
Yaw Kusiappiah

Summary

Experienced Security and Infrastructure Engineer – Security, Active Directory Configuration, Network, and Application Infrastructure, with over a decade of experience. Knowledge/experience in Component Hardening (CIS/NIST), CIMM program lead, and Application Control, applied at a large global enterprise level. Knowledge of Vulnerability Management, Patching, and Compliance enforcement for endpoints. Configured Ivanti for OSI Enterprise Patch Management. Familiarity with cloud and on-premises identity systems – AWS and Azure. Experience in administration and management of PKI/PIV infrastructure: management of trusted root certificate chains in Active Directory. Working knowledge of identity systems and their implications and migration. Proficient in standards-based authentication protocols (OIDC, OAuth, SAML, etc.). Experience with directory provisioning tools (Azure AD Connect Sync and Azure AD Connect Cloud Sync). Extensive working knowledge in the integration of applications and business services with IAM. Managed self-service IAM capabilities, such as Self-Service Password Reset and Self-Service Group Management. Experience in HR-driven provisioning and directory- and cloud-scale application provisioning. Strong Active Directory background (multiple forests/domains; 2008/2012/2016 and 2019). Experience with Privileged Access Management (compliance and credential management). Experience configuring and implementing Azure AD B2B collaboration, B2B direct connect, and Azure AD B2C. Experience working with and managing AWS services (S3, EC2, IAM, Security Hub, VPC). Deep understanding and knowledge of IT security standards and risk management practices. Working knowledge of cybersecurity tools (Rapid7, DarkTrace). Experience with Proofpoint and Mimecast for email gateway security. Knowledge of MITRE ATT&CK for cyber threats and mapping data to attacks.

Overview

4 years of professional experience
1 Certification

Work History

Lead Systems Engineer (Active Directory Services)

