Risk management, Data Privacy, and regulation / governance. Implement solutions, policies, and defined standards on IAM, Authentication, Directory Services, PKI and IT Infrastructure Security Domain Platforms, Microsoft PKI\ IAM\PAM. Certain understanding and solution architecture capabilities of the industry IT application scenarios, PAM (CyberArk, Beyond trust) \IAM Role & Authorization Management),
  • Know how to employ DevSecOps, AIOps and Safe Code Practices. Ensuring that technical solutions are cohesive across the provisioning sub-teams and complete against business requirements. Allowing rapid:
    • Bootstrapping: create a Cloud Setups with corresponding resource hierarchy, and permissions for the initial CI/CD pipeline to deploy next stages. Enable N tier Landscape (dev, test, preprod, N and prod).
    • Baseline the set of configurations that allows the delivery of the security and compliance monitoring, alerting and as foundational guardrails. Use Jenkins as Scheduler, Source control tools (Gitea, GIT, Azure Bucket, Gitlab) and Crucible for code review, benefiting from SAP Cloud ALM to ensure proper Backup Binaries and Source Code, Code inspection and quality control, Release management, Certificates expiration, Automated Testing, Documentation and Code Review.
    • Covering Business Specific Requirements: Delivers business specific components and integrations (such as SSO, Service & Event meshes, Propper monitoring, etc);
    • Establishment of proper Workload services at Applications level running proper set of Application Infrastructure: Any of the many cloud services that form the business? platform for workloads (Servers, Storage, IAM\PAM, SIEM, SOAR etc). The final goal of the Landing Zone: to deliver value to the business
    • Validate, evaluate and technical sign-off of technical changes in capabilities and solutions proposed by external partners.
    • Oversee and guide deployment of security patches, enhancements and changes to the Windows\Linux IT Landscape (including PoCs, PoVs, Canary and Blue-Green deployments, Gold images, and Transfer-to Operations together with L2/L3 running everything as a code

  • Adept at Cost Optimization based on proposer Implement cloud financial management via adopting a consumption model.
  • Measurement of overall efficiency create an understanding of gains Company make from increasing output, increasing functionality, and reducing cost, and at the same time preventing company from spending money on undifferentiated heavy liftings via applying analyze and attribute expenditures. 


Additional IT Experience

08/2017 - 10/2017

Role: Enterprise Architect 

Customer: UBS AG, Zurich Switzerland


Tasks:

IAM/PAM Sustainability Program


02/2017 - 11/2018

Role: Senior Program Manager\Lead Architect 

Customer: VMWare 


05/2016 - 02/2017

Customer: SME IAM Maersk Oil&Gas Copenhagen, Denmark 


06/2015 - 04/2016

Role: Infosys Team Lead\SME 

Customer: Deutsche Bank S.A. Frankfurt am Main, Eschborn Germany 


04/2014 - 11/2015

Role: Infrastructure Delivery Manager 

Customer: UniCredit S.A, Frankfurt am Main, Milano


09/2013 - 04/2014

Role: Director Performance &Technology 

Customer: on request


11/2009 - 08/2013

Role: Senior Director, (Technology and Risk Advisory Service lines) 

Customer: on request


04/2007 - 10/2009

Role: Informational Risk Manager (CISO) 

Customer: ProCredit Bank Holding S.A.


Tasks:

  • ProCredit Bank Holding S.A. 21 growing banks operating in transition economies and developing countries in Eastern Europe, Latin America, and Africa.
  • Currently ProCredit Bank Bulgarian bank holds position in top 10 on Bulgarian Market.


05/2006 - 08/2006

Role: IT Administrator 

Customer: Deloitte SSA


03/2003 - 05/2006

Role: LAN Administrator 

Customer: Piraeus Bank 

Einsatzorte

Einsatzorte

Deutschland, Schweiz, Österreich
möglich

Projekte

Projekte

4 months
2024-01 - 2024-04

SME of PAM&SecDevOps Practices as part of Annual IT Audit

External Auditor
External Auditor

  • Review of SecDevOps Practices and PAM Implementation of current IT systems infrastructure and the so-called target architecture solution, covering Microservice, Kubernetes, Atlassian Eco system (Jira, Confluence), SNOW, Zero-trust, Service meshes, PAM, ML\AI (LLM) and CI\CD automation ensuring compliance with GxP and cGxP.
  • Recommended and architected improvements on sustainable hybrid cloud architectures with lean, automated, and secure maintenance practices, ensuring high availability, resilience, scalability, and performance.
  • Collaborated with senior stakeholders across Digital, OT, Enterprise Architecture, QA, and IT Security to drive DevOps culture through containerization, Usage of AI(LLM) and associated concept?s introduction.
  • Improved, designed containerized solutions meeting GxP and cGXP requirements, IT security, and reliability standards, while defining cloud standards and frameworks for managing infrastructure lifecycle with DevOps techniques, including:
    • Secure throughout the software development lifecycle in order to minimize vulnerabilities in software code.
    • Proper function of the DevOps teams, including developers and operations teams.
    • Confirmed shared responsibility for following security best practices.
    • Evaluate efficiency and effectiveness of automated security checks at each stage of software delivery.
    • Recommend improvements on integrated security controls, tools, and processes into the DevOps workflow.
  • Ensured designs complied with IT Security and QA standards through reviews and promoted cloud-native setups for forward-looking architectures and applications, ensuring Traceability, Accountability and Data integrity.
  • Recommend implementation of new methodologies using modern agile approaches, driving continuous improvement and innovation within the organization.
  • Identified and recommend infrastructure improvements for more efficient services, optimizing resource utilization and enhancing overall system performance and cost reduction.
European Medicines Agency (EMA)-
6 months
2023-07 - 2023-12

