
ZICC Identity & Access Management (IDAM) MFA, PKI, Certificate, Encryption Engineer

6 years

0 Lacs

Posted: 16 hours ago | Platform: LinkedIn

Work Mode

Remote

Job Type

Full Time

Job Description

POSITION SUMMARY

Zoetis, Inc. is the world's largest producer of medicine and vaccinations for pets and livestock. The Zoetis Tech & Digital (ZTD) Global Technology Risk Management Organization is a key building block of ZTD.

Join us at Zoetis India Capability Center (ZICC) in Hyderabad, where innovation meets excellence. As part of the world's leading animal healthcare company, ZICC is at the forefront of driving transformative advancements and applying technology to solve the most complex problems. Our mission is to ensure sustainable growth and maintain a competitive edge for Zoetis globally by leveraging the exceptional talent in India.

At ZICC, you'll be part of a dynamic team that partners with colleagues worldwide, embodying the true spirit of One Zoetis. Together, we ensure seamless integration and collaboration, fostering an environment where your contributions can make a real impact. Be a part of our journey to pioneer innovation and drive the future of animal healthcare.

The global Identity, Directory & Access Management (IDAM) team defines and enforces policies, executes processes, and enables systems to ensure appropriate access management across Zoetis' digital ecosystem. Key IDAM functions at Zoetis include Identity Governance & Administration (IGA), Directory & Authentication Services, Multi-Factor Authentication (MFA), Public Key Infrastructure (PKI), Customer Identity & Access Management (CIAM), and Privileged Access Management (PAM), among others.

The IDAM Multi-Factor Authentication (MFA), Public Key Infrastructure (PKI) Certificate Encryption Engineer is responsible for the day-to-day management, maintenance, and support of the Microsoft PKI infrastructure including Certificate Authority servers, Hardware Security Modules (HSMs) and expert support for SafeNet Multi-Factor Authentication (MFA) solutions, with a strong emphasis on troubleshooting MFA tokens and related SafeNet components. This role ensures the secure issuance, renewal, and revocation of digital certificates using internal Microsoft PKI and our external partner to support enterprise security requirements and compliance standards. This role also involves resolving user token authentication issues, managing token lifecycle, and ensuring smooth operations of MFA infrastructure to support enterprise security requirements.

This role ensures secure and seamless operation of systems that protect Zoetis's global digital ecosystem. By leveraging encryption technologies and authentication frameworks, the engineer designs solutions that safeguard data, verify user identities, and enable secure resource access. The role requires deep technical expertise in security protocols, encryption standards, and certificate management, along with a proactive approach to resolving security issues. Collaborating across teams and projects, the engineer drives innovation and operational excellence while ensuring compliance with security goals. Additionally, the position demands expertise in IAM-enabled business processes and strong stakeholder collaboration to deliver impactful results.

POSITION RESPONSIBILITIES

* Manage and maintain Microsoft Certificate Authority (CA) servers, including installation, configuration, patching, and upgrades.
* Administer Hardware Security Modules (HSMs) used for secure key generation, storage, and cryptographic operations in the PKI environment.
* Upgrade and maintain CRL and OCSP services in the PKI environment.
* Perform key ceremony activities for CRL refresh, HSM refresh, and new partition creation.
* Automate and maintain lifecycle management of digital certificates issued via Microsoft CA and DigiCert platforms, including enrollment, renewal, revocation, and auditing.
* Proactively ensure that website administrators receive timely and consistent notifications about SSL certificate expiration, following up regularly to ensure renewal actions are completed.
* Maintain documentation of PKI architecture, HSM configurations, certificate inventories, SafeNet Authentication Service (SAS) configuration, and operational procedures.
* Administer and configure SaaS-based Multi-Factor Authentication (MFA) solutions to ensure secure and seamless user authentication processes.
* Install, configure, and maintain SafeNet Authentication Service MFA-related components: LDAP Sync, Remote Logging agent, and Windows Logging agent.
* Configure the Thales SAS platform per MFA best practices and coordinate with the vendor on any issues or outages.
* Collaborate with security, network, and application teams to troubleshoot certificate-related issues and token authentication issues for enterprise applications such as VPN.
* Monitor CA and HSM health and optimize system performance, ensuring maximum uptime, scalability, and security of the platforms.
* Stay updated on enhancements, updates, and changes to current platforms, technological advancements, and potential future platforms that may be considered as the organization evolves and scales, ensuring proactive planning to maintain optimal performance across the Zoetis ecosystem.
* Monitor the performance, scalability, and security of all in-scope platforms, stepping in to address critical issues or escalations while collaborating with the team on day-to-day management.
* Provide Level 2 (L2) and Level 3 (L3) support for service-related issues, troubleshooting certificate and user authentication problems, delivering high-quality user experiences, and ensuring efficient operations for IDAM services.
* Participate in shift rotations to deliver 16x5 operations for IDAM services, while offering off-hours escalation support for high-priority incidents (P1, P2).
* Ensure close collaboration between the ZICC IDAM team and Service Desk, Site Services, and Security Operations teams to enhance IAM support processes and optimize cross-team workflows.
* Ensure compliance with global IDAM policies, processes, and regulatory requirements, delivering secure and efficient access to Zoetis information systems for all users.

