Identity Systems Engineer (CyberArk)

The Infrastructure Collaboration Engineering team is seeking a highly experienced Senior Identity & Privileged Access Management (PAM) Engineer with expertise in enterprise Identity and Access Management, with primary specialization in CyberArk.

This role will serve as the technical lead and subject matter expert for Privileged Access Management (PAM), responsible for designing, architecting, implementing, operating, and maintaining CyberArk solutions integrated across Entra ID, Active Directory, and Okta environments.

The ideal candidate will possess deep end-to-end identity expertise while maintaining advanced hands-on skills in CyberArk PAS, Privilege Cloud, EPM, Secrets Manager, and identity governance integration patterns.

• Proven expert knowledge of CyberArk Privilege Access Security (PAS) and/or Privilege Cloud architecture, deployment, and administration.
• Design, implement, and maintain CyberArk Vault, CPM (Central Policy Manager), PSM (Privileged Session Manager), and PTA (Privilege Threat Analytics).
• Manage safes, platforms, account onboarding, credential rotation policies, and access controls.
• Implement Just-in-Time (JIT) privileged access models integrated with Entra PIM and AD tiering.
• Secure and rotate domain admin, enterprise admin, service accounts, application accounts, SSH keys, and cloud credentials.
• Integrate CyberArk with Entra ID, Active Directory, and Okta for authentication and authorization workflows.
• Deploy and manage CyberArk Endpoint Privilege Manager (EPM) for least privilege enforcement.
• Implement CyberArk Secrets Manager / Conjur for DevOps and Kubernetes environments.
• Develop automation using REST APIs, PowerShell, and CyberArk tools.
• Design CyberArk disaster recovery and vault backup strategies.
• Integrate CyberArk logs with SIEM platforms and support audit/compliance requirements.
• Maintain alignment with Zero Trust security architecture principles.
• Stay current on CyberArk roadmap, new features, and evolving PAM security threats.

• Proven expert knowledge of Azure Entra ID capabilities such as Conditional Access Policies, Privileged Identity Manager and Application Registrations, integrated with CyberArk privileged access controls.
• Strong understanding of PIM and the assignment of roles / IAM permissions on Management Groups, Subscriptions and Resources, aligned with Just-in-Time access principles.
• Azure Infrastructure Management to include user accounts, groups, conditional policies, Intune management, mobile device management, and endpoint security.
• Strong understanding of App registration, Enterprise Apps, SPN’s and managed identities with the understanding of least privileged administration when it comes to MS Graph API allocation of permissions and secure credential storage in CyberArk.
• Strong understanding of multifactor authentication, SSPR and WHfB, ensuring secure privileged authentication workflows.
• Strong PowerShell scripting Skills, automation, and scheduling skills when working with data in Azure and integrating with CyberArk APIs.
• Good understanding of Intune policies management and autopilot.
• An individual that stays abreast of the latest Entra ID features, best practices, and security trends, and make recommendations for continuous improvement.

• Strong background in Active Directory covering domains that span geo locations with numerous DCs and a user base of 5000+.
• Strong understanding of DNS and GPOs, user object and OU administration.
• Solid understanding of Microsoft Tiering, IAM, and PAM concepts with CyberArk vaulting integration for Tier 0 accounts.
• Strong knowledge of server operating systems from Windows 2016 to Windows 2025.
• Strong understanding of the FSMO roles when it comes to maintaining the security and the integrity of the domain.
• Strong understanding of the delegation of permissions across the domain OU structure aligned with least privilege principles.
• Strong PowerShell scripting skills, automation, and scheduling skills including AD account onboarding into CyberArk.
• Solid understanding of the recovery steps needed to recover a domain in the event of a disaster.

• Able to demonstrate a strong understanding of IAM concepts, including identity federation, SSO, SAML, OAuth, OIDC, MFA, role-based access control (RBAC), and least privilege principles, integrated with CyberArk privileged authentication workflows.
• Able to provide Okta subject matter expertise to a variety of program stakeholders on application integration, IAM functionality, and Okta’s feature roadmap.
• Capable of designing and implementing Okta platform configurations to align with overall solution architecture and customer requirements while integrating CyberArk for privileged user authentication.
• Willing to collaborate with Solution Architects, other solution component SMEs and stakeholders to develop and refine solution requirements, ensuring secure and efficient access for on-premises and cloud-based applications and resources.
• Able to drive and support customer application integrations into Okta-based IAM solutions and align privileged access controls through CyberArk.
• Troubleshoot and resolve technical issues before, during and after application integration.

• Excellent troubleshooting, architectural, and documentation skills.
• Knowledge and experience with Rubrik advantageous.
• Microsoft, Azure or Okta certification are highly beneficial.

Tokio Marine HCC is a leading specialty insurance group with offices in the United States, the United Kingdom, Europe, and other locations. With the strength and stability that comes from being a member of the Tokio Marine group, and more than forty years of growth, profitability, and stability, we offer important insurance products that most people do not even know exist.

The Tokio Marine HCC Group of companies is an equal opportunity employer.