SAP S/4HANA Cloud S4C pre project

SAP Security
SAP Security
  • Orchestrated and executed security solutions, encompassing Zero Trust principles, for BASIS Administration, SAP IAS, IPS, MS Azure, S/4, public cloud, BTP, and Fiori applications, ensuring adherence to best practices and compliance standards transposed to SAP PCE
  • Design proper integration patterns of S4C public cloud \ Private Cloud Edition (PCE)with HR platform, Salesforce and IAM\PAM solutions;
  • Engineered and managed Business catalogues, Business Roles User Roles, Authorizations, and Profiles within S/4 HANA, BTP, and Fiori applications, using on-premise (PFCG and Fiori Lunch pad and cloud-based SAP systems, emphasizing Zero Trust access policies.
  • Conducted security assessments, penetration tests, and vulnerability scans on Fiori applications and cloud-based SAP environments to fortify the Zero Trust model's implementation together with SAP cloud technologies (BTP, SaaS, PCE) in combination with Azure
  • Collaborated cross-functionally to enforce robust access control, segregation of duties, and least privilege principles across different SAP platforms while adhering to the Zero Trust framework.
  • Design infrastructure as a service and CI\CD pipelines integrating them with SAST\DAST solutions (Veracode) and Code Vulnerability Analyzer (CVA) security checks for ABAP custom code evaluations against Common Vulnerabilities and Exposures (CVE) and CVSs.
  • Oversaw BASIS Administration tasks and performed system upgrades, patches, and maintenance in Azure-based SAP landscapes, ensuring a Zero Trust security environment.
  • Provided expert consultation on role-based access control design, user provisioning, and security configurations for S/4, BTP, public cloud, Fiori applications, SAP IAS, IPS, and MS Azure within the Zero Trust model. And enabling:
    • API-based Integration: use SAP BTP API-based integration, allowing applications to expose their functionalities as APIs (Application Programming Interfaces). APIs enable seamless communication between different applications, services, and systems. SAP BTP provides tools like SAP API Management for managing, securing, and monitoring APIs.
    • Event-Driven Architecture: build Event-driven architecture (EDA), that enables real-time communication and data exchange between different components of a system. SAP BTP offers event-driven capabilities through services like SAP Event Mesh, which facilitates event-based communication across distributed systems.
    • Data Integration: use SAP BTP provides tools and services for data integration, enabling organizations to connect, transform, and synchronize data across various sources and applications. Services like SAP Data Intelligence and SAP Data Hub offer advanced data integration capabilities, including data orchestration, transformation, and governance.
    • Process Integration: use SAP`s BTP supports process integration, allowing organizations to streamline and automate business processes across different applications and systems. Services like SAP Integration Suite offer process orchestration capabilities, enabling organizations to design, execute, and monitor end-to-end business processes.
    • IoT Integration: leveraging IoT (Internet of Things) technologies, SAP BTP offers IoT integration capabilities to connect, manage, and analyze IoT data streams. Services like SAP IoT Application Enablement provide tools for IoT device management, data ingestion, and real-time analytics.
    • Hybrid Integration: explore SAP BTP`s supports on hybrid integration scenarios, enabling seamless communication between on-premises systems and cloud-based applications. Services like SAP Cloud Connector facilitate secure and reliable communication between on-premises systems and SAP BTP services running in the cloud.
    • Identity and Access Management (IAM) Integration: Define IAM integration, which is crucial for ensuring secure access to applications and services within the SAP ecosystem. SAP BTP provides identity services like SAP BTP Identity Authentication and SAP BTP Identity Provisioning for managing user identities, authentication, and authorization.
    • Integration with External Systems: Enable SAP BTP`s integration with external systems and third-party applications through standard protocols and connectors. Services like SAP BTP Open Connectors offer pre-built connectors and APIs for integrating with popular third-party applications and services.
  • Analyzed and improved authorization concepts within S/4 HANA, BTP, and Azure environments to align with Zero Trust security practices, ? ensuring regulatory compliance and data protection.
  • Supported the implementation and enforcement of security policies for Fiori applications, integrating strong authentication methods and secure communication protocols within Azure environments under the Zero Trust paradigm.
  • Conducted training sessions and created documentation for end-users and administrators on S/4, BTP, Fiori, SAP IAS, IPS, and MS Azure security protocols and best practices emphasizing the Zero Trust model.
Hilti
1 year
2022-07 - 2023-06

