Identity & Access Engineer (IAM)

  • Finova Technologies Private Limited
  • Salford, Manchester
  • 17/06/2026
Full time · Information Technology · Telecommunications

Job Description

Identity & Access Engineer (IAM) - Manchester Based (3 Days Hybrid)

About Finova

Finova is the UK's largest financial services technology provider, supporting one in every five mortgages nationwide. Our agile, cloud-native solutions enable over 60 banks, building societies, specialist lenders, equity release providers and a network of 2,400+ brokers to stay ahead in a competitive market.

Built on open architecture and backed by deep industry expertise, our platform is designed to scale. Each year, we process over £50 billion in loans, manage nearly £50 billion in savings, and support the digital servicing of more than 650,000 UK borrower accounts.

Be part of a team that's driving innovation, enabling growth and shaping the future of UK lending.

About the Role

Finova is seeking a seasoned IAM Specialist to own the design and implementation of identity, access, and entitlements across a multi-cloud SaaS fintech platform.
  • Core Responsibility: Translate architectural choices into practical, automated, and secure IAM implementations spanning workforce, customer, and machine identities.
  • The Stack: Multi-cloud infrastructure across AWS, Azure, and GCP. Applications run on .NET with SQL Server-backed role systems.
  • Key Challenge: Enforce tenant isolation and strict least-privilege to satisfy regulators, while defining cutting-edge access boundaries for AI pipelines, vector databases, and automated decision engines.
  • Work Model: A highly collaborative, hands-on hybrid role. You will balance high-level access modeling with day-to-day configuration, such as writing OPA Rego rules or configuring Azure AD Conditional Access policies.
About You

You are a highly analytical identity purist who recognizes that in a modern cloud ecosystem, identity is the actual security perimeter. You bridge the gap between application engineering, cloud infrastructure, and regulatory audit, acting as the subject matter expert on who (and what) has access to everything.

Key Attributes
  • The Structural Architect: You enjoy mapping complex business roles into clean, automated framework permissions, avoiding the technical debt of "privilege creep."
  • Code-Driven Security Advocate: You prefer policy-as-code over manual UI configurations, favoring auditable git repositories and continuous testing for authorization logic.
  • Pragmatic Problem Solver: You understand that security fails if it creates friction, meaning you are constantly looking for ways to use JIT elevation, automated provisioning, and SSO to make access seamless yet secure.
  • Rigorous Guard of Boundaries: You possess an uncompromising eye for isolation details, instinctively knowing how to defend against cross-tenant data leaks and broken access controls.
  • Experience: 4-6 years in IAM, security engineering, or identity-focused cloud engineering with hands-on enterprise deployment experience.
  • Entra ID Expertise: Deep practical knowledge of Azure AD (Entra ID), encompassing app registrations, Conditional Access, PIM, and federation configurations.
  • Multi-Cloud Competency: Hands-on experience with at least two major cloud providers (AWS IAM, Azure RBAC, or GCP IAM) and operational familiarity with all three.
  • Application & DB IAM: Experience implementing RBAC/ABAC models within .NET applications (Claims, ASP.NET Identity) alongside practical SQL Server access management (roles, RLS, data masking).
  • Federation Protocols: Strong capabilities with SAML 2.0, OIDC, OAuth 2.0, and SCIM provisioning workflows.
  • Policy-as-Code Skills: Experience writing, testing, and deploying authorization policies (OPA/Rego, Azure Policy, or AWS SCPs) directly within a CI/CD pipeline.
  • Modern IAM Tooling: Familiarity with PIM/PAM, CIEM concepts, secretless DevOps access patterns (OIDC-based pipeline identity), and secrets managers (Azure Key Vault, HashiCorp Vault).
  • SaaS Architecture Intuition: A strong understanding of multi-tenancy, with the ability to easily identify missing tenant contexts or authorization bypass vulnerabilities.
  • Communication: Ability to articulate complex identity structures and compliance mandates clearly to developers, architects, and non-technical auditors alike.
Nice-to-Have
  • Fintech Experience: Prior experience navigating IAM in highly regulated domains like banking, payments, or insurance.
  • CIEM/IGA Platforms: Familiarity with platforms like Microsoft Entra Permissions Management, Ermetic, SailPoint, or Saviynt.
  • AI Infrastructure Security: Experience building access controls explicitly tailored for model training environments, feature stores, or LLM integrations.
  • Certifications: SC-300 (Microsoft Identity Administrator), AWS Security Specialty, AZ-500, CISSP, or CCSP.
  • Automation Scripting: Competency in PowerShell or Python for automating access reviews, reporting, and IAM operations.
  • Zero Trust Strategy: Understanding of broader Zero Trust architectures, integrating device compliance and network trust factors with core identity decisions.
What Will You Be Doing?

