Privileged Access Management (PAM) Engineer

QED National•New York, NY

41d•Hybrid

About The Position

Seneca Resources is seeking a Privileged Access Management (PAM) Engineer to support a leading transportation organization in strengthening its cybersecurity posture. This role plays a key part in protecting privileged identities across Active Directory (AD), Entra ID (Azure AD), Linux, and major cloud platforms including Azure, AWS, and GCP. The PAM Engineer will be responsible for designing, implementing, and maintaining identity protection controls that align with Zero Trust, least privilege, and just-in-time (JIT) access principles. The ideal candidate will bring deep technical expertise in vaulting platforms, endpoint privilege management, and identity hygiene, with a proven ability to reduce attack surfaces and improve organizational resilience. This hybrid role offers the opportunity to work on enterprise-level identity security initiatives while collaborating with forward-thinking cybersecurity and cloud engineering teams.

Requirements

3-5+ years of experience in PAM, IAM, or security engineering roles.
Hands-on experience with Active Directory, Entra ID (Azure AD), Linux, and at least one major cloud provider (Azure, AWS, or GCP).
Strong understanding of vaulting technologies, endpoint privilege management, and least privilege access models.
Expertise with MFA, SSO, passwordless authentication, Kerberos, and certificate-based access methods.
Familiarity with NIST 800-63B, Zero Trust, CIS benchmarks, CSA guidelines, and ITDR practices.
Proficiency in automation or scripting tools such as PowerShell, Python, Bash, or Terraform.
Strong written and verbal communication, documentation, and cross-team collaboration skills.

Nice To Haves

Experience managing privileged access in multi-cloud environments (Azure, AWS, GCP).
Knowledge of Entra ID Conditional Access, PIM, AWS IAM policies, and GCP IAM roles.
Experience integrating PAM with CI/CD pipelines, DevOps tools, or ITSM workflows.
Industry certifications such as CISSP, CISM, CCSP, GIAC, SailPoint, Azure Security Engineer, or AWS Security Specialty are a plus.

Responsibilities

Administer and enhance vaulting platforms to manage privileged credentials across AD, Entra ID, Linux, and cloud (Azure, AWS, GCP).
Implement credential randomization for administrator, service, and root accounts.
Enforce time-bound, approval-based access for admins using JIT and least privilege principles.
Lead local administrator rights cleanup and enforce removal of unauthorized admin access.
Monitor and remediate stale or over-privileged accounts across cloud and on-prem environments.
Apply Identity Threat Detection & Response (ITDR) to identify and mitigate suspicious privileged activity.
Contribute to Zero Trust and hybrid cloud security architecture.
Align PAM controls with NIST, CIS, and organizational standards.
Support adoption of passwordless authentication, MFA, and SSO for privileged identities.
Manage privileged roles and accounts across Azure AD (Entra ID), AWS IAM, and GCP IAM.
Implement least-privilege access for service principals, workloads, and secrets.
Integrate cloud identity with PAM tools, session recording, and workflow approvals.
Partner with IGA teams to automate provisioning, deprovisioning, and recertification of privileged accounts.
Ensure privileged entitlements are tied to business justification and ownership.
Maintain documentation, diagrams, and operational procedures for PAM controls.
Generate reports on privileged access, hygiene metrics, and compliance posture.
Collaborate with audit and risk teams to demonstrate control effectiveness and maturity.