IETV Program

Platform Security Engineer
Platform Security Engineer

  • Working with SwissRe's Cyber Risk team to ensure SwissRe's security standards are implemented. Documentation of the measures implemented
  • Understand all infrastructure as code (IaC) artefacts in Azure DevOps, with specific focus on Kubernetes/AKS/EKS , Kafka, Zookeeper, NoSQL (e.g. Couchbase)/
  • Act as a Subject Matter Expert (SME) on API Security for the wider technology community.
  • Develop comprehensive knowledge of our products with a focus on solutions key to improving overall API Security relevant to REST, GRPC GraphQL APIs .
  • Secure the CI/CD process for IaC and Microservice (Spring Boot, Python, Helm, Teraform) deployments
  • Understand and oversee operations of wide scanning tools such as Aqua, NexusIQ, Qualys etc
  • Support the development and maintenance of API Security guidelines, best practices and life-cycle phases for infrastructure and application teams across Swiss Re
  • Define criteria and evaluate relevant API security solutions.
  • Drive the adoption of new ideas and technologies in API security domain including discovery, management, anomaly detection and protection.
  • Provide recommendations for improving automated security auditing and testing solutions for API?s and lead the implementation.
  • Ensure compliance with requirements on Encryption at rest and in transit
  • Design, implement and ensure best practices of AuthZ, eg via token rotation: both for human and non-human
  • Design, implement and maintain secrets management
  • Design and implement a security aspect for configuration management
  • Work with developers to understand the security context of the apps and their interaction with Apache Kafka, candidate will design & own the implementation of how Kafka will be secured
  • Secure the platform against unauthorized access: design and implement lifecycle (non-prod vs prod) for data
  • Consult with infrastructure teams on network layouts and negotiate with other network teams on integration/segregation topics
  • Support and give guidance on the test driven development practices and the implementation thereof in the pipelines in a DevSecOps style
  • Efficiently leverage Azure services for addressing security concerns (i.e. WAF)
  • Own the integration with Azure Active Directory and IAM
  • Continuously work with the teams to improve all components as the use-cases grow more complex
  • Facilitate pen-tests with an external partner
  • Ensure compliance with the company wide digital governance framework, audit and various security technical standard
  • Security Documentation for internal quality assurance and external audits
  • Close collaboration with IT teams, design a security architecture framework (guidelines, technology reference models, guidelines, and training material)
  • Assess and transpose embed security requirements into existing or new IT systems (business applications including SAP, IT infrastructure, on-prem and cloud systems).
  • Perform cyber security architecture reviews and documentation of the security requirements in architecture handbooks in close collaboration, partnering and advising IT and business teams to implement a ?secure by design? strategy that provides the following - Regulatory compliance, Security policy enforcement etc
  • Advise and design security solutions for implementation into complex customer IT environments which carry proprietary real-time life critical data and diagnostic quality images which require reliability and high availability output based on Cloud Native services
  •  Employ DevSecOps, AIOps and Safe Code Practices. Ensuring that technical solutions are cohesive across the provisioning sub-teams and complete against business requirements. Allowing rapid:
    • Bootstrapping: create a Cloud Setups with corresponding resource hierarchy, and permissions for the initial CI/CD pipeline to deploy next stages.
    • Baseline the a set of configurations that allows the delivery of the security and compliance monitoring, alerting and as foundational guardrails.
    • Covering Business Specific Requirements: Delivers business specific components and integrations (such as SSO, monitoring etc);
    • Establishment of proper Workload services at Applications level running proper set of Application Infrastructure: Any of the many cloud services that form the business? platform for workloads (Servers, Storage, IAM\PAM, SIEM, SOAR etc). The final goal of the Landing Zone: to deliver value to the business
    • Validate, evaluate and technical sign-off of technical changes in capabilities and solutions proposed by external partners.
    • Oversee and guide deployment of security patches, enhancements and changes to the Windows\Linux IT Landscape (including PoCs, PoVs, Canary and Blue-Green deployments, Gold images, and Transfer-to Operations together with L2/L3 running everything as a code)
Swiss Re
6 months
2022-08 - 2023-01

Cyber Arc (PAM) advisory

As Technology Partner in FIS Global I am responsible for building and developing the Digital Identity Practice as part of Cyber Security services. The Digital Identity practice consists of PAM (Privileged Access Management), IGA (Identity Governance and Administration) and CIAM (Customer IAM). The current toolset in use for the following topics are as follows: IGA ? SailPoint IIQ, OMADA, MIM 2016, PAM ? CyberArk, CIAM ? ForgeRock and Transmit Security Microsoft Based Security ? On-Premise and Azure Cloud As part of the company leadership team, I am responsible for building, developing and administrating a team of 20+ people across Central and Eastern Europe. Daily, I am taking management and architectural role in various projects covering services such as assessment, design, implementation, and managed service across Europe with the technology stacks mentioned above. I have experience in various industries and expert knowledge in IAM/PAM best practices and compliance standards across widely regulated and non-regulated businesses. In the past 10+ years I have been involved in projects taking various roles from Implementation Engineer to Solution Architect for businesses in any size ? from small to large global companies spanned across the globe. My expertise and understanding of the overall IT Infrastructure and in-depth knowledge in Authorization, Authentication and Security allowed me to successfully deliver all those projects regardless of the project complexity, timeline, location or size. My strongest features are my devotion to work and desire to solve complex challenges with the highest quality, ability to lead teams and coordinate activities, ability to consult and discuss on every level from top management level through enterprise architecture down to in-depth technical discussions and low-level solution specific conversations with developers and engineers. In my current role, my main responsibilities include driving the line of business forward by developing new client relationships and delivering complex projects from Management and Architectural perspective including but not limiting to:

