- Associate Director of Identity and Access Management
Description
Equal Employment Opportunity/M/F/disability/protected veteran status
Location: Albany, NY
Category: Administrative
Posted On: Fri Dec 5 2025
Job Description:
Job Description for Associate Director of Identity and Access Management
JOB SUMMARY
The Associate Director of Identity and Access Management is the authoritative architect and operational owner of the enterprise-wide identity fabric at NY Creates (NYC), responsible for the end-to-end design, implementation, hardening, integration, and lifecycle governance of hybrid identity systems encompassing on-premises Active Directory (AD), Microsoft Entra ID (Azure AD), and a mature Identity Governance & Administration (IGA) platform. This role drives the strategic convergence of authentication, authorization, privileged access, and compliance workflows across research labs, semiconductor cleanrooms, HPC clusters, cloud workloads (AWS, Azure, GCP), OT/ICS environments, and federated partner ecosystems.
With elite engineering depth in Kerberos, LDAP, OAuth 2.0/OIDC, SCIM provisioning, zero-trust policy enforcement, and IGA rule engines, the Associate Director of Identity and Access Management translates regulatory mandates (NIST 800-171, CMMC 2.0) and business requirements into scalable, automated identity controls while eliminating orphan accounts, enforcing least privilege, and enabling seamless just-in-time (JIT) access. The incumbent operates with forensic rigor during privilege escalations, automates at enterprise scale, mentors identity engineers, and serves as the final escalation for all authentication or entitlement anomalies.
Job Responsibilities include but are not limited to:
- Own the full Microsoft identity stack: on-premises Active Directory (multi-forest/domain, ADFS, AD CS), Entra ID (Conditional Access, Identity Protection, PIM), and Entra ID Connect synchronization with health monitoring and failover.
- Design and deploy an enterprise IGA solution (SailPoint IdentityIQ/IdentityNow, Saviynt, OneIdentity, or Microsoft Identity Manager); implement birthright provisioning, access request portals, certification campaigns, and role-based and attribute-based access control (RBAC/ABAC).
- Engineer zero-trust authentication flows: passwordless (FIDO2, Windows Hello for Business), MFA (push, TOTP, certificate), and SSO federation (SAML 2.0, WS-Fed) for 100+ SaaS, custom, and legacy applications.
- Build and enforce privileged access management (PAM): JIT elevation via Entra ID PIM, CyberArk, BeyondTrust, or HashiCorp Vault; session recording, keystroke auditing, and credential rotation for service accounts and admin jump boxes.
- Automate SCIM/REST provisioning connectors to HRIS (Workday, UKG), CMDB, cloud platforms, and research tools; maintain 99.99% sync SLA with error-handling and rollback.
- Develop and operationalize identity risk analytics: UEBA via Entra ID Identity Protection, risky sign-in suppression, impossible travel detection, and anomalous token issuance.
- Lead annual access certification campaigns; design segregation-of-duties (SoD) matrices for finance, research IP, and fab operations; remediate violations with automated deprovisioning.
- Integrate IAM with SOAR for automated incident response: isolate compromised identities, force MFA reset, and quarantine devices via Intune/Endpoint Manager.
- Produce executive dashboards (Power BI, Entra ID reports) on identity hygiene metrics: orphan accounts, stale privileges, MFA adoption, and certification completion; support CMMC, NIST 800-171, and audit evidence.
- Conduct red-team validated privilege escalation exercises; harden GPOs, LDAP signing, Kerberos armoring, and Entra ID app consent policies.
- Author and enforce identity policies, standards, and procedures aligned to NIST 800-63B, NIST 800-53 AC/IA families, CIS AD benchmarks, and CMMC 2.0 IA.L2-3.5.x controls.
- Train and mentor Tier 1/2 analysts on AD forensics, Entra ID troubleshooting, and IGA workflow design; develop internal IAM certification path.
- Represent NYC in SUNY IAM working groups, Microsoft EAP programs, and CISA Identity Priority initiatives.
- Critical thinking to trace lateral movement via Golden Ticket, Pass-the-Hash, or token theft across hybrid environments.
- Ability to script complex identity transformations (PowerShell, Graph API, Python) for bulk operations and custom connectors.
- High degree of initiative and dependability, and 24×7 on-call availability for identity outages or credential compromise incidents.
- Effective oral & written communication skills, including board-level identity risk briefings, regulatory submission authorship, and technical RFCs.
Job Requirements:
Minimum Requirements for Associate Director of Identity and Access Management
- Minimum of eight (8) years of progressive identity engineering experience with at least five (5) years exclusively in enterprise IAM program leadership, hybrid AD/Entra ID architecture, and IGA platform ownership in regulated research, federal contractor, or critical manufacturing environments (5,000+ identities, multi-forest, cloud-native apps).
- Bachelor's degree in Cybersecurity, Computer Science, Information Systems, or a related STEM field from an accredited institution; master's degree preferred. Equivalent Microsoft Identity MVP or military cyber identity operations training accepted.
- Knowledge of information security management frameworks such as the NIST Cybersecurity Framework, NIST Special Publication 800-171, or CIS 18 Critical Security Controls.
This position is contingent on the satisfactory completion of a background check.
Preferred Requirements
Microsoft identity certifications preferred:
- Microsoft Certified: Identity and Access Administrator Associate (SC-300)
- Microsoft Certified: Azure Security Engineer Associate (AZ-500) - IAM focus
- Microsoft Certified: Cybersecurity Architect Expert (SC-100)
IGA platform certifications preferred:
- SailPoint Certified IdentityIQ Engineer OR IdentityNow Professional
- Saviynt Certified Administrator
- OneIdentity Manager Certified Professional
Additional elite certifications strongly preferred:
- Certified Identity and Access Manager (CIAM)
- Certified Information Systems Security Professional (CISSP) - IAM domain
- GIAC Certified Windows Security Administrator (GCWN)
Don't meet every requirement? At NY Creates we are dedicated to building a welcoming workplace. If you are excited about working for NY Creates but your experience doesn't align perfectly with the job description, we encourage you to apply anyway; you might still be a perfect fit for this role or for another role at NY Creates.
Benefits
- Medical, Vision, and Dental
- Competitive Pay and PTO
- Flexible Health Spending and Dependent Care Accounts
- Basic / Optional Life Insurance
- Post-Retirement Health Insurance
- Employer contribution of 7% of earnings to a Basic Retirement plan after one year of service.
- Optional employee contributed retirement account
Location: 257 Fuller Road, Albany, NY 12203
Salary Range: $120,000 - $175,000*
*Posted salary rates are determined based on experience and education.
Additional Information:
NOTE: Some positions require access to export-controlled commodities, technical data, technology, software, or restricted programs where U.S. Government authorization may be required.
For positions requiring such access, offers of employment are contingent upon the employer being able to obtain the necessary authorization, including, if required, an export license from the U.S. Department of Commerce's Bureau of Industry and Security, the U.S. Department of State's Directorate of Defense Trade Controls, or other government agencies. The decision to pursue an export license application is at The Research Foundation for SUNY's sole discretion. Proof of status may be required prior to employment in connection with necessary authorizations.
Employment is with the Research Foundation for SUNY. The Research Foundation is an Equal Opportunity Employer, including individuals with disabilities and protected veterans.
In compliance with the Americans with Disabilities Act (ADA), if you have a disability and require a reasonable accommodation to apply please call Human Resources at 518-437-8686.