Executive leader with creative problem-solving and analytical decision-making skills who delivers results; holds a Master's in Computer Science, CISSP, CISM, Harvard professional development, and RLF Leadership credentials.
Reputation for transforming struggling operations into productive, efficient, and sustainable organizations by integrating expertise in Cybersecurity, Identity & Access Management (IAM), Data Protection, Enterprise Architecture, Cloud Adoption, and Application Architecture with process improvement and change management.
Exhibits expertise, innovation, and creativity in leading large cross-functional, multi-level teams to enhance performance and efficiency; identifies process gaps, risks, vulnerabilities, cost-saving opportunities, and lead-time compliance while aligning these with security policy and industry-standard frameworks.
Holds a stellar track record of collaborating with business leaders, demonstrating strategic leadership, strong organizational skills, and the ability to clearly explain complex ideas and concepts to a non-technical audience.
Bradley University | Peoria, IL, USA
Master of Science in Computer Science
Jan 2000 - Dec 2001
L.D. College of Engineering | Ahmedabad, India
Bachelor of Engineering in Electronics & Communication
August 1995 - Nov 1999
Harvard Division of Continuing Education, Professional Development
Essential Management Skills for Emerging Leaders
Oct 2022
Certified Information Systems Security Professional (CISSP), ISC2.org
2020
2024
RLF - Leadership for Life
Southeast program, Oct 2023
Identity and Access Management (IAM) - All sub-domains
Cybersecurity Architecture and Engineering
Strategy and Innovation
Zero Trust & Data Protection
Enterprise Architecture
Cloud Architecture & Engineering (Azure, GCP & AWS)
Executive Leadership & Mentorship
Process Improvement
Agile Methodology
Audit & Compliance
Collaboration & Relationship
Team building and Management
Lead Director, Identity and Access Management (IAM), Cybersecurity Architecture and Engineering
CVS Health
Jan 2021 - Present
Direct the overarching IT cybersecurity strategy and architecture, enhancing all domains of IAM, data protection, and application security through innovative technical solutions. Manage the modernization of IAM domains using state-of-the-art technology such as biometrics with ID verification, a Neo4J graph DB, and policy orchestration for Authentication, IGA, and PBAC. Lead the corporation's Zero Trust strategy utilizing Zscaler and oversee the DevOps and Automation teams. Manage over 100 professionals across multiple programs and collaborate with C-level executives to align cybersecurity initiatives with organizational goals.
Enhanced strategic alignment by developing and presenting a 5-year roadmap for IAM Technology Modernization to C-suite, securing full approval.
Key participant in all cybersecurity initiatives, including zero trust, cloud security, data protection, application security, and processes.
Play a crucial role in developing internal security policies to comply with HIPAA, PCI, NIST, Privacy, GDPR, and CISA security standards and guidelines.
Senior Manager, Identity and Access Management (IAM), Cybersecurity Architecture and Engineering
The Home Depot
April 2020 - Jan 2021
Provided strategic direction for developing IT cybersecurity strategy and architecture, emphasizing agile frameworks for IAM, IGA, and data/application security.
Created a three-year roadmap for IAM transformation, including implementing MFA, identity governance, and privileged access management.
Designed and led the implementation of modern IAM frameworks, enhancing security protocols and reducing system vulnerabilities.
Director, Identity and Access Management (IAM), Cybersecurity Architecture and Engineering
UnitedHealth Group / Optum
Sep 2016 - April 2020
Led numerous IAM architecture and engineering initiatives using various technologies, including Azure, GCP, and private cloud services. Focused on device-bound access with passwordless technology and targeted enterprise architecture to facilitate comprehensive identity and security services.
Led a $15M modernization initiative for authentication and access management, integrating with existing cybersecurity frameworks, using PingFederate, PingAccess, PingDirectory, Smartcard, Yubikey, VMware MDM, and RSA Authentication.
Implemented cloud enablement strategies using Azure and GCP, designing comprehensive access control solutions aligned with stringent security and compliance standards.
Assistant Director, Identity and Access Management (IAM) Architecture
Ernst and Young (EY)
March 2015 - Sep 2016
I implemented the enterprise-level Identity-as-a-Service (IDaaS) program, managed multiple vendor relationships, and led the implementation of advanced authentication services and identity federation to deliver the access control framework.