  • Roadmap design HLD, LLD and Pilot implementation of Companywide PAM solution as a Service provided from a market leader.
  • Close collaboration with IT teams, design a security architecture framework (guidelines, technology reference models, guidelines, and training material)
  • Assess and transpose embed security requirements into existing or new IT systems (business applications including SAP, IT infrastructure, on-prem and cloud systems including Microsoft office 365).
  • Perform cyber security architecture reviews and documentation of the security requirements in architecture handbooks in close collaboration, partnering and advising IT and business teams to implement a ?secure by design? strategy that provides the following - Regulatory compliance, Security policy enforcement, Support of ?bring your own device? (BYOD), Remote control of device updates, Application control, Automated device registration & Data backup
  • Advise and design security solutions for implementation into complex customer IT environments which carry proprietary real-time life critical data and diagnostic quality images which require reliability and high availability output based on GCP Native services like (Access Transparency, Assured Workloads, Binary Authorization, Cloud Asset Inventory, Cloud Data Loss Prevention, Cloud Key Management, to manage encryption keys on Google Cloud, Confidential Computing, Firewalls, Secret Manager to store API keys, passwords, certificates, and other sensitive data, Security Command Center, Shielded VMs, VPC Service Controls, BeyondCorp Enterprise for Scalable zero trust platform with integrated threat and data protection, Cloud Identity, Identity and Access Management, Identity-Aware Proxy, Policy Intelligence, Titan Security Key for MFA, etc.
    • Employ DevSecOps, AIOps and Safe Code Practices. Ensuring that technical solutions are cohesive across the provisioning sub-teams and complete against business requirements. Allowing rapid:
    • Bootstrapping: create a Cloud Setups with corresponding resource hierarchy, and permissions for the initial CI/CD pipeline to deploy next stages.
    • Baseline the a set of configurations that allows the delivery of the security and compliance monitoring, alerting and as foundational guardrails.
    • Covering Business Specific Requirements: Delivers business specific components and integrations (such as SSO, monitoring etc);
    • Establishment of proper Workload services at Applications level running proper set of Application Infrastructure: Any of the many cloud services that form the business? platform for workloads (Servers, Storage, IAM\PAM, SIEM, SOAR etc). The final goal of the Landing Zone: to deliver value to the business
    • Validate, evaluate and technical sign-off of technical changes in capabilities and solutions proposed by external partners.
    • Oversee and guide deployment of security patches, enhancements and changes to the Windows\Linux IT Landscape (including PoCs, PoVs, Canary and Blue-Green deployments, Gold images, and Transfer-to Operations together with L2/L3 running everything as a code)
Galderma
1 year 4 months
2021-01 - 2022-04

Architecting of APIMv2 heterogenic platform-based SaaS microservices

APIM CTO Lead Architect
APIM CTO Lead Architect
  • Enable Open banking for BMW Bank, allowing access and control of consumer banking and financial accounts through third-party applications.
  • Architecting of APIMv2 heterogenic platform-based SaaS microservices (Kubernetes).
  • Enabling migration from heterogenic (mix of on-prem and SaaS solution) to Cloud first \ Cloud only (AZURE and AWS). Clearing the path for BMW`s IT eco to become API driven and BMW to become a Tech Company.
  • Employing DevSecOps and Safe Code Practices, Running everything as a code
  • Enhancement of IT & Security Risk control mechanism of GCP, AWS and Azure based APIM platform.
  • Responsible for Creation of security standard based on IT and security frameworks (Such as OWASP10, ISO 23167:2020, ISO 23188:2020, ISO 23029:2020, ISO27001/2, NIST 500, NIST 800,GxP, CIS and COBIT);
  • Development of security concept and road map for achievement of desirable future state.
  • Interact with senior stakeholders across departments and will reach and influence a wide range of people across larger teams and communities
  • Research and apply innovative Cloud and Security architecture solutions to new or existing problems
  • Work out subtle Cloud and Security needs and will understand the impact of decisions, balancing requirements and deciding between approaches.
  • Design and plan a cloud solution architecture, produce particular patterns and support quality assurance, and is the point of escalation for architects below them
  • Post bridge assessment and validation of execution for AD and AAD
  • Designing and Implementation of AD Tiering model
  • Migration to tiering model
  • Designing AD Concept for Application and Server administration
  • Designing AD Concept for self-evolution of rights
  • Developing PAM Program
  • Designing CyberArk Core PAS Solution
  • Implementing CyberArk Core PAS
  • Designing Client specific use cases for CyberArk EPM
  • Implementation of CyberArk EPM
  • Manage and provision the cloud solution infrastructure
  • Design for security and compliance
  • Analyse and optimize technical and business processes
  • Manage implementations of cloud architecture
  • Ensure solution and operation reliability
  • Configure access within a cloud solution environment
  • Ensure data protection
  • Manage operations within a cloud solution environment
  • Ensure compliance and reliability
BMW Group\BMW Bank
1 year 2 months
2020-11 - 2021-12

