Title: Privileged Access Management (PAM) Engineer Location: Westbrook United States Job Description: IT accelerates the success of IDEXX employees and customers by providing scalable, secure, and innovative technology solutions. As a global organization supporting critical systems across cloud and onprem environments, we are committed to maturing our identity and security posture-particularly in the area of Privileged Access Management (PAM). The PAM Engineer plays a pivotal role in ensuring secure, compliant, and tightly governed privileged access across the enterprise. This role is responsible for planning, implementing, and operating our PAM platform (e.g., CyberArk Privilege Cloud), supporting our strategy to reduce risk, strengthen identity governance, and meet audit and regulatory requirements. This position partners closely with Security, Infrastructure, Cloud Engineering, Application teams, and IAM functions to enforce best practices, monitor privileged activity, and support the operational lifecycle of privileged accounts across servers, endpoints, cloud platforms, network devices, and SaaS environments. If you are passionate about reducing privileged-access risk and enabling secure operations through automation, governance, and modern PAM tooling, we encourage you to apply. In this role, you will be responsible for: Privileged Access Platform Administration - Deploy, configure, and maintain the enterprise PAM platform (e.g., CyberArk) including credential vaulting, session management, password rotation, and just In time (JIT) access. - Manage platform components such as vault servers, connectors, session recording infrastructure, credential providers, and privileged session gateways. - Ensure high availability, performance optimization, and adherence to operational SLAs. Privileged Account & Credential Lifecycle Management - Onboard and maintain privileged accounts across Windows, Linux, network devices, databases, cloud platforms (Azure, AWS, GCP), and SaaS admin consoles. - Implement automated password rotation, check-in/checkout workflows, and lifecycle governance for service accounts, application credentials, and secrets. - Maintain least privilege standards, including enforcement of cloud only admin accounts and removal of unnecessary or stale privileged principals. JIT Access, PIM/PAM Integration & Access Elevation - Administer justintime elevation policies for cloud roles (e.g., Entra PIM) and integrate them with the enterprise PAM strategy. - Configure approval workflows, MFA enforcement, activation duration settings, and monitoring for high-risk role activation. - Ensure alignment between PIM (role elevation) and PAM (credential vaulting/session control) platforms. Security, Compliance & Audit Support - Maintain controls required for SOX, SOC2, ISO, and internal/external audit reviews of privileged access activity. - Support regular access reviews for privileged accounts and roles, collaborating with managers and system owners. - Provide evidence for audits related to privileged access, session logs, credential governance, and administrative workflows. Automation, Scripting & Operational Efficiency - Develop and maintain automation (e.g., PowerShell, Python, APIs) for onboarding, credential rotation, vault management, and reporting. - Build integrations between PAM and enterprise systems such as ServiceNow, SIEM, CMDB, IGA platforms, and cloud identity services. - Streamline manual processes and reduce ticket volume through automation and mature workflow design. Monitoring & Incident Response - Monitor for suspicious privileged behavior, anomalous sign-ins, risky activations, or vault activity using SIEM and platform analytics. - Maintain and periodically validate breakglass/emergency access controls across critical systems. - Serve as an escalation point for privileged access issues or failures impacting operations. Cross Functional Collaboration & Governance - Partner with infrastructure, application, cloud, and security teams to enforce standards for privileged access governance. - Assist system owners in identifying what constitutes privileged access and mapping roles, entitlements, and required controls. - Contribute to PAM roadmap planning, tool evaluations, and ongoing PAM maturity initiatives. Location: Driving distance to our Westbrook, Maine HQ. Flexible hybrid on-site of 8 days per month/2 days per week on average, is required. What You Will Need to Succeed: - 2 to 5 years of hands-on experience administering enterprise PAM solutions such as CyberArk. - Strong understanding of privileged access concepts including: - Credential vaulting - Session monitoring and recording - JIT elevation & PIM - Password rotation - Tiering/Zero Trust/least privilege - Expertise with Windows/MacOS/Linux administration, Active Directory/Entra ID, cloud IAM roles (Azure, AWS, GCP), and integration of privileged accounts across these systems. - Scripting & Automation: Proficiency in PowerShell, APIs, JSON, and automation frameworks. Experience automating password rotation, onboarding workflows, and data collection. - Soft Skills: Strong analytical abilities and troubleshooting skills for complex privileged access scenarios. Excellent communication skills and ability to translate technical concepts to nontechnical partners. Demonstrated cross-functional collaboration with security, engineering, and operations teams. - Compliance & Security Knowledge: Familiarity with audits, risk controls, and compliance frameworks (SOX, SOC2, ISO 27001). Experience supporting audit evidence gathering and implementing controls to reduce privileged access risk. Why IDEXX? We're proud of the work we do, because our work matters. An innovation leader in every industry we serve, we follow our Purpose and Guiding Principles to help pet owners worldwide keep their companion animals healthy and happy, to ensure safe drinking water for billions, and to help farmers protect livestock and poultry from diseases. We have customers in over 175 countries and a global workforce of over 10,000 talented people. So, what does that mean for you? We enrich the livelihoods of our employees with a positive and respectful work culture that embraces challenges and encourages learning and discovery.   At IDEXX, you will be supported by competitive compensation, incentives, and benefits while enjoying purposeful work that drives improvement. Let's pursue what matters together. IDEXX values a diverse workforce and workplace and strongly encourages women, people of color, LGBTQ+ individuals, people with disabilities, members of ethnic minorities, foreign-born residents, and veterans to apply. IDEXX is an equal opportunity employer. Applicants will not be discriminated against because of race, color, creed, sex, sexual orientation, gender identity or expression, age, religion, national origin, citizenship status, disability, ancestry, marital status, veteran status, medical condition, or any protected category prohibited by local, state, or federal laws.