[Remote] Staff Enterprise and Cloud Engineer

Remote · USA Full-time New today

Note: This is a remote job open to candidates in the USA. Zocdoc is the leading healthcare marketplace dedicated to empowering patients by simplifying access to care. As a Staff Enterprise and Cloud Engineer, you will lead the technical vision for identity and access management, ensuring secure and efficient operations across Zocdoc's corporate cloud infrastructure.

Responsibilities

  • Own the multi-year technical roadmap and architectural standards for Corporate and Cloud IAM (centered on Entra ID), acting as the technical authority who uplevels the team through design reviews and RFCs
  • Architect secure SSO, SCIM, and JIT provisioning patterns for all enterprise tools, specifically owning the access posture, spend governance, and automated approval workflows for AI platforms (OpenAI, Claude, GCP)
  • Define configuration standards, security baselines, and lifecycle management patterns that scale across dozens of SaaS platforms. Drive consolidation and rationalization initiatives, and proactively close governance gaps before they become audit findings or incidents
  • Field escalated tickets to identify and eliminate repeating manual work—converting complex access requests into self-service paths or automated workflows using Terraform, Python, or PowerShell
  • Participate in a tiered on-call rotation for triaging functional area outages, conditional access failures, compromised accounts, and break-glass events, and convert recurring pages into automated detections, runbooks, and self-healing workflows to reduce toil over time
  • Own the architectural engineering of endpoint configuration, software distribution, and provisioning workflows across Jamf (macOS) and Intune (Windows), partnering with InfoSec on hardening baselines and rolling out enterprise software (including AI developer tools) at scale
  • Hands-on ownership of identity certificate and token lifecycles, GitHub access pipelines, and AWS landing-zone governance (Control Tower/IAM baselines) to ensure proactive monitoring and prevent configuration drift
  • Partner with Security to drive Zero Trust initiatives, integrating Conditional Access with device posture data from Intune, Jamf, and CrowdStrike across the broader SaaS estate (Snowflake, Jira, Google Workspace)
  • Lead IAM workstreams for HITRUST and SOC2 cycles by translating audit requirements into reusable engineering patterns and participating in a critical on-call rotation for access-related incidents
  • Serve as a trusted technical partner to InfoSec, People Systems, Compliance, and Engineering leadership. Influence roadmap priorities based on deep understanding of stakeholder needs, and represent IT Engineering in strategic planning, audit cycles, and incident response
  • Lead initiatives whose impact is recognized at the organizational level (identity governance transformation, least-privilege enforcement at scale, or AI access governance), translating business goals into actionable plans and aligning multiple teams behind them

Skills

  • Deeply fluent in Microsoft Entra ID (Identity Governance, Access Packages), SSO/SCIM standards (SAML, OIDC), and custom integrations for a diverse SaaS and AI estate
  • Excited to scale AI platforms like OpenAI and Anthropic through thoughtful RBAC, tiered spend/quota governance, and secure, consumable access patterns
  • Comfortable working the access queue to identify patterns, with a relentless focus on building the automation and self-service tools that retire repetitive manual work
  • A cross-functional partner who models Staff-level behaviors by mentoring engineers, aligning stakeholders, and setting the technical standards that drive adoption across the organization
  • An outcome-driven leader who brings humility, curiosity, and a sense of humor to solving challenging problems in a growing, high-scale environment
  • Track record leading identity or enterprise platform initiatives at a multi-thousand-employee organization, with measurable outcomes (toil eliminated, audit findings reduced, time-to-access shortened, or comparable business metrics)
  • Demonstrated ability to drive adoption of standards across teams through RFCs, design reviews, and architectural pattern-setting
  • 10+ years in IT/Systems (mid-to-large scale) as a 'player-coach' with a proven track record of defining adoption-ready standards and writing the design docs/RFCs that become the organization's source of truth
  • Deep expertise in Microsoft Entra ID (Conditional Access, PIM, Identity Governance) and the ability to own the entire identity lifecycle, including onboarding/offboarding flows and permission hygiene
  • Extensive experience delivering SSO and SCIM integrations (SAML, OIDC/OAuth) across a massive SaaS estate, with a focus on replacing manual access work with programmatic or self-service provisioning
  • A systems-thinker comfortable being measured by toil eliminated; expert at automating workflows across IdP, HRIS (Workday), and SaaS platforms via APIs to remove repetitive manual tasks
  • Experience governing IAM, spend, and quotas for AI platforms (OpenAI, Anthropic) and fluency in using Generative AI tools (Claude Code, LLMs) to accelerate engineering velocity
  • Experience in audit-sensitive environments (HITRUST/SOC2 evidence collection) and owning the security hygiene of the identity certificate and token lifecycle
  • Familiarity with the broader endpoint and security ecosystem, including Intune, Jamf, Google Workspace, and CrowdStrike, to ensure a cohesive identity posture across all platforms
  • Hands-on experience with AWS infrastructure and networking primitives (VPC, DNS, Load Balancing) to debug connectivity, utilizing AWS CDK, Terraform, Python, or PowerShell for automation

Benefits

  • Certain positions are also eligible for variable pay and/or equity.

Company Overview

  • Zocdoc is a digital marketplace company that connects healthcare patients and doctors. It was founded in 2007, and is headquartered in New York, New York, USA, with a workforce of 501-1000 employees. Its website is http://www.zocdoc.com.

Company H1B Sponsorship

  • Zocdoc has a track record of offering H1B sponsorships, with 2 in 2026, 10 in 2025, 3 in 2024, 6 in 2023, 20 in 2022, 5 in 2021, 6 in 2020. Please note that this does not guarantee sponsorship for this specific role.