Cloud Security Architect & Information Security Consultant


Accomplished, motivated and versatile IT professional; Cloud Security Architect with several years of experience in the Cyber security landscape. Experienced in Cloud, LAN and WAN architectures as well as data centre scenarios. Extensive experience in Cyber security field with knowledge of threat landscape of client/servers, network and cloud environments. Certified teacher in most of the Cisco and Microsoft career paths, several years of experience in the IT industry. Customer obsession and quality delivery approach, works mostly with an international company and has good coordination and interaction skills. Known for a personable approach to clients and co-workers as well as for delivering and implementing IT solution, with security embedded in their lifecycle, seeks the opportunity to apply his knowledge and expertise to its customers. Is co-author of several publications and books (more information available on LinkedIn). Out of the box vision and driven, consistent over-achiever, excellent coordinator and organiser, responsible and efficient. Has a strong security vision on networks as well as a strong IT security background in the architecture, governance compliancy as well as hands on. CERTIFICATIONS AND SKILLS • Certified Information System Security Professional (CISSP 563603) • Certified Cloud Security Professional (CCSP) • Certificate of Cloud Security (CCSK-Plus) • TOGAF Open Security Architecture (O-ESA) • Open Security Architecture (OSA) • Data Driven Architecture Framework • ISO 27001 Lead implementer (ISO 27001) • ITIL v3 Foundation (ITILF v3) • ITIL v3 Service Operation (ITISO v3) • HP Tipping Point (IPS) system administrator • Cisco Network Professional Security (CCNP Security in progress): ISE certified • Cisco Network Security Associate (CCNA Security) • Cisco Certified System Instructor (CCSI - 31978) • Cisco Network Associate (CCNA Network) • Cisco Network Professional (CCNP) • Cisco Network Expert (CCIE Written) • Cisco Certified Sales Expert (CSE) • Juniper Network Certified Associate (JNCIA-JunOS) • Juniper Network Certified Specialist Security (JNCIA-SEC) • Microsoft Certified IT Professional (MCITP) • Microsoft Desktop Support Technician (MCDST) • Microsoft System Administrator (MCSA) • SonicWALL Certified Security Administrator (CCSA v5) • Ipanema Certified Operation and support Expert (ICOS) • Cloud Platforms: Azure, AWS IaaS, Office 365, Hybrid, Private Cloud, ad-Hoc cloud deployment • Network and Security architecture, Design, Documentation, Integration, Rollout and transition • Training deliver, training content delivery, video training • Project management, Team coordination, Team Leadership TECHNICAL EXPERTISE • Architecture models: TOGAF, SABSA, O-ESA, OSA, Data oriented Architecture, Data Models • Standards: ISO 27001 & controls, ITIL, COBIT(basic), NIST (800-53 and related controls) • Cloud Platforms: Azure(advanced), Office 365 (advanced), SharePoint PaaS, Amazon AWS (EC2 VM, S3 Storage, Firewall, Cloud Watch), Cloud Methodologies - IAAS, PAAS, SaaS, Hybrid/Cloud Boost • Firewalls: ASA, Pix, Juniper SRX/SSG, Source Fire, SonicWALL, Fortinet, Checkpoint • Monitoring/SIEM: Azure Security Center, Skybox, Splunk, MRTG, CACTI, WhatsUpGold, Solarwind, Manage Engine Netflow Analizer, Fluke Visual Performance Manager • Web Proxy: Forcepoint, Scansafe, Bluecoat, Microsoft ISA, iPrism • Security Appliances: ArcSight, SPLUNK SIEM, LogRhythm SIEM, CyberArk, HP Tipping point IPS, E-DMZ (Privilege User Management), Symantec NAC, Sophos NAC, Symantec EPPS, Sophos EPPS • Backup Solutions: Azure Backup, AVEPoint, NetBackup, • Programming language: Secure Code Review, Powershell, JSON, C, Java, Bash, Assembly (basic), • Systems: Linux (debian), Windows (client and server), MAC-OSX • Switching/Routing/WAN-LAN Routing Protocols/MPLS/ VoIP systems • WAN Accelerators/QoS/Shaper Riverbed, Ipanema, Exinda, Bluecoat Packeteer, F5 Big IP • Technologies: VPN, SSLVPN, MPLS, Active Directory, Network Scalability, WAN connectivity, Radius, NAC, VoIP, SIP, H323, SKINNY, RTP • Web Software/DB: TomCat, Apache, Oracle, MySQL • Telco Equipment: MPLS technologies, GGSN, SGSN, Infoblox, 3G, LTE, Roaming & GRX

