Senior Privileged Access Management Engineer

Position Overview

Senior Privileged Access Management (PAM) Engineer – Team Lead
Overview

We are seeking a highly skilled and motivated Senior PAM Engineer – Team Lead to join the Identity and Access Management (IAM) team. This is a hands-on technical leadership role, ideal for someone who thrives in dynamic environments and is passionate about Security, PAM, Automation, and Machine Identity Management.

This role will focus on CyberArk Privilege Cloud and Venafi TLS certificate management, supporting a hybrid enterprise environment spanning Active Directory, Azure, and AWS.

Key Responsibilities

• Manage and enhance privileged access lifecycle capabilities using CyberArk Privilege Cloud, including credential vaulting, session management, privileged session monitoring, and Just-in-Time (JIT) access.

• Design and implement PAM solutions aligned with organizational security standards, including least privilege enforcement, credential rotation, session isolation, and privileged access workflows across enterprise systems.

• Lead engineering initiatives to integrate PAM controls across infrastructure and applications, including Active Directory, Azure AD, AWS IAM, and cloud-native services.

• Develop and maintain machine identity management solutions using Venafi, including TLS certificate lifecycle management, automation of certificate issuance/renewal, and integration with enterprise platforms and DevOps pipelines.

• Architect and implement automation frameworks and accelerators to streamline PAM and certificate management processes, improving scalability, auditability, and operational efficiency.

• Analyze and troubleshoot PAM and certificate management system issues, conducting root cause analysis and implementing durable solutions to improve system reliability and security posture.

• Collaborate with infrastructure, security, DevOps, and application teams to onboard systems into CyberArk and Venafi, ensuring consistent enforcement of privileged access and certificate policies.

• Monitor PAM and machine identity platforms to ensure performance, availability, and compliance with organizational policies and SOPs. Lead response efforts for critical incidents involving privileged accounts or certificate outages.

• Provide technical leadership and mentorship to junior engineers, promoting best practices in PAM, automation, and secure design.

• Drive continuous improvement by researching emerging PAM and machine identity trends, including secrets management, workload identity, and cloud-native privilege models.

• Develop and maintain documentation including architecture diagrams, onboarding guides, SOPs, and knowledge base articles for PAM and certificate management operations.

Qualifications

• Proven experience implementing and managing CyberArk Privilege Cloud in an enterprise environment, including vaulting, CPM, PSM, and session management.

• Hands-on experience with Venafi (or similar certificate lifecycle management platforms) for managing TLS/SSL certificates at scale.

• Strong understanding of PAM principles, including least privilege, credential management, session monitoring, JIT access, and privileged threat mitigation.

• Experience working in hybrid environments with Active Directory, Azure AD, and AWS IAM.

• Proficiency in scripting and automation (e.g., PowerShell, Python) and experience with automation platforms (e.g., Azure Automation, AWS Lambda, CI/CD pipelines).

• Familiarity with authentication and authorization mechanisms, including Kerberos, LDAP, SAML, OAuth, OpenID Connect, and secrets/token-based authentication.

• Experience integrating PAM solutions with enterprise systems using REST APIs, secure authentication methods, and service accounts.

• Strong understanding of TLS/SSL, PKI concepts, certificate authorities, and cryptographic standards.

• Excellent communication and collaboration skills, with the ability to work across technical and business teams.

• Ability to lead technical initiatives and deliver results without direct managerial authority.

Preferred Qualifications

• CyberArk certifications (e.g., CyberArk Defender, Sentry, or Guardian).

• Experience with DevOps and secrets management tools (e.g., HashiCorp Vault, Kubernetes secrets, Azure Key Vault, AWS Secrets Manager).

• Familiarity with compliance and regulatory frameworks (e.g., SOX, HIPAA, PCI-DSS, NIST).

• Experience with cloud-native PAM capabilities (e.g., Azure Privileged Identity Management (PIM), AWS IAM Access Analyzer).

• Knowledge of containerized and microservices environments and their impact on privileged access and certificate management.

Base Salary Range

At Zelis we are committed to providing fair and equitable compensation packages. The base salary range allows us to make an offer that considers multiple individualized factors, including experience, education, qualifications, as well as job-related and industry-related knowledge and skills, etc. Base pay is just one part of our Total Rewards package, which may also include discretionary bonus plans, commissions, or other incentives depending on the role.

Zelis’ full-time associates are eligible for a highly competitive benefits package as well, which demonstrates our commitment to our employees’ health, well-being, and financial protection. The US-based benefits include a 401k plan with employer match, flexible paid time off, holidays, parental leaves, life and disability insurance, and health benefits including medical, dental, vision, and prescription drug coverage.

Equal Employment Opportunity  
Zelis is proud to be an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws. 
 
We welcome applicants from all backgrounds and encourage you to apply even if you don’t meet 100% of the qualifications for the role. We believe in the value of diverse perspectives and experiences and are committed to building an inclusive workplace for all. 

Accessibility Support 
We are dedicated to ensuring our application process is accessible to all candidates. If you are a qualified individual with a disability or a disabled veteran and require a reasonable accommodation with any part of the application and/or interview process, please email [email protected]. 

Disclaimer 

The above statements are intended to describe the general nature and level of work being performed by people assigned to this classification. They are not to be construed as an exhaustive list of all responsibilities, duties, and skills required of personnel so classified. All personnel may be required to perform duties outside of their normal responsibilities, duties, and skills from time to time.