PAM and Secrets Management Engineer

Who We Are

Applied Materials is a global leader in materials engineering solutions used to produce virtually every new chip and advanced display in the world. We design, build and service cutting-edge equipment that helps our customers manufacture display and semiconductor chips – the brains of devices we use every day. As the foundation of the global electronics industry, Applied enables the exciting technologies that literally connect our world – like AI and IoT. If you want to push the boundaries of materials science and engineering to create next generation technology, join us to deliver material innovation that changes the world. 

What We Offer

Location:

Bangalore,IND

You’ll benefit from a supportive work culture that encourages you to learn, develop, and grow your career as you take on challenges and drive innovative solutions for our customers. We empower our team to push the boundaries of what is possible—while learning every day in a supportive leading global company. Visit our Careers website to learn more. 

At Applied Materials, we care about the health and wellbeing of our employees. We’re committed to providing programs and support that encourage personal and professional growth and care for you at work, at home, or wherever you may go. Learn more about our benefits. 

About the Role

Join Applied Materials as a PAM & Secrets Management Engineer to lead privileged access management and secrets management initiatives across our global enterprise infrastructure. You'll architect and operate enterprise-scale PAM solutions (CyberArk, evaluating alternatives) and HashiCorp Vault, working at the intersection of security, DevOps, and cloud platforms to protect critical systems and enable secure development.

Key Responsibilities

Privileged Access Management (PAM)

• Design, implement, and manage enterprise PAM solutions at scale (500+ concurrent sessions, 2K+ daily logins, 2.5K+ targets)
• Operate and maintain CyberArk self-hosted environment lead evaluation of alternatives (Delinea, BeyondTrust, CyberArk Privilege Cloud)
• Architect privileged session management (PSM) for RDP, SSH with native client support and passwordless credential injection
• Implement automated account discovery and onboarding workflows (Windows local, AD, Linux/Unix accounts)
• Configure session recording, monitoring, and alerting for compliance and security
• Troubleshoot and resolve PAM infrastructure stability issues (eliminating outages)

Secrets Management

• Architect and operate HashiCorp Vault Enterprise at scale across multi-cloud environments
• Implement Vault secrets engines: KV v2, Dynamic Secrets (LDAP, Azure, databases), PKI, Transit Encryption
• Design and deploy Vault authentication methods: OIDC/JWT, Kubernetes, AppRole, AWS IAM, Azure AD
• Configure Vault policies and namespaces for multi-tenant secret isolation
• Integrate Vault with CI/CD pipelines (Jenkins, GitLab, GitHub Actions, Azure DevOps) for secure secret injection
• Implement Vault Agent and sidecar injectors for application secret delivery
• Configure Vault auto-unseal with cloud KMS (AWS KMS, Azure Key Vault, GCP Cloud KMS)
• Manage Vault high availability, disaster recovery, and performance tuning
• Implement secret rotation automation for databases, cloud credentials, and API keys

Cross-Functional Collaboration

• Partner with CI/CD, Network, Cloud, and Platform teams to integrate PAM/SM controls
• Lead incident response for privileged access breaches and secrets exposure events
• Conduct security assessments and ensure compliance with SOX, PCI-DSS, ISO 27001
• Automate PAM and Secret Management workflows using Python, Bash, PowerShell, Terraform, Ansible

Required Qualifications

Privileged Access Management (PAM) Expertise:

• 5+ years hands-on experience with enterprise PAM solutions at scale (10,000+ employees or global infrastructure)
• Deep experience with privileged session management: RDP, SSH session recording, monitoring, and credential injection
• Strong understanding of account lifecycle management: discovery, onboarding, rotation for Windows local, AD, Linux/Unix accounts
• Experience with PAM platforms: CyberArk (PAS, PVWA, CPM, PSM) or equivalent (BeyondTrust, Delinea, Arcon)
• Knowledge of least privilege principles and privilege elevation workflows
• Experience integrating PAM with approval workflows (ServiceNow, ITSM tools)
• Understanding of session isolation, credential vaulting, and password/SSH key rotation
• Familiarity with PAM architecture: high availability, disaster recovery, horizontal scaling

