
Staff IAM Engineer

SoFi
Full Time, Staff
WA - Seattle; UT - Cottonwood Heights; CA - San Francisco; MT - Helena; NY - New York City; TX - Frisco. Posted 6 days ago


Job Description

<div class="content-intro"><p><a href="https://www.sofi.com/sofi-employee-applicant-privacy-notice/" target="_blank"><strong>Employee Applicant Privacy Notice</strong></a></p>
<p><strong>Who we are:</strong></p>
<div>
<p>Shape a brighter financial future with us.</p>
<p>Together with our members, we’re changing the way people think about and interact with personal finance.</p>
<p>We’re a next-generation financial services company and national bank using innovative, mobile-first technology to help our millions of members reach their goals. The industry is going through an unprecedented transformation, and we’re at the forefront. We’re proud to come to work every day knowing that what we do has a direct impact on people’s lives, with our core values guiding us every step of the way. <strong>Join us to invest in yourself, your career, and the financial world.</strong></p>
</div></div>
<h2><span style="font-size: 12pt;"><strong>The Role</strong></span></h2>
<p><span style="font-size: 10pt;">The Staff IAM Engineer is responsible for securing and managing all non-human identities, including service accounts, application identities, machine credentials, APIs, bots, and workloads across on-prem, cloud, and crypto infrastructure. This role ensures that automated and machine-based identities follow the same governance, lifecycle, and least-privilege principles as human users. You will design systems that enable secure authentication, secrets management, and access provisioning for automated services, APIs, and DevOps pipelines. This role directly protects sensitive financial data, crypto custody environments, and transaction systems from privilege misuse, credential leakage, and insider or supply chain threats.</span></p>
<p><span style="font-size: 12pt;"><strong>What You’ll Do</strong></span></p>
<h3><span style="font-size: 10pt;"><strong>Identity Architecture &amp; Engineering</strong></span></h3>
<ul>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Design, implement, and maintain a Non-Human Identity (NHI) framework governing all service accounts, API tokens, certificates, and machine credentials.</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Implement centralized secrets management using tools such as HashiCorp Vault or AWS Secrets Manager.</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Build integrations with CI/CD pipelines and cloud services (AWS, GCP, Azure) to enforce automated credential rotation and JIT provisioning.</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Define and implement tagging, ownership, and classification models for non-human identities.</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Develop scalable onboarding processes for applications, workloads, and bots that require secure authentication.</span></li>
</ul>
<h3><span style="font-size: 10pt;"><strong>Lifecycle Management &amp; Governance</strong></span></h3>
<ul>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Develop automated workflows for creation, rotation, deactivation, and certification of service accounts and API keys.</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Partner with developers and DevOps to transition hard-coded credentials to secure vaults.</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Establish policies for key rotation frequency, credential expiration, and certificate renewal.</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Integrate the NHI lifecycle into IAM governance tools (Okta).</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Support quarterly access reviews and certification campaigns for non-human identities.</span></li>
</ul>
<h3><span style="font-size: 10pt;"><strong>Automation &amp; Integration</strong></span></h3>
<ul>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Build automation using APIs, Python, PowerShell, or Terraform to manage credentials and monitor access.</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Integrate non-human identity telemetry into SIEM/SOAR platforms for anomaly detection.</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Implement visibility dashboards to track total NHI inventory, owners, last use, and compliance status.</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Deploy Just-in-Time (JIT) credential provisioning for ephemeral workloads and containers (Kubernetes, Lambda, ECS, etc.).</span></li>
</ul>
<h3><span style="font-size: 10pt;"><strong>Security &amp; Risk Management</strong></span></h3>
<ul>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Enforce least privilege and zero-trust principles for machine access.</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Monitor for unused or excessive service accounts and remediate over-permissioned credentials.</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Support incident response teams with forensics on compromised API keys or tokens.</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Define detection logic for credential misuse or non-standard access patterns.</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Partner with Application Security to integrate secure NHI handling into the SDLC.</span></li>
</ul>
<h3><span style="font-size: 10pt;"><strong>Compliance &amp; Audit</strong></span></h3>
<ul>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Maintain audit trails for credential issuance, usage, and rotation events.</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Produce compliance reports for SOX, SOC 2, PCI DSS, FFIEC, and crypto-custody audits.</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Collaborate with internal audit and compliance teams to validate NHI control effectiveness.</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Document architecture, data flows, SOPs, and exception processes for NHI management.</span></li>
