13 years enforcing access controls and protecting sensitive data in regulated environments. Now building the technical skills to formalize it: threat modeling, cloud security, and identity governance backed by real project work.
I spent 13 years in one of the most data-sensitive environments there is, managing PII for over 2,500 families, maintaining zero compliance violations, and keeping audit-ready documentation under HIPAA-adjacent requirements.
Now I'm translating that operational fluency into formal security practice: threat modeling, mTLS implementation, NIST control assessments, and cloud monitoring pipelines. Not theory. Documented, hands-on project work.
Governance and identity work across cloud and IoT environments. Framework-mapped, audit-ready, and grounded in real-world regulated experience.
Hands-on security work spanning threat modeling, architecture design, attack simulation, executive reporting, and policy authorship. Each project includes documentation mapped to recognized frameworks.
Full STRIDE analysis across 4 system components (IoT devices, cloud platform, web dashboard, remote controls) for a 500-room luxury hotel. Produced a risk-ranked assessment with critical/high/medium risk classification and prioritized mitigations for executive review.
Designed a hierarchical MQTT topic structure with QoS-level security reasoning for multi-site expansion. Then performed live reconnaissance, capturing 15+ messages via wildcard subscription. Documented 4 unmitigated vulnerabilities (no encryption, no auth, no authorization, no message verification) with evidence and remediation priorities.
Executive-facing security assessment demonstrating live eavesdropping risk, TLS protection effectiveness, and performance impact. Ran 4 tests: traffic interception, unauthorized device rejection, latency benchmarking (52ms avg), and load testing (10 to 100 msg/sec). Framed findings against real hotel breaches (Omni, Motel One, Marriott).
Configured mutual TLS with certificate-based device authentication on a Mosquitto broker. Analyzed 3 attack scenarios where one-way TLS fails (rogue broker, compromised sensor, insider bypass). Validated certificate rejection for missing, untrusted, and expired certs. Enforced identity-bound logging via certificate Common Name extraction.
Simulated 3 attack types (immediate, delayed, tampered replay) against a Python MQTT pipeline across 4 protection configurations. Measured rejection rates per configuration. Delivered findings to VP of Operations with plain-language analogies, quantified results, and a deployment recommendation. Referenced AWS IoT Core standards, IEC 62443, and MQTT v5.
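To show what the verifier side of that replay assessment checks for, here is an added illustration (not the project's own code). It assumes one protection configuration that the page does not spell out: a shared HMAC-SHA256 key, a timestamp freshness window, and a nonce cache, so that each of the three replay types (immediate, delayed, tampered) is rejected for a distinct reason.

```python
import hashlib
import hmac
import json

# Constructed shared key for this example only; a deployment would provision
# per-device keys (or lean on the mTLS identity) rather than a hard-coded secret.
SHARED_KEY = b"example-shared-key-not-for-production"
MAX_AGE_SECONDS = 30  # assumed freshness window for the timestamp check

def _canonical(body: dict) -> bytes:
    """Deterministic JSON encoding so sender and verifier sign the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_message(payload: dict, ts: float, nonce: str) -> dict:
    """Sender side: wrap a telemetry payload with timestamp, nonce and HMAC tag."""
    body = {"data": payload, "ts": ts, "nonce": nonce}
    body["tag"] = hmac.new(SHARED_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return body

class ReplayGuard:
    """Verifier side: rejects tampered, stale and duplicated messages in that order."""

    def __init__(self, max_age: float = MAX_AGE_SECONDS):
        self.max_age = max_age
        self.seen_nonces: set[str] = set()  # would need eviction beyond max_age in production

    def check(self, msg: dict, now: float) -> str:
        """Return 'accepted' or a rejection reason for one inbound message."""
        unsigned = {k: v for k, v in msg.items() if k != "tag"}
        expected = hmac.new(SHARED_KEY, _canonical(unsigned), hashlib.sha256).hexdigest()
        # Constant-time compare; any edit to the body or tag fails here first.
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return "rejected: bad signature (tampered)"
        if abs(now - msg["ts"]) > self.max_age:
            return "rejected: stale timestamp (delayed replay)"
        if msg["nonce"] in self.seen_nonces:
            return "rejected: duplicate nonce (immediate replay)"
        self.seen_nonces.add(msg["nonce"])
        return "accepted"

def run_scenarios() -> dict:
    """Constructed run of the three attack types against one guard instance."""
    guard = ReplayGuard()
    t0 = 1_700_000_000.0
    original = sign_message({"room": 101, "flow_lpm": 3.2}, t0, "n-0001")
    results = {"legit": guard.check(original, t0 + 1)}
    results["immediate"] = guard.check(original, t0 + 2)       # same message again
    results["delayed"] = guard.check(original, t0 + 600)       # replayed 10 min later
    tampered = dict(original, data={"room": 101, "flow_lpm": 99.0})  # body edited, tag kept
    results["tampered"] = guard.check(tampered, t0 + 3)
    return results
```

The order of checks matters: verifying the signature before reading the timestamp or nonce means an attacker cannot use forged fields to probe the nonce cache or clock window.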
Authored a complete security policy governing the full device certificate lifecycle: provisioning, rotation (60-day lead, annual cycle), revocation, decommissioning, and emergency response. Defined roles and responsibilities, inventory requirements, and record-keeping procedures. Aligned to IEC 62443 and NIST IoT guidance.
Governance-focused control assessment in a simulated AWS environment. Reviewed 10+ IAM role configurations for privilege creep, over-provisioned permissions, and missing boundary policies. Identified 5 control gaps and produced a risk-ranked remediation report with audit-style compliance artifacts (control narrative, gap analysis, evidence log).
Built an end-to-end audit logging pipeline monitoring sensitive credential access across AWS Secrets Manager, CloudTrail, and CloudWatch covering 100% of target access events. Engineered detective controls with log-based metrics, automated alarms, and SNS alerting under least-privilege IAM principles.
13 years across regulated environments enforcing access controls, administering RBAC, and maintaining audit-ready compliance records.
STRIDE threat modeling, MQTT architecture design, vulnerability assessment, mTLS implementation, replay attack simulation, executive security reports, and IoT provisioning policy authorship for a commercial hotel water-monitoring system. Findings mapped to IEC 62443 and NIST CSF 2.0.
Maintained audit-ready PII compliance with zero access control findings across all review cycles. Administered RBAC across a 3-person team, monitored phishing indicators, coordinated multi-stakeholder access governance, and delivered security awareness training to 12 staff.
Administered provisioning and deprovisioning workflows across mandated state digital systems. Drove a 20% improvement in process efficiency by tracking compliance metrics across 3 program KPIs.
Resolved credential access failures across 4+ regulated platforms for 100+ users. Sustained zero documentation errors across 6 years of state oversight reviews. Delivered access policy training to 15+ staff.
Open to GRC Analyst and IAM Governance roles. Based in New York, available for remote and hybrid.