MGM Resort International
Las Vegas, NV
10.2024 - 11.2024
  • Planned, designed and implemented ADFS 3.0 and Azure AD Connect for the MGM enterprise hybrid (SSO) Office 365 project
  • Task list:
  • Planned, designed and implemented ADFS 3.0 Federation Farm for Single Sign-On (Web Browser Profile, SAML 2.0)
  • Configured Server Authentication Certificate for secure communication and Token Signing, and exported Federation Metadata to the Service Provider for authentication setup
  • Configured load balancing for the ADFS farm / configured internal DNS records / client configuration
  • SQL Server configuration
  • Built WAP cluster
  • Migrated Claims Rules between trusts from test to production
  • Set up service account and SPN for the Federation Service
  • Assisted and coordinated with the application team with REST APIs in troubleshooting the SSO signing process
  • Played a key role in the restructuring of MGM's multiple AD forests and domains
  • Consolidated domains, rebuilt OU structures and decommissioned domains/forests
  • Created scripts for DNS cleanup
  • Upgraded domain controllers (2003/2008 to 2012 R2)
  • Performed routine audits to ensure compliance with MGM security policies and other industry standards (PCI, SOX), e.g., generating monthly and quarterly Group Policy Object reports
  • Played a key role in the Directory Services Group in the implementation of the McAfee Web Gateway proxy project, which replaced Microsoft TMG and Bluecoat as the enterprise web proxy
  • Planned and designed a process for the enterprise rollout through security groups/GPO for all MGM properties in Las Vegas and remote locations (incremental deployment)
  • Provided advisory, reactive, and proactive level 3 tier support for MGM CE (junior Systems Engineers located onsite on all MGM properties, local and remote sites globally)
  • Planned, designed, and installed Change Auditor for multiple forests
  • Upgraded Enterprise Certificate Authority 2003 servers to 2012 R2 (project):
  • Planned and prepared a Solution Architecture Document, detailing procedures and steps, that was presented to the Change Management Board for approval
  • Backed up the (PKI) CA database, private key, registry settings, and CAPolicy.inf on the 2003 Root CA
  • Removed the CA role from the 2003 Root CA
  • Built a 2012 R2 server
  • Restored the PKI (CA database) and configured it on 2012 R2
  • Managed MGM enterprise certificate issuance and administration with Venafi Certificate Management (all types of certificates)
  • Provided 24x7 on-call escalation support (rotation-based / full-week support in collaboration with Directory Services and Messaging team members)
  • Managed Kerberos authentication and troubleshooting (klist, LDP.exe, ADSIEdit, network traffic tools)
  • Provided administration/support of Exchange 2010
  • Managed domains in Office 365
  • Implemented Directory Synchronization for the purpose of migration
  • Deployed migration setup for multiple types of migration (Cut-Over, IMAP, Staged and Hybrid)
  • On-boarding and off-boarding mailboxes from Exchange Online servers
  • Migrated shared, resource and room mailboxes to the cloud and from the cloud to on-premises
  • Handled post-migration issues such as permission and password issues for users
  • Supported, created and modified certificate templates as needed by application owners
  • Crafted, updated and documented policies and procedures for the Directory Services and Messaging team (IT Enterprise Collaboration Group)
  • Participated in bridge calls for potential and ongoing outages and severity 1, 2 and 3 incidents (MGM properties locally in Las Vegas and remote)
  • Participated in daily bridge calls for Production and Change Review for ongoing project changes throughout the enterprise
  • Verified the integrity and availability of all hardware, server resources, systems and key processes, reviewing system and application logs
  • Provided Tier III/other support per request from various constituencies
  • Investigated and troubleshot issues
  • Daily support utilizing Service Desk Manager to resolve requests, incidents and problems; also processed and completed change orders for the IT Enterprise and Collaboration team (ticketing system)
  • Used Service Desk Manager ticketing and numerous internal tools for troubleshooting and investigation of reported incidents and problems
  • Monitored and managed Active Directory and the Okta identity management system
  • Managed AD-integrated DNS (created different record types, configured forward and reverse lookup zones) and resolved company-wide DNS issues
  • Provided support for and managed DNS and DHCP with the Infoblox appliance (IPAM)
  • IP reservation (manually and via scripted import of CSV files)
  • Added, modified, and edited DNS records (CNAME, MX, TXT) and added networks
  • Created and modified DHCP scopes (phone systems and all enterprise systems)
  • Managed Grid Master/Members and performed administrative tasks
  • Used SCOM to maintain production and test servers (Microsoft System Center 2012 R2, Configuration Manager, Software Center); server reboots through Orchestrator runbook.

Systems Engineer Consultant

Air Lease Corporation
Los Angeles, CA
06.2024 - 09.2024
  • Planned, designed and configured Windows Server 2012 R2 infrastructure / VMware vSphere 5.5 / vCenter and storage
  • Configured domain controllers (AD DS role)
  • Installed and configured DFS namespaces and replication for business-critical file servers (shared folders)
  • Created and managed Active Directory (AD)
  • Designed Organizational Unit (OU) structure and created Group Policy Objects, users and groups
  • Implemented Group Policy for desktop security (e.g., used Group Policy Preferences to implement mapped drives, printers, shortcuts, registry settings, environment, network shares, scheduled tasks, data sources, and IE settings)
  • Configured account policies
  • Installed and configured Unitrends backup system
  • Documented the AD environment and developed an AD DS administration support document
  • Implemented high-availability DHCP scope failover.

Active Directory Engineer

IBM Global Services
08.2024 - 09.2024
  • Provided support and administration for the Dow AD migration project from the Rohm and Haas forest migration
  • Daily remote administration tasks included running scripts and diagnosing and troubleshooting Dow.com DCs within the Active Directory enterprise/global infrastructure
  • Performed Active Directory metadata directory discovery
  • Played a key role in monitoring the dow.com global Active Directory infrastructure (sites and subnets).