Enhancing Perimeter security of Hilti Cloud

  • Conceptualizing defense in deep approach for HILTI Cloud ? EMEA, APAC, Nord America, and China Mainland.
  • Creation of road map for implementation of layered defence-in-depth strategy. Technology stack including WAF (Web Application firewall),
  • Leading the VRM process selection and setting up of Vendor battles
  • Performing of POCs with shortlisted vendors.
  • Setting up criteria and Perform interoperability, regression, and Unity testing of the selected stack with the existing Hilti eco system
Hilti
4 months
2020-09 - 2020-12

Integration of existing IAM platform

Governance Consultant/Architect
Governance Consultant/Architect

  • DB Access gate (OneIM) with Wealth Management Platform (WME) dedicated to automate user lifecycle (access provisioning and deprovisioning) and to allow usage of hybrid identities of Wealth management Eco system (300+) applications.
  • Architecting (HLD, LLD, API contracts) for fleet of Rest Full APIs, dedicate to overcome One- IM Constrains and limitations. 

Deutsche Bank
10 months
2019-12 - 2020-09

evaluation of the current setup, of the Hybrid Cloud deployment

Governance Consultant/Architect
Governance Consultant/Architect
External governance consultant responsible for evaluation of the current setup, of the Hybrid Cloud deployment, HA, Security of network infrastructure, ITGCs of EHRs, i.e. electronic health records (German: Patientenakte, ePA), system development program. EHR`s records are hailed as the key to increasing the quality of care. This project is result of the Appointment Service and Supply Act (TSVG), adopted on 14th March 2019, requires the German statutory health insurance funds to provide policyholders with electronic health records from 1st January 2021 onwards. Effectively applying CYBER KILL CHAIN models (MItre ATT&CK framework, SANS Diamond Model For Intrusion Analysis, CEH) Putting all the cybersecurity products to the test in a structured and methodical way and assessing whether or not the security product is fulfilling its duty or not (Vendor Battles). Lead Breach & Attack Simulation and Filling the gaps in security
  • Define the product strategy for the business considering technology constraints
  • Coordinate the technology related efforts to deliver it within the project and with 3rd party subcontractors.
  • Business application ownership and management of book of work for certain front-to-back processes and applications in GRC and Security areas
  • Development and optimization of the ISMS (Information Security Management System) according to ISO27001
  • Business architecture, process and requirements design and definition as product subject matter expert in control definition ? ITGC, compensative and detective controls
  • Product responsibility (IT team to deliver product, deliver manager to oversee and steer direction)
  • Close collaboration with IT as CRC product owner in an agile working framework
  • Provide transparent, timely and accurate information to senior stakeholders and peers
  • Cryptographic knowledge including encryption, key exchange, certificate handling and protocols (x509, PKCS12 etc)
  • Security Control Frameworks e.g. ISO27001 and practical experience in their implementation
  • Security Architecture principles, generic best practices
  • Network security devices
  • Endpoint defense solutions
  • Exposure to malware infection vectors and defence methods
  • Endpoint and Server hardening principles, best practices
  • Web application firewalls, network load balancers, proxy systems
  • Network, Endpoint and Application logging concepts, best practice and monitoring systems including SIEM
  • Active Directory Security including federated solutions using ADFS, SAML etc
  • Exposure to cloud security models including public, private and hybrid concepts
  • Application security including web applications, SaaS services etc
  • Data handling principles, protective marking/tagging and data security knowledge
IBM
2 months
2019-10 - 2019-11

