Customer Identity & Access Management (CIAM) Security Architecture Lead
IDEXX · Worcester, MA · 5 days ago
RemoteRemoteArt & Creative$160k–$180k/yrFull-time
About the role
IDEXX’s Cyber Security and Information Security teams enable a resilient, adaptable, and security-aware enterprise—supporting the technology that delivers trusted products and solutions to customers worldwide. The Customer Identity & Access Management (CIAM) Security Architecture Lead is a senior, high-impact role within the Information Security organization, serving as the primary architectural authority and technical visionary for customer identity across IDEXX’s customer-facing ecosystem.
Responsibilities
- Serve as the security architecture authority for customer identity and access management across all customer-facing products
- Assess the existing Auth0 deployment and lead remediation, reconfiguration, and architectural improvements to meet enterprise security and scale requirements
- Design and evolve an enterprise CIAM architecture that remains portable across other CIAM platforms (e.g., Okta CIAM, Ping Identity, ForgeRock, Microsoft Entra ID)
- Establish CIAM security standards, reference architectures, control requirements, and guardrails aligned with Zero Trust principles and enterprise security strategy
- Develop and maintain a multi-year CIAM roadmap aligned with enterprise goals and digital transformation initiatives
- Define future-state capabilities including SSO, MFA, passwordless authentication, adaptive authentication, modern RBAC/ABAC models, and expansion across B2B and B2C use cases
- Ensure the roadmap addresses remediation of current-state gaps while enabling long-term scalability and consistency
- Architect and govern secure authentication and authorization patterns across diverse customer use cases
- Design and implement federated identity integrations using OIDC, OAuth 2.0, and SAML
- Support customer-managed and federated identity scenarios, including trust boundary definition, assurance levels, and delegated administration models
- Architect secure multi-tenant CIAM models supporting multiple products, customers, and environments
- Design layered administrative and delegated access controls for internal operations and customer administrators
- Ensure administrative access adheres to least privilege, separation of duties, and strong auditability
- Architect CIAM solutions supporting both human customer identities and system, service, and integration accounts
- Define secure API authentication, token lifecycle management, system to system (internal and external) authentication patterns and non-interactive access patterns
- Define security controls, configurations, and assurance requirements for CIAM implementations
- Ensure CIAM solutions integrate with the broader security ecosystem including SIEM/SOAR, IAM/IGA, monitoring, and fraud detection platforms
- Partner with GRC, Security Operations, and Product Security teams to perform threat modeling, support audits, and reduce identity-related risk
- Cross-functional leadership & communication
- Act as the primary CIAM security advisor to Product, Marketing, IT, Engineering, and Platform teams
- Translate complex identity and security requirements into clear, consumable architectural guidance
- Communicate CIAM strategy, risk posture, and progress to VP-level and executive leadership
Requirements
- 8+ years of experience in CIAM/IAM with at least 3 years in a lead or security architecture capacity
- Deep hands-on experience with Auth0 and at least one additional Tier-1 CIAM platform (e.g., Okta CIAM, Ping Identity, ForgeRock, Microsoft Entra ID)
- Expertise in OIDC, OAuth 2.0, SAML, FIDO2/WebAuthn, and SCIM
- Strong understanding of modern application architectures (SPAs, microservices, mobile APIs) and cloud platforms (AWS preferred)
- Proven ability to translate identity risk and architectural gaps into actionable remediation and roadmap decisions
- Strong understanding of Zero Trust principles, identity threat models, logging, monitoring, and auditability
- Proven ability to communicate complex security concepts to technical and non-technical stakeholders
- Proven ability to navigate a matrixed organization to accomplish goals
Qualifications
- Security certifications such as CISSP-ISSAP, CISM, or senior vendor certifications (e.g., Okta or Auth0 Certified Architect)
- Experience with Identity-as-Code, CI/CD pipelines, and Terraform
- Experience integrating CIAM with fraud detection, bot mitigation, or risk-based authentication engines
- Experience supporting CIAM in regulated or high-trust environments such as healthcare or life sciences
- Programming or scripting experience (Python, Java, Go, etc.)
- Experience applying analytics or AI/ML to identity security or anomaly detection
Skills
- Strong understanding of modern application architectures (SPAs, microservices, mobile APIs) and cloud platforms (AWS preferred)
- Proven ability to translate identity risk and architectural gaps into actionable remediation and roadmap decisions
- Strong understanding of Zero Trust principles, identity threat models, logging, monitoring, and auditability
- Proven ability to communicate complex security concepts to technical and non-technical stakeholders
- Proven ability to navigate a matrixed organization to accomplish goals
Benefits
- Base annual salary target: $160000 - $180000
- Opportunity for annual cash bonus and yearly equity award
- Health / Dental / Vision Benefits
- Day-One 5% matching 401k
- Additional benefits including but not limited to financial support, pet insurance, mental health resources, volunteer paid days off, employee stock program, foundation donation matching, and much more!