IAM ARCHITECT

Montefiore is ranked among the top hospitals nationally and regionally by U.S. News & World Report. For more than one hundred years we have been innovating new treatments, procedures, and approaches to patient care, producing stellar outcomes, and raising the bar for academic medical centers in the region and around the world. Our work to improve health outcomes in underserved communities is unparalleled in the United States. Our workforce is among the most diverse in the US: Montefiore associates speak 60 languages.

We are seeking an Identity and Access Management (IAM) Architect to serve as the technical expert and strategic planner for Montefiore's enterprise IAM solutions. This individual will lead the design, implementation, and management of frameworks that enhance organizational security, streamline user access, and ensure compliance with regulatory requirements. This role calls for a thought leader with deep technical expertise, capable of translating complex business requirements into secure, scalable, and resilient IAM solutions. The IAM Architect will serve as a key advisor to executive leadership, providing guidance on risk management, identity governance, authentication, authorization, and emerging technologies.

In office 4-6 times a year, or as needed.

Responsibilities include:
* Design, develop, and implement secure IAM architecture that align with security architecture and strategy, business goals and regulatory standards.
* Establish and maintain IAM frameworks, including identity lifecycle management, role-based access control (RBAC), and attribute-based access control (ABAC).
* Lead the development of reusable design patterns and blueprints for IAM services.
* Mature the implementation of our privileged access management (PAM) solution, Delinea, to secure and monitor privileged accounts, ensuring compliance with least-privilege principles and reducing insider threats.
* Integrate identity federation, single sign-on (SSO), and multi-factor authentication (MFA) with enterprise systems and cloud services.
* Develop and enforce policies for secure privileged access, including automated password rotation, credential vaulting, and fine-grained access controls.
* Architect solutions for identity provisioning and de-provisioning across on-premises, cloud, and hybrid environments.
* Collaborate with stakeholders to implement governance models for identity compliance, PAM, and access certifications.
* Design and oversee encryption strategies for sensitive identity, privileged, and certificate data at rest, in transit, and in use.
* Integrate IAM, PAM, and PKI solutions with security information and event management (SIEM) tools for enhanced threat detection and monitoring.
* Ensure IAM architecture comply with relevant regulations (e.g., HIPAA, HITECH, NYSDOH 405.46, HITRUST, etc.) and industry standards.
* Provide thought leadership in emerging IAM, PAM, and PKI technologies and practices, staying ahead of the latest trends.
* Continuously improve the organization's IAM architecture to address evolving security challenges.

Requirements include:

* 8 years of experience in IAM, PAM, and PKI, with a focus on architecture and leadership.
* Leadership: Proven ability to lead IAM, PAM, and PKI initiatives and cross-functional teams in complex environments.
* Solution Design: Hands-on experience designing and implementing IAM, PAM, and PKI solutions in large enterprises.
* Deep expertise in IAM, PAM, and PKI principles, including authentication, authorization, privileged session management, and certificate management.
* Extensive experience with IAM, PAM, and PKI technologies such as SailPoint, Delinea, Microsoft Azure AD, or similar.
* Proficiency in IAM protocols (e.g., SAML, OAuth, OpenID Connect, SCIM), PAM best practices, and PKI standards (e.g., X.509, OCSP, CRL).
* Strong understanding of regulatory compliance requirements related to IAM.
* Ability to lead large-scale IAM, PAM, and PKI initiatives, translating business needs into actionable strategies.
* Excellent communication skills for both technical and non-technical audiences.
* Strong interpersonal skills to build relationships and influence stakeholders across all organizational levels.
* Experience in security architecture, solution design, and integration with enterprise and cloud platforms.
Certifications (Preferred but not required):
* Certified Information Systems Security Professional (CISSP)
* Certified Identity and Access Manager (CIAM)
* Microsoft Certified: Identity and Access Administrator Associate
* AWS Certified Security - Specialty
* GIAC Certified Enterprise Defender (GCED)
* GIAC Certified Public Key Infrastructure Professional (GPKI)
* Delinea Privileged Access Management certification or equivalent

Department: Montefiore Information Technology Bargaining Unit:Non UnionCampus:YONKERS Employment Status:Regular Full-TimeAddress:3 Odell Plaza, Yonkers
Shift:DayScheduled Hours:8:30 AM-5 PMReq ID:222404Salary Range/Pay Rate:$150,000.00-$200,000.00

For positions that have only a rate listed, the displayedrate is the hiringrate but could be subject to change based on shift differential, experience, education or other relevant factors.

To learn more about the "Montefiore Difference" - who we are at Montefiore and all that we have to offer our associates, please clickhere.

Diversity, equity and inclusion are core values of Montefiore. We are committed to recruiting and creating an environment in which associates feel empowered to thrive and be their authentic selves through our inclusive culture. We welcome your interest and invite you to join us.

Montefiore is an equal employment opportunity employer. Montefiore will recruit, hire, train, transfer, promote, layoff and discharge associates in all job classifications without regard to their race, color, religion, creed, national origin, alienage or citizenship status, age, gender, actual or presumed disability, history ofdisability, sexual orientation, gender identity, gender expression, genetic predisposition or carrier status, pregnancy, military status, marital status,or partnership status, or any other characteristic protected by law.

SF-DICE-MIT; LI-SC1-REDIRECT