Architecting FCP POC

Cloud Architect
Cloud Architect

  • Creating a Roadmap for migrating of on-prem OpenShift platform to the cloud (AZURE - ARO, CGP - GKE and AWS ? ECS, EKS, Fargate ) aiming utilization of cloud native approach
  • Participates in and contributes thought leadership and strategic direction during ISRM leadership team meetings and executive workshops
  • Prepares strategic updates and vision documents, briefings, and reports, and demonstrates excellent communication skills and executive presence in presentations to TR executives, customers, and partners
  • PaaS DevOps consulting on the migration of existing IT applications to the PaaS solution
  • Analysis of existing IT applications, defining Changes in the software architecture on High and Low Level
  • Architecting Data flow relaying on GCP\AWS\Azure out of the box services and enabling usage of GraphQL as super positioned touch point.
  • Own the security architecture process, enabling the development and implementation identity and security solutions and capabilities enterprise wide, clearly aligned with business, technology and threat drivers. Translating security policies and directives into specific requirements, procedures, standards and guidelines
  • Defining architectural principles, Consulting of project and line organizations regarding the implementation of safety requirements, ensure that company-wide security requirements are correctly implemented
  • Develops hybrid cloud strategy and governance to meet future business requirements, with a focus on containerization and microservice architectures
  • Develops infrastructure identity and security strategy plans, roadmaps and other architecture artifacts based on sound enterprise architecture practices.
  • Participates as a consultant in application and infrastructure projects to provide infrastructure & security-planning advice
  • Determines baseline infrastructure configuration standards for operating systems (e.g., OS hardening), network segmentation, and identity and access management (IAM) platforms and capabilities.
  • Validates IT infrastructure and other reference architectures for security best practices and recommend changes to enhance security and reduce risks, where applicable.
  • Reviews network segmentation strategy (also in a containerized environment) to ensure least privilege for network access, ensures this translates to a new software defined data canter offering.

Generali
Zurich Switzerland
1 year 2 months
2018-08 - 2019-09

Development of identity and security strategy plans

Cloud Security Architect
Cloud Security Architect
  • Own the security architecture process, enabling the development and implementation identity and security solutions and capabilities enterprise wide, clearly aligned with business, technology and threat drivers. Translating security policies and directives into specific requirements, procedures, standards and guidelines
  • Defining architectural principles, Consulting of project and line organizations regarding the implementation of safety requirements, Ensure that company-wide security requirements are correctly implemented
  • Development of identity and security strategy plans and roadmaps ensuring Confidentiality Integrity and Availability of resources based on sound enterprise architecture practices.
  • Development and maintenance of identity and security architecture artifacts (e.g., models, templates, standards and procedures) that can be used to leverage security capabilities in projects and operations.
  • Provides strategic technical and architectural guidance to senior management, business technology project teams and functional organizations
  • Designs and builds security models and capabilities as it relates to network, cloud, endpoint, identity, and data security domains; authors and drives compliance with enterprise security policies and standards
  • Leads technical defense-in-depth reviews of TR?s product portfolio to evaluate the application of security controls and identify opportunities to enhance the product?s security posture
  • Guides teams in defining future state end-to-end architectures, platforms, products, tools and solutions to advance security capabilities in the business
  • Develops and drives the ISRM technology roadmap, defining current and future security platform lifecycles (candidate, POC, deployed, pending decommission) to continuously improve TR?s security controls posture
  • Work closely with internal teams to effectively deliver internal change capability
  • Clearly define programme requirements and ensure clear communication at all times
  • Consulting the automation DevOps lead on network layouts and negotiating with other network teams on integration and segregation topics Performing application vulnerability and security assessments
  • Performing application security risk assessments
  • Performing code review across a variety of programming languages
  • Defining application security controls (ITGCs)
  • Performing application security design activities
  • Performing assessments of SDLC and DevOps processes, Promoting DevSecOps and safe code practices;
  • Developing and delivering application security training and outreach
  • Creating gap analysis and client improvement program recommendations
  • Other security-related projects that may be assigned according to skills
  • Review and evolve customer and internal access management technologies. Create the IAM policies and technical standards. Advise technical teams on the control design and perform risk assessments and define the IAM related security requirements.
  • Translating clients' risk, security, and compliance requirements into specific Cloud security solutions and design patterns
  • Set up Security Baselining and ensure compliance with State authorities
  • Utilizing Modern technology (DevOps, DevSecOps, CI\CD) trends Security
  • Security PO directly responsible for:
  • iptiQ PnC Security Concept;
  • Identification of the Critical assets - Our in-depth reference architectural model, is based on ISO/IEC 17789 and NIST 500-292
  • Development and optimization of the ISMS (Information Security Management System) according to ISO27001, GDPR and FINMA requirement
  • Appling of Passwordless authentication techniques (MFA, OATH, FIDO2, SSO, Yubikey)
  • Cloud Compute and Workload security protecting Software defined networking, Virtual machines/Instances, containers, Platform-based workloads and Serverless computing;
  • Defining Key risks and controls
  • Centralized Authentication/authorization - utilization of Managed services for authentication and authorization (Okta) together with LDAP DS, and dedicated Oath 2 platforms
  • System integrity, System administration, and Software deployment via Terraform, CloudFormation and Ansible Scrips (DevSecOps).
  • Security patch management via Immutable Workloads Enable Security - Nexus IQ
  • Automatic identification of OSS\TP component and risk modeling in accordance with Risk Appetite.
  • Malware\edge Protection via a combination of managed services (WAFs) ?CloudFlare and edge NGxFW (Palo Alto network)
  • System hardening, performance tuning and patch management;
  • Tenant segregation, multiple VPC
  • RBAC of Technical Users and business users, role definition certification and enforcement;
  • KMS management Private keys, envelope encryption Securing data at rest, and in transit and pseudo-anonymization via tokens;
  • Enforcing Safe code security practice and monitoring of OSS\TP components in use;
  • Attack surface and treat modeling, Static Code Scanning and Free and Open Source Scanning., Appling measures to prevent OWASP 10 vulnerabilities, Code repository security (Nexus IQ) together with Sonar cube
  • Service continuity, disaster recovery
    • Business Continuity Within the Cloud Provider
    • Business Continuity for Loss of the Cloud Provider
    • BC\DR Remediation Actions
  • Propper security monitoring logic (Events & Time Series) via Cloud Watch, Cloudtrail and Panorama
  • Integrating with 3rd party SOC Providers, enablement paging deuties
  • Backup orchestration to another cloud vendor;
  • IT Cyber Security Metrics,
  • Implementation of Advanced End Point Protection
iptiQ PnC Swiss Re
Zurich Switzerland

