Founder


Timothy Mitchell - Founder & CEO

Timothy Mitchell is the whip-smart security expert that Fortune 500 companies turn to for guidance through the complexities of physical and cloud security transformations. He holds some of the industry’s highest certifications, and as a member of the Security and Privacy Council of the IEEE (Institute of Electrical and Electronics Engineers), he has shaped compliance standards and government requirements such as PCI, HITRUST, GDPR, and many others. He has also held DOE-Q clearance and helped design the security controls for the logistics systems that track nuclear and biological materials for the U.S. Department of Defense.

Upon meeting Timothy, it is immediately apparent that everything about him destroys the archetype of the typical InfoSec mastermind. With his ever-present fedora, distinguished style, and charming laugh, you may mistake him for someone plucked directly from a classic film noir, conducting his security investigations in a black and white office setting. While other people in his field may have the typical pedigrees from high-level institutions, that was not Timothy’s path. At 16, his computer science teacher challenged the students to hack the “new impenetrable” firewall at Grays Harbor Community College. Timothy succeeded, which led to FBI involvement, and eventually his position at the IEEE Security and Privacy Council. His skills were so impressive as to garner the personal tutelage of Art Rathjen (Boeing Chief Electrical Engineer, Designer of TCP/IP), which ultimately propelled him into an SME Director role at Microsoft just before his 18th birthday.

As a security subject matter expert working directly with Eric Rudder and the board at Microsoft, he created policy and technical designs for numerous projects, including the foundational designs for products such as XBOX Live, Azure, Office 365, Zune, Autopilot, and several others.

For the past 12 years, Timothy has been a highly sought-after independent security consultant to guide organizations through the most difficult phases of transforming their security posture. His clients include many prominent organizations such as VISA, Bank of America, Premera, Credit Karma, Sonos, T-Mobile, Verizon, Expedia, and Starbucks, that continue to return to him for guidance and advice about evolving threats to their organizations.

Cisco Certified CCIE Security
IEEE Advanced Technology for Humanity
Microsoft Certified Trainer
Chief Information Security Officer Certified
Certified Information Systems Security Professional

Resume

Premera Blue Cross

Cloud Security Consultant at Premera Blue Cross

November 2018 – October 2019 (1 year)

Project: Azure cloud system hardening and HITRUST certification

Technologies: Azure

Objectives:

  • Audit existing environment for security control implementation.
  • Modify policy and technical controls for HITRUST certification.
  • Oversee technical presentations for third party audit and completion of HITRUST.

Timothy was engaged by Premera to audit and create Azure security policy. He also reviewed policy implementation and technical controls, resulting in their first HITRUST certification for their Azure teams.

Credit Karma

Cloud Security Consultant at Credit Karma

September 2018 – July 2019 (11 months)

Project: AWS and GCP secure development lifecycle review

Technologies: AWS, GCP, Nexpose

Objectives:

  • Audit existing secure development lifecycle process.
  • Create guidelines for hardening production systems.
  • Update and deploy Nexpose system for compliance with security lifecycle KPIs.

Timothy was engaged by Credit Karma to audit and create AWS and GCP security policy. Scanning and report automation for their Nexpose platform was also implemented, which gave them greater agility and flexibility in their production environments. He was responsible for reviewing the technical requirements of a number of M&A acquisitions, which then consolidated disparate systems into a unified platform.

Sonos

Security Automation Architect at Sonos

February 2017 – September 2018 (1 year 7 months)

Project: Evolving threat detection and system hardening

Technologies: AWS, Ruby, Nexpose

Objectives:

  • Create Lambda function for automatic creation and removal of scanners.
  • Create guidelines for hardening production servers.
  • Deploy a new Enterprise PKI.

Timothy was engaged by Sonos to create AWS security scanning automation for their Nexpose platform. Key to their objectives was the ability to dynamically spawn an instance of the scanner and, for cost control, tear it down upon scan completion. Scanners were deployed ephemerally, contrary to capabilities espoused by the Nexpose internal engineers. Upon successful completion of this project, he was then retained to assist in hardening their production systems and deploy a new enterprise PKI with self-service front end.