Systems Engineer

ADS Consulting
Los Angeles, CA
05.2024 - 08.2024
  • Planned and designed migration of Active Directory for ADS clients
  • Upgraded Windows 2003 domain environment to 2008 R2 DCs
  • Provided third-level support for clients' network infrastructure (ESX, Exchange, Active Directory and NetBackup backup systems)
  • Managed and provided support for ESXi 4.0 (vSphere) virtual infrastructure (clustered servers with vCenter and VI client)
  • Created fully patched base image (VM template) for provisioning new virtual servers and created snapshots for VM backup
  • Used vCenter for patch management (Update Manager), vMotion, DRS and HA
  • Administration and remote monitoring of infrastructure servers (physical and virtual)
  • Planned P2V installations and vRanger backups of VMs and snapshots
  • Datastore management and administration of LUNs (Fibre Channel and iSCSI SANs).

Systems Engineer Identity Management / Active Directory

Loyola Marymount University
Los Angeles, CA
09.2024 - 06.2024
  • Researched, planned, tested and deployed (added) 3 Windows 2012 domain controllers in the lumen forest and decommissioned Windows 2003 DCs
  • Managed, planned and built an Active Directory test lab as an exact replica of the production environment
  • Tools: CSV, LDIF, PowerShell, VMware, GPO scripting and VBScript
  • Troubleshot, managed and maintained shared folder access for faculty/staff and students in the enterprise Active Directory environment
  • Management and administration of Forefront Identity Manager 2010 with Active Directory, employee/faculty/staff and Student Registrar databases as data sources, for the LMU identity management solution
  • Managed and supported enterprise Active Directory with Forefront Identity Manager 2010 R2
  • Diagnosed and resolved common messaging system problems with the DAG and mailbox access related to FIM provisioning (homed attributes) pertaining to Exchange 2010
  • Provided administration/design planning and support for Active Directory (2003/2008) and Exchange 2010 mailbox servers/DAG maintenance in the LMU campus enterprise systems (tools: PowerShell, UDT, Hyena, ServiceNow help desk ticketing system)
  • Forefront Identity Manager operational administration and support: managed existing Management Agents
  • Identified and resolved sync errors in Synchronization Service Manager for Management Agents, verifying accounts are provisioned correctly in the FIM portal
  • Created new Management Agents to integrate new target systems
  • Managed provisioning and de-provisioning of user objects and made changes per business requirements
  • Documented FIM portal provisioning procedure for staff/faculty and consultants
  • Reset MPRs (Management Policy Rules) to resolve Set criteria so that members are provisioned correctly
  • Monitored and resolved Management Agent delta cycle errors in Synchronization Manager
  • Stopped and restarted FIM-related services to resolve running workflow instances if they exceed a vital number.

Systems Engineer (Active Directory Engineer)

IBM Global Services
09.2024 - 06.2024
  • Part of the team providing AD design planning/support and maintenance for the global Active Directory enterprise infrastructure for Jones Lang LaSalle (JLLNET.COM and sub-domains)
  • Provided assessment of the current design and recommended changes and modifications to the AD structure for optimization
  • Monitored and supported objects using ADSIEdit, LDP and other native AD tools
  • Managed redesign of OU structure and GPO links
  • Periodic troubleshooting of replication, sites, subnets, trusts and connectivity
  • Played a key role in researching the JLL SSO project using Microsoft Active Directory Federation Services
  • Designed a POC for ADFS and documented the configuration of the JLL test federation server to issue tokens and the process of federated trust, enabling it to accept and issue tokens respectively from partner federation servers
  • Responsible for providing support for AD infrastructure (servers/applications) based on business requirements and needs
  • Assisted in the analysis/remediation plan of the Microsoft Premier Support ADRAP exercise focusing on the JLLNET forest DC infrastructure
  • Key factors of the health check report:
      • Failed to replicate past tombstone lifetime
      • DCs not in Domain Controllers OU
      • AD replication halted due to lingering object
      • NC failed to replicate multiple times, possibly due to poor network connectivity
      • No Global Catalogs in a couple of sites
      • Infrastructure FSMO is a GC
      • Some DNS misconfigurations.

