PAM Engineer NYC NY
Listed on 2026-01-02
Company:
Kanak Elite Services
Job Title:
Privileged Access Management (PAM) Engineer
Location:
NYC NY (Hybrid)
Start:
Consultant will work onsite for the first month; after capability is established, a hybrid schedule (3 days onsite / 2 days remote) is expected. Hours per week: 37.5.
Duration:
Contract
Experience:
10+ years
Role Overview
We are seeking a skilled Privileged Access Management (PAM) Engineer to join our cybersecurity team. This role will focus on securing privileged identities across Active Directory (AD), Entra ID, Linux, and major cloud platforms (Azure, AWS, and GCP). The PAM Engineer will design, implement, and maintain controls that ensure administrators and endpoints have only the access they need, at the right time and with the least privilege possible.
The ideal candidate will have strong expertise in vaulting platforms, endpoint privilege management, and zero-trust principles, with a proven track record of reducing attack surfaces and improving identity hygiene.
Key Responsibilities
Privileged Identity Security
- Administer and enhance the corporate vaulting platform to manage privileged credentials across AD, Entra ID, Linux, and cloud platforms (Azure, AWS, GCP).
- Implement credential randomization for local/built-in administrator accounts, service accounts, and cloud root/admin accounts.
- Ensure time-bound, approval-based access for administrators following least privilege and just-in-time (JIT) principles.
Endpoint Privilege Management
- Implement and maintain endpoint least-privilege policies across Windows, Linux, and macOS environments.
- Replace standing local admin rights with controlled privilege elevation workflows.
- Apply application control and privilege granularity to reduce risks from malware, ransomware, and insider threats.
- Partner with desktop engineering teams to improve usability while enforcing strong endpoint controls.
Identity Hardening & Hygiene
- Lead local administrator cleanup projects and enforce removal of unauthorized admin rights.
- Harden Entra cloud tenant hygiene by monitoring stale accounts, privileged roles, and excessive permissions.
- Apply ITDR (Identity Threat Detection & Response) practices to detect and mitigate suspicious privileged activity across on-prem and cloud platforms.
Security Architecture & Standards
- Contribute to enterprise Zero Trust architecture initiatives for hybrid and multi-cloud environments.
- Align privileged access controls with NIST standards and organizational policies.
- Drive adoption of passwordless authentication, MFA, and SSO for both on-prem and cloud privileged identities.
Cloud Identity & Access
- Manage and monitor privileged roles and accounts in Azure AD (Entra ID), AWS IAM, and GCP IAM.
- Implement least-privilege design for cloud workloads, service principals, keys, and secrets.
- Integrate cloud platform identities with PAM vaulting, session recording, and access approval workflows.
Identity Lifecycle Management
- Collaborate with IGA teams to automate provisioning, deprovisioning, and recertification of privileged accounts across on-prem and cloud.
- Ensure privileged entitlements are tied to clear business justification and ownership.
Documentation & Governance
- Create and maintain technical runbooks, architecture diagrams, and operational procedures.
- Provide reporting on privileged access usage, endpoint privilege management, hygiene metrics, and compliance results.
- Partner with audit, compliance, and risk teams to demonstrate control effectiveness.
Qualifications
- 3-5+ years of experience in PAM, IAM, or related security engineering roles.
- Hands-on experience with AD, Entra ID, Linux, and at least one major cloud platform (Azure, AWS, or GCP).
- Strong knowledge of vaulting technologies and endpoint privilege management practices (least privilege, privilege elevation, application control).
- Proficiency with authentication methods: MFA, SSO, passwordless, Kerberos, and certificate-based access.
- Familiarity with NIST 800-63B, Zero Trust frameworks, ITDR, and cloud security standards (CIS, CSA, etc.).
- Strong scripting/automation skills (PowerShell, Python, Bash, Terraform, etc.).
- Excellent documentation and communication abilities.
- Experience securing privileged access in multi-cloud environments (Azure, AWS, GCP).
- Knowledge of Entra Conditional Access, PIM, AWS IAM policies, and GCP IAM roles.
- Experience integrating PAM solutions with CI/CD pipelines, DevOps tools, or ITSM workflows.
- Industry certifications are a plus (SailPoint, CISSP, CISM, CCSP, Azure Security Engineer, AWS Security Specialty, GIAC, etc.).
Expected Outcomes
- Reduction of standing local administrator rights and adoption of endpoint least-privilege controls.
- Demonstrated adoption of MFA, passwordless, vault-based workflows, and privilege elevation.
- Improved audit and compliance posture with clear reporting of privileged activity and endpoint control enforcement.
- Measurable reduction in attack surface through consistent identity hygiene and…