Flexa
Microsoft UK • Multiple Locations, United Kingdom

Security Solution Architecture

Employment type:  Full time

Job Description

Overview

We are seeking an Enterprise Identity Architect with deep, hands-on expertise in Identity & Access Management (IAM) across complex, multi-tenant, and multi-forest estates in the UK defence sector. The role will lead the unravelling of a complex identity landscape, establish a single authoritative master identity model spanning OFFICIAL to SECRET domains, and drive a secure, standards-aligned roadmap built on Zero Trust and defence policy frameworks (including ASP 240 and relevant JSPs).

Key Outcomes (12–18 months)

  • Master Identity Model Delivered: A formalised, documented and implemented authoritative identity data model with clear source of truth, lifecycle, and attribute governance across OFFICIAL and SECRET domains.
  • Consolidation & Simplification: Reduced identity duplication and drift across multiple AD forests/tenants, clear trust/segregation boundaries, and evidence-based access models (RBAC/ABAC) aligned to business roles/missions.
  • Control Maturity Increase: Measured uplift in identity controls (MFA, PIM/PAM, passwordless, privileged isolation, just-in-time access) validated through defence audits and JSP/ASP control evidence.
  • Assured Inter-Domain Patterns: Approved cross-domain identity patterns (e.g., credential brokerage, guard-mediated flows, offline enclave procedures) with formal risk acceptance and assurance artefacts.
  • Legacy Decommission: Defined and executed migration/decommission plans for legacy IdPs, ADFS, and brittle sync pipelines with documented rollback and operational runbooks.

Responsibilities

Enterprise Identity Architecture

  • Define and own end to end IAM reference architectures for OFFICIAL and SECRET domains, including enclave segregation, trust models, and boundary controls.
  • Design authoritative identity sources and golden record schemas (HR, ERP, clearance systems), lifecycle policies (joiner/mover/leaver), and attribute governance.
  • Specify RBAC/ABAC models, entitlement catalogues, role mining, separation of duties (SoD) and privileged access patterns (PAW tiers, admin forest, bastion models).

Technical Strategy & Delivery

  • Lead consolidation/modernisation across Microsoft Entra ID (Azure AD), on-prem AD, MIM/Entra ID Governance, and third-party IGA (SailPoint/Saviynt).
  • Architect MFA/passwordless (FIDO2/YubiKey, smartcard/PIV equivalents), Conditional Access, risk-based access, device trust, PIM and PAM (CyberArk/BeyondTrust).
  • Own identity integration for critical apps (cloud, on-prem, legacy, air-gapped) and cross-domain access patterns via controlled brokers/guards.

Security, Compliance & Defence Governance

  • Map designs and evidence to ASP 240 and applicable JSP guidelines (e.g., JSP 440 Security, JSP 604 Information/IA policies or successors), NCSC guidance, ISO/IEC 27001, and Zero Trust principles.
  • Produce and maintain HLD/LLD, Control Matrices, Risk/Threat Models (STRIDE/ATT&CK), Security Cases, Transition Plans, and Operational Runbooks.
  • Support audits, Design Reviews, IAO/SIRO approvals, security testing, and accreditation evidence.

Change & Stakeholder Leadership

  • Run workshops to untangle legacy identity estates, discover shadow entitlements, and align business/mission owners to a single operating model.
  • Coach engineering and operations teams; establish guardrails, patterns, and reference implementations; guide devsecops integration for identity.

Qualifications

Proven record of accomplishment leading large-scale IAM transformations in the defence sector with mixed classification environments (OFFICIAL, OFFICIAL-SENSITIVE, SECRET).

Deep expertise with:

  • Microsoft Entra ID (Azure AD), Entra Connect/Cloud Sync, MIM/Entra ID Governance, Conditional Access, PIM, tenant to tenant and hybrid patterns.
  • Active Directory (multi-forest consolidation, trusts, tiered admin, admin forests), DNS/PKI (enterprise and offline PKI, CRL/OCSP, HSMs FIPS 140-2/3).
  • PIM, PAW and PAM.
  • MFA/passwordless (FIDO2, smartcards, CAC/PIV-style credentials), credential hygiene, Kerberos/NTLM deprecation strategies.
  • Zero Trust identity controls, RBAC/ABAC, and policy as code approaches.

