IDEXX's Cyber Security and Information Security teams enable a resilient, adaptable, and security-aware enterprise, supporting the technology that delivers trusted products and solutions to customers worldwide.
The Customer Identity & Access Management (CIAM) Security Architecture Lead is a senior, high-impact role within the Information Security organization, serving as the primary architectural authority and technical visionary for customer identity across IDEXX's customer-facing ecosystem.
This role is responsible for assessing, strengthening, and evolving a secure, scalable, and unified CIAM architecture that supports multiple products, customer types, and integration models, while delivering a consistent, friction-aware customer experience. IDEXX has an existing Auth0 implementation in place; however, this role will lead a comprehensive review and re-architecture of the current environment to ensure it is securely implemented, properly configured, and aligned to enterprise-scale requirements and the long-term CIAM vision.
While Auth0 is the current CIAM platform, this role maintains a platform-agnostic security architecture perspective, ensuring IDEXX can evolve, extend, or transition CIAM platforms as business, risk, or regulatory needs change. You will bridge executive strategy and hands-on engineering execution, defining not only what is built but how customer identity integrates into IDEXX's broader cyber security architecture, ensuring identity is a business enabler, not a constraint.
Location: We are seeking someone within driving distance of our Westbrook, Maine HQ, where you will be able to work hybrid with a minimum of 8 days on-site per month. We are also open to those willing to relocate.
In this role, your key responsibilities will include...
CIAM Security Architecture & Platform Leadership:
Serve as the security architecture authority for customer identity and access management across all customer-facing products
Assess the existing Auth0 deployment and lead remediation, reconfiguration, and architectural improvements to meet enterprise security and scale requirements
Design and evolve an enterprise CIAM architecture that remains portable across other CIAM platforms (e.g., Okta CIAM, Ping Identity, ForgeRock, Microsoft Entra ID)
Establish CIAM security standards, reference architectures, control requirements, and guardrails aligned with Zero Trust principles and enterprise security strategy
Strategic Roadmap & Vision:
Develop and maintain a multi-year CIAM roadmap aligned with enterprise goals and digital transformation initiatives
Define future-state capabilities including SSO, MFA, passwordless authentication, adaptive authentication, modern RBAC/ABAC models, and expansion across B2B and B2C use cases
Ensure the roadmap addresses remediation of current-state gaps while enabling long-term scalability and consistency
Authentication, Authorization & Federation:
Architect and govern secure authentication and authorization patterns across diverse customer use cases
Design and implement federated identity integrations using OIDC, OAuth 2.0, and SAML
Support customer-managed and federated identity scenarios, including trust boundary definition, assurance levels, and delegated administration models
Multi-Tenant Admin & Delegated Access Models:
Architect secure multi-tenant CIAM models supporting multiple products, customers, and environments
Design layered administrative and delegated access controls for internal operations and customer administrators
Ensure administrative access adheres to least privilege, separation of duties, and strong auditability
Integrations, System Accounts & Non-Human Identity:
Architect CIAM solutions supporting both human customer identities and system, service, and integration accounts
Define secure API authentication, token lifecycle management, system-to-system (internal and external) authentication patterns, and non-interactive access patterns
Security Controls, Risk & Governance:
Define and validate security controls, configurations, and assurance requirements for CIAM implementations
Ensure CIAM solutions integrate with the broader security ecosystem, including SIEM/SOAR, IAM/IGA, monitoring, and fraud detection platforms
Partner with GRC, Security Operations, and Product Security teams to perform threat modeling, support audits, and reduce identity-related risk
Cross-Functional Leadership & Communication:
Act as the primary CIAM security advisor to Product, Marketing, IT, Engineering, and Platform teams
Translate complex identity and security requirements into clear, consumable architectural guidance
Communicate CIAM strategy, risk posture, and progress to VP-level and executive leadership
What You Will Need To Succeed...
8 years of experience in CIAM/IAM, with at least 3 years in a lead or security architecture capacity
Demonstrated experience assessing, remediating, and scaling existing CIAM implementations in complex environments
Deep hands-on experience with Auth0 and at least one additional Tier-1 CIAM platform (e.g., Okta CIAM, Ping Identity, ForgeRock, Microsoft Entra ID)
Expertise in OIDC, OAuth 2.0, SAML, FIDO2/WebAuthn, and SCIM
Strong understanding of modern application architectures (SPAs, microservices, mobile, APIs) and cloud platforms (AWS preferred)
Proven ability to translate identity risk and architectural gaps into actionable remediation and roadmap decisions
Strong understanding of Zero Trust principles, identity threat models, logging, monitoring, and auditability
Ability to communicate complex security concepts to technical and non-technical stakeholders
Proven ability to navigate a matrixed organization to accomplish goals
Preferred Qualifications
Security certifications such as CISSP-ISSAP, CISM, or senior vendor certifications (e.g., Okta or Auth0 Certified Architect)
Experience with Identity-as-Code, CI/CD pipelines, and Terraform
Experience integrating CIAM with fraud detection, bot mitigation, or risk-based authentication engines
Experience supporting CIAM in regulated or high-trust environments such as healthcare or life sciences
Programming or scripting experience (Python, Java, Go, etc.)
Experience applying analytics or AI/ML to identity security or anomaly detection
What Success Looks Like
A hardened, well-architected Auth0 environment aligned with enterprise security standards and the long-term CIAM vision
Clear remediation of current-state CIAM security and configuration gaps
A scalable, secure CIAM foundation supporting consistent customer experiences across products
A platform-agnostic CIAM architecture that can evolve or migrate without increasing risk
Product teams enabled with secure, reusable identity patterns that accelerate delivery
What you can expect from us:
Base annual salary target: $140,000 - $160,000 (yes, we do have flexibility if needed)
Opportunity for annual cash bonus and yearly Equity award
Health / Dental / Vision Benefits Day-One
5% matching 401k
Additional benefits including but not limited to financial support, pet insurance, mental health resources, volunteer paid days off, employee stock program, foundation donation matching, and much more!
Why IDEXX
We're proud of the work we do because our work matters. An innovation leader in every industry we serve, we follow our Purpose and Guiding Principles to help pet owners worldwide keep their companion animals healthy and happy, to ensure safe drinking water for billions, and to help farmers protect livestock and poultry from diseases. We have customers in over 175 countries and a global workforce of over 10,000 talented people.
So what does that mean for you? We enrich the livelihoods of our employees with a positive and respectful work culture that embraces challenges and encourages learning and discovery. At IDEXX you will be supported by competitive compensation, incentives, and benefits while enjoying purposeful work that drives improvement.
Let's pursue what matters together.
IDEXX values a diverse workforce and workplace and strongly encourages women, people of color, LGBTQ individuals, people with disabilities, members of ethnic minorities, foreign-born residents, and veterans to apply.
IDEXX is an equal opportunity employer. Applicants will not be discriminated against because of race, color, creed, sex, sexual orientation, gender identity or expression, age, religion, national origin, citizenship status, disability, ancestry, marital status, veteran status, medical condition, or any protected category prohibited by local, state, or federal laws.
Required Experience:
Staff IC