CISSP Fereidoun Niroobakhsh, Enterprise Architect


BMO (Bank of Montreal) IAM contract via Cognizan

Country
Canada - Ontario
Education
Bachelor's, Electrical and Electronics Engineering
Experience
17 years, 9 months



Work Experience

Total years of experience: 17 years, 9 months

Enterprise Architect at BMO (Bank of Montreal) IAM contract via Cognizant
  • Canada - Ontario
  • In this position since August 2019

Audit support of IAM (Identity Access Management) for over 65 of more than 1600 banking applications based on various operating systems, using the TOGAF Enterprise Architecture Framework. Audit and reconciliation of IAM integrations with Microsoft Active Directory, Role Based Access Mgmt (RBAM) as well as IBM Mainframe z/OS banking applications using RACF-ID and MSA lists. Integration of IAM correction automation from RSA Aveksa AFX (Access Fulfilment Express) and RSA-VIA Identity Governance and Lifecycle /certification process (IG&L) and PKI (Public Key Infrastructure) services. Took part in internal and external audit preparation of IAM for BMO and KPMG. Use of Splunk reporting and Pivot tools for IAM security policy violation investigations.

Security Architect at British Railways contract via Aricent
  • United Kingdom - London
  • June 2018 to June 2019

Implementation and securing of VueForge platform services for machine-driven Big Data implementation, supporting ADSA (Advanced Database Systems and Applications) verification and transitioning to autonomous vehicles, implementation and securing of IoT infrastructure and Electric Grid Asset Management. Integration of COMPASS error correction services into safety and security services, using a combination of satellite positioning and wireless communications to provide signallers with greatly improved visibility into network problems. Implementation and securing of advanced data analytics that gather information from a range of sources to allow safe and efficient passage of multiple vehicles through a temporary block working area.

QP (Qatar Petroleum) Contract via BPC at QP (Qatar Petroleum)
  • Qatar - Doha
  • September 2017 to January 2018

QP (Qatar Petroleum) is one of the key critical-infrastructure industries in Qatar. With the volatile Middle East security situation in mind, I was engaged as Security Architect "via BPC Plus" to restructure the company-wide network to follow the "Purdue Model for Oil and Gas industry" and create a blueprint for company-wide applications to follow ITILv3 and TOGAF. In addition, I was to create the security services catalogue of QP with "Defense-in-Depth and Defense-in-Breadth" for the ICS multiple-vendor environment. The solutions were completed for the following services: IAM, Asset and Acquisition, Inventory Mgmt, End Point and Data Leak Protection, Third Party Vendor Mgmt, Vulnerability and Patch Mgmt, Privacy and Personal Identity Information (PII) protection, Backup /Recovery, SLA Monitoring, Configuration Mgmt, Firewall, IPS and security policy Mgmt, Network and NOC Mgmt, Hiring, Personnel, Safety and Security Training Mgmt, Document Mgmt, Third Party Mgmt, Software License and Support Mgmt, SIEM /SOC, Triage Mgmt, Virtualization and Cloud Resources Mgmt, Capacity Mgmt.

Systems Security Architect at GTAA (Greater Toronto Airport Authority) Contract via Wipro
  • Canada - Ontario
  • October 2016 to January 2017

I was to provide infrastructure and security deployment "via Wipro" on the following projects:

1 - Implement Passenger Analytics, estimating passenger throughput and their dwell time within defined boundaries using the Cisco Prime /MSE /WLC solution with WiFi and Bluetooth beacons.

2 - Expansion of the existing Baggage Handling System (BHS) using Vanderlande products. The solution uses SCADA-managed belts and Fire /Safety Mgmt to deliver baggage from check-in desks to storage and planes through security scanners with a very high degree of accuracy, safety and security.

3 - ISP-Diversity and redundancy using BGP4 routing protocol.

Security Architect in Dubai at DEWA (Dubai Water and Electricity Authority)
  • United Arab Emirates - Dubai
  • November 2013 to June 2016

I was engaged as ICS Security Specialist for securing DEWA Transmission and Distribution as well as Smart Grid program integration. During my contract I delivered the following:

- Updating security policy for OT /SCADA /ICS technologies for over 400 HV (100-400 kV) and 6000 MV (33 kV) substations based on ISO27001/2, IEC62443, ISA 99, NISTIR 7628v4, SP800-53, 800-82, 800-83, NERC CIP002-009v3 /v5 frameworks.

- Restructuring OT communication following the Purdue Model for the Electricity and Water industry, with hands-on modification of routing, switching, SOA /Micro-Services and services orchestration.