Senior Vice President, Identity and Access Management (IAM) Architecture and Engineering
Citigroup (Citi)
Dec 2003 - March 2015
I implemented and developed IAM solutions to support all enterprise and consumer-facing applications and systems using SiteMinder, Oracle LDAP, PingFederate, Gemalto, OneSpan, Citi MFA (custom REST APIs), and other technology products. I also developed, introduced, and managed the Identity Federation Infrastructure, significantly improving security by implementing SAML, WS-Trust, WS-Fed, Web Services, and other protocols.
LDAP Architect
Blue Cross Blue Shield Association
Oct 2003 - Dec 2003
System Engineer
Computer Sciences Corporation (CSC)
Feb 2003 - Oct 2003
Jan 2021 - Present
IAM Strategy, Jan 2021 - Jan 2022:
Enterprise Identity and Access Management needed to be more cohesive. Multiple redundant products relied on unnecessary custom solutions that hardly met the business requirements. All products and services provided outdated solutions without any modern touch. For example, a password with OTP was used only for VPNs. There was no MFA for application- or system-level access.
As the chief IAM and Cybersecurity architect, I enabled modernization. To do this, I conducted a detailed review of the current environments, assessing the strengths and weaknesses of the different business lines and technology teams and engaging with key stakeholders. I also researched current market trends from Gartner, Forrester, and other leading organizations to ensure our strategies were always cutting-edge.
I proposed the IAM strategy based on the following inputs:
Current pain points
Business use cases and requirements
Industry trends
Market analysis
PCI, SOX, HIPAA, NIST, and other security requirements
20+ years of personal IAM and Cybersecurity working experience
Design principle of agile framework with continuous improvement
I proposed the IAM strategy to redesign the framework with better products over the next 3-5 years.
To get support and alignment, I presented the strategy with a 5-year roadmap to stakeholders, from key to executive leadership.
The CISO and CIO fully approved the IAM strategy as a program called "IAM Technology Modernization (ITM)."
IAM Technology Modernization - Part 1, Jan 2022 - Present, $20M program:
We started our journey of IAM strategy with the following domains:
Identity Data Service: IAM consists of over five different databases to manage the data, which were out of sync and had poor data quality. I selected the modern Neo4J graph database to consolidate all IAM data into one place to enable quality and a complete data set. This data set consists of User Identity, Application Identity, User & Application accounts, and access to each account using entitlements and roles. This supports all IAM domains, including Authentication, Authorization, Identity Governance, and Access review.
Authentication & Access Management Service: I selected the PingIdentity service after gathering requirements and conducting multiple Proof of Concept (POC). The design is to build a no-code policy and data-driven Authentication and Access Management service. Ping Davinci, PingFederate, PingAccess, Ping Directory, PingOne MFA, and PingOne Protect products work harmoniously to provide an advanced solution with the integration of MDM, Zscaler, and Crowdstrike products.
Secret Management Service: The Akeyless vendor was selected after a thorough product selection process that also evaluated HashiCorp, BeyondTrust, and CyberArk. The Akeyless service enables secret management for all on-premises systems and five clouds (AWS, Azure, GCP, IBM, and Oracle). Akeyless also provides centralized secret management for cloud-native key vaults (Azure, AWS, and GCP key vaults).
Solution enablement
Identity Data Service:
Consolidate all IAM data into Neo4J Graph DB from 5+ legacy databases with a data integrity schema model.
Integrate with Human Resources and the Company's asset management systems for identity data of users and applications/systems.
Enable real-time data access with the governance model using REST/SCIM and GraphQL interfaces.
Authentication Service:
Migrate over 1,500 applications from the legacy SiteMinder environment to the modern PingIdentity service.
Enable federated authentication using SAML, OIDC, and OAuth with the PingFederate product.
Enable continuous authentication and access control using PingAccess Identity Gateway.
Enable multiple Multi-Factor Authentication options, including Passwordless MFA with Ping Mobile App and Yubikey FIDO2.
Enable a complete self-service portal for MFA registration.
Integrate Ping Davinci, Ping Protect, Microsoft Intune (MDM), Crowdstrike Falcon, and Zscaler services to enable risk and adaptive access control.
Secret Management Service:
The Akeyless vendor built the environment as SaaS in Azure and GCP across multiple clouds, regions, and availability zones to provide high availability and performance. Akeyless gateways were placed in each location where CVS applications are primarily hosted.
Designed the approach to create micro-vaults within Akeyless to manage secrets for applications, which enabled a self-service model with governance.
