Principal IAM Engineer

This is a contract-based employment opportunity.

About EOTSS:

The Executive Office of Technology Services and Security (EOTSS) is the lead enterprise technology organization for the Commonwealth of Massachusetts. Charged with driving the ongoing alignment of business and technology across the Commonwealth’s Executive Branch, EOTSS oversees and manages the enterprise technology, digital infrastructure and services, as well as the Commonwealth Security Operations Center and an enterprise Standard Operating Environment that includes an information security and risk management framework for over 125 state agencies and over 43,000 state employees. We directly serve our constituents by providing digital services and tools that enable taxpayers, drivers, businesses, visitors, families and other citizens to do business with the Commonwealth in a way that makes every interaction with government easier, faster, and more secure.

Our Mission: We provide technology leadership across the Commonwealth to enhance the quality of public service and foster positive community outcomes.

About Mass Digital:

The Massachusetts Digital Service (Mass Digital), within EOTSS, partners with organizations across state government to transform how residents, visitors, businesses and government agencies interact with the Commonwealth. Mass Digital help our partners use the best technology, design, and data to make every interaction with Massachusetts government simpler, faster, and more meaningful.

Now, we’re turning our attention to a vision of statewide digital experiences that are more accessible, simple, and secure. Our roadmap calls for transforming state digital properties and content so that they meet the diverse needs of the people we serve. We’ll achieve this through initiatives to create a single identity and profile for users of Commonwealth services, expand channels of communication, and improve people’s integrated experience across different state services. We will develop new products and services, establish standards, and build capacity within agencies.

To make this vision a reality, we are expanding our engineering team to dedicate technical staff to each of these product initiatives.

About the Role:

Are you a proven technical leader who wants to work on a meaningful public-service software project? Are you an engineer with experience working on large, complex systems looking to step into a leadership role? Read on, this role may be for you.

We are looking for a Principal Identity and Access Management (IAM) Engineer to join our established IAM Team. The IAM team is responsible for creating and managing the infrastructure that provides people with a single account and password to sign in to all participating Massachusetts state services and applications.

What You’ll Do:

As Principal IAM Engineer you’ll be responsible for leading the review and design of new IAM B2C application integrations and deployments using Azure B2C to support the success of MyMassGov.

MyMassGov is the state’s constituent single-sign-on product, seeking to make it easier for Massachusetts constituents to access state services through a single set of credentials. Today, the site has over 550K active monthly users and is actively being rolled out to the state’s largest and most impactful digital experiences.

The Principal IAM Engineer is specifically focused on B2C application integrations (constituent-based applications) that service several thousand to millions of users. With evolving state agency needs & team structure within the IAM program, this position presents a unique opportunity for candidates to ideate creative engineering & architecture solutions focusing on ‘productizing’ deliverables. Our current focus touches areas of optimizing deployments, workflow/upgrade automation, homogenizing our reference stack, improving security of B2C application single sign-on to cloud apps amongst other priorities.

The Principal IAM Engineer will be responsible for prioritizing & defining engineering requirements, setting up Azure DevOps, and operational support with the adoption of next generation IAM and PAM solutions. The candidate will participate in projects & initiatives working with IAM team members, architecture, application development and agency specific engineering teams, service owners, and business stakeholders to provide enterprise IAM and PAM solutions that are scalable and adaptable. We value innovation and strive to continuously improve how we work and the services we provide; as a Principal IAM Engineer, you will have an opportunity to identify areas for improvement and to lead the efforts to refine and realize those improvements across our organization.

Your First Month:

You will spend your first few weeks paired with one of Mass Digital’s senior technical leaders who will help you learn Mass Digital and EOTSS engineering practices and standards, support you through integrating with your product engineering team, and provide any other guidance you need to help you be successful.

Where You’ll Work:

The primary work location for this role is 1 Ashburton Place Boston, Massachusetts 02108. The work schedule for this position is Monday - Friday, 9:00AM to 5:00PM EST. This position is expected to follow a hybrid model of reporting to work that combines in-office workdays and work from home days as needed. However, we are usually able to accommodate any reasonable requests regarding work location, such as fully remote work. This position is expected to perform after hours when needed.

Duties and Responsibilities:

• Work with EOTSS IAM team designing, deploying, supporting, and monitoring IAM solutions using Azure Active Directory or other similar tools.
• Work with EOTSS IAM team with designing, deploying, supporting, and monitoring PAM solutions using Azure DevOps, GitHub (version control and continuous integration), or other similar tools.
• Lead meetings to gather and document business requirements for IT Cyber Security and Compliance projects involving IAM, integration with Active Directory, Multi-factor Authentication (MFA), and Privileged Access Management (PAM).
• Work with business partners and application teams to understand their access and identity requirements and lead efforts to bring requirements in line with enterprise standards.
• Manage & monitor day-to-day issues, incidents & ensure issues are escalated and addressed, and processes are followed.
• Engage in the review & design of new IAM solutions and PAM solutions to ensure appropriate controls and tools are selected and operationalized.
• Act as a subject matter expert on key principles of IAM & PAM with an in-depth knowledge including Authentication and Authorization systems.
• Lead IAM projects & initiatives working with IAM team members, architectural, dev and engineering teams, service owners, and business stakeholders to provide enterprise IAM solutions that are scalable and adaptable with the ever-changing business needs and industry demands.

Preferred Knowledge, Skills, & Abilities:

• Eight (8) years of IAM related experience, with a strong background in engineering and operationally running large scale infrastructure.
• Eight (8) years of experience installing, integrating, and deploying IAM solutions such as Entra ID/Azure AD, SailPoint, Okta, Radiant Logic, CyberArk, Ping, or other similar tools at an enterprise level.
• Thorough experience with IAM principles, methodology, and solutions including access control (role-based and discretionary), authentication, authorization, provisioning, approvals, and workflows.
• Strong hands-on experience and knowledge in managing projects through the full development lifecycle – specifically IAM solutions.
• Strong experience with C# programming language and best practices.
• Understanding key IAM concepts of Least Privilege, Privileged Access, Roles & Data mining, Segregation of Duty (SOD), & Role Based Access Control (RBAC).
• Proficient knowledge of modern Authentication methods, standards, and protocols such as Single Sign On SAML, OAuth, OpenID, Kerberos, LDAP, FIDO2, PIM, PIV, and other relevant mechanisms.
• Proficient experience and advanced working knowledge of access management, Azure Active Directory (Azure AD) and Federated Identities, directory services, Multi-Factor Authentication (MFA) & upcoming technologies in the identity space.
• Experience capturing IAM use cases and defining IAM requirements and processes.
• Experience in managing IAM infrastructure, on-boarding of applications, health check monitoring, policy and password management, certifications, workflows, work items and rules.
• Experience developing IAM governance documentation such as policies, procedures, standards and guidelines, role creation and management, separation of duties, and access reviews.
• Experience and working knowledge of security frameworks and standards such as ISO 27001, NIST, and Zero Trust.
• Document current state and future state business processes/workflows using standard process modeling tools and process improvement methodologies.
• Strong verbal, interpersonal, and written skills with the ability to work directly with business application owners and technical stakeholders to gather requirements and information on application data through reviews, information gathering sessions and walkthroughs.
• Proven ability to translate business problems, existing processes, and technology into service and process requirements.
• Strong problem-solving and troubleshooting skills.

Certifications:

• Certified Identity & Access Manager (CIAM) or Certified Information Systems Security Professional (CISSP) Certification is a plus but not required.