Job Description
PKIaaS Delivery Partner - Insurance
We are currently recruiting for a Delivery Partner with PKIaaS project experience to join one of our Global Insurance Clients on a 6 month contract.
Please note this role is Inside IR35.
High-Level Deliverables:
Work with the PKIaaS vendor's professional services and colleagues to:
* Develop a RACI detailing the shared responsibilities between the SaaS vendor and the organisation's own areas of responsibility.
* Aid in determining the need for an organisation-owned Certificate Policy (CP) and Certification Practice Statement (CPS), or whether leveraging the SaaS provider's will suffice. If the former, aid in its development.
* Provide best-practice advice in determining the CA infrastructure hierarchy, taking account of multiple tenants in Azure, as well as multi-cloud services in AWS and OCI.
* Work with colleagues and the PKIaaS vendor to write the remote root key generation (RKG) ceremony scripts, using a shared/split key model, and test the RKG at the DR site.
* Work with colleagues to develop and test DR/BCP plans for those aspects of the service/infrastructure under the organisation's control.
* Ensure simplified, automated certificate management workflows that enforce compliance with organisational policies and enable both users and machine identities to request, retrieve and revoke PKI certificates via the respective APIs/connectors.
* Develop a set of controls and standard operational procedures for the secure implementation, integration and management of the PKI certificate authorities and certificate lifecycle management (CLM) services, to meet standards and control objectives.
* Develop an appropriate RBAC model, ensuring implementation of a least-privilege access model and appropriate separation of duties and dual control for key CA and CLM operations. Work with IAM teams to define, and ensure creation of, the appropriate groups and entitlement access packages within Entra ID.
* Processes surrounding management of certificate profiles/templates.
* Approval processes for certificate issuance and revocation (as part of integration with the ticketing system).
* Documented integration for key infrastructure for certificate issuance/lifecycle management.
* Integration of the PKIaaS with IdP (Entra ID) to facilitate SSO and MFA enforcement.
* Produce the technical design of the PKIaaS, CLM and licensed features such as SSH certificates and Kubernetes integration.
* Perform the technical implementation of the PKIaaS, CLM, SSH certificates and Kubernetes integration, such that artefacts created during the initial pilot phases can be reused to integrate technology teams' infrastructure during the subsequent wider rollout.
* Define and create IaC templates that technology teams can use to integrate the PKI and certificate lifecycle management with cloud-deployed resources (Azure, AWS, OCI).
* Work with the Security Defense team to identify security-relevant alerts and integrate/push them to the Sentinel SIEM. Additional infrastructure elements (e.g. discovery scanners, CRL/OCSP responders) that need to be logged and alerted on via the SIEM should be identified, including the relevant events, to ensure critical components are monitored.
* Work with the vendor and team to integrate the PKI and CLM tooling with the ticketing tool.
Skills and Experience Requirements
* Work with project management to agree priorities and detailed deliverables, and ensure successful delivery.
* Provide a lead architect/engineer resource to manage the backlog of partner deliverables and deliver to requirements.
* Provide skilled resources, as appropriate, to ensure the success of deliverables.
* For the delivery of operating procedures and controls, resources will have experience of modern PKI CAs and CLM operating practices, processes and compliance requirements.
* Alongside the experience/skills listed below, the partner's resources will have experience of working with development teams and IaC, using modern agile ways of working and a wide range of DevOps tooling.
* At least, but not limited to, the following experience/skills in integrating PKI CA and CLM services and protocols with:
  * Microsoft Intune, including SCEP
  * Cloud Service Provider resources: Azure (the majority of cloud workload), AWS and OCI. This includes integration with the cloud-native vaults in Azure, AWS and OCI, as well as HashiCorp Vault.
  * Networking and Wi-Fi services, including Meraki APs, Cisco, Palo Alto GlobalProtect and other VPN services
  * Kubernetes, and ephemeral IaC/certificates
  * ServiceNow automation and workflow
  * Services and protocols: SCEP, ACME, EST, OCSP and CRL, KMIP, CMPv2
  * Certificate file formats and related standards: PEM, DER, PFX/PKCS#12, PKCS#7, PKCS#10, PKCS#11
If this role is of interest to you or you would like to learn more, please apply now!