Aus- und Weiterbildung

Aus- und Weiterbildung

BS, IT Science

PU Paisii Hilendarsky


BSc, eng. in Aeronautic

TU Sofia


Certifications

  • ITIL v4
  • ITILv4 Managing Professional (MP)
  • ITILv4 Strategic Leader (SL)
  • LeSS Prcticioner
  • Certified Product Owner (CSPO)


2016

SAFe4


2009

CISA


2015

PMP


2012

TOGAF foundation


ITIL Lifecycle and Capability (ITIL® ATO Accredited Trainings)

  • ITIL Foundation v3
  • ITIL® 2011:
    • Service Strategy
    • Service Design
    • Service Transition
    • Service Operation
    • Continual Service Improvement
    • Operational Support & Analysis
    • Planning, Protection & Optimizations
    • Release, Control and Validation
    • Service Offerings and Agreements
    • Managing Across the Lifecycle

Kompetenzen

Kompetenzen

Top-Skills

Analytical Thinking and Problem-Solving: Communication and Collaboration Cloud Technical Proficiency Security Konzepte IAM PAM Azure Good Clinical Practice AWS DevOps

Produkte / Standards / Erfahrungen / Methoden

Profile

  • Engineer with extensive experience in the Cloud Security and especially in Identity and Access Management, with good knowledge of functional and non-functional aspects of Designing and Implementation of Digital and UX Platforms, target operating models B2B/B2C, DevSecOps automation with extensive experience in the Financial industry, open Banking and related Security domains, Identity access management and Regulatory requirements (PCI DSS&GDPR), and E2E knowledge.
  • Dedicated and experienced in Secure access consistently across cloud estates and Implement Zero Standing Privileges in Hybrid and multi-cloud estate without impacting productivity focusing on Native Access to Cloud, Define Access Policies Global, Zero Standing Privileges, Dynamic Break-Glass Access, Seamless integration within the Zero Trust security framework.
  • Profitability and Quality champion who explores all possibilities to find the most elegant and cost-effective solution able to define interfaces that support the information and process flows and the approach to implement the interfaces. Rare combination of expert-level technology and business skill sets. Trusted advisor to senior business stakeholders. Expert in Sstrategy definition, Development of target architectures and integration of data, Architecture reviews, advising stakeholders on the definition of new solutions in the technical SAP environment, Requirements gathering incl. technical assessments, Coordination with internal/external partners and service providers
  • Strong advocate for utilizing domain-specific languages, patterns, and concepts to express domain logic directly in the codebase, enhancing software comprehensibility and maintainability. Adept at leading cross-functional teams and fostering collaboration between domain experts, architects, and developers to deliver high-quality software solutions that meet business objectives. Dedicated to continuous learning and staying abreast of emerging trends and best practices in Domain-Driven Architecture and software engineering in the specific context of corporate crisis management solutions following requirements of NIS2, DORA NIST 500, NIST SCF, NIST 800-53, SP1800, ISO27001, ISO 27005, CIS Controls CSA framework etc
  • Expert in conceptualization, development, and implementation of tailor-made IAM\PAM solutions for large, international companies (One Identity/ex Dell advisory/, Ping Federate, Omada, CyberArc and more), performing IAM integration projects in on-prem and cloud (AWS/Azure/GCP).
  • Hands on expertise with Access Management, Workforce Access, Single Sign-On, Multi-Factor Authentication, Workforce Password Management, Secure Web Sessions, Secure Browser, Customer Access, B2B Identity, Identity Governance and Administration,
  • Identity Compliance Lifecycle Management, Identity Flows IAM (Ping ID, Sailpoint IQ, Okta, Q1IM\Dell1IM\OneIM)\PAM (CyberArc, BeyondTrust ) integration. Privileged Access (N-Tier User Model), Privileged Access Management, Vendor Privileged Access, Secrets Management, Multi-Cloud Secrets, Secrets Hub, Credential Providers, Endpoint Privilege Security, Endpoint Privilege Management, Secure Desktop, etc.
  • On boarding applications with expertise in installation and version upgrade of Dell One Identity Manager, Cyber Ark and Beyond trust, Applying patches, Design and end-to-end implementation of complex IAM solutions, developing custom interfaces with various applications like Windows, AD, Linux, SAP, enabling API driven fabrics.
  • Expert in infrastructure technologies, running Infrastructure-as-code (DevOps\SecDevOps), Code & Configuration(Terraform, cloud formation) Release Pipeline, Credential management (CF/CredHub & Vaulting), API management (AWS API Gateway, MS- Azure API Management, Google-Endpoints & Apigee, WSO2), Formulating a Migration Strategy (6 Rs), implementing the security strategy for the Database Activity Monitoring team, taking into consideration all database-related policies, Service Quality, Service Capacity Usage, Service Profitability, Service Efficiency, Service Availability (SLA), Max Serviceable Customer Capacity, Service Critical Incident Count using agile software development methodologies. Strong knowledge of all information security domains including Zero Trust networks, Passwordless authentication techniques (MFA, OATH, FIDO2, SSO, Yubikey, NGWF appliances, Risk management, Data Privacy, and regulation / governance. Implement solutions, policies, and defined standards on IAM, Authentication, Directory Services, PKI and IT Infrastructure Security Domain Platforms, Microsoft PKI\ IAM\PAM. Certain understanding and solution architecture capabilities of the industry IT application scenarios, PAM (CyberArk, Beyond trust) \IAM Role & Authorization Management),
  • Know how to employ DevSecOps, AIOps and Safe Code Practices. Ensuring that technical solutions are cohesive across the provisioning sub-teams and complete against business requirements. Allowing rapid:
    • Bootstrapping: create a Cloud Setups with corresponding resource hierarchy, and permissions for the initial CI/CD pipeline to deploy next stages. Enable N tier Landscape (dev, test, preprod, N and prod).
    • Baseline the set of configurations that allows the delivery of the security and compliance monitoring, alerting and as foundational guardrails. Use Jenkins as Scheduler, Source control tools (Gitea, GIT, Azure Bucket, Gitlab) and Crucible for code review, benefiting from SAP Cloud ALM to ensure proper Backup Binaries and Source Code, Code inspection and quality control, Release management, Certificates expiration, Automated Testing, Documentation and Code Review.
    • Covering Business Specific Requirements: Delivers business specific components and integrations (such as SSO, Service & Event meshes, Propper monitoring, etc);
    • Establishment of proper Workload services at Applications level running proper set of Application Infrastructure: Any of the many cloud services that form the business? platform for workloads (Servers, Storage, IAM\PAM, SIEM, SOAR etc). The final goal of the Landing Zone: to deliver value to the business
    • Validate, evaluate and technical sign-off of technical changes in capabilities and solutions proposed by external partners.
    • Oversee and guide deployment of security patches, enhancements and changes to the Windows\Linux IT Landscape (including PoCs, PoVs, Canary and Blue-Green deployments, Gold images, and Transfer-to Operations together with L2/L3 running everything as a code

