PAM and Secrets Management Engineer

Applied Materials


Job Location:

Bengaluru - India

Monthly Salary: Not Disclosed
Posted on: 6 days ago
Vacancies: 1 Vacancy

Job Summary

Who We Are

Applied Materials is a global leader in materials engineering solutions used to produce virtually every new chip and advanced display in the world. We design, build and service cutting-edge equipment that helps our customers manufacture display and semiconductor chips, the brains of devices we use every day. As the foundation of the global electronics industry, Applied enables the exciting technologies that literally connect our world, like AI and IoT. If you want to push the boundaries of materials science and engineering to create next generation technology, join us to deliver material innovation that changes the world.

What We Offer

Location:

Bangalore, IND

You'll benefit from a supportive work culture that encourages you to learn, develop and grow your career as you take on challenges and drive innovative solutions for our customers. We empower our team to push the boundaries of what is possible while learning every day in a supportive leading global company. Visit our Careers website to learn more.

At Applied Materials, we care about the health and wellbeing of our employees. We're committed to providing programs and support that encourage personal and professional growth and care for you at work, at home, or wherever you may go. Learn more about our benefits.

About the Role

Join Applied Materials as a PAM & Secrets Management Engineer to lead privileged access management and secrets management initiatives across our global enterprise infrastructure. You'll architect and operate enterprise-scale PAM solutions (CyberArk) and HashiCorp Vault, working at the intersection of security, DevOps and cloud platforms to protect critical systems and enable secure development.

Key Responsibilities

Privileged Access Management (PAM)

  • Design, implement and manage enterprise PAM solutions at scale (500 concurrent sessions, 2K daily logins, 2.5K targets)
  • Operate and maintain CyberArk self-hosted environment; lead evaluation of alternatives (Delinea, BeyondTrust, CyberArk Privilege Cloud)
  • Architect privileged session management (PSM) for RDP, SSH with native client support and passwordless credential injection
  • Implement automated account discovery and onboarding workflows (Windows local, AD, Linux/Unix accounts)
  • Configure session recording, monitoring and alerting for compliance and security
  • Troubleshoot and resolve PAM infrastructure stability issues (eliminating outages)

Secrets Management

  • Architect and operate HashiCorp Vault Enterprise at scale across multi-cloud environments
  • Implement Vault secrets engines: KV v2, Dynamic Secrets (LDAP, Azure, databases), PKI, Transit Encryption
  • Design and deploy Vault authentication methods: OIDC/JWT, Kubernetes, AppRole, AWS IAM, Azure AD
  • Configure Vault policies and namespaces for multi-tenant secret isolation
  • Integrate Vault with CI/CD pipelines (Jenkins, GitLab, GitHub Actions, Azure DevOps) for secure secret injection
  • Implement Vault Agent and sidecar injectors for application secret delivery
  • Configure Vault auto-unseal with cloud KMS (AWS KMS, Azure Key Vault, GCP Cloud KMS)
  • Manage Vault high availability, disaster recovery and performance tuning
  • Implement secret rotation automation for databases, cloud credentials and API keys

Cross-Functional Collaboration

  • Partner with CI/CD, Network, Cloud and Platform teams to integrate PAM/SM controls
  • Lead incident response for privileged access breaches and secrets exposure events
  • Conduct security assessments and ensure compliance with SOX, PCI-DSS, ISO 27001
  • Automate PAM and Secret Management workflows using Python, Bash, PowerShell, Terraform, Ansible

Required Qualifications

Privileged Access Management (PAM) Expertise:

  • 5 years hands-on experience with enterprise PAM solutions at scale (10000 employees or global infrastructure)
  • Deep experience with privileged session management: RDP, SSH, session recording, monitoring and credential injection
  • Strong understanding of account lifecycle management: discovery, onboarding, rotation for Windows local, AD, Linux/Unix accounts
  • Experience with PAM platforms: CyberArk (PAS, PVWA, CPM, PSM) or equivalent (BeyondTrust, Delinea, Arcon)
  • Knowledge of least privilege principles and privilege elevation workflows
  • Experience integrating PAM with approval workflows (ServiceNow, ITSM tools)
  • Understanding of session isolation, credential vaulting and password/SSH key rotation
  • Familiarity with PAM architecture: high availability, disaster recovery, horizontal scaling