Sr Systems Engineer

Center for Autism and Related Disorders
12.2024 - 05.2024
  • Planned and configured Azure AD Connect to integrate with Okta for single sign-on for multiple cloud applications including Office 365 (hybrid environment)
  • Developed a plan for the migration of 2008 R2 AD servers (DCs) to 2016 and 2019
  • Assisted with the planning of Workday HCM integration with Active Directory for the HR ERP migration project (identified optional and mandatory attributes)
  • Prepared the Office 365 Exchange Online migration design document (recommended Microsoft Security Optimization Assessment on Office 365)
  • Discovered and cleaned up DNS/AD domain infrastructure (stale objects, old DNS zones, and stale records) and migrated DNS service to AWS Route 53 hosted zones
  • Identified and removed unlinked GPOs and implemented a least-privilege policy for support technicians
  • Participated as a team member in migrating prod servers to CARD AWS EC2 instances and configured permission sets for S3 buckets
  • Implemented Multi-Factor Authentication (MFA) for Okta and Office 365
  • Designed a change management policy and implemented the process (developed a workflow and implemented a change request/approval process for the IT infrastructure team with the Atlassian JIRA application, following ITIL standards)
  • Used SolarWinds to monitor the network and the Hyper-V cluster and storage environment.

Snr Systems Engineer (Consultant)

E Centric (Emblem health Single Sign on Project)
08.2024 - 05.2024
  • Planned, designed and implemented ADFS 2.0 Federation Farm for Emblem Health Single Sign-On (Web Browser Profile, SAML 2.0)
  • Configured Server Authentication Certificate for secure communication and Token Signing, and exported Federation Metadata to the Service Provider for authentication setup
  • Migrated Claims Rules between trusts from test to production
  • Set up service account and SPN for the Federation Service
  • Configured SuccessFactors as a Relying Party (claims consumer) and Emblem Health as the IdP (Identity Provider and SAML issuer), using Active Directory as the attribute store
  • Set up Relying Party Trust and configured Consumer Service rules
  • Configured Claims Rules for the subject assertion for the Relying Party (Service Provider) as the sAMAccountName attribute in Active Directory
  • Configured virtual lab VMware (VMs) ESX 4.0 (vSphere) environment for testing and POC
  • Configured custom attribute store and claim rule for the RP's Issuance Transform Rules
  • Implemented RelayState by configuring a custom IIS HTTP response filter to modify the output stream of the ADFS-generated redirection to include RelayState parameters (also modified elements in the web.config file)
  • Authored an AD Health Check Procedure.

Sr. Active Directory Analyst Consultant

Providence Health Provider
06.2023 - 12.2023
  • Conducted an in-depth discovery and assessment of the current state of ad.providence.org (On-premises) Active Directory and Azure Active Directory, with a focus on the hp.providence.org domain tree
  • Evaluated the health and configuration of the Forest and Domain Trust, Replications, Network Infrastructure, Logical Structure, Directory Objects, Service Accounts, and SPNs
  • Analyzed domain controllers both on-premises and in Microsoft Azure, including VMs
  • Examined Azure Active Directory (Microsoft Entra ID) configuration and settings for the ad.providence.org hybrid environment
  • Investigated the authentication mechanism and integration of Single Sign-On (SSO) solutions, such as Auth0 and Azure AD, for various PHP applications, ensuring seamless access for customers and clients
  • Identified and addressed gaps in the current Active Directory and Azure Active Directory setup
  • Provided recommendations for improvements in Forest and Domain Trust, Replication, Network Infrastructure, and Security
  • Streamlined the management of Service Accounts and SPNs, optimizing security and performance
  • Facilitated the integration of SSO solutions for improved user access and authentication
  • Collaborated with cross-functional teams to implement recommended changes and enhancements
  • Prepared a comprehensive set of reports outlining the findings and recommendations from Phase I of the project
  • Played a pivotal role in ensuring the security, stability, and efficiency of the hybrid environment.