To manage the secrets lifecycle, Akeyless was integrated with three clouds (Azure, GCP, AWS), Active Directories, PingIdentity, the Kubernetes platform, Kong API Gateway, DevOps tools, and business applications.
The applications integrated with Akeyless retrieve secrets in real time.
IAM Technology Modernization, Part 2, June 2023 - Present, $15M program:
Identity Governance and Administration (IGA) Service: I selected SailPoint IdentityNow service after reviewing seven leading IGA products and services, including Saviynt. IGA service consists of Access Request, Access Provisioning, and Access Review.
Solution enablement:
Enable the data lake concept using the Neo4J graph database to keep the external authorization data for real-time data access.
Integrate with 10+ centralized account stores (Active Directories, LDAP, Neo4J, Mainframe, Clouds, etc.) to enable real-time provisioning.
Enable different solutions with data-driven workflows for access request, provisioning, and access review processes, including birthright access, privileged account lifecycle, etc.
Enable self-service for application onboarding.
Enable self-service for access requests with the IdentityNow interface and ServiceNow.
Enable a solution to collect data from disconnected systems to complete the data set for the Access Review process.
Enable Artificial Intelligence (AI) based solutions for access request, provisioning, and access review.
Cybersecurity Zero Trust and Ransomware program, June 2023 - Present, $20M program:
I was one of the critical stakeholders in selecting Zscaler to enable zero-trust solutions across the organization. The first solution was to replace the legacy Cisco VPN solution. Many solutions are being enabled using ZIA and ZPA. My role is to guide the team in enabling the zero-trust framework using Zscaler by integrating with other products like Akeyless, SailPoint, Clouds, etc. CASB and data protection solutions are being designed to replace legacy systems.
CVS executives initiated a new program to protect against ransomware after many attacks on the healthcare industry. I am working with SMEs of each security domain to build the best solution, including a secure vault for backups, to protect against and recover from ransomware attacks.
Biometric Authentication, Jan 2024 - Present:
A retail pharmacy requires frictionless and transactional-based authentication with an offline scenario when a store loses network connectivity due to disaster or other conditions. The Private Identity vendor was selected to enable facial biometric authentication on store-shared computers and mobile tablets. The vendor and IAM team developed a store component to keep the secure cache and allow the same authentication when a store loses network connectivity.
IAM Technology Modernization, Part 3, Jan 2024 - Present, work in progress:
Research and analysis are being done to select modern solutions for the following use cases:
Identity verification (proofing) using a document verification process
Privileged Access Management (PAM) modernization with the following critical requirements:
MFA and passwordless access
Just-in-time access without any standing credential
Session management at enforcement and monitoring levels.
April 2020 - Jan 2021
My role was to lead the IAM architecture team under Cybersecurity, focusing on modernizing and advancing solutions that enable our business operations. I designed solutions for an ongoing program to modernize two IAM domains.
Identity Governance and Administration (IGA) with SailPoint IIQ: This project involved building the new infrastructure using SailPoint IIQ and automating different IGA solutions.
PAM Strategy & Design with CyberARK: The goal is to enable modern PAM solutions with just-in-time access, MFA, and session management capabilities
Sep 2016 - April 2020
My ex-colleague contacted me to lead the IAM and Cybersecurity architecture team, an advancement of my previous E&Y role. During this period, I successfully delivered many programs to satisfy business requirements.
Modernize Authentication & Access Management, a $15M program:
Designed modern and agile authentication, federation, and SSO framework using PingFederate, PingAccess, PingDirectory, Active Directory and RSA Authentication.
We enabled a smartcard solution for Windows and Mac laptops using the Yubikey smartcard solution, which was fully automated and integrated with the PKI environment.
Access Management solution was enabled across on-premises, Azure & GCP clouds, and SaaS applications.
Selected, designed, and implemented a new Privileged Access Management (PAM) solution using CyberARK and replaced the legacy solution.
Migrated over 1000 applications from SiteMinder to PingIdentity framework.
We selected the VMware (AirWatch) mobile management solution and enabled SSO through integration with PingIdentity using certificate-based authentication, with the certificates managed by the VMware platform.
Cloud Enablement, an over $15M program:
The company started its journey to the cloud using Azure and GCP cloud providers. I played two roles in this program: IAM solution provider and Cybersecurity expert.
Designed the end-to-end solutions for each cloud access control, including provisioning, authentication, authorization, access management, and governance.
Reviewed security posture for all cloud services to the company's security and compliance requirements, including HITRUST, PCI, NIST, and other standards.