T-Mobile

SME AWS Cloud Security Architect at T-Mobile

August 2017 - December 2017 (5 months)

Project: Application security review and system hardening

Technologies: Design level security review of all T-Mobile applications.

Objectives:

  • Create application review standards and risk matrix.
  • Train a team to evaluate all enterprise applications against developed standards.
  • Provide design and configuration change recommendations based on risks detected.

Timothy was engaged by T-Mobile to create an application design risk review process, and to train a team of security specialists to evaluate their existing applications against the new set of standards. He also provided technical guidance for solving built-in security vulnerabilities without major code changes, which allowed the operation of otherwise noncompliant applications in a secure fashion.

Verizon

SME Security Consultant and Firewall Architect at Verizon Wireless

August 2016 - February 2017 (7 months)

Project: Corporate Firewall Audit

Technologies: Cisco ASA, Checkpoint, TuFin

Objectives:

  • Analyze and document existing firewall design and rules.
  • Evaluate firewall security rules and reduce rule count to an optimized list.
  • Remove unused and legacy rules that created security holes.

Timothy was engaged to help Verizon redesign their corporate firewall system. Operating as an SME lead, he successfully audited all existing firewalls. He reduced the rule complexity throughout all of Verizon corporate from 160 thousand rules across over 200 firewalls to 30 thousand rules across 70 firewalls. The project was successfully completed ahead of schedule and with fewer resources than anticipated. This was due to changes he recommended and made to the TuFin product, as well as other tools that he created to assist in the audit efforts. Additionally, he hired, trained, and implemented a team for ongoing governance of the firewall system to prevent rule bloating.

Visa

SME Security Consultant at Visa

October 2015 - March 2016 (6 months)

Consultant on security functionality and recommendations for improved security posture.

Currently under extended NDA; details of this position are only discussed confidentially.

T-Mobile

SME AWS Cloud Security Consultant at T-Mobile

July 2015 - March 2016 (9 months)

Project: AWS Migration Guidelines and Procedures

Technologies: AWS Templates, AWS Lambda, AWS Dynamo, AWS API & Automation scripting.

Objectives:

  • Create application specific deployment templates and automate operations procedures.
  • Develop methods for ensuring business and security rules are enforced through custom code.
  • Establish process and procedure for load distribution and security template selection.

Timothy was engaged by T-Mobile to lead the creation of best practices for their AWS migration. After some discovery work, he decided to leverage a few existing security products and expand their capabilities to cover AWS components. He created various Lambda functions that consumed security scan reports and enforced business rules on the AWS resources. When finished, AWS resources would be automatically corrected if changes were made that allowed overly permissive access based on the data classification of the resource. He also implemented load distribution policies and procedure guides that enabled T-Mobile operations teams to react to denial of service attacks.

Microsoft

SME Azure Cloud Security Consultant at Microsoft

October 2015 - February 2016 (5 months)

Project: Azure Migration Feasibility Analysis

Technologies: MS Azure, F5 GTM, Citrix NetScaler, Win Svr 2012, SQL 2012, MS Dynamics

Objectives:

  • Analyze and document physical datacenters and design core modeling templates.
  • Evaluate business and security rules and create gap and resolution guidelines.
  • Provide development requirements to Azure teams for the creation of new functionality.

Timothy was engaged by the Microsoft CRM Online team to analyze the feasibility of migrating their service onto Azure infrastructure. He met with all the different service owners and component product groups to gather their requirements and document their existing systems. He then identified gaps in the Azure platform that would impact the proposed migration of each service. After reviewing his findings, the CRM Online team extended his engagement to create guidelines and technical specifications. He was then engaged with the Azure team to champion necessary changes that were blocking the migration of CRM online to Azure. He negotiated with the Azure leadership to show how the proposed changes would not only allow the CRM Online team to migrate, but to also show the overall market impact the new services would have. All his changes were then adopted and budgeted for implementation into the Azure product.

Expedia

Security Consultant and Firewall Architect at Expedia, Inc.