Secrets Management Expertise:

• 3+ years hands-on experience with HashiCorp Vault in production environments
• Deep knowledge of Vault secrets engines: KV (v1/v2), Dynamic Secrets (databases, AWS, Azure), PKI, Transit, SSH, TOTP
• Experience with Vault authentication methods: Kubernetes, AppRole, OIDC/JWT, AWS IAM, Azure AD, LDAP, TLS Certificates
• Strong understanding of Vault policies, namespaces, and entity/identity management
• Experience with Vault Agent, sidecar injectors, and application integration patterns
• Knowledge of Vault operations: auto-unseal (HSM), replication (DR/Performance), backup/restore, upgrades
• Experience integrating Vault with CI/CD pipelines for dynamic secret injection
• Understanding of secret zero problem and secure secret bootstrap mechanisms

Technical & Cloud Skills:

• Multi-cloud secrets management: AWS Secrets Manager/IAM, Azure Key Vault/Managed Identity, GCP Secret Manager
• Experience with Kubernetes: Vault sidecar injection, CSI secret driver, external secrets operator
• Proficiency in scripting and automation: Python, Bash, PowerShell, Go (preferred)
• Experience with Infrastructure-as-Code: Terraform, Ansible (Vault configuration automation)
• Understanding of PKI fundamentals: certificate lifecycle, CA hierarchies, mTLS, certificate-based authentication
• Experience with Directory services: Active Directory, LDAP (for PAM/Vault integration)

Collaboration & Communication Skills:

• Proven track record working with DevOps, Platform Engineering, Cloud, and Network teams
• Strong communication skills with technical and non-technical stakeholders
• Ability to lead cross-functional PAM/SM initiatives and provide technical mentorship
• Experience in incident response for privileged access and secret exposure events

Preferred Qualifications (Advantages)

• CyberArk Certified: CyberArk Defender, Sentry, or Trustee certifications
• Hands-on experience evaluating PAM alternatives: Delinea Secret Server, BeyondTrust, Arcon, CyberArk Privilege Cloud
• Experience with account discovery automation and policy-based onboarding at scale
• HashiCorp Certified: Vault Associate or Vault Professional certification
• Deep knowledge of Vault database secrets engine: PostgreSQL, MySQL, MongoDB, MSSQL, Oracle dynamic credentials
• Hands-on with Vault Transit engine: encryption-as-a-service, key derivation, convergent encryption
• Experience with Vault SSH secrets engine: signed SSH certificates, OTP SSH, CA-based SSH access
• Experience with Vault KMIP secrets engine for legacy application encryption key management
• Experience with Vault monitoring: metrics (Prometheus), logging, audit logs, performance tuning

Certifications & Education:

• Bachelor's degree in Computer Science, Information Security, or related field
• Professional certifications: CyberArk CDE/Sentry, HashiCorp Vault Associate/Professional, CISSP, CISM, CISA, CEH
• Cloud certifications: AWS Security Specialty, Azure Security Engineer, GCP Security Engineer

Compliance & Architecture:

• Deep knowledge of compliance frameworks: SOX, PCI-DSS, NIST CSF, ISO 27001, GDPR, HIPAA
• Experience with zero-trust architecture and secrets management in zero-trust models
• Understanding of threat modeling for privileged access and secret exposure risks

Additional Information

Time Type:

Full time

Employee Type:

Assignee / Regular

Travel:

Yes, 10% of the Time

Relocation Eligible:

Yes

Applied Materials is an Equal Opportunity Employer. Qualified applicants will receive consideration for employment without regard to race, color, national origin, citizenship, ancestry, religion, creed, sex, sexual orientation, gender identity, age, disability, veteran or military status, or any other basis prohibited by law.