IAM Engineer - PAM & PKI in London

Music is Universal. It’s the passionate and dedicated team at Universal Music who help make us the world’s leading music company. From A&R to finance, legal to digital, sales to marketing, Universal Music is the place to grow and develop your career within a truly commercial and innovative business that leads in everything it does. Everyone is welcome to apply for our roles, and we are determined to ensure that no applicant or employee receives less favourable treatment because of gender, race, disability, sexual orientation, religion, belief, age, marital status, background, pregnancy, or caring responsibilities. We also recognise the importance of diversity of thought within our teams and are fully committed to embracing the talents of people with autism, dyslexia, ADHD, and other forms of neurocognitive variation. We will always seek to make appropriate adjustments to recruitment, workplaces, and work processes to be fully inclusive to people with different needs and working styles.

Job Summary: We are currently seeking an Identity & Access Management Engineer with specialization in CyberArk and Public Key Infrastructure (PKI) to join UMG’s global Tech Security & Identity organization. Reporting to the Manager, PAM & PKI this is a hands‑on engineering role responsible for designing, implementing, and operating enterprise‑grade privileged access and certificate‑based security capabilities across a global, hybrid environment. This engineer will play a critical role in securing privileged user access, service accounts, application credentials, and machine identities through CyberArk, while also engineering and operating global PKI services that secure and establish trust across infrastructure, applications, automated workloads, and all of UMG’s public facing websites. The role emphasizes deep technical execution, automation, and operational excellence, partnering closely with infrastructure, security, and application teams to reduce risk and strengthen identity security at scale.

Job Functions:

• Design, engineer, deploy, and operate Privileged Access Management solutions using CyberArk, 1Password, Hashicorp Vault, and other privileged tooling across the enterprise.
• Administer and enhance CyberArk components including Vault, CPM, PVWA, PSM, and related integrations.
• Implement and manage privileged access controls for users, service accounts, application credentials, and non-human identities.
• Engineer and operate enterprise PKI services, including certificate issuance, renewal, revocation, and lifecycle management.
• Administer and enhance PKI platforms such as Microsoft AD Certificate Services (ADCS), DigiCert, and Keyfactor certificate lifecycle management tooling.
• Manage and support public and private certificates used for infrastructure, applications, and secure service-to-service communication.
• Integrate CyberArk and PKI capabilities into applications, platforms, and cloud environments to enable secure privileged and machine‑based access.
• Develop and maintain automation for CyberArk and PKI workflows using scripting and API‑based integrations (e.g., PowerShell, Python).
• Partner with infrastructure, cloud, and application teams to onboard systems into CyberArk and PKI services and remediate security gaps.
• Troubleshoot and resolve complex CyberArk‑and PKI‑related issues, including credential failures, certificate outages, and access disruptions.
• Ensure PAM and PKI services meet availability, resiliency, and operational performance requirements in a global environment.
• Support audit, compliance, and security review activities related to privileged access and cryptographic controls.
• Maintain technical documentation, configuration standards, and operational runbooks to support scalable operations.
• Continuously improve privileged access and PKI maturity through automation, platform enhancements, and process optimization.

Job Requirements:

Essential Qualifications:

• 5+ years of hands‑on experience in Identity & Access Management or Security Engineering roles, with strong focus on CyberArk and PKI.
• Demonstrated enterprise experience implementing and operating CyberArk PAM solutions.
• Strong hands‑on experience with PKI concepts and technologies, including certificate lifecycle management, trust models, and cryptographic standards.
• Experience administering Microsoft AD Certificate Services (ADCS) and managing public SSL/TLS certificates.
• Solid understanding of privileged access concepts including credential vaulting, session management, and least privilege.
• Proficiency in scripting and automation using tools such as PowerShell or Python.
• Experience integrating CyberArk and PKI solutions with Active Directory, cloud platforms (Azure and/or AWS), and enterprise applications.
• Ability to independently own complex technical implementations while collaborating across a global organization.
• Strong troubleshooting, documentation, and communication skills.

Desirable Qualifications:

• Bachelor’s degree in Computer Science, Information Security, Engineering, or a related technical discipline.
• CyberArk certifications such as CyberArk Defender or equivalent.
• Experience with certificate management platforms such as Keyfactor or Venafi.
• Experience integrating PAM or PKI into CI/CD pipelines, DevOps workflows, or secrets management solutions.
• Familiarity with security and compliance frameworks such as SOX, ISO 27001, or NIST.
• Experience operating IAM or security platforms within a large, global, or highly regulated enterprise.

About UMG UK: We are Universal Music Group UK – the UK’s leading music‑based entertainment company. We exist to shape culture through the power of artistry. We help UK artists produce, distribute and promote the most critically acclaimed and commercially successful music to inspire and entertain fans at home and around the world.

Bonus Tracks: Your Benefits:

• Group Personal Pension Scheme (between 3% and 9%)
• Private Medical Insurance
• 25 paid days of annual leave
• Interest Free Season Ticket Loan
• Holiday Purchase scheme
• Dental and Travel Insurance options
• Cycle to Work Scheme
• Salary Sacrifice Cars
• Subsidised Gym Membership
• Employee Discounts (Reward Gateway)

Just So You Know… The company presents this job description as a guide to the major areas and duties for which the jobholder is accountable. However, the business operates in an environment that demands change and the jobholder's specific responsibilities and activities will vary and develop. Therefore, the job description should be seen as indicative and not as a permanent, definitive, and exhaustive statement.