March 2014 - October 2015 (1 year 8 months)

Project: Firewall System Architectural Redesign

Technologies: Splunk, Palo Alto, Cisco ASA, Sky Box, Infoblox, SQL 2012

Objectives:

  • Audit and redesign the placement of firewall systems to increase throughput.
  • Optimize 170,000+ rules into less than 10,000 rules across all firewalls on all systems globally.
  • Establish process and procedure for future rule implementation and ongoing management.

Timothy was engaged by the compliance team at Expedia to lead an audit of their firewall systems. After a brief review of their systems, he helped repair an installation of Sky Box and wrote many SQL based tools for analyzing rule usage data from Splunk. Having completed the review, he created a system to audit all the rules based on a set of criteria provided by the compliance teams. His team then implemented a front/back firewall system per application. Using a custom rule analyzer, he reduced the rule count from 170 thousand rules to less than 10 thousand rules across all production application services and all sister companies.

Alaska Airlines

SME Security Architect at Alaska Airlines

October 2014 - September 2015 (1 year)

Project: Complete Architectural Redesign

Technologies: Checkpoint, F5 LTM, Win 7 & Svr 2012, SQL 2012

Objectives:

  • Redesign system wide architecture to build PCI security zones within a flat network.
  • Deploy IPSec and Windows Advanced Firewall solution for application level security zoning.
  • Achieve PCI 3.1 compliance within a 10-month time frame.

Timothy was initially engaged to review the compliance stance of Alaska Airlines after a failed PCI audit. He led the new security team through a brief investigation and discovered that the compliance shortcomings were far broader and more systemic than initially suspected. Through working with the new Security Director and the new CTO, he championed a complete architectural redesign of all line of business systems. He proposed an IPsec solution for creating compliant segmentation, as well as tools for most major PCI requirements. He then led the security team and assisted the CTO with the necessary changes throughout all business units of Alaska Airlines. This included regularly meeting with corporate and labor leaders to review concerns about privacy and monitoring requirements of the new security systems. He successfully championed the technical and cultural changes needed for compliance while easing the concerns of business and labor leaders. Once the implementation was completed, he then continued to act as SME to the PCI auditors, and defended a nonstandard design through a successful PCI audit.

Premera Blue Cross

SME Security Compliance Consultant at Premera Blue Cross

September 2013 - August 2014 (1 year)

Project: AWS & Azure Cloud Migration

Technologies: AWS Templates, MS Azure Templates, System Center Azure on Premise

Objectives:

  • Analyze existing physical datacenters and application architecture to create migration plans.
  • Oversee migration timelines and coordinate implementation schedules.
  • Create operational run books for outage failover and security scenarios.

Premera reached out to Timothy following their publicized data breach. During the compromise, the system he had previously designed withstood repeated internal attacks, leaked no data, and was the source of alerts that announced the other systems had been compromised. He was brought in to redesign a highly secured core network for the processing of patient and payment information amongst Premera and its partners (“blue’snet”). He worked with application owners and business units to plan and migrate their applications into the cloud based secure environment that he had previously created. He then designed and championed extensive organizational systems and policies, thereby creating Premera’s first dedicated security operations team. He was also responsible for selecting personnel to lead Premera’s security steering committee. This improved security posture throughout the entire enterprise and their partners.

U.S. Department of Defense

Senior Security Architect & Project Director at United States Department of Defense

December 2010 - June 2013 (2 years 7 months)

Project: Confidential - Contact me with an offer if you would like details.

Technologies: Confidential

Objectives:

  • Oversee the deployment of new network security measures.
  • Design FISMA compliant 802.1X system for mixed vendor wireless and wired devices.
  • Design Windows Server based NAP (Network Access Protection) and IPsec solution.
  • Create design and deployment guides for a high availability authentication API.

IT security for the National Nuclear and Biological Logistic Control System.

Currently under extended clearance requirements; details of this position are only discussed confidentially.

Starbucks

SME Security Compliance Consultant at Starbucks

June 2012 - May 2013 (1 year)

Project: Datacenter Expansion and PCI Compliance Remediation.