Sr. Active Directory Systems Engineer/IAM/Security Engineer

OSI Systems Inc.
07.2020 - 06.2023
  • Performed AD discovery and recommendations for Microsoft security best practices
  • (Hardening) Restructured and cleaned up OSI domain OUs (e.g., security groups and service accounts in built-in OU containers, and multiple duplicated OUs for different sites)
  • Used a 3-tiered (Tier 0, Tier 1, Tier 2) least-privilege administrative model and privileged security group and account protection to enforce absolute minimum privileges; also discovered, reviewed and audited privileged identities: ESAE (Enhanced Security Admin Environment) (Privileged Access Management); generated reports on privileged user access and activity
  • Reduced OUs in the root of the main domain to just 3 and configured a three-tier structure for identity (Administrative Accounts, Managed Devices, Admin Security Groups, Unprivileged Security Groups)
  • Configured controls for the built-in Administrator account
  • Investigated, researched and resolved hybrid authentication and synchronization issues of Azure AD Connect sync (duplicate, blank and invalid UserPrincipalName, ProxyAddress, givenName and other attributes)
  • Performed health checks with IdFix, ADModify.NET, ADSIEdit, and the Azure AD Connect wizard
  • Monitored, identified and resolved sync error issues and services with Azure AD Connect Health
  • Used Azure AD Admin Center to also monitor sign-in logs
  • Secured local Administrator accounts and groups through GPO configuration (to mitigate pass-the-hash and other credential attacks)
  • Configured GPO settings to restrict use of the OSI domain's Administrator accounts on domain-joined systems
  • Periodic patch management with Ivanti software scanning and software updates
  • Generated and presented executive summary and management reports
  • Managed Rapid7 (MDR) and VMInsight for endpoint protection, liaising with the SOC team (performed investigation and triage on suspected alerts of attack and prioritized remediation efforts)
  • Implemented LAPS (Local Administrator Password Solution) for automatic local admin password changes to ensure every computer has a unique password
  • Planned and coordinated with the user community and OSI departments/business units; configured and implemented company-wide Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR)
  • Monitored privileged sessions to support investigative audits
  • Analyzed unusual privileged activity that might be harmful to the organization
  • PKI experience: implemented certificate auto-enrollment policy
  • Modified existing web application templates and configured them for OSI web servers
  • Managed different types of certificate requests (web enrollment, MMC, auto-enrollment and certreq.exe or offline); CEP (Certificate Enrollment Policy) and CES (Certificate Enrollment Service)
  • Researched and assisted with the resolution of failures related to OSI PKI (Active Directory Certificate Services)
  • Added custom attributes to the AD schema and configured AD custom computer attributes that store the logged-in user's sAMAccountName, to identify a computer with its logged-in user
  • Created baseline GPOs, applied them to all and configured scoping properly; reviewed Microsoft Security Compliance guidance and used it as a guideline
  • Planned and coordinated with the service support team; migrated and decommissioned NPS, File and Print Services and AD DS from our 2012 R2 servers to 2019 within the enterprise (NPS with SonicWall as RADIUS client for VPN / Microsoft MFA)
  • Retired and decommissioned on-premises FTP servers/services for our customers and partners and migrated the service to (SSO) SaaS SFTP (Accellion Kiteworks)
  • Collaborated with the SOC team and monitored OSI GovCloud and Commercial Cloud accounts and services (IAM, EC2, RDS, VPC, Config, S3 buckets) and remediated failed security controls (AWS Security Hub: CIS AWS Foundations Benchmark v1.20) (highly secured and regulated OSI environment)
  • Managed requests in the JIRA ticketing system for AWS services (built new EC2 instances and provided access to S3 buckets for different organization accounts using permission policies and permission sets)
  • Used Ivanti Patch Management software to scan and patch assets and presented executive management summary reports periodically
  • Used Azure AD built-in RBAC roles to limit admin privileges (least-privilege practice)
  • Configured Duo MFA for administrative privileged accounts on domain servers and domain controllers
  • Configured Conditional Access using Microsoft best practices to block legacy authentication, require MFA for Azure management, and require MFA or compliant devices to access all cloud apps (excluded break-glass accounts)
  • Configured and deployed user provisioning for various applications for OSI from the application gallery
  • Configured various mobile devices with Intune in OSI using Azure AD device management
  • Planned, configured and supported AWS with on-premises AD to provide SSO access to S3 for large file transfers between OSI inter-regional locations
  • Collaborated closely with stakeholders to build a catalog of Azure IaaS templates using native Microsoft tools [PowerShell / CLI / ARM], Azure
  • Supported Exchange Online (O365) and Azure AD management
  • Provided daily monitoring, management, troubleshooting and issue resolution for systems and services hosted on cloud resources (AWS and Azure services)
  • Worked with executive team members, decision makers, and stakeholders to define business requirements and system goals, and identified and resolved business systems issues (architected and provisioned a new AD structure for a business division related to their assets and portfolio management in the product development department)
  • Security zone for cybersecurity regulation and compliance
  • Ensured secure, reliable, performant system operation of all servers, shared software, and other applications
  • Created and maintained documentation as it relates to system configuration, mapping, processes, and service records (AWS and Azure services)
  • Performed cost-benefit and return-on-investment analyses for proposed systems to aid management in making implementation decisions
  • POC project (analyzed PKI and PIV-I requirements, policies, and procedures that helped to integrate PIV smart cards into the OSI confidential enterprise environment).

