Identity & Access Engineer (IAM) in Salford

Salford | Full-Time | 60000 - 75000 £ / year (est.) | No working from home possible

At a Glance

  • Tasks: Design and implement secure identity frameworks across multi-cloud platforms.
  • Company: Finova, the UK's largest financial services tech provider.
  • Benefits: Hybrid working, private medical insurance, flexible holidays, and gym discounts.
  • Other info: Inclusive environment with opportunities for growth and development.
  • Why this job: Join a dynamic team and shape the future of fintech security.
  • Qualifications: 4-6 years in IAM or security engineering with cloud experience.

The predicted salary is between 60000 - 75000 £ per year.

Finova is the UK’s largest financial services technology provider. Our agile, cloud-native solutions enable banks, building societies, and lenders to deliver digital experiences while maintaining regulatory compliance. We are seeking a seasoned IAM Specialist to own the design and implementation of identity, access, and entitlements across a multi-cloud SaaS fintech platform.

Responsibilities

  • Translate architectural choices into practical, automated, and secure IAM implementations spanning workforce, customer, and machine identities.
  • Work with multi-cloud infrastructure across AWS, Azure, and GCP.
  • Enforce tenant isolation and least privilege to satisfy regulators, while defining access boundaries for AI pipelines, vector databases, and automated decision engines.
  • Work in a highly collaborative, hands-on hybrid role, balancing high-level access modelling with day-to-day configuration, such as writing OPA Rego rules or configuring Azure AD Conditional Access policies.

About you

You are a highly analytical identity purist who recognises that identity is the security perimeter in a cloud ecosystem. You bridge application engineering, cloud infrastructure, and regulatory audit as a subject matter expert on access control.

Key Attributes

  • Structural Architect: mapping complex business roles into automated framework permissions while avoiding privilege creep.
  • Code-Driven Security Advocate: policy-as-code and auditable repositories with continuous testing for authorization logic.
  • Pragmatic Problem Solver: using Just-In-Time elevation, automated provisioning, and SSO to balance security and usability.
  • Rigorous Guard of Boundaries: strong focus on isolation details to defend against cross-tenant data leaks and broken access controls.

Experience

  • 4–6 years in IAM, security engineering, or identity-focused cloud engineering with hands-on enterprise deployment.
  • Entra ID Expertise: deep practical knowledge of Azure AD (Entra ID), including app registrations, Conditional Access, PIM, and federation configurations.
  • Multi-Cloud Competency: hands-on experience with at least two major clouds (AWS IAM, Azure RBAC, or GCP IAM) and familiarity with all three.
  • Application & DB IAM: experience implementing RBAC/ABAC in .NET / ASP.NET (Claims, ASP.NET Identity) and SQL Server access management (roles, RLS, data masking).
  • Federation Protocols: SAML 2.0, OIDC, OAuth 2.0, and SCIM provisioning workflows.
  • Policy-as-Code Skills: writing, testing, and deploying authorization policies (OPA/Rego, Azure Policy, or AWS SCPs) in CI/CD pipelines.
  • Modern IAM Tooling: familiarity with PIM/PAM, CIEM concepts, secretless DevOps patterns (OIDC-based pipeline identity), and secrets managers (Azure Key Vault, HashiCorp Vault).
  • SaaS Architecture: understanding multi-tenancy and identifying missing tenant contexts or authorization bypass risks.
  • Communication: ability to articulate complex identity structures and compliance mandates to developers, architects, and auditors.

Nice-to-Have

  • Fintech Experience: IAM in regulated domains such as banking, payments, or insurance.
  • CIEM/IGA Platforms: familiarity with Entra Permissions Management, Ermetic, SailPoint, or Saviynt.
  • AI Infrastructure Security: access controls for model training environments, feature stores, or LLM integrations.
  • Certifications: SC-300, AWS Security Specialty, AZ-500, CISSP, or CCSP.
  • Automation Scripting: PowerShell or Python for automating access reviews and IAM operations.
  • Zero Trust Strategy: understanding of broader Zero Trust architectures integrating device, network, and identity decisions.

What you will be doing

  • Identity Architecture & Federation: design and implement an identity framework spanning workforce, customer, and machine identities.
  • Primary IdP Management: configure and manage Azure AD (Entra ID) tenant structures, app registrations, Conditional Access, and directory sync.
  • Enterprise Federation: implement SAML 2.0, OIDC, and WS-Federation patterns to onboard customer-managed IdPs for enterprise SSO.
  • Automated Provisioning: design SCIM-based provisioning and deprovisioning workflows for SaaS tenants.
  • Multi-Cloud Mapping: map Azure AD identities to AWS IAM roles and GCP Workforce Identity Federation to maintain a centralized access model.

Privileged Access & Entitlements Management

  • PIM/PAM Operations: Just-In-Time access, time-bound elevation, and multi-stage approvals for sensitive roles.
  • CIEM Right-Sizing: monitor and reduce standing privileges across AWS, Azure, and GCP.
  • Access Certification: automated entitlement review campaigns for manager attestation.
  • Break-Glass Procedures: emergency access workflows with automated expiration and audit trails.

Application-Level Access Control

  • Layered Enforcement: enforce access control consistently across ASP.NET middleware, API gateways, and SQL Server.
  • Claims Mapping: map business roles to ASP.NET Identity and database permissions.
  • Tenant Isolation: enforce tenant-scoped RBAC to prevent cross-tenant escalation.
  • Policy-as-Code: Open Policy Agent (OPA) / Rego policies with version control, testing, and CI/CD rollout.