Technologies: F5 GTM & LTM, MS Azure, Chef, System Center, Juniper, Palo Alto.

Objectives:

  • Design a solution for increasing existing capacity.
  • Advise on security and availability deficiencies and provide remediation plans.
  • Create security guidelines for DLP and PCI negative attestation.

Timothy was brought into Starbucks to help them design and expand their current datacenter. He worked with the security team to audit their existing systems and provided architectural solutions to further improve their datacenter. He then developed numerous solutions that allowed Starbucks to decentralize security controls and significantly expand capacity. Additionally, he built and led a team that implemented new attack detection and loss prevention methods. Finally, his team selected and successfully implemented a negative attestation system to meet new PCI requirements.

VML

Senior Architect and Design Consultant at VML

April 2011 - October 2012 (1 year 7 months)

Project: DRM security for E-Reader

Technologies: Undisclosed

Objectives:

  • Review the organization's corporate security systems and segmentation for DRM systems.
  • Design a solution for DRM control within their E-Reader.
  • Perform penetration testing of the E-Reader device and supporting services.

A prior coworker reached out to Timothy to assist with a project; he was familiar with the work Timothy had done on DRM for Microsoft Zune and Xbox and needed his expertise. VML was creating an E-Reader and needed strong DRM controls. Timothy was engaged as a consultant to help their security team create proper guidelines and coding practices to ensure the protection of content on their device. Working with management, technical leaders, and content providers, Timothy’s team successfully created a system to provide proper DRM controls, which then ensured the safety of the devices and all the web based supporting services.

Premera Blue Cross

Senior Security Consultant at Premera Blue Cross

February 2011 - July 2012 (1 year 6 months)

Project: HIPAA Cloud Compliance Remediation

Technologies: F5 LTM, Web Sense, Tripwire, Blue Coat, Chef, Win Svr 2012

Objectives:

  • Oversee the security components of applications being moved into cloud based hosting.
  • Create guidelines for HIPAA compliance across all applications.
  • Advise on security and availability deficiencies and provide remediation plans.

Timothy assisted in the design and implementation of Azure and AWS resources to help ease the load requirements of their on site datacenters. The designed system synchronized resources between both cloud providers and the existing Rack Space installation, which reduced the bandwidth demands on their local site. He designed and championed a solution that would allow applications to seamlessly exist in all three locations and be visible through a single dashboard. He trained the existing personnel in the design and operation of the solution, and oversaw the final implementation.

Hospira

Senior Security Consultant at Hospira

July 2011 - June 2012 (1 year)

Project: HIPAA Compliance Remediation and Quarantine System

Technologies: Juniper, F5 AFM, F5 ASM, System Center, Win 7 & Svr 2012

Objectives:

  • Design a system to provide quarantine capabilities for HIPAA compliance.
  • Create guidelines for HIPAA compliant quarantine procedures and resolutions.
  • Advise on network and device security deficiencies and provide remediation plans.

After some findings discovered during an audit, one of Timothy’s colleagues reached out for assistance with a quarantine project. Hospira had previously engaged Microsoft and Cisco to help them design a quarantine system, however given the existing limitations, both companies could only recommend replacement of all edge switching systems. Upon investigation of the findings from both prior companies, Timothy made recommendations on how to achieve the needed quarantine solutions. After discussing the pros and limitations of the proposed solutions, the management team accepted it, and he was then retained to write a set of domain GPOs that would engage the operating system’s local inbound/outbound firewall, and limit communications to remediation systems only. He then operated as technical consultant and procedure guide author during the testing and rollout of the new solution, resulting in an unprecedented simplicity and effectiveness. Their auditor was impressed, and Hospira was impressed that its cost was negligible and the solution documentation was simple to understand and implement.

Microsoft

SME Security and Compliance Consultant at Microsoft

August 2011 - May 2012 (10 months)

Project: PCI Compliance Remediation

Technologies: F5 LTM, Cisco FWSM, Cisco WISM, Win 7 & Svr 2012

Objectives:

  • Architect a PCI level 1 compliant system for point of sale devices and online ordering.
  • Advise on security and availability deficiencies and provide remediation plans.
  • Oversee the deployment of compliance requirements to achieve PCI in 3 months.

