PROFILE
IAM Manager & Digital Identity Leader
MAULIK
THAKKAR
CISSP · PMP · IAM ARCHITECT · IGA · PAM
IAM Leader  |  Cybersecurity Consultant  |  Mentorship  |  Helping organizations simplify identity and access at scale

I'm a strategic IAM leader with 24 years of enterprise IT experience and 15+ years dedicated to Identity & Access Management — partnering with CISOs, compliance teams, and delivery organizations at institutions like USAA, Toyota Motors, Boston University, CapitalOne, and the Commonwealth of Pennsylvania to move from fragmented identity landscapes to governed, scalable IAM programs.

I bring the strategic perspective to assess where an organization's identity posture needs to go, and the hands-on credibility to guide the team getting it there — whether that means developing a multi-year IAM roadmap, leading a governance framework aligned to FFIEC or NIST 800-53, or mentoring a delivery team through a complex SailPoint or CyberArk implementation. I hold active CISSP and PMP certifications and have led teams of 12+ across Healthcare, Finance, Government, and Higher Education.

20+ Years experience
11 Certifications
15+ IAM Programs Led
6 Industries served
Location: Frisco, TX
Current Role: IAM Manager · Inspira Enterprise
Focus Areas: SailPoint · CyberArk · Azure AD · IGA
🔗 LinkedIn: linkedin.com/in/mauliknthakkar
Certifications: CISSP · PMP · AWS-CCP · ITIL V3 · CEH · ISO 27001
📄
Resume
View and download the full resume PDF — 20+ years of IAM experience formatted for recruiters and hiring managers.
→ VIEW RESUME
🛠
Skills Map
Technical proficiency across SailPoint, CyberArk, Azure AD, AWS cloud, identity protocols, and GRC compliance frameworks.
→ VIEW SKILLS
🔐
Cybersecurity
Knowledge base covering IGA, PAM, zero trust, threat intelligence, and compliance frameworks across regulated industries.
→ EXPLORE
🔑
Ping IAM Portfolio
Complete Ping Identity product landscape — 30+ products mapped across the enterprise IAM stack with architecture view.
→ PING IAM REFERENCE
✍️
Blog & Articles
Technical writing on SailPoint, CyberArk PAM, Azure AD B2C, Zero Trust, and enterprise IAM program management.
→ READ ARTICLES
STORY
Career Journey
24-year career evolution — 5 eras, skill progression, certifications, and the story behind each transition.
→ VIEW JOURNEY
NEW
📅
Career Timeline
Horizontal year-axis timeline — every role mapped across 2001–2025 with industry verticals and certification milestones.
→ VIEW TIMELINE
NEW
🗺
Career Pathway
Timeline + deep era breakdown — Key Shifts, modern relevance mapping, and positioning context for every career transition.
→ VIEW PATHWAY
● LIVE
🛡️
CISO Command Center
Full security leadership dashboard — Radar View, Operations, Vulnerabilities, Budget, Risk Register & Compliance posture intelligence.
→ OPEN COMMAND CENTER
6 SECTORS
🏭
Industry Experience
Deep-dive into 6 industry verticals — Healthcare, Finance, Government, Education, Automotive, and Telecom.
→ VIEW INDUSTRIES
Work Experience
IAM Manager
Jul 2025 – Present
◾ Inspira Enterprise
  • Michigan Medicine: Led IAM strategy, future-state architecture, roadmaps, and operating models; performed current-state assessment across multi-entity healthcare environment.
  • LAUSD: Serving as IAM Program Manager for large multi-workstream IAM program — defining program structure, timelines, KPIs, and execution governance.
  • Evaluated IAM products, led vendor selection, conducted feature analysis, and aligned solutions to client compliance mandates across Healthcare and Education sectors.
  • Managed internal/external stakeholders; resolved conflicting priorities and advised leadership with risk and financial impact assessments.
IAM Strategy · Program Management · Healthcare IAM · Vendor Selection
Specialist Master / IAM Manager
Oct 2014 – May 2025
◾ Deloitte & Touche LLP · 10+ Years
  • UCSF (2024–25): Led 6-member team developing enterprise Unique ID Solution and IAM Registry on AWS (RDS, ECS, ECR); architected fuzzy matching logic reducing identity conflicts by 40%.
  • Getty Digital (2024): Conducted comprehensive IAM landscape assessment; developed future-state roadmap aligned with industry best practices.
  • Boston University (2021–23): Managed 10+ member team implementing SailPoint IIQ and Radiant Logic for IAM Modernization — processing 2 million user identities, decommissioning Mainframe solution.
  • USAA (2019–21): Led 12-member team developing FFIEC compliance security controls aligned with NIST CSF and 800-53 for the largest automobile insurance provider.
  • Toyota Motors NA (2018–19): Scrum Master for Azure AD B2E/B2C implementations; managed SAML 2.0, OIDC, OAuth 2.0 integrations; developed Azure B2C custom policies and SCIM provisioning.
  • CapitalOne (2017): Led SailPoint application onboarding for Commercial Line of Business; provided oversight for automated testing and cloud DevOps CI/CD.
  • Commonwealth of Pennsylvania (2014–17): Implemented MFA/Risk-Based Auth with CA Advanced Authentication; deployed CyberArk PAM; led SailPoint access certification project.
SailPoint IIQ · CyberArk PAM · Azure AD B2C · AWS Cloud · NIST CSF · FFIEC · RBAC/ABAC
Security Architect
May 2011 – Oct 2014
◾ Tech Mahindra Ltd. · 3.5 Years
  • AT&T USA: Managed IAM lab with 20+ servers; implemented IBM ISAM 8, VMware, and OpenStack; led POC for cloud infrastructure and virtualization.
  • Bell Canada: Led implementation of CA Arcot AuthMinder and RiskMinder for retail fraud mitigation; managed multi-environment deployments with Apache, Tomcat, WebLogic, Oracle DB.
IBM ISAM · CA Arcot · OpenStack · ITIL
Security Delivery Specialist
Oct 2010 – Apr 2011
◾ IBM India Pvt. Ltd. · Vodafone India
  • Managed IAM processes for 1,000+ Windows and 2,000+ UNIX servers.
  • Oversaw SOX compliance for 30+ applications and 100+ database servers; led quarterly account attestation and risk assessment processes.
SOX Compliance · IAM Operations · Access Attestation
Technology Architect
Nov 2004 – Oct 2010
◾ Infosys Ltd. · 6 Years
  • American Express: Migrated CA SiteMinder 6 to 12; led pilot implementation and go-live strategy.
  • Ameriprise Financial: Implemented Good Mobile solution and Intellisync for email/calendar sync.
  • Northwestern Mutual: Led E-Discovery solution vendor selection; assessed Symantec, IBM, CA products.
  • Additional: Bell Canada (CA Arcot AuthMinder/RiskMinder), Crown Prince Court Abu Dhabi (CA Identity Manager), AIG (IAM strategy).
CA SiteMinder · CA Identity Manager · Enterprise Architecture
Education
Bachelor of Computer Engineering
2001
◾ Gujarat University
Diploma in Computer Engineering
1998
◾ Technical Education Board
Certifications
🏅
CISSP
Certified Information Systems Security Professional
Active
🏅
PMP
Project Management Professional
Active
🏅
AWS Cloud Practitioner
Amazon Web Services
2020
🏅
ITIL V3 Foundation
AXELOS
2015
🏅
CEH v7
Certified Ethical Hacker — EC-Council
2012
🏅
ISO 27001 Lead Auditor
Information Security Management
2011
🏅
SANS GPEN
Network Penetration Testing
2011
🏅
CSA CCSK
Cloud Security Knowledge
2011
🏅
Sun Java Certifications
SCJP · Mobile App Developer · Archer
Active
// Hands-On Tools & Products · Extracted from 24 Years of Delivery
Technology Stack
80+ tools across IAM · Cloud · Dev · Protocols · Infra · GRC · VAPT · Program Management
🔑 IAM / IGA / PAM Platforms · 23 tools
SailPoint IIQ · SailPoint NERM · CyberArk PAM · CyberArk Vault / PVWA / CPM / PSM · CA SiteMinder 6 & 12 · CA Arcot AuthMinder · CA Arcot RiskMinder · CA Advanced Authentication · CA Identity Manager 12 · CA Role & Compliance Manager · CA Access Control & PUPM · CA Federation Manager · CA UARM · IBM ISAM 8 · IBM TAM 6.1.1 · MS Forefront Identity Manager · Radiant Logic · Azure AD / Entra ID (B2E & B2C) · Oracle IAM · CA Enterprise Log Manager · CA Role & Compliance Manager · Saviynt EIC (Training) · Ping Identity (Training)
☁️ Cloud & Infrastructure Platforms · 10 tools
AWS ECS / ECR · AWS RDS · AWS Secrets Manager · AWS Parameter Store · AWS Application Load Balancer · OpenStack (Ubuntu 12.04 POC) · VMware vSphere / vCenter · KVM Virtualization · Intel Cloud Access 360 · IBM QRadar (POC)
🔗 Identity Protocols & Standards · 12 standards
SAML 2.0 · OAuth 2.0 · OIDC · SCIM 2.0 · LDAP / MS Active Directory · REST API · SOAP API · WS-Federation · SIP Protocol · MFA / Risk-Based Auth · SSL / Digital Certificates · RBAC / ABAC / SOD Policies
💻 Development & Scripting · 23 tools
Python · Java / J2EE · Spring Boot · BeanShell (SailPoint) · SQL · React JS · J2ME / MIDP 2.0 · Symbian C++ · Microsoft .NET CF · MS SQL / Oracle DB 11g · WMIC Scripts · Linux OS Commands · Fuzzy Matching Logic · Jira (Sprint & Release Planning) · DevOps CI/CD · Agile / Scrum
🖥️ Middleware, Servers & OS · 15 tools
Apache Web Server 2.2 · Apache Tomcat 6 · WebLogic 10.3.6 · IBM WebSphere (IHS & WAS) · Windows Server 2003 / 2016+ · Linux (RHEL / Ubuntu / AIX) · UNIX (AIX / Solaris) · MS Active Sync · Good Mobile · Intellisync · Avaya SAL 1.5 / OpenDS · AS400 (iSeries) · Fortify SCA (Static Analysis) · IBM AppScan · Archer Smart Suite / Certified Consultant
📋 GRC & Compliance Frameworks · 11 frameworks
FFIEC · NIST CSF · NIST SP 800-53 · SOX · PCI DSS · ISO 27001 · CMS MARS-e · HIPAA · ITIL V3 (Incident / Change / Release) · 20 Critical Controls (SANS) · E-Discovery Assessment (NWM)
📊 Program Management & Process · 8 methods / tools
Project Management (PMP) · Agile / Scrum Master · ITIL V3 Service Management · Jira / Sprint Planning · RFP Development & Vendor Scoring · SLA Management · SDLC (Full Lifecycle) · Change & Release Management · Core Java / J2EE / JAXB / JSP / Servlets · Java Mail APIs · J2ME Platform · BREW Platform (Mobile Game Porting) · Rational Rose (UML Modelling)
🛡️ Security Testing & VAPT Tools · 12 tools
TCPDump · NMAP · Nessus · Maltego · Nikto · JIKTO · Paros (HTTP Proxy) · Kismet · Cain & Abel · WMI (Recon) · Google Dorking · HTTP Proxy Tools
🔍 E-Discovery & Compliance Products Assessed · 6 products
Symantec Enterprise Vault · ZL Technologies Unified Discovery · IBM eDiscovery Manager · CA Records Manager · Mimosa eDiscovery Archiving · Autonomy eDiscovery
🔑 IGA / IAM Platforms
SailPoint IIQ / ISC · 97%
CyberArk PAM (Vault, PVWA, CPM, PSM) · 93%
Azure AD / Entra ID (B2E / B2C) · 90%
CA SiteMinder / Advanced Authentication · 85%
Ping ID / ForgeRock / Auth0 / Saviynt · 75%
☁️ Cloud & DevOps
AWS (S3, ECS, ECR, RDS, Lambda, VPC) · 85%
Docker / ECS Containers · 80%
DevOps CI/CD (Jira, Agile/Scrum) · 82%
Terraform / CloudFormation (IaC) · 70%
HashiCorp Vault · 75%
🛡 Identity Protocols & Dev
SAML 2.0 / OIDC / OAuth 2.0 · 95%
REST / SOAP APIs · LDAP / SCIM · 92%
Python / Java / Spring Boot · 80%
PowerShell / SQL · 78%
React JS (Web Applications) · 65%
📋 GRC & Compliance
NIST CSF / NIST 800-53 · 92%
FFIEC / SOX / PCI DSS · 88%
HIPAA / CMS MARS-E · 85%
ISO 27001 · 88%
Project Management (PMP / Agile) · 95%
Technology Stack
SailPoint IIQ · SailPoint ISC · CyberArk PAM · CyberArk Vault · CyberArk PVWA · CyberArk CPM / PSM · Azure AD / Entra · Azure B2C · Ping ID / ForgeRock · Auth0 / Saviynt · Veza · Radiant Logic · CA SiteMinder · IBM ISAM · AWS S3 / RDS · AWS ECS / ECR · AWS Lambda · AWS VPC / API Gateway · HashiCorp Vault · Docker · Terraform / CloudFormation · Splunk / ArcSight · SAML 2.0 · OAuth 2.0 / OIDC · LDAP / SCIM · REST / SOAP APIs · RBAC / ABAC / SOD · MFA / Risk-Based Auth · JDBC / OOTB Connectors · Python · Java / Spring Boot · React JS · PowerShell / SQL · NIST CSF / 800-53 · FFIEC / SOX · HIPAA / CMS MARS-E · PCI DSS · ISO 27001 · Agile / Scrum / PMP · ITIL V3
🔑
Identity & Access
IGA, PAM, MFA, federation, and access governance — enterprise IAM posture with SailPoint, CyberArk, and Okta coverage.
▶ XRay View · Governance · PAM · MFA
💻
Endpoint Security
EDR coverage, device compliance, patch management, and application control across managed endpoints.
▶ XRay View · EDR · Patch · App Control
🌐
Network & Zero Trust
Perimeter defense, micro-segmentation, Zero Trust adoption progress, and network detection posture.
▶ XRay View · ZTA · Segmentation · NDR
☁️
Cloud Security
CSPM findings, cloud entitlements (CIEM), workload security, and container vulnerability tracking.
▶ XRay View · CSPM · CIEM · Containers
🗄️
Data Protection
Data classification coverage, DLP policy violations, encryption posture, and data access governance.
▶ XRay View · DLP · Encryption · DAG
🔒
Application Security
SAST/DAST findings, third-party dependency CVEs, API security coverage, and secure SDLC adoption.
▶ XRay View · SAST · DAST · API · SCA
🔍
SOC & Detection
MTTD/MTTR metrics, SIEM coverage, false positive rates, SOAR automation, and threat hunting maturity.
▶ XRay View · SIEM · SOAR · Threat Hunting
📋
GRC & Compliance
Control effectiveness, audit findings, framework coverage (NIST, SOC2, HIPAA, PCI) and risk register status.
▶ XRay View · NIST · SOC2 · HIPAA · PCI
🔑
Ping Identity IAM Reference
Complete product catalog of 30+ Ping Identity products mapped across the enterprise IAM stack — from cloud SSO and CIAM to on-prem federation, IGA, and PAM — plus a 30,000 ft architecture diagram.
// CYBERSECURITY › IAM › PING IDENTITY
Ping Identity
Enterprise IAM Landscape

Complete reference of Ping Identity's product portfolio — 30+ products mapped across the Identity & Access Management spectrum with architecture diagrams and IAM pillar classifications.

30+ Total Products
7 IAM Pillars
3 Deploy Models
Product Catalog
Architecture View
Columns: Product · Type · Deploy Model, followed by Core Usage, IAM Function, and IAM Pillar for each product.

PingOne · Cloud Platform · Cloud
  Core Usage: Central cloud IAM platform — SSO, MFA, user lifecycle, B2B/B2C/workforce identity from a single SaaS control plane.
  IAM Function: Unified identity services: authentication, directory, policy, and integration hub.
  IAM Pillar: Authentication · Directory · Lifecycle

PingOne Advanced Identity Cloud · Cloud Platform · Cloud
  Core Usage: Full-featured cloud-native IAM (ForgeRock heritage) for workforce and CIAM with advanced journeys, governance, and full configuration control.
  IAM Function: Combines AM, IDM, DS, and IGA in a managed cloud; replaces on-prem platform for large enterprises.
  IAM Pillar: CIAM · Workforce IAM · IGA

PingID · MFA / Strong Auth · Cloud
  Core Usage: Mobile-first MFA — push notifications, FIDO2, biometrics, OTP for workforce authentication.
  IAM Function: Adds strong, risk-adaptive second factor; reduces phishing/credential-theft risk.
  IAM Pillar: MFA · Passwordless

PingOne DaVinci · Orchestration · Cloud
  Core Usage: No-code/low-code identity orchestration canvas — drag-and-drop flows connecting 150+ connectors across any vendor.
  IAM Function: Decouples identity logic from apps; enables composable authentication journeys and cross-vendor orchestration.
  IAM Pillar: Orchestration · CIAM

PingOne Authorize · Authorization · Cloud
  Core Usage: Externalized, policy-based fine-grained authorization (ABAC/PBAC) as a cloud service.
  IAM Function: Moves authorization logic out of applications into a centralized policy engine; enforces least-privilege dynamically.
  IAM Pillar: Fine-Grained AuthZ · PBAC

PingOne Protect · Threat Detection · Cloud
  Core Usage: AI/ML-driven risk engine — bot detection, credential stuffing, and account takeover prevention in real time.
  IAM Function: Injects risk scores to trigger step-up MFA or block sessions — zero-trust signal provider.
  IAM Pillar: Risk & Fraud · Zero Trust

PingOne Verify · Identity Verification · Cloud
  Core Usage: Self-service identity proofing — document capture, liveness detection, biometric matching for onboarding.
  IAM Function: Establishes identity assurance at registration; prevents synthetic identity fraud before credential issuance.
  IAM Pillar: Identity Proofing · CIAM

PingOne Credentials · Verifiable Credentials · Cloud
  Core Usage: Issues and verifies W3C verifiable credentials / digital wallets — decentralized identity for portable attributes.
  IAM Function: Enables passwordless, privacy-preserving credential exchange; underpins decentralized IAM.
  IAM Pillar: Decentralized ID · Passwordless

PingOne Identity Governance · IGA — Cloud · Cloud
  Core Usage: Cloud IGA — access certifications, role management, SOD policy, and automated provisioning/de-provisioning.
  IAM Function: Enforces access governance lifecycle; satisfies audit/compliance requirements (SOX, HIPAA, PCI).
  IAM Pillar: IGA · Compliance

PingOne Privilege · PAM — Cloud · Cloud
  Core Usage: PAM as a service — vault, just-in-time elevation, session recording, and credential rotation.
  IAM Function: Eliminates standing privilege; provides vaulted, time-bounded access — reduces blast radius of breaches.
  IAM Pillar: PAM · Zero Trust

PingOne SSO · Single Sign-On · Cloud
  Core Usage: Cloud SSO — SAML 2.0, OIDC, OAuth 2.0 federation for workforce and customer app access.
  IAM Function: Centralizes authentication policy; eliminates per-app passwords; enables cross-domain access.
  IAM Pillar: SSO · Federation

PingOne for Enterprise · Workforce SSO · Cloud
  Core Usage: Cloud SSO for enterprise workforce — AD-bridging, self-service portal, and SaaS app catalog.
  IAM Function: Bridges on-prem AD to cloud apps; workforce SSO without requiring on-prem PingFederate.
  IAM Pillar: Workforce IAM · SSO

PingFederate · Federation Server · Software
  Core Usage: Enterprise federation server — SAML, OIDC, OAuth 2.0, WS-Fed for SSO and API security on-prem or hybrid.
  IAM Function: Backbone of enterprise SSO — acts as IdP or SP; integrates with any standards-compliant SP or IdP.
  IAM Pillar: Federation · SSO · OAuth/OIDC

PingAccess · Access Gateway · Software
  Core Usage: Policy-enforcement proxy — secures legacy web apps, APIs, and microservices using token-based access.
  IAM Function: Enforces auth and coarse-grained authorization at network edge; protects apps without native OAuth/OIDC support.
  IAM Pillar: Access Proxy · Policy Enforcement

PingAM (Access Management) · Software — AM · Software
  Core Usage: Full-featured AM — authentication trees, adaptive MFA, SAML, OIDC, UMA on-prem.
  IAM Function: On-prem/private cloud AM engine; handles complex authentication journeys and session management.
  IAM Pillar: Authentication · SSO · AM

PingIDM (Identity Management) · Software — IDM · Software
  Core Usage: On-prem identity lifecycle — automated provisioning, reconciliation, sync, workflows.
  IAM Function: Manages joiner-mover-leaver; synchronizes identities across HR, AD, LDAP, and SaaS targets.
  IAM Pillar: IGA · Provisioning · Lifecycle

PingDirectory / PingDS · Directory Store · Software
  Core Usage: High-performance LDAP/REST identity store — billions of entries, sub-millisecond reads, and schema flexibility.
  IAM Function: Authoritative identity repository; underpins AM/IDM lookups; scales to carrier-grade CIAM workloads.
  IAM Pillar: Directory · Identity Store

PingAuthorize · Fine-Grained AuthZ · Software
  Core Usage: Externalized authorization engine — XACML/ALFA policy language, dynamic ABAC for APIs and apps.
  IAM Function: Decouples access-decision logic from apps; enforces row/field-level data security and consent-based access.
  IAM Pillar: Fine-Grained AuthZ · ABAC

PingGateway · Identity Gateway · Software
  Core Usage: Reverse-proxy API gateway — token transformation, route-based policy, and protocol mediation.
  IAM Function: Bridges legacy apps to modern OIDC/OAuth flows; integrates with PingAM for session validation.
  IAM Pillar: API Security · Zero Trust

PingIntelligence for APIs · AI / API Security · Software
  Core Usage: AI-powered API threat detection — behavioral baseline, anomaly detection, and automated blocking.
  IAM Function: Real-time API security telemetry; detects compromised tokens and shadow APIs bypassing gateway policies.
  IAM Pillar: API Security · Threat Intel

Ping Identity Governance (On-Prem) · Software — IGA · Software
  Core Usage: On-prem IGA — role mining, access reviews, SOD enforcement, entitlement catalog.
  IAM Function: Governs who has access to what and why; satisfies audit requirements with granular entitlement visibility.
  IAM Pillar: IGA · GRC · Provisioning

Ping Autonomous Identity · AI / IGA · Software
  Core Usage: AI-driven role discovery and access risk scoring — auto-generates role models and flags access outliers.
  IAM Function: Accelerates role engineering and access reviews; surfaces toxic access combinations manual IGA misses.
  IAM Pillar: IGA · AI/ML · Role Mgmt

PingCentral · Self-Service Portal · Software
  Core Usage: Developer self-service portal for onboarding OAuth clients and managing OIDC/SAML connections to PingFederate.
  IAM Function: Delegates app-team administration; enforces guardrails while enabling developer agility.
  IAM Pillar: Developer Portal · OAuth Mgmt

Ping Enterprise Connect · AD Connector · Software
  Core Usage: On-prem connector bridging Active Directory / LDAP to cloud PingOne without full directory migration.
  IAM Function: Hybrid identity — keeps AD as authoritative store while extending SSO/MFA policies to cloud apps.
  IAM Pillar: Hybrid IAM · Directory Bridge

Ping Government Identity Cloud · FedRAMP Cloud · Cloud
  Core Usage: FedRAMP Moderate/High authorized IAM cloud for US federal agencies — FISMA, NIST 800-63, and ICAM.
  IAM Function: Compliant IAM for government — supports PIV/CAC, PKI, and agency-specific identity federation.
  IAM Pillar: Gov IAM · FedRAMP · ICAM

Ping Terraform / Helm / DevOps · Developer — IaC · Dev
  Core Usage: IaC tooling — Terraform providers, Helm charts, Docker images for automated Ping deployment.
  IAM Function: GitOps-driven IAM; brings identity configuration into CI/CD pipelines for auditable deployments.
  IAM Pillar: DevOps / IaC · Automation

Identity for AI · Developer — AI Identity · Dev
  Core Usage: Identity primitives and APIs for securing AI agents — OAuth for AI, MCP server identity, agentic access control.
  IAM Function: Brings IAM principles to AI/LLM agents — ensures AI workloads are authenticated, authorized, and auditable.
  IAM Pillar: AI Identity · Agentic AuthZ
Core Principle: Never Trust, Always Verify
Zero Trust is not a product — it is a security strategy and framework that assumes breach, verifies explicitly, and enforces least-privilege access. Every request, user, device, and workload must be authenticated and authorized regardless of network location.
NIST SP 800-207 Zero Trust Pillars
🔑
Identity
Strong identity verification for every user, service account, and workload. MFA, risk-based auth, and continuous session validation.
💻
Device
Device health and compliance validated before access granted. MDM integration, device posture checks, and certificate-based auth.
🌐
Network
Micro-segmentation, encrypted communications, and software-defined perimeter. No implicit trust based on network location.
📦
Workload
Application and API security, container security, and workload identity. mTLS between services, OAuth2 for M2M.
🗄
Data
Data classification, DLP, encryption at rest and in transit. Fine-grained access controls down to field and row level (ABAC).
📊
Visibility & Analytics
Continuous monitoring, SIEM integration, UEBA, and telemetry across all pillars. Real-time risk scoring and anomaly detection.
IAM's Role in Zero Trust
🔐
Strong Authentication
Replace passwords with phishing-resistant MFA (FIDO2/WebAuthn). Adaptive authentication triggers step-up based on risk signals — implemented using PingID, Azure AD Conditional Access, and CyberArk for privileged accounts.
⚖️
Least Privilege Access
Every user, service, and device gets minimum access required. Enforced through RBAC/ABAC policies in SailPoint IGA, PingAuthorize, and CyberArk JIT elevation eliminating standing privilege.
🔄
Continuous Verification
Session trust is not permanent. Risk signals from PingOne Protect continuously re-evaluate trust — anomalous behavior triggers re-authentication or session termination automatically.
📋
Access Governance
Continuous access certification ensures entitlements are reviewed and revoked when no longer needed. SailPoint IIQ access reviews, SOD policy enforcement, and automated de-provisioning close the loop.
Zero Trust Maturity Model (CISA)
1
Traditional
Perimeter-based security, implicit trust inside network, manual processes, static policies
LEGACY
2
Initial
MFA deployed, some attribute-based policies, initial device compliance checks, basic SIEM logging
COMMON
3
Advanced
Risk-based adaptive auth, IGA with automated access reviews, PAM with JIT, micro-segmentation in progress
TARGET
4
Optimal
Fully automated policy enforcement, AI-driven anomaly detection, continuous access evaluation, zero standing privilege
ASPIRATIONAL
Tools & Technologies
PingOne Protect PingAuthorize CyberArk PAM SailPoint IIQ Azure AD Conditional Access FIDO2 / WebAuthn mTLS / PKI HashiCorp Vault Splunk / ArcSight NIST SP 800-207
Top Identity-Based Attack Vectors
🎭 Credential Stuffing
Automated injection of breached username/password pairs to gain unauthorized access. Exploits password reuse across services.
MITRE ATT&CK: T1110.004
Detection: Velocity checks, impossible travel, PingOne Protect risk signals
🎣 Phishing / MFA Bypass
Adversary-in-the-middle attacks that capture OTP codes and session tokens in real time, bypassing traditional MFA.
MITRE ATT&CK: T1566, T1557
Detection: FIDO2 hardware keys, number matching MFA, anomalous login patterns
👑 Privileged Account Abuse
Compromise or misuse of admin/service accounts with excessive standing privilege to move laterally and escalate access.
MITRE ATT&CK: T1078.003
Detection: CyberArk session recording, JIT access controls, PAM vault alerts
🔓 Token Theft / Replay
Stealing OAuth access tokens or session cookies to authenticate as legitimate users without needing credentials.
MITRE ATT&CK: T1528, T1539
Detection: Token binding, short-lived tokens, PingIntelligence API anomaly detection
🤖 Service Account Compromise
Targeting non-human identities — service accounts, API keys, and automation credentials — which often have excessive permissions and no MFA.
MITRE ATT&CK: T1078.004
Detection: HashiCorp Vault secret rotation, service account vaulting in CyberArk
😈 Insider Threat
Malicious or negligent insiders abusing legitimate access. Often detected through behavioral anomalies and access pattern analysis.
MITRE ATT&CK: T1078, T1213
Detection: UEBA, SailPoint access reviews, Splunk behavior analytics
IAM Defense Controls by Attack Type
Attack | Prevention | Detection Tool
Credential Stuffing | MFA enforcement, CAPTCHA, IP reputation filtering | PingOne Protect
Phishing / MFA Bypass | FIDO2/WebAuthn, number matching, phishing-resistant MFA | PingID + Azure AD
Privileged Account Abuse | JIT access, vault credentials, session recording | CyberArk PAM
Token Theft | Short-lived tokens, token binding, mTLS | PingIntelligence
Service Account Abuse | Secret rotation, vault storage, least privilege | HashiCorp Vault
Insider Threat | Access certification, SOD enforcement, behavioral baselines | SailPoint + Splunk
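Two of the detections listed for the attack vectors above, velocity checks for credential stuffing and impossible travel, written out as runnable logic over a constructed sample of authentication events. This is an added example, not code from the page's author or from any of the products named; the event layout, the RFC 5737 documentation addresses, the coordinates and the thresholds (60-second window, three distinct usernames, 900 km/h) are assumptions chosen for illustration.

```python
"""Velocity and impossible-travel detection over authentication logs.

Added example; not code from the page's author. Event layout, source IPs
(RFC 5737 documentation ranges), coordinates and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    source_ip: str
    user: str
    outcome: str   # "SUCCESS" or "FAIL"
    lat: float     # geolocation of source_ip, assumed resolved upstream
    lon: float


def _ev(ts, ip, user, outcome, lat, lon):
    return AuthEvent(datetime.fromisoformat(ts), ip, user, outcome, lat, lon)


# Constructed sample log: one address fails against many distinct usernames
# within seconds (stuffing pattern); one user mistypes twice (benign); one
# user "succeeds" from New York, Dallas and London inside ninety minutes.
SAMPLE_EVENTS = [
    _ev("2024-03-01T08:00:00", "203.0.113.7", "alice", "FAIL", 40.71, -74.01),
    _ev("2024-03-01T08:00:05", "203.0.113.7", "bob", "FAIL", 40.71, -74.01),
    _ev("2024-03-01T08:00:09", "203.0.113.7", "carol", "FAIL", 40.71, -74.01),
    _ev("2024-03-01T08:00:14", "203.0.113.7", "dave", "FAIL", 40.71, -74.01),
    _ev("2024-03-01T08:00:20", "203.0.113.7", "erin", "SUCCESS", 40.71, -74.01),
    _ev("2024-03-01T08:10:00", "198.51.100.5", "frank", "FAIL", 33.15, -96.82),
    _ev("2024-03-01T08:10:30", "198.51.100.5", "frank", "FAIL", 33.15, -96.82),
    _ev("2024-03-01T08:11:00", "198.51.100.5", "frank", "SUCCESS", 33.15, -96.82),
    _ev("2024-03-01T09:00:00", "198.51.100.9", "erin", "SUCCESS", 32.78, -96.80),
    _ev("2024-03-01T09:30:00", "192.0.2.44", "erin", "SUCCESS", 51.51, -0.13),
]


def detect_credential_stuffing(events, window_seconds=60, min_distinct_users=3):
    """Velocity check: one source IP failing against many distinct usernames.

    Returns {source_ip: peak distinct usernames failed inside any window}
    for every IP that reaches the threshold.
    """
    fails_by_ip = defaultdict(list)
    for e in events:
        if e.outcome == "FAIL":
            fails_by_ip[e.source_ip].append(e)

    flagged = {}
    for ip, fails in fails_by_ip.items():
        fails.sort(key=lambda e: e.ts)
        peak = 0
        for i, start in enumerate(fails):
            users = set()
            for e in fails[i:]:
                if (e.ts - start.ts).total_seconds() > window_seconds:
                    break
                users.add(e.user)
            peak = max(peak, len(users))
        if peak >= min_distinct_users:
            flagged[ip] = peak
    return flagged


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def detect_impossible_travel(events, max_speed_kmh=900.0):
    """Flag consecutive successful logins for one user that would require
    travelling faster than max_speed_kmh (roughly airliner speed)."""
    by_user = defaultdict(list)
    for e in events:
        if e.outcome == "SUCCESS":
            by_user[e.user].append(e)

    findings = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e.ts)
        for prev, cur in zip(logins, logins[1:]):
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            # a location change with no elapsed time counts as infinite speed
            speed = km / hours if hours > 0 else float("inf")
            if km > 0 and speed > max_speed_kmh:
                findings.append({"user": user, "from_ip": prev.source_ip,
                                 "to_ip": cur.source_ip, "distance_km": round(km),
                                 "speed_kmh": round(speed)})
    return findings


if __name__ == "__main__":
    print("credential stuffing:", detect_credential_stuffing(SAMPLE_EVENTS))
    for finding in detect_impossible_travel(SAMPLE_EVENTS):
        print("impossible travel:", finding)
```

The velocity check keys on failures per source address rather than per user, which is what separates a stuffing run (many accounts, one origin) from one person mistyping a password. The impossible-travel check only ever compares successful logins, so the benign failures never trigger it; in a real pipeline the same event would also carry the risk score from the product doing the scoring, and the speed threshold would be tuned against the organization's own travel patterns.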
Key Insight from 20+ Years in IAM Security
Over 80% of breaches involve compromised identity — either stolen credentials, misconfigured access, or abused privileges. The most effective defense combines phishing-resistant MFA + privileged access vaulting + continuous access certification. These three controls alone eliminate the majority of identity-based attack surfaces.
Key Compliance Frameworks
🏦
NIST CSF / 800-53
National Institute of Standards and Technology Cybersecurity Framework. Used across federal agencies and financial institutions. NIST 800-53 provides 1,000+ security controls organized by families.
Key IAM Controls:
AC-2 (Account Mgmt) · AC-6 (Least Privilege) · IA-2 (MFA) · IA-5 (Authenticator Mgmt) · AC-17 (Remote Access)
Experience: USAA (NIST CSF + 800-53)
🏥
HIPAA / HITRUST
Health Insurance Portability and Accountability Act. Governs protection of Protected Health Information (PHI). HITRUST CSF maps HIPAA requirements to specific controls.
Key IAM Controls:
§164.312(a)(1) Access Control · §164.312(d) Person Auth · §164.312(a)(2)(i) Unique User ID · §164.308(a)(4) Access Management
Experience: NYU Langone · Michigan Medicine · UCSF
🏛
FFIEC / SOX
Federal Financial Institutions Examination Council guidelines for financial institutions. Sarbanes-Oxley Act mandates access controls and audit trails for financial reporting systems.
Key IAM Controls:
Access provisioning/deprovisioning · Segregation of Duties · Privileged access management · Quarterly access certifications · Audit logging
Experience: USAA · CapitalOne · Commonwealth of PA
💳
PCI DSS
Payment Card Industry Data Security Standard. Applies to any organization handling cardholder data. Strict IAM requirements around privileged access, MFA, and audit logging.
Key IAM Controls:
Req 7 (Least Privilege) · Req 8 (Unique IDs + MFA) · Req 10 (Audit Logs) · Req 12.3 (Privileged Access Review)
Experience: Commonwealth of PA · Infosys clients
IAM Control Matrix — Cross-Framework
IAM Control NIST HIPAA SOX PCI Tool
Multi-Factor Authentication PingID · Azure AD
Access Certification / Reviews SailPoint IIQ
Privileged Access Management CyberArk PAM
Segregation of Duties (SOD) SailPoint IIQ
Audit Logging & SIEM Splunk · ArcSight
Auto Provisioning/Deprovisioning SailPoint IIQ · PingIDM
Audit Preparation Tips — From the Field
Start access certification cycles 90 days before audit — last-minute certifications raise red flags with auditors.
Automated evidence collection (SailPoint reports, CyberArk session logs) dramatically reduces audit prep time from weeks to hours.
SOD violations that cannot be remediated need compensating controls documented — never leave them unexplained.
Orphaned accounts (terminated employees with active access) are the #1 finding across all compliance frameworks — automate deprovisioning first.
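The last two tips, undocumented SOD violations and orphaned accounts, are the checks most worth automating before an audit window opens. The script below is an added example that is not code from the page's author or from SailPoint or CyberArk; the HR feed, account export, SOD rules and compensating-control register are constructed inputs shaped like the exports an IGA tool produces, and the field names are assumptions.

```python
"""Pre-audit checks: orphaned accounts and SOD violations lacking a
documented compensating control.

Added example; not code from the page's author. All inputs below are
constructed and the record layout is an assumption.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed HR feed: employee_id -> employment status
HR_FEED = {
    "E100": "ACTIVE",
    "E101": "TERMINATED",
    "E102": "ACTIVE",
}


@dataclass
class Account:
    account_id: str
    owner_id: Optional[str]     # None = no identity correlated to the account
    enabled: bool
    entitlements: set = field(default_factory=set)


# Constructed account export from target systems
ACCOUNTS = [
    Account("alice.ap", "E100", True, {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}),
    Account("bob.ap", "E101", True, {"AP_VIEW"}),            # owner terminated
    Account("svc_backup", None, True, {"DB_ADMIN"}),         # uncorrelated account
    Account("carol.gl", "E102", True, {"GL_POST", "GL_CLOSE_PERIOD"}),
    Account("dave.old", "E999", False, {"AP_VIEW"}),         # unknown owner, but disabled
]

# Constructed SOD rules: rule id -> two entitlements one account must not hold together
SOD_RULES = {
    "SOD-01": ("AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"),
    "SOD-02": ("GL_POST", "GL_CLOSE_PERIOD"),
}

# Constructed register of documented compensating controls: (account_id, rule_id)
COMPENSATING_CONTROLS = {
    ("alice.ap", "SOD-01"): "Monthly vendor-master review by AP manager; ticket CC-0042",
}


def find_orphaned_accounts(accounts, hr_feed):
    """Enabled accounts whose owner is terminated, unknown to HR, or absent."""
    orphaned = []
    for acct in accounts:
        if not acct.enabled:
            continue
        status = hr_feed.get(acct.owner_id) if acct.owner_id else None
        if status != "ACTIVE":
            orphaned.append(acct.account_id)
    return sorted(orphaned)


def find_sod_violations(accounts, rules):
    """(account_id, rule_id) pairs where one enabled account holds both sides."""
    violations = []
    for acct in accounts:
        if not acct.enabled:
            continue
        for rule_id, (left, right) in rules.items():
            if left in acct.entitlements and right in acct.entitlements:
                violations.append((acct.account_id, rule_id))
    return violations


def undocumented_sod_violations(violations, compensating_controls):
    """Violations with nothing on record: remediate or document before the audit."""
    return [v for v in violations if v not in compensating_controls]


def audit_readiness_report(accounts=ACCOUNTS, hr_feed=HR_FEED,
                           rules=SOD_RULES, controls=COMPENSATING_CONTROLS):
    violations = find_sod_violations(accounts, rules)
    return {
        "orphaned_accounts": find_orphaned_accounts(accounts, hr_feed),
        "sod_violations": violations,
        "sod_without_compensating_control": undocumented_sod_violations(violations, controls),
    }


if __name__ == "__main__":
    for key, value in audit_readiness_report().items():
        print(f"{key}: {value}")
```

The orphan check treats "owner not found in HR" the same as "owner terminated", which is deliberate: an uncorrelated service account with no accountable owner is exactly the finding auditors write up. The SOD check here is per account; a production check aggregates entitlements across every account an identity owns, since toxic combinations are usually split across systems.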
🔑
FEATURED · IAM
Identity & Access Management · 15 min read
SailPoint IIQ at Scale: Lessons from a 2 Million Identity Migration at Boston University
A practitioner's deep-dive into modernizing a university's identity infrastructure — decommissioning a 30-year-old Mainframe solution, designing birthright access models for multi-persona users (students, faculty, staff, alumni), and performance-tuning SailPoint IIQ to process 2 million identity records without degrading production systems. Covers aggregation optimization, connector failure handling, and cutover planning for zero-downtime go-live.
All Articles
01
IGA · SailPoint
SailPoint IIQ at Scale: Lessons from a 2 Million Identity Migration
Boston University · Mainframe decommission · Performance tuning · 15 min read
02
PAM · CyberArk
Designing a CyberArk PAM Architecture: Vault, PVWA, CPM, PSM and DR Strategy
Enterprise PAM design · Safe models · Master Policy · Disaster Recovery · 12 min read
03
Healthcare · HIPAA · AWS
Building a Unique ID Solution on AWS: Fuzzy Matching for Healthcare Identity Deduplication
UCSF · AWS ECS/RDS · Python APIs · React JS · 40% conflict reduction · 13 min read
04
Azure AD · CIAM · B2C
Azure B2C Custom Policies at Enterprise Scale: Toyota's Multi-BU IAM Rollout
SAML 2.0 · OIDC · OAuth 2.0 · SCIM provisioning · Claim mapping · 10 min read
05
Compliance · FFIEC · NIST
FFIEC Compliance Through IAM: How USAA Mapped NIST CSF Controls to Identity Security
NIST 800-53 · Control mapping · Design effectiveness · Operating effectiveness · 11 min read
06
IGA · Access Governance
The Joiner-Mover-Leaver Process: Why Manual IAM Fails and How to Automate It Right
SailPoint IDM · Workday HR integration · 90% provisioning time reduction · 9 min read
07
Zero Trust · IAM Strategy
From Perimeter to Zero Trust: A Practical IAM Transformation Roadmap for Enterprise Leaders
CISA maturity model · Phased approach · Quick wins · Long-term architecture · 14 min read
08
IAM Program Management · Leadership
Running Multi-Workstream IAM Programs: Governance, KPIs, and Stakeholder Management at Scale
LAUSD · Program structure · Executive reporting · Risk management · PMP framework · 8 min read
Capability
Prompt Engineering
Advanced
Complex, multi-step instructions for proposal writing.
Capability
Visual Direction
Specialist
Guiding AI to create infographics and graphic recordings.
Capability
Strategic Synthesis
Expert
Converting technical IAM specs into business value models.
Capability
Data Governance
High
Managing privacy through active anonymization commands.
🧠
Skills Developed Through Gemini
Practical AI collaboration — from ideation to delivery, leveraging generative AI across strategy, content, and data workflows.
VIEW AI PROJECTS  →
Columns: Sr. No. · Project · Description · Project Category · Key Features

01 NaamJaap — Chanting Made Easy
  Description: Hobby App · Bhaj Govindam...
  Category: Lifestyle · Spirituality
  Key Features: Voice Enable Chanting · Dashboard · History · Color & Image Selection

02 AWS Non-Human Identity Discovery
  Description: Security Tool · AWS
  Category: IAM · NHI · AWS
  Key Features: Credential Discovery

03 Visual Vachanamrut
  Description: Hobby App · Scripture Visualisation · EN / ગુજ
  Category: Lifestyle · Spirituality
  Key Features: Visual · Bilingual EN / ગુજ · Illustrated Scripture

04 Divine Padharamani
  Description: Event App · Spirituality
  Category: Spirituality · Routing
  Key Features: Registration · Route Optimization · Data Cleanup Post Event

05 AWS Cloud Inventory Discovery
  Description: Cloud Tool · Cloud Inventory Scanning
  Category: Cloud Inventory Scanning
  Key Features: Cloud Asset Inventory Visibility · IT Asset Understanding · Cost Analysis

06 Cybersecurity Oversight
  Description: Security Tool · Cybersecurity Program Management
  Category: Cybersecurity Program Management
  Key Features: vCISO · vCIO · vCTO · Business Priorities