Role Overview
We are looking for a Senior IT Infrastructure Engineer to own and mature our internal IT infrastructure, endpoint management, identity and access management (IAM), network security, and cloud networking operations. This is a hands-on senior role where you will be expected to make architectural decisions, define security best practices, and drive the evolution of our IT operations from reactive support to a proactive, policy-driven function.
You will be a key decision-maker on how IQZ secures, provisions, and supports its employee technology stack across a distributed, hybrid workforce.
Key Responsibilities
1. Endpoint Management & Laptop Provisioning
· Own the end-to-end device lifecycle: procurement, imaging, configuration, shipping to remote employees, and decommissioning.
· Manage and optimize our device management software for patch management, software deployment, remote troubleshooting, and asset tracking across the Windows and macOS fleet.
· Establish and enforce standard operating environments (SOEs) for Windows (including WSL2/Debian configurations for developers) and macOS (for designers).
· Design and implement automated provisioning workflows to reduce new-joinee onboarding time.
· Provide Tier 2/3 troubleshooting support for employee machines, escalating hardware issues to vendors as needed.
2. Identity & Access Management (IAM)
· Administer and maintain the hybrid identity infrastructure: on-premises Active Directory synchronized with Microsoft Entra ID (formerly Azure AD) via Azure AD Connect (now Microsoft Entra Connect).
· Define and enforce access control policies, Conditional Access rules, and MFA configurations across the organization.
· Manage user lifecycle operations: onboarding, role changes, offboarding, and periodic access reviews.
· Integrate Entra ID with SaaS applications for SSO/SAML/OIDC-based authentication.
· Troubleshoot sync issues between on-prem AD and Entra ID, including password hash sync, pass-through authentication, and federation services.
· Administer the Microsoft 365 tenant: manage Exchange Online mailboxes, distribution lists, mail flow rules, and Teams policies. Ensure M365 services are governed by appropriate Conditional Access and data loss prevention (DLP) policies.
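The Conditional Access and MFA work above is the kind of thing that decays silently: a policy left in report-only after a pilot, an ever-growing exclusion list, or an "All users" policy that forgets the emergency-access accounts. The script below is an added example for this posting, not IQZ's own tooling. It audits an exported policy set for those gaps; the policy objects follow the Microsoft Graph conditionalAccessPolicy shape (displayName, state, conditions.users, conditions.applications, conditions.clientAppTypes, grantControls.builtInControls), and the three sample policies, their GUID-like ids and the maximum of one excluded group are constructed for illustration.

```python
"""Audit an exported set of Entra ID Conditional Access policies for common gaps.

Added example for this posting, not IQZ's own tooling. The policy objects follow
the Microsoft Graph conditionalAccessPolicy shape; the three policies below are
constructed for illustration, and the group/user ids are placeholders.
"""
import json

SAMPLE_EXPORT = json.dumps([
    {
        "displayName": "CA001: Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      # break-glass account excluded (placeholder id)
                      "excludeUsers": ["00000000-0000-0000-0000-00000000bg01"],
                      "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "CA002: Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",  # report-only: blocks nothing
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "CA003: Require compliant device for M365",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [],
                      # placeholder group ids
                      "excludeGroups": ["grp-contractors", "grp-executives", "grp-sales"]},
            "applications": {"includeApplications": ["Office365"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    },
])


def audit_policies(export_json: str, max_excluded_groups: int = 1) -> dict:
    """Return findings keyed by policy display name; tenant-wide gaps go under '_tenant'."""
    policies = json.loads(export_json)
    findings: dict = {}
    mfa_enforced_for_all = False
    legacy_auth_blocked = False

    for policy in policies:
        name = policy["displayName"]
        state = policy.get("state")
        conditions = policy.get("conditions", {})
        users = conditions.get("users", {})
        apps = conditions.get("applications", {})
        controls = set(policy.get("grantControls", {}).get("builtInControls", []))
        issues = []

        # Report-only and disabled policies enforce nothing; they are often left
        # that way after a pilot and silently become coverage gaps.
        if state != "enabled":
            issues.append(f"not enforced (state={state})")

        # A policy scoped to All users with no exclusion at all also hits the
        # emergency-access accounts; one bad edit then locks every admin out.
        if users.get("includeUsers") == ["All"] and not users.get("excludeUsers") and not users.get("excludeGroups"):
            issues.append("no break-glass exclusion: policy applies to emergency-access accounts too")

        # Each excluded group is a population the control does not cover.
        excluded_groups = users.get("excludeGroups", [])
        if len(excluded_groups) > max_excluded_groups:
            issues.append(f"{len(excluded_groups)} excluded groups exceed the allowed {max_excluded_groups}")

        covers_everyone = users.get("includeUsers") == ["All"] and apps.get("includeApplications") == ["All"]
        if state == "enabled" and covers_everyone and "mfa" in controls:
            mfa_enforced_for_all = True
        # Legacy auth (clientAppTypes 'other') cannot satisfy MFA, so it must be blocked outright.
        if state == "enabled" and "block" in controls and "other" in conditions.get("clientAppTypes", []):
            legacy_auth_blocked = True

        if issues:
            findings[name] = issues

    tenant = []
    if not mfa_enforced_for_all:
        tenant.append("no enabled policy requires MFA for all users across all apps")
    if not legacy_auth_blocked:
        tenant.append("no enabled policy blocks legacy authentication")
    if tenant:
        findings["_tenant"] = tenant
    return findings


if __name__ == "__main__":
    for policy_name, issues in audit_policies(SAMPLE_EXPORT).items():
        for issue in issues:
            print(f"{policy_name}: {issue}")
```

On the sample set, CA001 passes, CA002 is flagged as report-only and as lacking a break-glass exclusion, CA003 is flagged for its three excluded groups, and the tenant-wide check reports that nothing enforced actually blocks legacy authentication. The same function can be pointed at a real export (for example the output of a Graph call to /identity/conditionalAccess/policies) as a periodic access-review control.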
3. Network Security & Remote Access (SASE / VPN)
· Architect and implement a coherent remote access strategy using the existing Netskope SASE platform - configure Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA) policies.
· Evaluate, rationalize, and potentially consolidate the existing VPN setup with Netskope's ZTNA capabilities.
· Define network segmentation and access policies for remote employees accessing cloud-hosted applications and on-premises resources.
· Integrate Netskope with Microsoft Entra ID for user provisioning, SSO, and policy enforcement based on user identity and device posture.
4. Cloud Networking & Infrastructure
· Manage and troubleshoot cloud networking across GCP (primary), Azure, and AWS - including VPCs/VNets, firewall rules, peering, DNS, and load balancers.
· Support connectivity between on-premises infrastructure and cloud environments (site-to-site VPN, ExpressRoute/Cloud Interconnect where applicable).
· Collaborate with the platform engineering team to ensure network configurations align with application deployment requirements.
· Monitor and optimize cloud network performance, cost, and security posture.
· Advisory capacity (not day-to-day ownership): Maintain working knowledge of the organization's cloud infrastructure - compute instances, Kubernetes clusters, and IaC pipelines - to effectively review security implications, advise on IAM policies and service account configurations, and participate in architectural discussions with the platform engineering team.
· Review and advise on cloud IAM configurations: service account permissions, role bindings, workload identity federation, and least-privilege policies across GCP, Azure, and AWS.
· Serve as the security and compliance voice in cloud infrastructure decisions - ensuring changes to compute, storage, or orchestration align with ISO 27001 controls and IQZ's security policies.
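Reviewing cloud IAM for least privilege is largely a matter of reading the effective policy and asking three questions: who holds the basic (owner/editor/viewer) roles, is anything exposed to allUsers or allAuthenticatedUsers, and can an entire workload identity pool impersonate a service account. The script below is an added example for this posting, not IQZ's own tooling; it runs those checks over the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns. The sample policy, the project number, the pool id and the account names are placeholders constructed for illustration.

```python
"""Review a GCP project IAM policy for least-privilege violations.

Added example for this posting, not IQZ's own tooling. Input is the JSON shape
of `gcloud projects get-iam-policy PROJECT --format=json`: a list of bindings,
each a role plus member principals. The policy below is constructed; project
numbers, pool ids and account names are placeholders.
"""
import json

SAMPLE_POLICY = json.dumps({
    "etag": "BwX-placeholder",
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:ci-deployer@proj.iam.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["group:platform-eng@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers"]},
        # Wildcard: every identity the pool trusts may impersonate the service account.
        {"role": "roles/iam.workloadIdentityUser",
         "members": ["principalSet://iam.googleapis.com/projects/123456789/locations/global/"
                     "workloadIdentityPools/github-pool/*"]},
        # Scoped to one repository attribute: the intended way to bind a pool.
        {"role": "roles/iam.workloadIdentityUser",
         "members": ["principalSet://iam.googleapis.com/projects/123456789/locations/global/"
                     "workloadIdentityPools/github-pool/attribute.repository/example-org/app-repo"]},
        {"role": "roles/logging.viewer",
         "members": ["group:sre@example.com"]},
    ],
})

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Roles that let the holder act as another identity; granting them to a whole
# pool or a broad principal is a privilege-escalation path.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
    "roles/iam.workloadIdentityUser",
}


def review_iam_policy(policy_json: str) -> list:
    """Return (severity, role, member, reason) tuples, highest severity first."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(("HIGH", role, member,
                                 "public principal: anyone on the internet can use this role"))
            if role in BASIC_ROLES:
                if member.startswith("serviceAccount:"):
                    findings.append(("HIGH", role, member,
                                     "service account holds a basic role; use predefined or custom roles"))
                else:
                    findings.append(("MEDIUM", role, member,
                                     "basic role is far broader than any single job needs"))
            if role in IMPERSONATION_ROLES and member.startswith("principalSet://") and member.endswith("/*"):
                findings.append(("HIGH", role, member,
                                 "workload identity pool wildcard: every identity in the pool can impersonate"))
    severity_rank = {"HIGH": 0, "MEDIUM": 1}
    findings.sort(key=lambda f: (severity_rank[f[0]], f[1], f[2]))
    return findings


if __name__ == "__main__":
    for severity, role, member, reason in review_iam_policy(SAMPLE_POLICY):
        print(f"[{severity}] {role} -> {member}: {reason}")
```

On the sample policy this yields five findings: three HIGH (the public bucket-read grant, the CI service account holding owner, and the pool-wide workload identity binding) and two MEDIUM (a user and a group holding basic roles). The attribute-scoped pool binding and the predefined logging role produce nothing, which is the shape a reviewer wants every binding to take.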
5. Security Policy & Guidelines
· Design and document security policies covering: endpoint hardening, acceptable use, data classification, incident response, and remote work security.
· Implement device compliance policies (e.g., disk encryption, OS version, antivirus status) in the endpoint management platform (ManageEngine and/or Intune), surface the resulting compliance state to Entra ID, and enforce it at sign-in through Conditional Access (require compliant device).
· Conduct periodic security assessments of the IT environment and recommend improvements.
· Lead or participate in security incident response and root cause analysis.
· Evaluate and recommend tooling improvements (e.g., EDR/XDR solutions, SIEM integration).
· Maintain and continuously improve IQZ's ISO 27001 Information Security Management System (ISMS): ensure IT infrastructure controls (Annex A) remain effective, manage the risk treatment plan for infrastructure-related risks, and maintain evidence/documentation for internal and external audits.
· Support ISO 27001 surveillance and recertification audits by preparing evidence packages, coordinating with auditors on infrastructure-related controls, and driving timely closure of non-conformities and observations.
Required Qualifications
Technical Skills
· Strong hands-on experience with Windows Server and Active Directory: Group Policy, DHCP, DNS, sites and services, organizational units.
· Proven experience with Microsoft Entra ID (Azure AD): Conditional Access, Azure AD Connect/Cloud Sync, SSO/SAML integration, application registrations.
· Microsoft 365 administration: Exchange Online (mailbox management, mail flow rules, spam/phishing policies), Teams administration (policies, guest access, compliance), and SharePoint Online. Familiarity with M365 Admin Center, Security & Compliance Center, and Microsoft Purview.
· Experience with endpoint management platforms - ManageEngine DesktopCentral preferred; familiarity with Intune or Jamf is a plus.
· Working knowledge of SASE/SSE platforms (Netskope strongly preferred) including SWG, CASB, and ZTNA configuration.
· Cloud networking fundamentals across at least two of: GCP, Azure, AWS - VPCs, firewall rules, IAM, DNS, load balancing, interconnects.
· Experience with both Windows (including WSL2 environments) and macOS endpoint support and management.
· Understanding of network protocols and security: TCP/IP, DNS, DHCP, TLS/SSL, 802.1X, RADIUS.
· Hands-on experience with ISO 27001 ISMS: familiarity with Annex A controls relevant to IT infrastructure (access control, operations security, communications security, asset management), risk assessment processes, and supporting internal/external audit cycles.
Non-Technical Skills
· Ability to independently assess security posture and design access control policies with minimal guidance.
· Strong documentation skills - ability to write clear security guidelines, runbooks, and architectural decision records.
· Experience supporting a distributed/remote workforce at scale (150+ employees).
· Excellent troubleshooting methodology and root cause analysis skills.
· Strong communication skills - ability to explain technical decisions to non-technical stakeholders.
Preferred Qualifications
· Relevant certifications: ISO 27001 Lead Implementer or Lead Auditor, Microsoft 365 Certified: Administrator Expert (MS-102), Microsoft Certified: Identity and Access Administrator Associate (SC-300), Azure Administrator Associate (AZ-104), Google Cloud Professional Cloud Network Engineer, CompTIA Security+, or Netskope Certified Cloud Security Administrator (NCCSA).
· Experience with Infrastructure as Code tools (Terraform, Ansible) for managing cloud network resources.
· Familiarity with scripting/automation: PowerShell, Bash, Python for IT automation tasks.
· Experience with additional compliance frameworks (SOC 2, GDPR, NIST CSF) and cross-framework audit preparation.
· Prior experience in a fast-growing company transitioning from ad hoc IT to structured operations.
· Experience evaluating or implementing EDR/XDR solutions (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint).