Identity and Data Security Architect

Job Description

Job Description

Aqueduct Technologies is seeking an Identity and Data Security Architect to serve as a senior, customer-facing technical architect responsible for designing, enforcing, and operationalizing identity- and data-centric security controls that govern access to sensitive data across hybrid and cloud environments. This is an architect-level, player/coach role with a strong hands-on bias.

 

Operating above the infrastructure and network layers, you will focus on how human and non-human identities interact with data, applications, APIs, and AI systems. You will translate business risk, regulatory requirements, and governance policy into enforceable technical controls which you design, deploy, and optimize. In short, you will make who can access what enforceable everywhere.

Core Responsibilities:

• Data Visibility & Posture Management
• Lead DSPM-led data discovery and posture management deployments across cloud, SaaS, and data platforms
• Lead discovery engagements to identify where sensitive data resides, how it is accessed, and where controls break down
• Translate findings into prioritized technical roadmaps aligned to business impact and cyber risk

Identity & Access Architecture

• Own the data access control plane and operate alongside secure access and network security architectures
• Design controls that govern who can access sensitive data independent of how or where users connect, including SaaS, APIs, and AI workloads
• Define access models for human users, service accounts, and application and API workloads
• Implement conditional access, lifecycle governance, and identity controls tied directly to data sensitivity

IAM / IGA Platform Architecture & Configuration

• Architect and configure IAM and IGA platforms such as Microsoft Entra ID and Okta
• Personally architect, configure, and validate identity and data security platforms

Enforcement & Data Controls

• Translate DSPM findings into enforcement actions, including entitlement reduction, access governance changes, DLP and browser-based control updates, and API access restrictions
• Design and enforce DLP strategies for data at rest and data in transit, aligned to classification and identity context
• Implement browser- and endpoint-based data controls using secure access technologies as appropriate
• Architect API and non-human identity security models using identity-based authentication and authorization
• Reduce risk from token misuse, over-privileged APIs, long-lived secrets, and lateral data movement

Data Platform Security

• Secure data lakes, warehouses, and lakehouses using identity-aware access, classification, and policy enforcement

AI / ML & LLM Workload Security

• Design controls governing access to data used in analytics, AI/ML, and LLM-enabled workloads
• Address AI-specific risks including data leakage, unauthorized access, and model abuse

Delivery Leadership & Solution Quality

• Act as a player and coach on larger engagements, providing design leadership while contributing directly to execution
• Ensure solutions are functional, testable, and enforceable

Resilience, Incident Readiness & Recovery

• Design identity and data access controls that function during incidents, recovery events, and degraded operating states
• Align architectures with incident response, cyber recovery, and BC/DR plans

Internal Standards & Presales Support

• Develop internal reference architectures, patterns, and delivery standards for identity and data access security
• Support presales and solution shaping by articulating clear, outcome-based security approaches

Required Skills & Qualifications:

• 6+ years of progressive experience in identity, data security, or access governance roles, ideally within consulting, professional services, or complex enterprise environments
• Demonstrated ability to own outcomes end-to-end, from strategy through hands-on implementation
• Hands-on experience deploying and operationalizing DSPM platforms (Cyera, Laminar) as a core security control
• Strong experience with IAM and IGA platforms such as Entra ID, and Okta including access governance and enforcement
• Practical experience using tools such as Cyera, Laminar, BigID and Varonis to perform data discovery, classification, masking, DSPM, and DLP
• Solid understanding of identity-based API authentication and authorization
• Understanding of modern cloud, data platforms, and identity-aware application architectures
• Working knowledge of incident response, business impact analysis, and BC/DR concepts as they relate to identity and data access
• Strong customer-facing communication skills, comfortable with engineers and executive stakeholders
• Note: Experience focused primarily on network security or secure service edge platforms without meaningful exposure to data discovery and access governance is unlikely to be sufficient for this role.

Preferred Certifications:

• CISSP or CCSP
• Microsoft SC-100 (Cybersecurity Architect Expert)
• Okta Consultant or Administrator certification, or equivalent IAM certification

Aqueduct Technologies is committed to developing a diverse and talented team. We celebrate and support diversity and are committed to making an inclusive environment for all employees and applicants including women, minorities, individuals with disabilities, members of the LGBTQIA community, veterans, and any other legally protected group. We are an Equal Opportunity Employer and do not discriminate against any employee or applicant on the basis of any status protected by federal, state, or local laws.

 

Aqueduct Technologies is one of the largest IT solutions providers in the US, recognized for our relentless pursuit of customer satisfaction, our corporate culture, technology leadership, and our commitment to the local community. We pride ourselves on our world-class engineering, the investments we make in our employees and our systems, and on our loyal base of customers and manufacturers. Recognized as one of the fastest-growing, private companies in Massachusetts—and awarded the Best Place to Work in Boston for six, consecutive years—there is no better time to join Aqueduct than now!

We may use artificial intelligence (AI) tools to support parts of the hiring process, such as reviewing applications, analyzing resumes, or assessing responses and identifying potential inconsistencies or verification signals in application materials based on available information. These tools assist our recruitment team but do not replace human judgment. Final hiring decisions are ultimately made by humans. If you would like more information about how your data is processed, please contact us.