- Design and implementation of a new OT Data Centre isolating Operations from Smart Grid and IT, following SABSA, COBIT-5 and TOGAF strategy, planning and roadmap, using best-of-breed technologies (VBlock, UCS, VMware /EMC), Micro-Segmentation and Public Cloud, NOC, service monitoring with scalable Solarwinds EOC, and improved physical and cyber-security policies and updated procedures for OT production services.

- Operational security management activities included hands-on work for IAM (Active Directory), Role Based Access Mgmt (RBAM), Firewall /IPS Policy Review and Remediation Mgmt (Checkpoint, Cisco, Palo Alto, Tufin, Virtual Appliance and Security Gateway), Audit Mgmt, End Point Protection, Third Party Vendor Mgmt, Data Leak Protection, Vulnerability and Patch Mgmt, Privacy and Personal Identity Information (PII) protection, Hardening, NetFlow, Avamar Backup /Recovery and NSX.

- Deployment of Azure Cloud for services within the QA, R&D and Training environments where live data is not used, deploying Role-Based Access Control (RBAC) on a need-to-know basis with Azure AD two-factor access and cloud-based authentication, CASB, SAML 2.0, OAuth 2.0, Azure IAM, Azure Security integration, and security audit (NERC-CIP, PCI-DSS, ISO27001/2, SOC2 Reports).

- Design and hands-on implementation of a SOC (SP800.62v2), defining use cases based on prioritized assessed vulnerabilities, filtering and correlating logs for SIEM (QRadar), and remediation using integrated SAP ticketing handled by the Emergency Response team via an integrated dashboard, with services orchestration fed from SIEM log files. Cyber security covered "Data in transit, Data at rest and Data in memory".

- OT services integration with Smart Grid infrastructure security for Smart Meters, DG (Distributed Generation), DR (Demand Response), EV (Electric Vehicle) and DA (Distribution Automation) by creating a scalable PKI based on UTD (Unified Threat Defence) above substations as well as 30,000 pocket substations. The Smart Grid network used 802.15.4g (Zigbee /6LoWPAN) RF-Mesh as well as WDM-PON, TWDM-PON, GPON and Huawei OSN9800, OSN1800 fibre-to-the-home technology.

Smart Grid IT Systems Architect at Siemens Canada
  • Canada - Ontario
  • October 2012 to June 2013

I was acting as Smart Grid IT Architect in the Central Office (Ontario Project) as well as a member of the CoC team for Siemens Smart Grid development in Fredericton, responsible for consultation and planning of a multi-year business transformation program for Siemens smart grid clients.

This included complete smart grid IT/OT/Infrastructure /Security Architecture restructuring using the Siemens structured architecture framework, estimating the client's transformation requirements using Capability Maturity Model Integration (CMMI), delivering all planning phases and services using Siemens Smart-Grid Products for IT /OT /Security Architecture based on NERC CIP002-009, as well as pricing the multi-year Business-Transformation-Program.

Delivering the Siemens Smart Grid transformation framework, via which the client goes through the Smart Grid 360-degree capability maturity model consulting program. This includes "Orientation" and "Destination" consulting studies, through which the client's target progress for IT/OT/Infrastructure is agreed upon. From these studies a Gap Analysis and maturity model diagram is created that compares the "as-is" state with the desired level of maturity. The final "Routing" study phase identifies the relevant Siemens Smart-Grid Product customization based on NERC CIP002-009 client requirements, and a Business-Transformation-Program is created and priced.

IT Systems and Infrastructure Architect Contract via IBM at Hydro One (Ontario Power Company) /IBM Canada
  • Canada - Ontario
  • August 2011 to September 2012

Reporting to IBM as IT Systems and Infrastructure Architect on the ADS project, my responsibility was to architect the network and systems for ADS (Advance Distribution Solution). Program implementation is based on ITIL, SOA /Micro-Services, Schneider Electric, General Electric, Telvent OASyS, ICCP (Inter-control Centre Communications Protocol, IEC60870-6) and SCADA (supervisory control and data acquisition) concepts, with a maximum 2-second response time to events on electrical systems. The team consisted of 60 IBM, Hydro One, GE (General Electric) and Telvent personnel. As architect I supported delivery of the conceptual and logical design of the network, security zones and "Management Services" required in the service catalogues for the ADS program based on ITIL and SOA /Micro-Services. Key services were Microsoft Active Directory (IAM), MS Forefront Identity Manager, Role Based Access Mgmt (RBAM), HP SIEM (ArcSight), RSA, RADIUS, Citrix XenDesktop, Malware and End Point Protection, Update and Distribution, OS and Application Update and Distribution, Backup /Recovery, Server Hardening, Services Orchestration Dashboards and SolarWinds management.