Secrets Management Expertise:

  • 3 years hands-on experience with HashiCorp Vault in production environments
  • Deep knowledge of Vault secrets engines: KV (v1/v2), Dynamic Secrets (databases, AWS, Azure), PKI, Transit, SSH, TOTP
  • Experience with Vault authentication methods: Kubernetes, AppRole, OIDC/JWT, AWS IAM, Azure AD, LDAP, TLS Certificates
  • Strong understanding of Vault policies, namespaces and entity/identity management
  • Experience with Vault Agent, sidecar injectors and application integration patterns
  • Knowledge of Vault operations: auto-unseal (HSM), replication (DR/Performance), backup/restore, upgrades
  • Experience integrating Vault with CI/CD pipelines for dynamic secret injection
  • Understanding of secret zero problem and secure secret bootstrap mechanisms

Technical & Cloud Skills:

  • Multi-cloud secrets management: AWS Secrets Manager/IAM, Azure Key Vault/Managed Identity, GCP Secret Manager
  • Experience with Kubernetes: Vault sidecar injection, CSI secret driver, external secrets operator
  • Proficiency in scripting and automation: Python, Bash, PowerShell, Go (preferred)
  • Experience with Infrastructure-as-Code: Terraform, Ansible (Vault configuration automation)
  • Understanding of PKI fundamentals: certificate lifecycle, CA hierarchies, mTLS, certificate-based authentication
  • Experience with Directory services: Active Directory, LDAP (for PAM/Vault integration)

Collaboration & Communication Skills:

  • Proven track record working with DevOps, Platform Engineering, Cloud and Network teams
  • Strong communication skills with technical and non-technical stakeholders
  • Ability to lead cross-functional PAM/SM initiatives and provide technical mentorship
  • Experience in incident response for privileged access and secret exposure events

Preferred Qualifications (Advantages)

  • CyberArk Certified: CyberArk Defender, Sentry or Trustee certifications
  • Hands-on experience in Delinea Secret Server, BeyondTrust, Arcon, CyberArk Privilege Cloud
  • Experience with account discovery automation and policy-based onboarding at scale
  • HashiCorp Certified: Vault Associate or Vault Professional certification
  • Deep knowledge of Vault database secrets engine: PostgreSQL, MySQL, MongoDB, MSSQL, Oracle dynamic credentials
  • Hands-on with Vault Transit engine: encryption-as-a-service, key derivation, convergent encryption
  • Experience with Vault SSH secrets engine: signed SSH certificates, OTP SSH, CA-based SSH access
  • Experience with Vault KMIP secrets engine for legacy application encryption key management
  • Experience with Vault monitoring: metrics (Prometheus), logging, audit logs, performance tuning

Certifications & Education:

  • Bachelor's degree in Computer Science, Information Security or related field
  • Professional certifications: CyberArk CDE/Sentry, HashiCorp Vault Associate/Professional, CISSP, CISM, CISA, CEH
  • Cloud certifications: AWS Security Specialty, Azure Security Engineer, GCP Security Engineer

Compliance & Architecture:

  • Deep knowledge of compliance frameworks: SOX, PCI-DSS, NIST CSF, ISO 27001, GDPR, HIPAA
  • Experience with zero-trust architecture and secrets management in zero-trust models
  • Understanding of threat modeling for privileged access and secret exposure risks

Additional Information

Time Type:

Full time

Employee Type:

Assignee / Regular

Travel:

Yes, 10% of the Time

Relocation Eligible:

Yes

Applied Materials is an Equal Opportunity Employer. Qualified applicants will receive consideration for employment without regard to race, color, national origin, citizenship, ancestry, religion, creed, sex, sexual orientation, gender identity, age, disability, veteran or military status, or any other basis prohibited by law.


Required Experience:

IC


About Company


Applied Materials, Inc. is the global leader in materials engineering solutions for the semiconductor, flat panel display and solar photovoltaic (PV) industries.
