Job Details
Position:- PAM CyberArk Architect
Location:- Bay Area, CA (5 Days onsite/Week)
Job Type:- Contract
JD:-
Privileged Access Management Migration Engineer
Role Summary:
- We are seeking a highly skilled PAM Engineer to lead a critical migration project moving our Privileged Access Management infrastructure from Centrify (Delinea) to CyberArk.
- The successful candidate will manage the end-to-end migration across six distinct environments, including FedRAMP, Engineering, and Corporate.
- This role requires deep expertise in both Centrify and CyberArk architectures to ensure zero downtime and strict security compliance.
Key Responsibilities:
Architecture & Strategy
- Environment Assessment: Conduct comprehensive requirements gathering to identify all systems (Windows/Linux, Databases) managed by Centrify and document current authentication methods, MFA usage, and service accounts.
- CyberArk Design: Design and plan the CyberArk architecture, including the placement and configuration of PVWA, PSM, CPM, and Vault components.
- Network Planning: Identify and document required network and firewall rule changes to support the new infrastructure.
Platform Deployment & Configuration
- Component Installation: Install and configure core CyberArk components: Vault, PVWA, CPM, and PSM / PSM for SSH.
- Policy Implementation: Configure foundational policies including Safe structures, platform settings, password rotation policies, and dual control approval workflows.
- Access Control: Define Safe owners, auditors, and privileged user access controls.
Migration Operations (Centrify to CyberArk)
- Data Extraction & Mapping: Export Centrify UNIX profiles, role assignments, and AD bridging rules, and map Centrify Zones to CyberArk Safes.
- Account Migration: Execute privileged account discovery and auto-detection, compare inventories for gaps, and import accounts into CyberArk Safes.
- SSH & Service Accounts: Migrate Centrify-managed SSH keys and Service Accounts, ensuring application credentials use CyberArk AIM/PAM-API.
- RBAC Conversion: Convert Centrify Roles, Zones, and Authorization Profiles into CyberArk Safe permissions and LDAP group assignments.
Server & Agent Management
- Agent Transition: Plan and execute the phased removal of Centrify agents (CentrifyDC, CentrifyDA) and deployment of CyberArk components (AIM, EPM, PSM SSH Proxy).
- Privilege Elevation: Migrate Centrify RBAC profiles to sudoers or CyberArk PSM policies, replacing adedit scripting with CyberArk CLI where necessary.
Testing & Cutover
- Validation: Perform functional testing for PVWA login, PSM RDP/SSH connections, and password rotation validation.
- Security Auditing: Confirm session recording, audit log capture, and session isolation capabilities.
- Cutover Management: Execute parallel runs, manage system group cutovers in waves, and decommission legacy Centrify infrastructure.
Required Qualifications
- Subject Matter Expertise: Proven experience migrating from Centrify (Delinea) to CyberArk.
- CyberArk Proficiency: Hands-on experience installing and configuring Vault, PVWA, CPM, PSM, and AIM/CP.
- Linux/Unix Depth: Strong understanding of Linux identity management, specifically migrating sudoers and handling SSH key management.
- Identity Integration: Experience integrating PAM solutions with IdPs (specifically Okta) and MFA systems.
- Scripting: Ability to replace legacy scripts (e.g., adedit) with CyberArk CLI automation.
- Government/Compliance Experience: Experience working in regulated environments such as FedRAMP (Moderate/High) and DoD IL5 is highly desirable given our deployment scope.
- Global Deployment: Experience managing infrastructure in diverse regions (e.g., China).
- Application Identity: Experience modifying application credentials to utilize PAM-API calls.
Rahul Kumar, Senior Technical Recruiter
CPUC Certified
Address: 3 Ethel Rd, Suite # 302 Edison NJ 08817