Network Architect Contract in Amsterdam at TAQA (Abu Dhabi National Energy Company)
  • Netherlands
  • September 2008 to February 2011

- My responsibility as Network Architect at TAQA was integrating acquired assets and network infrastructure, creating support mechanisms and unified services, and turning them into a unified global architecture following ITILv3 standards and design. My activities included the following: IP restructuring, VoIP global unification, creating video-conferencing facilities, building network and service redundancy, delivering QoS (Quality of Service) for Voice, Video and Data across acquired networks, implementing CWDM (Coarse Wavelength Division Multiplexing) technology, building a global Data Centre, Disaster Recovery using SAN /Brocade, FC, FCIP, FCoE, NetApp communication, NetApp Storage Management System, Nexus 10G, Server Virtualization, L3 Load Balancing using F5 BIG-IP LTM /GTM (Local /Global Traffic Management), Riverbed 7500 accelerator, WebSense Global Security solution, MS Active Directory, Role Based Access Mgmt (RBAM), Citrix NetScaler, Citrix XenApp, VMware ESXi, vSphere, vCenter, Citrix XenDesktop virtualization, Firewall Security Zones, Firewall Policy Review and Remediation, Firewall Policy Audit and restructuring, End Point Protection, Global Service Design, Delivery and Monitoring, IT procedure definitions, Telepresence, Cisco Unified Communications service deployment, and unified hierarchical network management and monitoring using Solarwinds EOC etc.

Global MPLS - Network Design Engineer at O2 Germany (Business Services)
  • Germany
  • December 2007 to May 2008

- (LAN, WAN, DWDM, CWDM, Routing, Switching, OSPF, EIGRP, BGP4) projects - Clients use Full-Mesh MPLS-VPN or Hub/Spoke MPLS-VPN with Disaster Recovery and Managed Multi-Zone Firewall Services.

Network Specialist at Smart Systems for Health Agency (SSHA)
  • Canada - Ontario
  • January 2007 to July 2007

I was acting as the Network Specialist for Cisco 124xx and 76xx switches and Juniper-based routing /switching products. I helped to upgrade the connections of hospitals to the SSHA core network via the newly developed MPLS-VPN infrastructure using VRF technology.

Security Consultant at Ministry of Interior Security
  • Saudi Arabia - Riyadh
  • March 2006 to October 2006

Securing the Ministry network and databases from misuse and terrorism was considered a vital role in this project. I acted as the Security Consultant for Juniper-based network devices (firewalls and IDPs).

Network Architect (Contract) at Rogers Cable
  • Canada - Ontario
  • February 2005 to March 2006

- (LAN, WAN, DWDM, CWDM, Routing, Switching, OSPF, EIGRP, BGP4) (1) In the BW-Management project I helped prevent Peer-to-Peer applications from using most of the core network bandwidth, and deployed 120 Cisco Deep Inspection Engines (SCE) and their associated 40 Collection Manager servers (Sun Netra-240) to control and manage Rogers Internet service usage, at a cost of CAD 30M. (2) In the IPSec Extranet project I helped to use Cisco IOS-FW, Authentication-Proxy and inspection technology to provide safe, large-scale Network-to-Network access for vendors, enabling them to reach deployed servers in Rogers's network for support purposes with minimal risk to Rogers, using Gated-Access technology. (3) In the HD VOD (High Definition - Video On Demand) project I evaluated the upgrade path for re-architecting Rogers HD VOD services using Multicast MPLS-VPN and PIM-SSM technologies with SeaChange and Tandberg VOD servers and services. This enabled Rogers to later deliver HD and VOD services to its 3 million customers.

At IBM Global Services
  • Canada
  • October 2003 to November 2004


Education

Bachelor's, Electrical and Electronics Engineering
  • at University of East London
  • June 1991

Honours II/II degree in Electrical and Electronics Engineering, specialising in Automation and Telecommunication systems.

Specialties & Skills

IT Infrastructure
Security Assessments
Security Architecture Design
Azure Cloud
CISSP, CCNP, JNCIS, CCSA
Infrastructure Architecture
Security Implementation and Audit
Network Design, Implementation and Monitoring
Virtualization and Cloud integration
ISO27001/02, IEC62443, ISA 99, SP800-53/82, NERC CIP002-009v3 /v5
TOGAF, SABSA and COBIT 5
IAM, Cloud and Active Directory integration
Asset Management
cyber security
vulnerability assessment
firewalls
network operations
penetration testing

Languages

English
Native language
German
Native language

Training and Certifications

CCSA (Certificate)
Valid until:
April 2006
JNCIS (Certificate)
Course date:
June 2007
CCNP (Certificate)
Course date:
June 2003
CISSP (Certificate)
Course date:
November 2018