Privileged Access Management Engineer

Direct End Client: Metropolitan Transportation Authority

Job Title: PAM Engineer

Duration: 12 Months

Location: Onsite (2 Broadway NYC NY 10004)

Position Type: Contract

Hours Per Week: 37.5 Hr

Interview Type: In-Person or Web Cam

Ceipal ID: MTA_IAM063_SB

Job ID: 5063-1

**PLEASE NOTE THIS POSITION WILL ALLOW CONSULTANT TO WORK A HYBRID REMOTE SCHEDULE.

UPON START DATE CONSULTANT WILL BE REQUIRED TO WORK FIRST MONTH FULLY ONSITE. ONCE WORK CAPABILITY IS ESTABLISHED, CONSULTANT WILL BE ALLOWED TO WORK A HYBRID REMOTE SCHEDULE CONSISTING OF 3 DAYS ONSITE/ 2 DAYS REMOTE.

We are seeking a skilled Privileged Access Management (PAM) Engineer to join our cybersecurity team. This role will focus on securing privileged identities across Active Directory (AD), Entra ID, Linux, and major cloud platforms (Azure, AWS, and GCP). The PAM Engineer will design, implement, and maintain controls that ensure administrators and endpoints only have the access they need—at the right time and with the least privilege possible.

The ideal candidate will have strong expertise in vaulting platforms, endpoint privilege management, and zero-trust principles, with a proven track record of reducing attack surfaces and improving identity hygiene.

Responsibilities:

1. Administer and enhance the corporate vaulting platform to manage privileged credentials across AD, Entra, Linux, and cloud platforms (Azure, AWS, GCP).
2. Implement credential randomization for local/built-in administrator accounts, service accounts, and cloud root/admin accounts.
3. Ensure time-bound, approval-based access for administrators following least privilege and just-in-time (JIT) principles.
4. Implement and maintain endpoint least-privilege policies across Windows, Linux, and macOS environments.
5. Replace standing local admin rights with controlled privilege elevation workflows.
6. Apply application control and privilege granularity to reduce risks from malware, ransomware, and insider threats.
7. Partner with desktop engineering teams to improve usability while enforcing strong endpoint controls.
8. Lead local administrator cleanup projects and enforce removal of unauthorized admin rights.
9. Harden Entra ID and cloud tenant hygiene by monitoring stale accounts, privileged roles, and excessive permissions.
10. Apply ITDR (Identity Threat Detection & Response) practices to detect and mitigate suspicious privileged activity across on-prem and cloud platforms.
11. Contribute to enterprise Zero Trust architecture initiatives for hybrid and multi-cloud environments.
12. Align privileged access controls with NIST standards and organizational policies.
13. Drive adoption of pass wordless authentication, MFA, and SSO for both on-prem and cloud privileged identities.
14. Manage and monitor privileged roles and accounts in Azure AD (Entra ID), AWS IAM, and GCP IAM.
15. Implement least-privilege design for cloud workloads, service principals, keys, and secrets.
16. Integrate cloud platform identities with PAM vaulting, session recording, and access approval workflows.
17. Collaborate with IGA teams to automate provisioning, deprovisioning, and recertification of privileged accounts across on-prem and cloud.
18. Ensure privileged entitlements are tied to clear business justification and ownership.
19. Create and maintain technical runbooks, architecture diagrams, and operational procedures.
20. Provide reporting on privileged access usage, endpoint privilege management, hygiene metrics, and compliance results.
21. Partner with audit, compliance, and risk teams to demonstrate control effectiveness.

Required Skills:

1. 3–5 years of experience in PAM, IAM, or related security engineering roles.
2. Hands-on experience with AD, Entra ID, Linux, and at least one major cloud platform (Azure, AWS, or GCP).
3. Strong knowledge of vaulting technologies and endpoint privilege management practices (least privilege, privilege elevation, application control).
4. Proficiency with authentication methods: MFA, SSO, passwordless, Kerberos, and certificate-based access.
5. Familiarity with NIST 800-63B, Zero Trust frameworks, ITDR, and cloud security standards (CIS, CSA, etc.).
6. Strong scripting/automation skills (PowerShell, Python, Bash, Terraform, etc.).
7. Excellent documentation and communication abilities.

Preferred Skills:

1. Experience securing privileged access in multi-cloud environments (Azure, AWS, GCP).
2. Knowledge of Entra ID Conditional Access, PIM, AWS IAM policies, and GCP IAM roles.
3. Experience integrating PAM solutions with CI/CD pipelines, DevOps tools, or ITSM workflows.
4. Industry certifications are a Plus (SailPoint, CISSP, CISM, CCSP, Azure Security Engineer, AWS Security Specialty, GIAC, etc.).

Success in This Role Looks Like

1. Reduction of standing local administrator rights and adoption of endpoint least-privilege controls.
2. Demonstrated adoption of MFA, passwordless, vault-based workflows, and privilege elevation.
3. Improved audit and compliance posture with clear reporting of privileged activity and endpoint control enforcement.
4. Measurable reduction in attack surface through consistent identity hygiene and lifecycle management.

V Group Inc. is a NJ-based IT Services and Products Company with its business strategically categorized in various Business Units including Public Sector, Enterprise Solutions, Professional Services, Ecommerce, Projects, and Products. Within Public Sector business unit, we cater IT Professional Services to Federal, State and Local. We have multiple awards/ contracts with 30 states, including but not limited to NY, CA, FL, GA, MD, MI, NC, OH, OR, CO, CT, TN, PA, TX, VA, NM, VT, and WA.

If you are considering applying for a position with V Group, or in partnering with us on a position, please feel free to contact me for any questions you may have regarding our services and the advantages we can offer you as a consultant.

Please share my contact information with others working in Information Technology.

Website: https://www.vgroupinc.com/publicsector

LinkedIn: https://www.linkedin.com/company/v-group/

Facebook: https://www.facebook.com/VGroupIT

Twitter: https://www.twitter.com/vgroupinc