Timothy was brought into the Microsoft Retail Store team by a director with whom he had previously worked. This director personally reached out to him to pull the retail stores into compliance before the business unit caused Microsoft to fail a PCI audit. Timothy was given a three month window and complete authority over the project. The initial network had been designed by an outside organization because of their experience in Target’s retail environment, which later proved to be lacking in compliance as evidenced by a very serious breach at Target. Recognizing design deficiencies prior to the breach at Target, he assembled and led a small team of select specialists throughout Microsoft. This team redesigned the entire network space for the retail stores, including all demo and display systems, and deployed in 47 days. Afterwards, he and his team engaged Microsoft’s PCI auditor, resulting in a successful compliance assessment in only 23 days. Following the completion, Timothy provided training and experience to information security teams through mock intrusions of the retail environment.

Bank of America

Senior Security Consultant & Project Director at Bank of America

February 2011 - October 2011 (9 months)

Project: Datacenter Consolidation

Technologies: F5 GTM, F5 LTM, Cisco FWSM, Puppet, Win 7 & Svr 2012

Objectives:

  • Create design guides for increasing existing datacenter capacity and application availability.
  • Architect datacenter infrastructure for lights out management, and private cloud computing.
  • Create plans for migrating applications from Merrill Lynch to Bank of America’s datacenters.

Timothy was engaged to ensure that proper security was maintained during the complex migration of the acquired Merrill Lynch systems and the consolidation of Bank of America datacenters. Leading multiple teams of security professionals across all divisions of both companies, he successfully orchestrated the consolidation of all banking software assets. During the project, he was responsible for communicating technical concerns to business management, and ensured project timelines were maintained. He championed numerous concerns brought up by technical or business leaders, and reset appropriate timeline expectations, which successfully delivered the project within agreed upon adjusted timelines. Overall, Timothy managed the myriad of complexity levels of this project without any negative impact on the business processes. Additionally, business objectives were met, allowing all of their call centers to operate unilaterally instead of having to redirect callers, thus decreasing customer service concerns, and improving customer experience.

Microsoft

SME Security Director at Microsoft Corporation

November 2003 - December 2010 (7 years 2 months)

Title: Senior Security Director - InfoSec

  • Review design requirements and specifications.
  • Develop security policies and best practices.
  • Define goals and objective deadlines.

Title: Senior Availability Architect - Office 365

  • Collect requirements and create a customized automation system for hosting office products.
  • Design a geographically distributed fault tolerant system for hosting Office 365.
  • Design a federated ID system for integration with customer existing domain accounts.

Title: Senior Load Balancing Architect - Azure, Global Traffic Management

  • Support existing F5 based equipment while the operations team is hired and trained.
  • Collect requirements and create an operations team deployment guide for Azure GTM.
  • Design and deploy a data center infrastructure to allow GTM appliances to actively correct for data center failures and DDOS attacks.

Title: Senior Security Architect - BPOS, Dedicated Online Services

  • Collect requirements and review migration plans for onboarding client systems.
  • Design a geographically distributed fault tolerant system for Exchange, SharePoint, and Lync.
  • Design a System Center infrastructure to allow all services and dependencies to be monitored.

Title: Senior System Architect - Windows Phone 7 Development Labs

  • Collect requirements and create a long-term deployment plan for Windows Phone 7 Labs.
  • Design and deploy a self-servicing development and testing lab using System Center.
  • Create design for a lab space with access to direct internet and corporate network.

Title: Senior System Architect - XBOX Live

  • Design complete network separate from corporate infrastructure.
  • Create security guidelines for credit card transactions.
  • Design Lab and Development spaces.

Title: Senior System Architect - Hotmail

  • Design and implement a 30-teraflop computing cluster for high speed transactions.
  • Create a fully automated failure reporting, monitoring, and recovery system.
  • Create an environment where a single threaded application can be run multithreaded.