</ul>
<h3><span style="font-size: 10pt;"><strong>Innovation &amp; Continuous Improvement</strong></span></h3>
<ul>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Evaluate emerging NHI management solutions (e.g., SPIFFE/SPIRE, workload identity federation, cloud-native secrets stores).</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Lead proof-of-concepts to modernize credentialless or short-lived identity methods.</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Advocate for security automation and the reduction of static credentials across the enterprise.</span></li>
</ul>
<p><span style="font-size: 12pt;"><strong>What You’ll Need</strong></span></p>
<h3><span style="font-size: 10pt;"><strong>Education &amp; Experience</strong></span></h3>
<ul>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Bachelor’s degree in Computer Science, Cybersecurity, or related discipline.</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">3–6 years of experience in IAM, DevSecOps, or Security Engineering roles.</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Hands-on experience with non-human identity or secrets management tools.</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Familiarity with cloud IAM concepts (AWS IAM Roles, Azure Managed Identities, GCP Service Accounts).</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Experience integrating IAM or secrets systems with CI/CD pipelines and DevOps tools.</span></li>
</ul>
<h3><span style="font-size: 10pt;"><strong>Technical Skills</strong></span></h3>
<ul>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Proficiency in automation and scripting (Python, PowerShell, or Bash).</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Strong understanding of authentication standards (OIDC, OAuth 2.0, SAML, JWT).</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Knowledge of API security, key rotation policies, and service-to-service authentication.</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Familiarity with container and workload identities (Kubernetes, ECS, Lambda).</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Understanding of Zero Trust, machine identity, and certificate lifecycle management.</span></li>
</ul>
<h3><span style="font-size: 10pt;"><strong>Preferred Certifications</strong></span></h3>
<ul>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">HashiCorp Certified Vault Associate</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">AWS Certified Security – Specialty</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">Okta Certified Professional or Administrator</span></li>
<li style="font-size: 10pt;"><span style="font-size: 10pt;">(ISC)² Certified Identity and Access Manager (CIAM) or CISSP</span></li>
</ul>
<div class="content-conclusion"><div class="gmail_default"><strong>Compensation and Benefits</strong></div>
<div class="gmail_default">The base pay range for this role is listed below. Final base pay offer will be determined based on individual factors such as the candidate’s experience, skills, and location.</div>
<div class="gmail_default">To view all of our comprehensive and competitive benefits, visit our <strong><a href="https://sofietyinfo.sofi.com/sofi-benefits" target="_blank">Benefits at SoFi</a></strong> page!</div>
<h5 style="text-align: center;"><span style="font-weight: 400;">SoFi provides equal employment opportunities (EEO) to all employees and applicants for employment without regard to race, color, religion (including religious dress and grooming practices), sex (including pregnancy, childbirth and related medical conditions, breastfeeding, and conditions related to breastfeeding), gender, gender identity, gender expression, national origin, ancestry, age (40 or over), physical or medical disability, medical condition, marital status, registered domestic partner status, sexual orientation, genetic information, military and/or veteran status, or any other basis prohibited by applicable state or federal law.</span></h5>
<h5 style="text-align: center;"><span style="font-weight: 400;">The Company hires the best qualified candidate for the job, without regard to protected characteristics.</span></h5>
<h5 style="text-align: center;"><span style="font-weight: 400;">Pursuant to the San Francisco Fair Chance Ordinance, we will consider for employment qualified applicants with arrest and conviction records.</span></h5>
<h5 style="text-align: center;"><a href="https://dol.ny.gov/system/files/documents/2022/02/ls740_1.pdf" target="_blank"><span style="font-weight: 400;">New York applicants: Notice of Employee Rights</span></a></h5>
<h5 style="text-align: center;"><span style="font-weight: 400;">SoFi is committed to an inclusive culture. As part of this commitment, SoFi offers reasonable accommodations to candidates with physical or mental disabilities. If you need accommodations to participate in the job application or interview process, please let your recruiter know or email </span><a href="mailto:accommodations@sofi.com" target="_blank">accommodations@sofi.com</a><span style="font-weight: 400;">.</span></h5>
<h5 style="text-align: center;"><span style="font-weight: 400;">Due to insurance coverage issues, we are unable to accommodate remote work from Hawaii or Alaska at this time.</span></h5>
<div class="gmail_default"><strong>Internal Employees</strong></div>
<div class="gmail_default">If you are a current employee, do not apply here - please navigate to our Internal Job Board in Greenhouse to apply to our open roles.</div></div>

About SoFi

SoFi

sofi.com

Workplace: On-site