Aligning all Zero Trust and master identity work to the Enterprise Service Model.

Demonstrable success unravelling complex identity estates (e.g., multiple AD forests, conflicting schemas, brittle sync, overlapping personas) and delivering a master identity model with clean source of truth and lifecycle automation.

Experience defining cross-domain identity patterns for air-gapped or high-side environments, including guard-mediated flows, brokers, one-way trust, and offline credential issuance.

Strong documentation: HLD/LLD, architecture decision records, control mappings (JSP/ASP/NCSC), test plans, migration & decommission plans.

Defence Policy & Standards (Experience Expected)

Note: “ASP 240” nomenclature varies by organisation. Candidates must show experience aligning to ASP 240 (client/authority security policy 240) or equivalent Authority Security Policy requirements, plus:

  • JSP 440 (security) and JSP 604 (information/IA) or successor policy frameworks.
  • NCSC guidance (e.g., MFA, device identity, protective monitoring, cloud security), HMG SPF, ISO/IEC 27001, NIST SP 800‑63 (Digital Identity), NIST SP 800‑207 (Zero Trust).
  • Evidence generation for assurance/accreditation, including control narratives, test evidence, residual risk statements, and operational handover.

Clearance Requirements

  • Baseline: Active DV clearance required at start.
  • Ability to work in secure facilities (up to SECRET), follow need to know, and comply with JSP/ASP handling procedures.
  • Willingness to undergo additional customer specific vetting and adhere to personnel security obligations.

Nice to Have

  • Cross domain solutions (CDS) exposure, data diodes/guards integration with identity.
  • Logging & threat detection integration.
  • Experience migrating from ADFS and legacy IdPs to modern standards (OIDC/SAML).
  • Familiarity with supply chain and partner access hardening (B2B, external identities).
  • Prior work with high-side enclaves, break-glass and operational segregation (PAW, tiering, jump hosts).

Ways of Working

  • Pragmatic architect who can dive hands on to prove patterns, build reference implementations, and mentor engineers.
  • Strong communicator with the ability to translate policy (ASP/JSP/NCSC) into actionable designs and audit ready evidence.
  • Comfortable in multi‑supplier and secure programme environments with formal change, test, and release controls.

Example Deliverables

  • Identity Target Operating Model (policy, process, RACI, service catalogue).
  • Master Identity Data Model (attributes, schemas, authoritative sources, lifecycle).
  • Reference Architectures & Patterns (OFFICIAL ↔ SECRET, cross domain access).
  • Control Matrix & Evidence Pack mapped to ASP 240, JSPs, NCSC.
  • Migration & Decommission Plan with success metrics and rollback.
  • Operational Runbooks (privileged workflows, emergency access, DR/BCP for identity).

This position will be open for a minimum of 5 days, with applications accepted on an ongoing basis until the position is filled.

Microsoft is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to age, ancestry, citizenship, color, family or medical care leave, gender identity or expression, genetic information, immigration status, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran or military status, race, ethnicity, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable local laws, regulations and ordinances. If you need assistance with religious accommodations and/or a reasonable accommodation due to a disability during the application process, read more about requesting accommodations.


Company benefits

Wellbeing allowance
Health insurance
Dental coverage
Gym membership
Mental health platform access
Buy or sell annual leave
Shared parental leave
Charity donation scheme
Employee assistance programme
Employee discounts
Volunteer days – 3 days a year
Fertility treatment leave
Open to compressed hours
Open to job sharing
Fertility benefits
Enhanced sick pay
Enhanced sick days
Compassionate leave
Travel insurance
20 days annual leave + bank holidays
Enhanced maternity leave – 26 weeks paid
Enhanced paternity leave – 6 weeks paid
Adoption leave – 24 weeks paid
Childcare credits
Carer’s leave – 4 weeks paid
Cycle to work scheme
Faith rooms
Annual bonus
Annual pay rises
Company car
Hackathons
Open to part-time employees
Pregnancy loss leave
Life insurance
Equity packages
Financial coaching
Relocation packages
Sabbaticals
Enhanced pension match/contribution
Family health insurance
Learning license
In house training
Personal development days
Pregnancy support