Multi-Cloud IAM Operations

  • Cloud Hardening: manage AWS SCPs, Azure RBAC/Managed Identities, and GCP Organization Policy.
  • Least-Privilege Verification: automated tooling to identify and remove unused access.
  • Machine Identities: short-lived credentials and workload identity federation for service accounts.

DevOps & SQL Infrastructure Access

  • Pipeline Security: secure CI/CD pipelines and artifact registries using federated workload identity.
  • SQL Governance: manage SQL Server permissions, RLS, data masking, and Always Encrypted.
  • Database DevOps: access controls for migration tools and analytics queries.
  • Database Auditing: monitor privileged queries and schema changes.

AI & ML Pipeline Access Control

  • Workload Identity: scoped, short-lived credentials for model training jobs and pipelines.
  • AI Component Protection: access controls for vector databases, feature stores, and model registries.
  • Endpoint Authorization: restrict who can invoke AI endpoints.
  • Data Boundary Enforcement: collaborate with Data and AI teams to enforce isolation in ML pipelines.

AppSec & Compliance Integration

  • Automated Evidence: align IAM with SOC 2 Type II, PCI-DSS, and regulatory mandates; automate evidence collection.
  • Identity Auditing: unified audit logging for authentication events, authorizations, and policy updates.
  • Threat Modeling: contribute to threat modeling against credential stuffing and token theft.
  • AI Governance Integration: address access oversight for model deployments and AI decision logs.

What We Offer

  • Hybrid working: flexible office/home balance.
  • Private medical insurance, life assurance & income protection, and family-friendly policies.
  • Work from anywhere (with approval) up to 4 weeks per year.
  • Flexible holiday package: 25 days plus public holidays, holiday trading options.
  • Company pension scheme with salary exchange.
  • Employee assistance programme for confidential counselling.
  • Electric car scheme with salary sacrifice.
  • Health cash plan and gym discounts.
  • Perks such as snacks and team socials.

Equal Opportunity Statement

We value diversity and are committed to an inclusive environment. If you’re passionate about this role but don’t meet all criteria, please reach out to discuss alignment with our needs.

Identity & Access Engineer (IAM) in Salford employer: finova

Finova is an exceptional employer, offering a dynamic work culture that prioritises collaboration and innovation in the fintech sector. With a strong focus on employee growth, we provide extensive benefits including hybrid working options, private medical insurance, and a flexible holiday package, ensuring our team members thrive both personally and professionally in Manchester's vibrant tech landscape.

Contact Details:

finova Recruitment Team

StudySmarter Expert Advice🤫

We think this is how you could land Identity & Access Engineer (IAM) in Salford

Tip Number 1

Network like a pro! Reach out to folks in the industry, attend meetups, and connect with people on LinkedIn. You never know who might have the inside scoop on job openings or can put in a good word for you.

Tip Number 2

Prepare for interviews by practising common IAM scenarios and technical questions. We recommend setting up mock interviews with friends or using online platforms to get comfortable with articulating your experience and skills.

Tip Number 3

Showcase your expertise! Create a portfolio or GitHub repository that highlights your IAM projects, code samples, and any relevant automation scripts. This gives potential employers a tangible look at what you can do.

Tip Number 4

Don’t forget to apply through our website! It’s the best way to ensure your application gets seen by the right people. Plus, we love seeing candidates who are proactive about their job search!

We think you need these skills to ace Identity & Access Engineer (IAM) in Salford

Identity and Access Management (IAM)
Azure AD (Entra ID)
AWS IAM
GCP IAM
SAML 2.0
OIDC
OAuth 2.0

Some tips for your application 🫡

Tailor Your Application: Make sure to customise your CV and cover letter for the Identity & Access Engineer role. Highlight your experience with IAM, cloud platforms, and any relevant projects that showcase your skills in identity architecture and access control.

Showcase Your Technical Skills: We want to see your hands-on experience! Be specific about your familiarity with Azure AD, AWS IAM, and any coding or scripting you've done. Mention tools like OPA/Rego or CI/CD pipelines to demonstrate your technical prowess.

Be Clear and Concise: When writing your application, keep it straightforward. Use clear language to explain your past roles and responsibilities, especially those related to security and compliance. We appreciate a well-structured application that’s easy to read!

Apply Through Our Website: Don’t forget to submit your application through our website! It’s the best way for us to receive your details and ensures you’re considered for the role. Plus, it shows you’re keen on joining our team at Finova!

How to prepare for a job interview at finova

Know Your IAM Stuff

Make sure you brush up on your identity and access management knowledge, especially around Azure AD and multi-cloud environments. Be ready to discuss specific implementations you've worked on, like RBAC or ABAC in .NET applications.

Show Off Your Problem-Solving Skills

Prepare examples of how you've tackled complex IAM challenges in the past. Think about times when you had to balance security with usability, and be ready to explain your thought process.

Get Familiar with the Tech Stack

Since this role involves working with AWS, Azure, and GCP, make sure you understand the key features of each platform. Be prepared to discuss how you've used these tools in previous roles, especially around policy-as-code and CI/CD pipelines.

Communicate Clearly

Practice explaining complex IAM concepts in simple terms. You'll need to articulate your ideas to developers and auditors alike, so being able to break down technical jargon will be a huge plus in your interview.