A solid and extensive background in process development, architecting, engineering, operating and fully supporting diverse infrastructures (physical and logical), particularly Active Directory. Key discipline and success surrounds architecting, engineering and providing capacity planning designs for such enterprise environments which significantly reduces short and long term business-wide ownership costs.Mainly specialize in Active Directory, and as a secondary Exchange, infrastructure and administrative analysis, determining business requirements, discovery, enlightenment and implementation of inherent business standards (i.e. security, naming, service, object/resource model, etc) and graceful phasing-out of unusual, typically of long duration, technical practices while simultaneously substituting these with best known practices. If not already established, scoping and training of affluent technical team to support and maintain their infrastructure. Most importantly gauging the delivery of technical findings and recommendation to the (usually diverse) appropriate audiences.

Security workload team lead (member) of the global M365 cloud deployment project. As security lead, responsible for a multitude of duties across several internal and client facing work streams. Security and lead duties consist of a.) in-depth and complex client-facing design collaboration meetings consisting of discovery and deliverables (spanning multi-affiliates consisting of differing and conflicting business rules, processes, policies, governance, etc.) b.) delivery of over a dozen high and low level designs consisting of normalizing standard and privileged identities, security practices for objects, password policies, governing threat protection, telemetry and reporting for Cloud Application Security, Advanced Threat Protection, integration of M365 stack, etc. c.) Alignment and collaboration with internal business group in defining project goals & scope, and d.) lead (hands on) and coordinate with security team and client implementation of Azure AD Connect (spanning multiple affiliates), Azure AD Password Protection, Azure Advanced Thread Protection, Azure Information Protection, Conditional Access, Privileged Identity Management and MCAS (Microsoft Cloud Application Security). As the security team lead, interface with client along with other technical architects to design and align implementation details across multiple workstreams.

Member of the global cloud & security architect team. Collaboration with and between multiple on-premise and cloud focused business units (including O365, endpoint security, mobility, etc.) defining security and operational standards along, with present and future strategic business goals, IT cloud governance, requirements and standards surrounding Azure identities, Office 365 SaaS webapps, authentication/authorization, security boundaries, etc.Additional responsibilities and tasks include: 1.) Lead and mentoring for both onshore / offshore teams defining playbooks and standards, troubleshooting document and standard operating procedures (SOP), 2.) Create and drove definition-standards for change management processes 3.) Define, implement, secure and fully document installation and upgrade paths for Azure AD Connect (AADC) and Active Directory Federation Services (ADFS), along with AAD health monitoring and alerting (coupled into SCOM and Azure Monitor), while at the same time standardizing / reducing security exposure and risk, 4.) Research, fully document, disseminate (via lunch & learn brown bag sessions), mentoring, troubleshooting/remediating and driving business SOPs and initiatives to safely and securely remediate insecure TLS protocols across the entire enterprise (100k workstations, 2,500k applications, 15k servers) - i.e..NET compiled applications, SCHANNEL TLS Client & Server settings, strong cryptography, etc.), 4.) define standards and lead documentation efforts internally across entire cloud practices.

Member of global architectural team, overseeing, defining business requirements (justifications, security, etc.) and coordinating multiple domestic/international architectural projects, including Exchange transitions/migration for 27 differing international entities, designing and presenting multiple Azure Proxy Applications solutions (B2B), designing/testing/implementing hardening of governance restrictions for users/devices (strict Device Compliance, Conditional Access & Application Controls).Parallel to business-wide MFA efforts & core-business Exchange Online (EOL) migration, identifying and remediating identity inconsistencies across business multiple Directory Infrastructures (e.g. CA, AzureAD & AD, etc.). Significant efforts level against AzureAD (1a. Identity/Principal cleanup (orphan objects, disjointed objects, etc.), 1b. significant remediation of synchronization health (duplicate attributes, data mismatch, illegal attributes, etc.), 1c. automation of reports & alerts (powershell modules), 1d. optimization of several homegrown cloud identity management scripts & Active Directory (2a. level-set directory & object accuracy & consistency for 350k objects, 2b.) identify, coordinate and safe-reduction of nearly 150k stale principals, 2c.) classification/identification of user principals (productivity, business partners, contractors, service accounts, resources, privileged, etc.), 2d. design of separation of duties, 2e.) redesign of IDM delegation forest design.

Principal Microsoft Architect driving and coordinating two significant work streams across multiple teams, business units (including PMs) and technologies. Each effort involved directly developing comprehensive risk assessments, educating teams, presenting and vetting architectural options and directions (audience-appropriate content) to a myriad of stakeholders and business units, developing fully documented test, staged and implementation plans/designs, driving and achieving rigorous timelines/deliverables, and overall increasing holistic stability across the enterprise. In addition, duties required the creation a team of engineers and document writer for: Work stream 1.) Stabilization for the whole of Active Directory - Stabilization efforts have spanned across multiple core and remote secure zones; encompassed planning, scoping, vetting and stabilizing Forest/Realm Trusts, Forest wide replication (root/child domains), replacing NTFRS with DFSR for Sysvol replication, IPSec implementation for Domain Controller comm, full optimization of a.) AD site topology & b.) client site coverage. Additional stabilization efforts included working with multiple teams to draft/publish Active Directory documentation artifacts for managing a.) Active Directory (Sites & Services, object models, naming convention, etc.) & b.) full DC Lifecycle operations playbook. The second work stream included security remediation. Work stream 2.) Security Remediation for the whole Active Directory. This work stream included 3 milestones. Milestone A.) Remediation of a list of 355 security related items (from an off-line RAP), including aligning internal and external teams for planning/scoping, driving Kerberos Golden Ticket reset risk analysis, test scenarios, and performing the two-stage reset. Efforts also included remediation of various AD Infrastructure elements, AD Objects (including delegation, cleanup of privileged groups, SDAdmin holder, etc.) and more.