Key Skills
  • Cloud Security
  • Architecture models
  • Web Proxy
  • Security Appliances

Work Experience

Cloud Security Architect/Cloud Transformation Lead Architect

Charles Taylor InsureTech12 months

• Translation of the CISO’s cloud and branch security strategy into policies further reflected into architecture artefacts and technical controls. • Design of the Cloud Architecture for IaaS, PaaS and SaaS and Private Cloud/On-Premises integrating security and policy driven control in the fabric of the architecture. • Definition of policy Framework aligned with the cloud migration and generation of the following policy artefacts: infrastructure security policy, access management, physical security, remote access. • Identification of strategy to transform the enterprise from single customer to cloud based multi customer organization focusing on: security posture, identity management, security enforcement of policies and multi-tenant hosting solutions in Azure • Acting lead architect for the cloud transformation program with focus on Security solutions and infrastructure • Definition of the following architecture artefacts/models: enterprise security architecture, reference security architecture, cloud security architecture, identity and access management architecture, Enterprise Enrolment Model, Subscription models, IaaS/PaaS integration Models, Subscription Base service model • Standardization of the Enterprise Enrolment account structure, Subscription and integration of IaaS with PaaS and with the Private Cloud on Premises • Definition of Backup and Business Continuity strategy throughout the enterprise, integrating Azure backup solutions (NetBackup, Azure Backup, AWS), o365 and SharePoint Backups (o365, AWS, AVEPoint), and on Premises (NetBackup, Azure, AWS) • Integration of Multifactor Authentication solution trough tout the enterprise in alignment with the company with the policy requirements. • Identity and Access management strategy integrating a number of domains (user identity domain, management domains, customer identity domains) across the enterprise and cloud (Azure, O365) with the integration of external federation (B2B, B2C) • Redesign of existing Active directory, integration with Azure and office 365 identities; simplification of the OU structure and implementation of brand new set of Group Policies to enforce the security policies. • Strategy for Privileged access management with focus on consolidation of a Role Based Access control throughout various domains and Cloud Access management • Definition of Monitoring and Alerting Strategy to consolidate multiple log sources (Azure Logs, Azure OMS, Security, SIEM LogRhythm) into a minimum number of dashboards (Security Centre, LogRhythm…) identifying alerting mechanism, Actionable events and playbooks • Strategy to control Cloud interaction with external and internal API calls and delivery of guideline to secure Azure automation using principles and protecting API. • Security review of the Git Hub integration with Azure. Code review of the JSON and PowerShell script used for Azure VM provisioning • Server and workstation hardening guidelines and enforcement of the security policies at all stages of VM lifecycle using Azure automation, GPO, scripting, and secure application delivery. • Setup of the architecture authority practice, acting as lead architect, definition of process and procedures to enforce projects and design governance in line with the cloud transformation. • Definition of the architecture pre/during/post cloud transition, with focus on alignment to the security strategy; • Definition of template and models to aid the architecture and Design Authority process and procedures: requirement capture methodology, HLD and LLD templates, configuration blueprints • Lead implementer of ISO27001 controls and assistance in achieving the certification.