Education

B.S. Electrical Engineering

Howard University School of Engineering

Skills

  • Security and infrastructure engineering
  • Active Directory configuration
  • Network and application infrastructure
  • Component hardening (CIS/NIST)
  • CIMM program lead
  • Application control
  • Vulnerability management
  • Patching
  • Compliance enforcement
  • Ivanti configuration for OSI Enterprise Patch Management
  • Cloud and on-premises identity systems (AWS and Azure)
  • PKI/PIV infrastructure management
  • Identity system knowledge and migration
  • Standards-based authentication protocols (OIDC, OAuth, SAML)
  • Directory provisioning tools (Azure AD Connect Sync, Azure AD Connect Cloud sync)
  • Integration of applications and business services with IAM
  • Self-service IAM capabilities (password resets, group management)
  • HR-driven provisioning
  • Privileged access management
  • Azure AD B2B collaboration and B2C
  • AWS services (S3, EC2, IAM, Security Hub, VPC)
  • IT security standards and risk management practices
  • Cybersecurity tools (Rapid7, DarkTrace)
  • Proofpoint and Mimecast for email gateway security
  • MITRE ATT&CK for cyber threats
  • CompTIA Security+ certification
  • AWS Certified Solution Architect Associate certification
  • Microsoft Azure Administrator certification
  • Microsoft Certified Technology Specialist (Active Directory Configuration, Network Infrastructure, Application Infrastructure)
  • MCSE Messaging certification
  • Microsoft Excel
  • Technical Analysis
  • Query Tools
  • Microsoft Visio
  • Data Mapping
  • Analytical Problem Solving

Certification

  • CompTIA Security+, COMP001003478771
  • AWS Certified Solution Architect Associate, AWS01567634
  • Microsoft Azure Administrator, MS0428644488
  • Microsoft Certified Technology Specialist – Active Directory Configuration, Network Infrastructure, Application Infrastructure
  • MCSE Messaging

Timeline

Sr Systems Engineer

Center for Autism and Related Disorders
12.2024 - 05.2024

Lead Systems Engineer (Active Directory Services)

MGM Resort International
10.2024 - 11.2024

Systems Engineer Identity Management / Active Directory

Loyola Marymount University
09.2024 - 06.2024

Systems Engineer (Active Directory Engineer)

IBM Global Services
09.2024 - 06.2024

Snr Systems Engineer (Consultant)

E Centric (Emblem health Single Sign on Project)
08.2024 - 05.2024

Active Directory Engineer

IBM Global Services
08.2024 - 09.2024

Systems Engineer Consultant

Air Lease Corporation
06.2024 - 09.2024

Systems Engineer

ADS Consulting
05.2024 - 08.2024

Sr. Active Directory Analyst Consultant

Providence Health Provider
06.2023 - 12.2023

Sr. Active Directory Systems Engineer/IAM/Security Engineer

OSI Systems Inc.
07.2020 - 06.2023
