Owned security architecture for UBS's enterprise remote access programme, covering 25,000+ users across 40+ countries. Worked across the full architecture lifecycle, from initial threat modelling and pattern definition through to HLD, LLD, engineering oversight and audit validation.
• Designed the remote access platform on Citrix ADC and Ivanti. Built from the ground up on Zero Trust principles, moving away from implicit trust toward identity- and context-based access, with integrated MFA, geo-aware conditional access and jurisdiction-specific policy enforcement across 40+ countries.
• Produced reference architectures and security patterns for the programme that became the engineering baseline across UBS globally. Architecture artefacts included HLDs, LLDs, network and data flow diagrams, trust boundary analyses, threat models and risk assessments.
• Built the conditional access architecture using SAML, PKI, OAuth/OIDC and Azure AD/Entra ID. Role-Based Access Control, least privilege principles, Privileged Identity Management, Just-in-Time access and Workload Identity Federation were applied for regulated users across Switzerland, the UK, the US and APAC.
• Ran vendor evaluations and PoCs across Zscaler ZIA/ZPA, Citrix ADC and Ivanti. Used STRIDE and PASTA to model the threat landscape first, then tested whether vendor solutions actually addressed it before any platform decisions were made.
• Owned the penetration testing lifecycle for the remote access estate. Findings from Nessus and Qualys were scored against CVSS, mapped to MITRE ATT&CK and tracked through remediation with engineering and infrastructure teams.
• Integrated IAM and access logs into Splunk SIEM with detection logic aligned to MITRE ATT&CK, improving anomaly detection and forensic readiness across the estate.
• Contributed to the firm-wide network segmentation strategy, covering firewall zoning, micro-segmentation and east-west traffic review, with NAC and WAF controls incorporated into the broader Zero Trust architecture.
• Embedded ISO 27001, PCI-DSS and NIST CSF controls into the architecture at design stage, supporting successful audit cycles with zero critical findings.
• Represented security architecture in cross-divisional forums and architecture review boards, contributing to Microsoft Defender for Cloud and Azure security baseline adoption across the hybrid estate.
- Company sector:
- Banking
- Job role:
- Banking