Enterprise Security Architect

HCA International UK 3 months

• Baseline the current security posture of HCA network via audit. Built reference security architecture (conceptual, logical and physical). Proposed architectural improvement in line with tactical and strategic security goals. • Architectural model to integrate the AwS and Azure cloud platform into existing Datacentre (AD, Federated Identity, SSO with Cloud services) • Definition with senior management of the tactical and strategic goals in line with the defined and prioritized risks. • Audit on assets and services and pattern provide input on improvement according to industry best practice and risk mitigation strategy. • Identification of Architecture pattern/blueprint/artefacts, assessment of their current status and security posture and provide recommendations. • Assessment of the security posture and maturity of the control. Recommendation report for control improvement based on industry best practice and specific organization requirements and risks mitigation. • Defined Baseline and tailored to HCA requirements, Mapping the security controls to ISO 27001, COBIT, ITIL and NIST. • Definition of template to aid the architecture and Design Authority process and procedures: requirement capture methodology, HLD and LLD templates, configuration blueprints • Support for new initiative integrating the Security Architecture in project lifecycle and integrating security requirement whenever needed. • Defined reference architecture for SIEM monitoring, refined the log sources and type of log collected. • Definition of log sources audit policy for logging: Windows, Active Directory, Network, IDS/IPS, HIDS/HIPS and End Point Protection • Migration of Websense Web filtering, DLP, and E-mail filtering in the Cloud; integration of the Websense cloud with Egress E-mail Encryption • Security SME for Projects: Symantec EPPS, AirWatch MDM, ForcePoint/Websense Content Filtering/E-Mail filtering, Azure VM, Citrix 6.5 NetScaler and VDI, Egress E-mail Encryption, AD Federation with SSO/ SAML using F5 APM, F5 APM/LTM/GTM modules.

Security Architect/Cloud Architect

British Telecom UK 2 Years

• Integrated the new service in the customer’s network (workshops, consultancy to define new service’s requirements, HLD/LLD, Implementation Plans reviews) • Security contribution to the migration strategies from classic datacentre to cloud IAAS providers. • Consultancy and risk assessment for IAAS provider integration with the customer’s legacy and existing infrastructure. • Strategic security and infrastructure changes to comply with PCI-DSS v3 requirements. • Provided Consultancy on IAM technologies and strategies of migration and integration from legacy services to CyberArk. Secure Deployment of the IAM solution in line with the business risk profile. • Strategic support in the SIEM program with the migration from old Log collector technique to new SIEM platforms (SPLUNK). Integration of multiple 3rd parties with risk analysis depending on responsibility divisions (PAAS and IAAS providers). Secure Integration of SPLUNK frontend with 3rd parties log analysis providers. • Analysed firewall and logs from various SIEM technologies (MLR, SPLUNK, Skybox) to provide service flow analysis and recommendations on protocol to securely allow in the infrastructure. • Provided support in the deployment of virtualized SIEM and SPLUNK solution. • Integrated and controlled the interaction with CDN network (Akamai) for Wireless. • Penetration test scope and evaluation for new services in multiple scenarios (black box, grey box etc.). Impact assessment and risk analysis of the penetration test report with recommendation on the changes necessary to comply with the penetration report. • Disaster recovery and backup strategy for mixed environment (physical and virtualized) with multiple DR sites (using NetBackup platform).

Security Consultant and Architect

Vodafone Group UK 9 months

• Reviewed and amended high level security policy and strategy for Network Zoning • Zoning documentation framework with designed guidelines to segment the network into Zones, details on the Zones interaction, process and procedures to map existing and new services into Zones, and identification of the Zone’s technical security controls to mitigate security risks. • Security audit of datacentres for telecom equipment and hosted service and proposed recommendations on the following areas: DDoS (Arbor), WAF, Proxy, SIM card protections, Voicemail protection. Interaction with SME, service owners, and datacentre SPOC to lead and coordinate the implementation of recommended security controls.

IT Security Consultant/ Security Architect

Technet5 Years

• Architecting and reviewing identity and access management • Architecting Datacentre and branch office transformations • Designing WAN and LAN connectivity solution with acceleration, security and resiliency embedded • Network and Security Instructor specialised in Cisco and Microsoft training;