Architect - IAM PKI Sustain - Gandipet Mandal / Hyderabad, India

PKI SME will be responsible for managing the end-to-end digital certificates and lifecycle management solution across all supporting components. This role includes Engineering, Integrations, Operations and maintaining the global PKI environment at par with industry standard and best practices.

• Lead the digital certificate services space, a digital form of identification where consumers, businesses and organizations can exchange data securely, using public key infrastructure (PKI), Enterprise Key and Certificate Lifecycle management (EKCM), Hardware Security Modules (HSM) solutions for global PepsiCo.
• Drive technical discussions to understand digital certificate services requirements while partnering with application teams who design and implement solutions.
• Ensure digital certificate services provided align with PepsiCo’s security standards and align with industry best practices.
• Manage the engineering and operations teams (people and work) for digital certificate services by mentoring junior members, ensuring SLAs are met, and ensuring tasks are properly completed.
• Manage the certificate services space end-to-end from designing solutions for services for new integrations and patterns, to implementing projects in the certificate services space, and providing sustained support across all products in the certificate services space.
• Drive automation initiatives for certificate services including certificate provisioning and monitoring for digital certificate services by identifying opportunities for enhancements and implementation with no issues.
• Maintain and enhance global solutions for the digital certificate area ensuring high availability and disaster recovery across regions with resiliency including planning and delivering upgrades.
• Provide guidance, educate key stakeholders on certificate life cycle processes and procedures.
• Lead incident management for digital certificate services across the solution stack driving root cause and resolution within service level agreement.

Responsibilities

• Engineering and solutioning PKI design and cross functional integrations
• Assisting users on submitting SSL certificate requests
• Working on Incidents, alerts, service requests in ITSM
• Issuing and managing both Internal and external CA certificates using cert management tool
• Assisting users to download the certificate from cert management tool.
• Domain management for issuing external (Entrust) SSL certificates.
• Provisioning (pushing SSL certificates into server) of SSL certificates to AWS, Java JKS and Windows servers.
• Provide support on installation of SSL certificates in Windows IIS, JAVA JKS, Unix/Linux, Apache, Tomcat, Azure Key vault, AWS ALB/ELB, F5’s etc.
• Provide support on generating a CSR or converting certificate formats using open SSL.
• Maintaining data and sending follow up emails on certificates expiry, before they get expired, to avoid warnings and outages.
• Preparing and presenting weekly and monthly reports on Service requests, Incidents, and alerts
• Follow up with users for closure of pending tickets.
• Providing end to end operational support to internal customers.
• Managing certificate and key ownership data and keeping it up to date
• Working Knowledge of ITSM process (Request management, change management, Incident management) on tools such as SNOW.
• Configuring and managing ADCS, CRL and OCSP Services
• Document all key generation and management activities.
• Creating and maintaining CPS, architecture, Process and Run book documents.
• Communicate progress, findings, and ensure successful handoff of deliverables to program and operational teams.
• Provide detailed project Status to stakeholders. 
• Collect feedback from stakeholders and users of security capabilities and incorporate that feedback into service.

Years of Experience

• Overall IT Experience – 10+ years
• Security experience - 8+ years
• PKI, EKCLM - 7+ years
• Power shell scripting - 7+ years
• Cloud platforms (Azure, AWS)- 5+ years
• API development and integration - 5+ years
• BS/BTech in Engineering

Mandatory Technical Skills

• Good working knowledge of cryptographic and modern auth protocols
• Well versed with Certificate based authentication and device trust.
• In depth knowledge of Active Directory Certificate Services (AD CS)
• In depth knowledge of CRL and OCSP and their functionality
• Familiarity with PKI and cryptographic terminology and management
• Knowledge of CLM tool such as Venafi, AppviewX, Keyfactor added advantage.
• Hands on experience and Working knowledge of Thales HSM
• Hands on experience and working knowledge of public CA.
• Good working knowledge of cloud platforms (Azure and AWS) and SaaS offerings for PKI and EKCLM
• Knowledge of Active Directory domain service
• Knowledge of scripting languages such as PowerShell, API based automation.
• Knowledge of ITSM processes like request, incident, change management etc.

Mandatory Non-Technical Skills

• Strong oral and written communications skills
• Ability to work within project timelines.
• Deliver outcomes with a little supervision, must be a self-starter and self-motivator.
• Proactive approach and enthusiasm for problem identification and solving.
• Ability to think strategically and suggest creative solutions.
• Ability to synthesize complex requirements into simple business practices.
• Flexible and able to adapt to changing priorities.

Differentiating Competencies

• Knowledge of various Identity and Access Management technologies and platforms
• Working knowledge of Active Directory Domain services
• Working knowledge of Modern Auth protocols and single sign on
• Good to have knowledge of Quantum cryptography and PQC protocols.
• God to have knowledge of concepts like Device Trust, zero trust and password less authentication.