Irvine, California, United States
A dedicated security software engineer and architect with a passion for innovation and technology, I thrive on developing cutting-edge solutions that enhance both user experience and security. My extensive background in enterprise security, distributed systems and enterprise storage, combined with my commitment to fostering collaboration between cross-functional teams, allows me to effectively translate complex security requirements into actionable plans that drive product excellence and protect sensitive data.
Hands-on architect, individual contributor and project lead for the Identity and Access Management (IAM) team for NetApp's flagship ONTAP product line:
• Bridge the gap between Product Management and Engineering development teams to identify and clarify security-related requirements.
• Wrote architectural and functional specs, mentored engineers.
• Led the requirements, design and implementation of the OAuth 2.0 Service Provider (SP) in ONTAP. Identity Provider integrations include Keycloak, Microsoft ADFS and Entra ID, PingIdentity and Auth0.
• Designed BlueXP SaaS advanced security features for centralized visibility and administration, such as Dynamic Authorization/Adaptive Authentication, using Docker and Golang.
• Led the design and implementation for supporting groups in SAML 2.0 for ADFS and Microsoft Entra ID.
• Worked with Product Management and initiated many features for Zero Trust technologies such as Just-in-Time Privilege Elevation (Principle of Least Privilege), Adaptive Authentication/Dynamic Authorization, and phishing-resistant MFA (FIDO2/WebAuthn).
MapR Technologies was acquired by Hewlett-Packard Enterprise. MapR's Converged Data Platform is now HPE Ezmeral Data Fabric:
• Proposed, architected, designed, and implemented the FIPS 140-2 Level 1 solution for the HPE Ezmeral Data Fabric platform, including HPE Ezmeral ecosystem components such as Spark, Hive, and Oozie.
• Worked with security architects and engineers from multiple teams and partners such as Red Hat and SafeLogic.
• Proposed, architected, designed and implemented Dynamic Data Masking (DDM) for the HPE Ezmeral OJAI-compliant NoSQL MapR-DB.
• Designed and implemented enhancements to the MapR-SASL authentication protocol for cross-cluster authentication for applications such as Apache Drill, Hive, and Oozie. This is a plug-in to the Java SASL framework using challenge-response authentication.
• Investigated and proposed Single Sign-On (SSO) integration options for Kerberos and Keycloak into the Ezmeral core platform. This includes OIDC/OAuth 2.0 and client certificate authentication.
• Investigated integration solutions for Amazon IAM (Identity and Access Management) and STS (Security Token Service) into the HPE Ezmeral core platform.
• Architected, designed and developed the Key Management Interoperability Protocol (KMIP) client in the HPE Ezmeral Data Fabric platform. Worked with KMIP partners to provide integrations with key management products, including Utimaco ESKM, Gemalto SafeNet KeySecure, Vormetric DSM and HashiCorp Vault.
• Integrated the KMIP client into the Kubernetes-based HPE Ezmeral Container Platform (ECP), now called HPE Ezmeral Runtime Enterprise.
• Assessed security vulnerabilities, consulted with various development teams on FIPS 140-2 compliance, and recommended and/or provided security fixes in Emergency Break Fixes (EBFs).
As a Security Architect, my role is to ensure that MapR's flagship Big Data Converged Platform product meets the stringent security requirements of major corporations. I bridge the gap between Product Management and various engineering divisions to add or enhance security features in MapR's products. Most development is done using Java and C/C++:
• Hands-on individual contributor in the MapR-FS (former) and MapR-DB team, contributing to the design and development of NoSQL distributed database features in Java and C/C++, including:
  - OJAI (Open JSON Application Interface) DB client-side and server-side security enhancements
• Enhanced MapR-DB to add policy-based security to control data access. This involved enhancing both the DB client and server operations such as PUT, SCAN and GET.
• Enhanced the MapR file system and Container Location Database (CLDB) to add security features on both the client and server side.
• Wrote scripts for configuring security across multiple clusters using MapR tickets, a lightweight and faster alternative to Kerberos tickets.
• Worked with various platform and ecosystem teams (including Apache Hadoop, Hive, Grafana, Kibana, Oozie) to enhance security features.
• Designed and developed a client-side API for challenge-response REST authentication using MapR tickets. Tested with Apache Oozie's REST server.
• Fixed various security-related bugs in areas such as AES encryption, PAM/jPAM, Apache Hive and Hive Metastore, Apache ZooKeeper, and Apache Hadoop.
• Worked with Product Management and other teams to define security architecture and new security product offerings using technologies such as NoSQL, Google protocol buffers, RPC, file systems, and data classification.
• Upgraded Apache ZooKeeper to add server-to-server authentication with MapR SASL and the Java Authentication and Authorization Service (JAAS).
• Used Docker containers with Gradle and SCons for builds, and Mercurial/Bugzilla/Git/JIRA.
• Provided technical leadership to the Enterprise Secure Key Manager (ESKM) product development team. Mentored junior engineers, liaised with management on release dates and features.
• Worked with HP StoreOnce and other partners to integrate their storage products with ESKM over KMIP (Key Management Interoperability Protocol).
• Integrated the Key Management Interoperability Protocol (KMIP) into ESKM. Technologies include OpenSSL/AES/RSA and other cryptographic algorithms in C/C++, high availability/clustering, Postgres/MySQL databases, as well as an HTTP server and HTML/JavaScript.
• Upgraded OpenSSL, OpenSSH and SNMP in ESKM.
• Investigated new products to add to our portfolio and developed prototypes. This includes integrations with Apache Hadoop using the KeyProvider API over KMIP, HPE Helion (OpenStack) over Barbican/PKCS#11/KMIP in C/Python, and Oracle TDE/PKCS#11/KMIP in C/C++.
• Led a high-profile project to develop a FIPS 140-2 Level 3 HSM key management appliance in Linux/C/C++ using the Cavium Nitrox HSM. Worked with security architects to ensure FIPS 140-2 Level 3 compliance.
• Initiated and led the development of the PKCS#11/KMIP library, written in C/C++, to allow KMIP clients to integrate with ESKM over KMIP on Windows and Linux.