On going contractual projects: Design and Remediate Active Directory and Wintel Infrastructure

On going contractual projects: Design and Maintain NWP AD and Wintel Infrastructure

DTS Contractual Project: Active Directory Infrastructure Design and Remediation

Predicated on recent IPO and segmentation drivers, energies and responsibilities divided into (3) three deliverables – (a) gathering and documenting business, technical and security requirements (holistic understanding of challenges and opportunities), (b) current state service, application, security and process discovery (on-going effort) and (c) architectural design and recommendation alignment from both produced from requirements and current state discovery.Gather, simplify and socialize requirements to internal stakeholders and business units. Paralleling requirement gathering process, constructed cooperative framework between internal & parent Co. counterparts and teams to drive and simplify current state standards on discovery efforts (Application Security/Compliance, Computing, Data Center, End User, Networking services and User Provisioning). From discovered data, drive standards to simplify classification/categorization of current state services and applications - (1) obsolesces, (2) transition (future state), (2a) hosted and/or (2b) cloud based. Implement deep-dive assessment framework for services and software to build and drive future state technical requirements. Alignment of both business and technical requirements to build and drive standards for future environment (security framework, identity management, provisioning, role based access controls, etc.). Architecting future managed & unmanaged infrastructure, between on-premise, hosted and a federated cloud environment (SaaS services: Office 365, STARS, SurePay, Training, etc.).Between current state (include Active Directory) and future anticipated/adopted state of IdMaaS, cloud SaaS and hosted PaaS/IaaS, architecting underlying models for client’s forest/domain, privileged access, PKI/CA hierarchy (supporting multiple trusts), IPSec/host-based firewalls, role based access (RBA), GPO, OUs, objects, attributes, etc.

Global DMZ deRisk remediation project. Mandated by compliance guidelines, BofA has undergone a face lift to global DMZ communications controls, including their management components, customer facing and internal applications, Active Directory and, most notably, security design. Project responsibilities broken into multiple phases and deliverables (a) discovery of global environment & recommendations (b) design and execute expansion and optimization playbook for domestic, AMRS, EMEA and APAC DMZ communication controls, footprint for Active Directory (sites, w2k8/12, schema, etc.), new operating systems (Microsoft/Linux/AIX) and applications, (c) coordination with global application teams to identify and remediate management and security gaps of DMZ AD environment (d) drive migration playbook (from W2k3 to W2k8) (e) act as coordination point for global teams (including PMO) to newer W2k8 IPSec & Host Based Hardening Active Directory rule model, (f) identify, educate, vet, document and drive improvements (e.g. CA/Certs, IPSec Security associations, firewall rules, physical firewall footprint, naming standards, GPO, directory objects, etc.) (g) maintain project timelines and scope (h) develop Forest/Domain build playbook.

Multi-forest/site global PCI Active Directory present and future environ remediation & standards engagement, replete with analysis, planning, staging, build-out and implementation of guidelines, massive 200k non-compliant object cleanup and preparatory migration actions of existing legacy Win2k native AD environment, audit and cleanup of privileged accounts/groups, including application concentric FIPs/PCI compliance efforts against existing dilapidated and newly built/pristine Win08 R2 environment. Architectural/engineering responsibilities include: steering of authentication and authorization designs, concepts and fast-tracked of implementation, providing triage to known faults in and around hundreds of home grown applications, divorce/offloading of core enterprise service roles from AD to varying platforms (e.g. MSDNS+I to Infoblox). Additional responsibilities include audit and remediation of non-compliant AD objects and services, including identified hits to LDAP versioning, authentication (LMCompat family, Kerberos, Certificates, etc.), account userAccountControl flags (e.g. UF_PASSWD_NOTREQD), removal of various non-compliance FIPs items, etc. Additional responsibilities include developing logical plans and writing powershell scripts/reusable libraries for various automation & reporting requirements (account bit flags/ACEs, local services/tasks, etc.), providing 1on1 training and recommendations of best known standards for GPOs/AD object models, PKI security design, and more.

Holistic (architectural duties encompass) redesign, restructure and migration of client’s current international SUN LDAP DMZ environment to Active Directory. Primary & ancillary duties include: DMZ functional/structure requirement gathering, cross group collaborative vetting of existing infrastructure and anticipated technological needs to business standards, policies and best known practices, generate (from requirements) prioritized tasks and additional touch points with/to international groups. Driven by prioritized requirements, coupled with collaborative efforts across multiple business/technical/security platforms: provide proposal design docs/drawings, build-out of lab infrastructure to best meeting requirements while adhering to standards (business, technology, global security, infrastructure, et al.), continuous adjustments to key integration and technical standards, principals and scope, seeking and developing internal/external opportunities, working with the security and technical teams to development and raise awareness on standards for authentication rules (Out of Band Network, PKI , Kerberos, NTLM, cert, etc), NameSpace (forest, security, etc), DMZ infrastructure footprint (hardened designs/systems), services (Monitoring/Patching, IPSec, DNS, RODCs, AD, GPOs, custom Schema objects (500k objects), etc), technical approaches and methodology.

DTS Contractual Project: Active Directory Infrastructure Design and Remediation

DTS Contractual Project: Active Directory Infrastructure Design and Remediation

DTS Contractual Project: Active Directory Infrastructure Design and Remediation

DTS Contractual Project: Active Directory Infrastructure Design and Remediation

DTS Contractual Project: Active Directory Infrastructure Design and Remediation

Infrastructure Design and Remediation Project

DTS Contractual Project: Active Directory Infrastructure Design and Remediation

DTS Contractual Project: Exchange & Active Directory Infrastructure Design and Remediation