Percent of Time: 100%

ORGANIZATIONAL RELATIONSHIPS

* Reports to ZICC Directory & Authentication Technology Lead, with dotted line to US-based Head of IDAM and IDAM Operations & Directory Services Leads.
* Be part of the global Technology Risk Management organization, which reports to the Chief Information Security Officer (CISO).
* Collaborate regularly with ZTD application, business partner, and infrastructure teams.
* Interact with external vendors or partners providing software, services, or APIs that require integration with IDAM systems, including establishing requirements, negotiating contracts, and facilitating technical integration.
* Collaborate with implementation partners responsible for deploying, configuring, or maintaining integrated solutions within Zoetis' IT landscape.

EDUCATION AND EXPERIENCE

Education:

TECHNICAL SKILLS REQUIREMENTS

This is a detailed, hands-on technical role. The ideal candidate will demonstrate proficiency in these areas and provide leadership with respect to specific technologies:

* PKI & Digital Certificate Services
  o Expert-level experience with Microsoft PKI and SSL Certificate management, particularly Microsoft Certificate Services.
  o Strong expertise with Hardware Security Modules (HSMs) administration, such as SafeNet Luna or equivalent.
  o Proven experience conducting PKI ceremonies, including root and issuing certificate authority events.
  o Comprehensive knowledge of certificate lifecycle management, including proactive renewal and expiry prevention.
  o Experience operating certificate services as a core infrastructure offering.
  o Extensive knowledge of SSL/TLS certificates, Certificate Authorities (CAs), and secure key management best practices.


* Multi-Factor Authentication (MFA)
  o Expertise in enterprise MFA platforms such as SafeNet MobilePass or similar solutions.
  o Hands-on experience integrating MFA with enterprise applications, VPNs, and cloud platforms.


* Encryption & Key Management
  o Practical experience with key management systems, such as Thales CipherTrust, Azure Key Vault, and other similar platforms.
  o Deep understanding of encryption methodologies for protecting data at rest and in transit.


* Additional Technical Skills
  o Solid understanding of networking concepts, especially as they relate to load balancing, DNS, web hosting, and network segmentation.
  o Proficiency in PowerShell scripting for automation, troubleshooting, and administrative tasks, with additional expertise in Python and Bash scripting for hybrid directory operations.


* End-User and Technology Team Support:
  o Experience providing or supervising Level 2 (L2) and Level 3 (L3) support for identity and authentication issues for end users and technology teams.
  o Knowledge of troubleshooting authentication failures and collaborating with application teams to resolve availability issues.
  o Familiarity with incident response and root cause analysis for authentication service outages, identity synchronization issues, and cybersecurity events.
  o Experience working with Service Desk, Site Services, and Security Operations teams to enhance IAM support processes.


* Desirable Skills & Additional Expertise:
  o Familiarity with certificate lifecycle automation using Venafi or Keyfactor.
  o Familiarity with scripting to automate the certificate lifecycle management process.
  o Familiarity with passwordless authentication methods, such as FIDO2 and biometric-based solutions, for enhancing enterprise security.
  o Privileged Access Management (PAM): Experience with tools like Delinea Secret Server and Netwrix for Just-in-Time Access (JITA) is highly desirable.
  o Identity Governance & Administration (IGA): Knowledge of SailPoint IdentityIQ for Identity Lifecycle, Access Request & Recertification, and User Provisioning/Deprovisioning is a plus.
  o Microsoft Power Apps: Experience building or customizing forms and applications to enhance identity-related workflows is advantageous.
  o Database & Data Analytics: Experience with SQL, Alteryx, and data warehousing concepts to streamline workflows and troubleshoot data-related issues is a plus.


* Must be fluent in both written and spoken English, with the ability to clearly communicate across technical and non-technical audiences.

PHYSICAL POSITION REQUIREMENTS

Availability to work between 1 PM IST to 10 PM IST, ensuring a minimum of 3 hours of daily overlap with the US Eastern Time zone. Flexibility to provide off-hours escalation support for high-priority incidents (P1, P2) as needed.

About Zoetis

Zoetis

Pharmaceutical Manufacturing

Parsippany NJ