UST
Website:
ust.com
Job details:
Role Description
Identity Security Engineer
Function: Security Architecture & Engineering
Reports to: Identity Security Architect & IGA Service Owner
Location: India (Trivandrum, Bangalore or Hyderabad)
Role Overview
UST is looking for an Identity Security Engineer to own the engineering and operational delivery of identity security controls across the enterprise. Identity is UST's primary security control plane; this role exists to make it robust, resilient, and difficult to abuse.
This is not just an IGA administration role. The focus is security: closing identity-based attack paths, enforcing least privilege, eliminating orphaned and over-privileged accounts, securing non-human and AI-driven identities, and ensuring that identity signals feed detection and response. The platforms (IGA, IAM, NHI controls) are the means to that end.
The engineer works directly under the Identity Security Architect & IGA Service Owner and is the primary technical resource responsible for building, automating, and operating identity security controls across the full identity lifecycle. This is a build-and-operate role: ownership includes both engineering delivery and the ongoing security integrity of what is built. The expectation is engineering-led operations: automation-first, security-outcome-focused, with continuous improvement built in.
Key Responsibilities
- IGA - Identity Lifecycle Security
- Engineer the IGA platform to enforce secure identity lifecycle controls. The goal is not a functioning workflow engine; it is zero orphaned accounts, enforced least privilege, and audit-ready access governance
- Build and automate Joiner-Mover-Leaver controls ensuring access is granted only when it should be, scoped correctly, and revoked without delay
- Engineer SoD rule enforcement and automated violation detection, reducing the window between a violation occurring and being closed
- Implement access certification campaigns that are meaningful, not ceremonial - right reviewers, right scope, automated remediation of uncertified access
- Build provisioning connectors with security controls embedded - least privilege defaults, approval gates, and deprovisioning automation
- Engineer repeatable evidence collection for audit and compliance - access reviews, provisioning logs, and certification completion rates
- Own platform change and release engineering - ensuring changes are tested, controlled, and do not introduce access regressions
- IAM - Authentication & Access Security
- Engineer and harden IAM integrations across Entra ID and other identity providers, with a focus on reducing authentication attack surface, not just enabling access
- Implement and validate federation and SSO configurations (SAML, OAuth 2.0, OIDC) - including token security, claim scoping, and session controls
- Build and maintain SCIM provisioning integrations - ensuring over-provisioning is structurally prevented, not just periodically reviewed
- Engineer Conditional Access and identity protection policies - risk-based controls, not blanket policies
- Build automation for directory hygiene - stale account detection, group membership enforcement, and privilege creep remediation
- Non-Human Identity (NHI) Security
- Engineer controls to reduce the NHI attack surface - service accounts, API keys, workload identities, bots, and automation credentials are a primary lateral movement vector and must be treated accordingly
- Build lifecycle governance for NHIs: ownership enforcement, automated rotation, and decommissioning, eliminating the long-lived, unowned credential as a risk class
- Integrate secrets vaults into application and workload pipelines - replacing static credentials with dynamic, short-lived secrets
- Implement workload identity federation for cloud-native workloads - removing the need for stored credentials entirely where possible
- Engineer detection for NHI abuse - identifying stale, over-privileged, or anomalously behaving machine identities before they are exploited
- AI & Agentic Identity Security
- Implement security controls for AI agent and copilot identities - scoped credentials, token lifecycle management, and enforced least privilege
- Build data access governance controls for AI pipelines - ensuring AI systems access only what they need, with full auditability
- Engineer controls to prevent and detect API key sprawl, over-permissioned AI service accounts, and credential misuse by AI systems
- Identity Threat Detection & Response
- Engineer identity signal feeds into SIEM, UEBA, and EDR/XDR platforms - ensuring identity events are visible and actionable in detection workflows
- Build and tune detection logic for identity-based attack patterns: credential abuse, privilege escalation, service account misuse, and impossible travel
- Investigate identity-related security events and support incident response - tracing access paths, containing compromised identities, and remediating the root cause
- Proactively hunt for identity risk: over-privileged accounts, dormant credentials, shadow access, and SoD violations
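As an added illustration of the "impossible travel" detection logic named in the Identity Threat Detection & Response bullet (this is example code, not UST's own tooling), the block below scores consecutive sign-ins per user by the ground speed they imply. The event shape, the coordinates, the 900 km/h ceiling and the 50 km jitter floor are all assumptions; the sample events are constructed, not real log data.

```python
# Added example, not UST's code: impossible-travel detection over constructed
# sign-in events. The event shape loosely mirrors an IdP sign-in log but is an
# assumption, as are the coordinates and the speed/distance thresholds.
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumption: roughly commercial airliner speed
MIN_DISTANCE_KM = 50.0           # assumption: ignore geo-IP jitter inside one metro area

# Constructed sample sign-in events (not real log data).
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "time": "2024-05-01T09:00:00Z", "lat": 12.9716, "lon": 77.5946, "ip": "203.0.113.10"},
    {"user": "alice@example.com", "time": "2024-05-01T10:30:00Z", "lat": 50.1109, "lon": 8.6821,  "ip": "198.51.100.7"},
    {"user": "bob@example.com",   "time": "2024-05-01T08:00:00Z", "lat": 17.3850, "lon": 78.4867, "ip": "203.0.113.20"},
    {"user": "bob@example.com",   "time": "2024-05-01T11:00:00Z", "lat": 8.5241,  "lon": 76.9366, "ip": "203.0.113.21"},
    {"user": "carol@example.com", "time": "2024-05-01T09:00:00Z", "lat": 12.9716, "lon": 77.5946, "ip": "203.0.113.30"},
    {"user": "carol@example.com", "time": "2024-05-01T09:02:00Z", "lat": 12.9352, "lon": 77.6245, "ip": "203.0.113.31"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_time(s):
    """Parse the constructed ISO-8601 UTC timestamp used in SAMPLE_EVENTS."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH,
                      min_distance_km=MIN_DISTANCE_KM):
    """Return one alert dict per consecutive sign-in pair (per user) whose implied
    ground speed exceeds max_speed_kmh. Pairs closer than min_distance_km are
    skipped so that geo-IP jitter within a city does not fire an alert."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)

    alerts = []
    for user, evs in by_user.items():
        evs = sorted(evs, key=lambda e: parse_time(e["time"]))
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < min_distance_km:
                continue
            hours = (parse_time(cur["time"]) - parse_time(prev["time"])).total_seconds() / 3600.0
            # Identical timestamps with a real distance between them: treat as infinite speed.
            speed = float("inf") if hours == 0 else dist / hours
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from_ip": prev["ip"],
                    "to_ip": cur["ip"],
                    "distance_km": round(dist, 1),
                    "hours": round(hours, 2),
                    "speed_kmh": round(speed, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_EVENTS):
        print(alert)
```

Run as a script it flags only alice (Bangalore to Frankfurt in 90 minutes); bob's Hyderabad to Trivandrum hop over three hours is plausible, and carol's two sign-ins a few kilometres apart fall under the jitter floor. In production the same pairing logic would run over SIEM-ingested sign-in events and the thresholds would be tuned per tenant.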
- Security Compliance & Access Risk
- Engineer evidence collection and access review processes to support ISO 27001, SOC 2, and applicable regulatory requirements - automated and repeatable, not manual and point-in-time
- Identify and close access risk gaps: orphaned accounts, excessive entitlements, SoD violations, and uncertified access
- Contribute to risk reporting by surfacing identity risk metrics - not just activity logs
- Documentation & Engineering Standards
- Maintain build documentation, runbooks, and operational procedures for all identity security controls owned
- Document integration patterns and security configuration standards to ensure consistency across the identity ecosystem
- Feed operational insight back to the Identity Security Architect - surfacing gaps, emerging risks, and improvement opportunities from the engineering layer
Required Experience
- 5+ years in IT/security, with at least 3 years in hands-on identity security engineering, not IAM administration
- Proven experience implementing enterprise IGA platforms; SailPoint or Saviynt strongly preferred
- Practical experience with Entra ID, Okta, or equivalent IAM platforms: security configuration, not helpdesk-level administration
- Working knowledge of SAML, OAuth 2.0, OIDC, and SCIM - able to implement and troubleshoot, not just describe
- Experience securing non-human identities - service accounts, API keys, secrets vaults, workload identity
- Scripting or automation capability (PowerShell, Python, or equivalent) - used to eliminate manual identity operations, not just run reports
- Understanding of identity-based attack techniques: credential abuse, privilege escalation, lateral movement via service accounts
- Familiarity with Cloud IAM across at least one of AWS, Azure, or GCP
- Experience producing compliance evidence and supporting security audits
What Good Looks Like
The right person thinks like a security engineer who specialises in identity, not an IAM engineer who handles security on the side. They understand how identity gets abused: credential theft, privilege escalation, lateral movement through service accounts, SoD bypass. They build controls with that threat model in mind, automate away the manual work, and feed signal back into detection. They do not wait for the architect to tell them something is a risk; they find it, flag it, and fix it.
Preferred Qualifications
- SailPoint or Saviynt certifications
- Experience with PAM platforms (e.g., CyberArk, BeyondTrust) and privileged access security controls
- Hands-on experience with SIEM or UEBA platforms from an identity threat detection perspective
- Understanding of identity attack techniques - MITRE ATT&CK coverage across credential access, privilege escalation, and lateral movement
- Exposure to Zero Trust architecture and how identity security controls underpin it
Skills
Identity governance and administration, Zero Trust security, PowerShell, Python, SCIM, OIDC, OAuth 2.0