Security Engineer (MFA & PAM – Duo & Delinea Secret Server)

Please note – this role is not able to offer Visa transfer or sponsorship now or in the future
About The Role
As a
Security Engineer (MFA & PAM – Duo & Delinea Secret Server)
, you will be responsible for the engineering, administration, and day‑to‑day operations of our Multi‑Factor Authentication (MFA) and Privileged Access Management (PAM) platforms, with a primary focus on
Duo (MFA)
and
Delinea Secret Server (PAM)
.
You will partner with IT, infrastructure, and security teams, as well as external SOC partners, to improve identity assurance, reduce privileged access risk, and ensure resilient access during both routine operations and emergency scenarios. This role reports directly to the
Senior Manager of Identity and Access Management
.
In This Role, You Will
Operational Duties (Run)

• Administer, configure, and support Duo MFA for user, administrative, and remote access use cases, including SSO applications, VPN, RDP/Windows logon, and administrative portals.
• Administer, configure, and support Delinea Secret Server for password vaulting, privileged account onboarding, credential rotation, and access workflows.
• Maintain platform health and availability by monitoring service status, integrations, connectors, certificates, and authentication methods; perform routine upgrades and patching; and coordinate maintenance windows and stakeholder communications.
• Implement and maintain MFA and PAM policies and controls, including enrollment and exception handling, device‑ and risk‑based policies (where applicable), onboarding standards, and least‑privilege workflows.
• Integrate Duo and Delinea Secret Server with core identity and infrastructure components such as directory services, SSO/IdP platforms, SIEM, ITSM/ticketing systems, endpoint management, and remote access tooling.
• Provision and deprovision access in alignment with joiner, mover, and leaver processes; conduct periodic access reviews and vault hygiene activities, including ownership, naming conventions, metadata, and lifecycle management.
• Triage and resolve incidents and service requests related to authentication issues, MFA enrollment, device changes, vault access, and credential rotation failures; escalate to vendors when needed.
• Develop and maintain technical documentation, runbooks, and knowledge articles supporting common requests, troubleshooting, operations, and recovery procedures.
• Partner with Governance, Risk & Compliance (GRC) and audit stakeholders to provide evidence, demonstrate controls, and remediate MFA and PAM‑related findings.
• Contribute to continuous improvement through defined metrics such as MFA enrollment coverage, PAM onboarding progress, rotation success rates, and emergency access readiness.

Break‑Glass / Emergency Access Responsibilities (Respond)

• Design, implement, and maintain break‑glass and emergency access accounts for critical systems, ensuring access is secure, auditable, and usable under outage conditions.
• Ensure emergency access credentials are stored and protected appropriately, including vaulting, restricted access groups, strong authentication, time‑bound approvals, and monitoring and alerting.
• Define and test emergency scenarios, including IdP/SSO outages, MFA provider degradation, directory service failures, privileged credential compromise, and Secret Server service interruptions.
• Perform periodic break‑glass drills (e.g., quarterly), document outcomes, and remediate identified gaps.
• Execute authorized emergency access during incidents, including approval validation, access provisioning, usage monitoring, artifact collection, and coordination of containment and restoration.
• After emergency use, perform credential rotation, session and account review, log analysis, and post‑incident documentation; participate in root cause analysis and corrective action planning.
• Collaborate with Incident Response teams to ensure privileged actions are centrally logged (e.g., SIEM) and that high‑risk activity triggers alerts and follow‑up workflows.
• Maintain strict separation of duties and ensure emergency access is governed by documented authorization and an auditable trail.

Work model
We believe hybrid work is the way forward as we strive to provide flexibility wherever possible. Based on this role’s business requirements, this is a
hybrid position requiring 3 days a week in a Cognizant or client office in Cambridge, MA
. Regardless of your working arrangement, we are here to support a healthy work‑life balance through our various wellbeing programs.
The working arrangements for this role are accurate as of the date of posting. This may change based on the project you’re engaged in, as well as business and client requirements. Rest assured, we will always be clear about role expectations.
What You Need To Have To Be Considered

• 3+ years of hands‑on experience in security engineering, IAM, systems administration, or a related role with production operational ownership.
• Demonstrated experience administering Duo (or an equivalent MFA solution), including enrollment workflows, policy design, and authentication troubleshooting.
• Demonstrated experience administering Delinea Secret Server (or an equivalent PAM or vault solution), including privileged account onboarding and password rotation.
• Strong understanding of authentication and identity fundamentals, including MFA methods, SSO concepts, directory services, role‑based access control, and least‑privilege principles.
• Working knowledge of Windows and Linux administration and how privileged access is used across servers, infrastructure devices, and services.
• Experience with incident management, change management, and operational documentation such as runbooks, SOPs, and knowledge articles.
• Ability to participate in on‑call rotations or after‑hours change windows as required to support critical systems.
• Strong communication skills with the ability to translate security requirements into clear, operational processes.

These will help you stand out

• Experience integrating Duo with VPNs, VDI environments, Windows logon, RDP gateways, or administrative access workflows.
• Experience with advanced Delinea Secret Server features such as discovery, approvals, session proxy or recording, service accounts, APIs, or automation.
• Experience with SIEM tools such as Splunk or Azure Sentinel and building alerts or detections for privileged access and MFA anomalies.
• Scripting or automation experience using PowerShell or Python.
• Familiarity with cloud and hybrid identity environments, including Entra ID/Azure AD, AWS IAM, or Google Cloud IAM.
• Relevant security certifications such as Security+, SSCP, CISSP, GIAC, or vendor‑specific certifications.

Salary And Other Compensation
Applications will be accepted until May 21, 2026.
The annual salary for this position is between $84,000 - $134,000 depending on experience and other qualifications of the successful candidate.
This position is also eligible for Cognizant’s discretionary annual incentive program, based on performance and subject to the terms of Cognizant’s applicable plans.
Benefits: Cognizant offers the following benefits for this position, subject to applicable eligibility requirements:

• Medical/Dental/Vision/Life Insurance
• Paid holidays plus Paid Time Off
• 401(k) plan and contributions
• Long-term/Short-term Disability
• Paid Parental Leave
• Employee Stock Purchase Plan

Disclaimer: The salary, other compensation, and benefits information is accurate as of the date of this posting. Cognizant reserves the right to modify this information at any time, subject to applicable law.