Identity Architecture & Federation
  • Platform Architecture: Design and implement the identity framework across workforce (employees/contractors), customer (tenant users/admins), and machine identities (services/AI pipelines).
  • Primary IdP Management: Configure and manage Azure AD (Entra ID) tenant structures, app registrations, Conditional Access policies, and directory sync.
  • Enterprise Federation: Implement SAML 2.0, OIDC, and WS-Federation patterns to smoothly onboard customer-managed IdPs like Okta, Ping, and ADFS for enterprise SSO.
  • Automated Provisioning: Design and operate SCIM-based provisioning and deprovisioning workflows to automate user lifecycles across SaaS tenants.
  • Multi-Cloud Mapping: Map Azure AD identities to AWS IAM roles and GCP Workforce Identity Federation to maintain a cohesive, centralized access model.
Privileged Access & Entitlements Management
  • PIM/PAM Operations: Implement Just-In-Time (JIT) access, time-bound elevation, and multi-stage approval workflows for sensitive administrator roles.
  • CIEM Right-Sizing: Utilize Cloud Infrastructure Entitlements Management concepts to monitor and reduce standing privileges or over-entitled accounts across AWS, Azure, and GCP.
  • Access Certification: Build automated entitlement review campaigns so business managers can attest to access appropriateness with minimal friction.
  • Break-Glass Procedures: Establish emergency access workflows equipped with automated expiration, full audit trails, and post-incident review requirements.
Application-Level Access Control (RBAC / ABAC)
  • Layered Enforcement: Design access models that cross multiple enforcement boundaries, including ASP.NET middleware, API gateways, and SQL Server database layers.
  • Claims Mapping: Maintain the mapping between business roles, ASP.NET Identity/Claims, and database-level permissions (such as SQL Server roles and Row-Level Security).
  • Tenant Isolation: Enforce tenant-scoped RBAC to ensure roles and claims are strictly bound to tenant context, architecturally preventing cross-tenant privilege escalation.
  • Policy-as-Code: Write Open Policy Agent (OPA) / Rego policies to centralize fine-grained authorization, utilizing version control, automated testing, and staged rollouts in CI/CD.
Multi-Cloud IAM Operations
  • Cloud Hardening: Manage cloud-native IAM mechanisms, including AWS SCPs and Permission Boundaries; Azure RBAC and Managed Identities; and GCP Organization Policy Constraints.
  • Least-Privilege Verification: Use automated tooling (permission analyzers, simulation tools) to discover and eliminate unused access before deployments go live.
  • Machine Identities: Enforce short-lived credentials, workload identity federation, and secretless patterns for service accounts and machine-to-machine authentication.
DevOps & SQL Infrastructure Access
  • Pipeline Security: Secure access to CI/CD pipelines (Azure DevOps, GitHub Actions), artifact registries, and IaC codebases using federated workload identity (OIDC) rather than static keys.
  • SQL Governance: Manage SQL Server database role hierarchies, schema-level permissions, Row-Level Security (RLS) policies, dynamic data masking, and Always Encrypted structures.
  • Database DevOps: Design access controls for migration tools, analytics queries, and read-replicas to empower engineering velocity without providing permanent production database access.
  • Database Auditing: Implement and monitor database audit logs to track privileged queries, schema alterations, and potential anomalous data access.
AI & ML Pipeline Access Control
  • Workload Identity: Ensure model training jobs, feature pipelines, and serving endpoints utilize scoped, short-lived credentials to access data.
  • AI Component Protection: Define and implement access controls for vector databases, feature stores, and model registries to secure training datasets and model artifacts.
  • Endpoint Authorization: Establish strict authorization policies controlling which roles or tenants can invoke AI endpoints, minimizing AI service account permissions.
  • Data Boundary Enforcement: