Data Engineer - Zero Trust and IAM

What we look for

· 3+ years of professional experience building and operating production-grade applications and services across the stack (frontend, backend, databases, CI/CD).

· Strong programming skills in Python and/or Scala and SQL; ability to write modular, testable, and well-documented code for batch and streaming workloads.

· Hands-on with modern data engineering stacks:

· Distributed processing: Apache Spark (Databricks preferred), PySpark/Scala.

· Orchestration: Azure Data Factory or Apache Airflow; event-driven patterns with Azure Functions/Logic Apps.

· Storage & formats: Delta Lake/Lakehouse, ADLS Gen2, Parquet/Avro, Hive Metastore/Unity Catalog.

· Data modeling: dimensional/star, data vault or lakehouse medallion; schema evolution and governance at scale.

· IAM domain expertise: identity lifecycle (joiner/mover/leaver), entitlements/roles, access requests & approvals, certification/attestation, SoD; familiarity with IdPs and IGA/PAM:

· Microsoft Entra ID (Azure AD), Okta, Ping Identity; SailPoint or Saviynt; CyberArk/BeyondTrust.

· Standards & protocols: OAuth2/OIDC, SAML, SCIM, JWT; basic understanding of policy enforcement (RBAC/ABAC).

· Cloud proficiency (Azure preferred; AWS/GCP a plus): Databricks, Synapse/SQL, Event Hubs/Kafka, Key Vault, Monitor/Log Analytics, Microsoft Graph API, Purview for lineage & catalog.

· DevOps/DevSecOps: Git and PR workflows; CI/CD (Azure DevOps/GitHub Actions), Infrastructure as Code (Terraform/Bicep); dependency/SCA management, secrets management, and security gates.

· Excellent collaboration and communication skills to partner with IAM engineers, security architects, SOC/IR, and product teams; ability to articulate complex data topics to non-technical stakeholders.

· Bachelor’s degree in Computer Science, Data/Software Engineering, or equivalent experience.

Preferred

· Design and implement scalable ingestion, transformation, and serving layers that unify identity data across sources: Entra ID/Okta/Ping, IGA (SailPoint/Saviynt), PAM (CyberArk), HRIS (Workday), ITSM/CMDB (ServiceNow), M365, SAP/Salesforce, network/ZTNA/WAF/VPN telemetry, and SIEM (e.g., Splunk).

· Develop streaming and micro-batch pipelines for near-real-time identity signals (e.g., risk events, privileged session activity) to support conditional access and continuous verification.

· Engineer robust connectors and integrations (SCIM, Microsoft Graph, REST APIs, webhooks) with idempotent processing, backpressure handling, and replay capabilities.

· Establish DataOps practices: environment-as-code, test pyramids (unit/integration/contract), CI/CD with quality gates, blue/green or canary releases, and reproducible runtime configurations.

· Partner with IAM/SecEng to define reference architectures and paved paths for identity analytics and governance, including reusable transformation libraries and policy-as-code.

· Create self-service semantic layers and well-documented APIs/SQL endpoints for downstream consumers (risk engines, certification portals, analytics/Power BI).

· Drive operational excellence: instrumentation, dashboards & alerts, SLOs/error budgets, on-call rotations, incident response, and continuous improvement through RCAs and corrective actions.

· Contribute to documentation (designs, runbooks, data dictionaries) and mentor engineers on data engineering best practices and secure coding standards.

Certifications (nice to have)

· Microsoft Certified: Azure Data Engineer Associate (DP‑203); Azure Security Engineer (AZ‑500); Identity and Access Administrator (SC‑300).

· Databricks Data Engineer Professional; Okta Certified Professional/Developer; SailPoint IdentityNow Engineer; CyberArk Defender.

· Security certifications that indicate breadth (e.g., CISSP, GIAC) are a plus for cross-domain collaboration.

Johnson Controls International plc. is an equal employment opportunity and affirmative action employer and all qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, age, protected veteran status, genetic information, status as a qualified individual with a disability, or any other characteristic protected by law. For more information, please view EEO is the Law. If you are an individual with a disability and you require an accommodation during the application process, please visit www.johnsoncontrols.com/careers.