  • Adept at Cost Optimization based on proposer Implement cloud financial management via adopting a consumption model.
  • Measurement of overall efficiency create an understanding of gains Company make from increasing output, increasing functionality, and reducing cost, and at the same time preventing company from spending money on undifferentiated heavy liftings via applying analyze and attribute expenditures. 


Additional IT Experience

08/2017 - 10/2017

Role: Enterprise Architect 

Customer: UBS AG, Zurich Switzerland


Tasks:

IAM/PAM Sustainability Program


02/2017 - 11/2018

Role: Senior Program Manager\Lead Architect 

Customer: VMWare 


05/2016 - 02/2017

Customer: SME IAM Maersk Oil&Gas Copenhagen, Denmark 


06/2015 - 04/2016

Role: Infosys Team Lead\SME 

Customer: Deutsche Bank S.A. Frankfurt am Main, Eschborn Germany 


04/2014 - 11/2015

Role: Infrastructure Delivery Manager 

Customer: UniCredit S.A, Frankfurt am Main, Milano


09/2013 - 04/2014

Role: Director Performance &Technology 

Customer: on request


11/2009 - 08/2013

Role: Senior Director, (Technology and Risk Advisory Service lines) 

Customer: on request


04/2007 - 10/2009

Role: Informational Risk Manager (CISO) 

Customer: ProCredit Bank Holding S.A.


Tasks:

  • ProCredit Bank Holding S.A. 21 growing banks operating in transition economies and developing countries in Eastern Europe, Latin America, and Africa.
  • Currently ProCredit Bank Bulgarian bank holds position in top 10 on Bulgarian Market.


05/2006 - 08/2006

Role: IT Administrator 

Customer: Deloitte SSA


03/2003 - 05/2006

Role: LAN Administrator 

Customer: Piraeus Bank 

Vertrauen Sie auf GULP

Im Bereich Freelancing
Im Bereich Arbeitnehmerüberlassung / Personalvermittlung

Fragen?

Rufen Sie uns an +49 89 500316-300 oder schreiben Sie uns:

Das GULP Freelancer-Portal

Direktester geht's nicht! Ganz einfach Freelancer finden und direkt Kontakt aufnehmen.