Zero Trust product selection:
Initially, the primary focus was on selecting CASB and data protection solutions. We expanded the scope of the project with a zero-trust concept to include network segmentation, Web Application Firewall (WAF), and VPN-less access.
We collected all use cases and requirements and followed the "Request for Proposal (RFP)" process. The product selection process included many business and technical discussions with key stakeholders. We selected the final two products, Zscaler and Netskope, for the "Proof of Concept (POC)" to further verify technical capabilities. Netskope was selected as the company's final product.
Authorization Data Service: MongoDB and REST APIs, a $5M project:
Authorization data was embedded within the business systems. This created an issue about governance and complexity, including higher costs. I proposed a centralized authorization data lake for the enterprise with "Return on Investment (ROI)" to reduce complexity. The company's executive leadership, CISO, CTO, and many other stakeholders officially approved this plan.
Solution enablement:
I selected the MongoDB database that inherently supports the dynamic schema and JSON data structure.
We designed the data schema to manage the different data sets, "Identities and Accounts of users and applications," "Access with Roles and Entitlements including permissions," and business fine-grained authorization data.
A custom REST API interface with a security and governance model was developed to enable real-time access for business applications.
Some IAM products, such as PingFederate, CyberArk, and VMware, were integrated to enable authorization within the Authentication and Access Management service.
March 2015 - Sep 2016
Enterprise authentication and access management capabilities were enabled using SiteMinder products, which created many challenges, including a lack of support for modern features and the complexity of managing thousands of web agents. I created a "Request for Proposal (RFP)" document after collecting business requirements and current issues and applying modern technology trends to enable the right solutions. The PingIdentity products PingFederate, PingAccess, and PingDirectory were selected.
Solution Enablement:
The focus of phase 1 was to build the framework using the PingFederate, PingAccess, and PingDirectory products by integrating with RSA SecurID, Active Directories, and SiteMinder products.
Enable modern solutions using SAML, OIDC, OAuth, and proxy-based integration.
Multi-factor authentication was enabled by integrating the RSA SecurID product with PingFederate.
The SiteMinder migration solution provided seamless access between SiteMinder and PingIdentity applications until all applications were migrated to the PingIdentity framework.
Dec 2003 - March 2015
While working at Blue Cross Blue Shield in Chicago, I wanted to move to the southern USA to avoid the cold. I received two offers, one in Texas and another in Florida.
I joined Citigroup at the Tampa, Florida, location. My journey at Citigroup:
Joined as a consultant in Dec 2003
Became a full-time employee in the "Assistant Vice President" role in Oct 2005
Promoted to "Vice President"
Promoted to "Senior Vice President"
Authentication and Single Sign On (SSO) Service:
I joined as a consultant to design, build, and support SiteMinder infrastructure from an Architecture and Engineering perspective. I provided Authentication and Single Sign-On solutions to all enterprise applications using Oracle LDAP and SafeWORD OTP solutions.
We enabled SSO according to the different risk tiers of applications: low, medium, and high. We also enabled step-up authentication for accessing applications from lower to higher risk tiers.
Applications with critical risk were isolated using the session segmentation mechanism.
Built the automated process to continuously upgrade the infrastructure and agents.
Audit and compliance requirements were fully supported.
Identity Federation Service:
We received the requirements to enable SSO for external applications. Initially, we built SAML federated authentication and SSO with the SiteMinder environment, but we hit major roadblocks with a lack of critical features and performance issues.
I researched the market and selected the PingFederate product to provide federated single sign-on by integrating it with the existing SiteMinder environment.
Citi Multi-Factor Authentication (MFA) Service:
Citigroup received FFIEC and other compliance requirements to enable Multi-Factor Authentication for Consumer and Institutional clients applications.
After market research, we built a custom web service framework to provide API-based MFA service for applications.
The One-Time Password (OTP) was delivered through an SMS and voice provider company.
A hardware OTP solution was enabled using the Vasco and SafeWORD environments.
The solution was enabled for applications running in over 100 countries for the Consumer and Institutional client businesses.
CitiSAFE - Custom centralized authorization services:
A centralized custom authorization service was developed to support specific business requirements.
Authorization data and policy were managed in a custom RDBMS database.
The policy engine was built in Java to enable the authorization service.
The solution was successfully enabled for hundreds of business applications.
Email: maact7@gmail.com
Phone: +1 813 527 8527
LinkedIn: https://www.linkedin.com/in/milpesh