Job Title: Architect Specialist
Location: Calgary, AB
Estimated Duration: 12 Months
Job Description:
The ES Cybersecurity Architect is embedded within the SAP project organization and the broader organization. This role is responsible for bridging the gap between the Company’s business strategy and secure technology solutions by crafting robust cybersecurity architectures and designing a transformation roadmap at the solution and enterprise level to ensure secure adoption of Cloud-based architecture. The position is a trusted advisor ensuring cybersecurity is embedded within SAP-based Enterprise Architectures.
Key Outcomes:
A robust security architecture covering identity management, application security, data protection, cloud infrastructure, zero-trust, and compliance, enabling the S/4HANA implementation to proceed with minimized risk and aligned with industry best practices (e.g. NIST CSF, ISO 27001). The architect’s work will prevent the common risks of ERP cloud migrations (data breaches, compliance gaps, misconfigurations) by proactive design and oversight.
What you’ll do:
• Develop Security reference architectures & patterns: Design comprehensive cyber security architecture for the S/4HANA landscape (including ERP, databases, interfaces, cloud infrastructure, and SAP BTP components). Produce reference architecture and security design patterns that address how all components interact securely, ensuring consistency across projects. This includes network zone segmentation, secure integration patterns, and data flow diagrams delineating trust boundaries.
• Embed Secure-By-Design in the Program: Work closely with SAP project teams from the planning phase onward to embed security into solution designs. Review project designs (extensions, integrations, migrations) and ensure they follow secure-by-design principles (least privilege, defense in depth, secure defaults, etc.). Influence solution architects and developers to make design choices that reduce risk (for example, using secure APIs, avoiding hard-coding secrets, etc.).
• Collaborate with GRC and audit teams to ensure that implemented architectures satisfy frameworks like SOX, TSA pipeline security directives, FERC standards, and applicable data privacy.
• Integrate S/4HANA and SAP Fiori with corporate Single Sign-On solutions using SAML 2.0 and/or OpenID Connect. Leverage Identity Provider (IdP) platforms like Okta or Azure AD to achieve central authentication (potentially using SAP Cloud Identity services as a bridge).
• Design and implement Privileged Access Management (PAM) controls for SAP administrative accounts, ensuring time-bound, monitored, and least-privilege access. Emergency access management (e.g., firefighter IDs) falls under the scope of SAP GRC and is not part of this role.
Data Protection: Develop and enforce policies for data encryption and key management
• Ensure all sensitive data in the S/4HANA landscape is encrypted at rest and in transit. Verify that the SAP HANA databases, application servers, and backups use strong encryption (AES-256 or as provided by SAP) and that TLS 1.2+ is enforced for all data in transit.
• Coordinate with cloud providers and SAP Basis teams on a secure Key Management System (KMS) or key vault. Make sure cryptographic keys (for database encryption, SSL certificates, etc.) are managed with proper segregation of duties and rotation policies.
Cloud Security Architecture:
• Create cloud security reference architectures for use.
• Review the cloud network architecture (VPC/VNet design, subnets, security groups) for the SAP systems. Ensure proper network segmentation and firewalls to isolate SAP application tiers and restrict access. For example, confirm internet-facing points (if any, like SAP Web Dispatcher or Fiori) are appropriately protected (WAF, IP restrictions, etc.).
• Verify that cloud-native security controls (in Azure/AWS) are leveraged: e.g., cloud security groups, network ACLs, Azure Private Link or AWS PrivateLink for BTP integration, DDoS protection, etc. Collaborate on a defense-in-depth design where multiple layers (network, application, identity) each enforce security.
• Coordinate identity and access between SAP cloud and corporate cloud environments. If using SAP’s cloud services (IAS/IPS), ensure integration with corporate directories. If using Azure or AWS services alongside SAP, design a unified approach to identity and logging.
SAP BTP Security: Guide secure use of SAP Business Technology Platform services (for extensions, integrations, or analytics):
• Create an end-to-end BTP security reference architecture for use at the Company.
• Ensure that any custom applications or integrations built on BTP follow secure development guidelines and that trust is established between BTP and S/4 (e.g. using secure connectors, principle propagation, or SAP Private Link where applicable).
• Incorporate BTP’s Identity Authentication and Provisioning services in the overall IAM architecture, so that user access and SSO are consistent between S/4HANA and BTP apps.
• Advise on tenant configurations, roles, and entitlements in BTP to enforce least privilege for service accounts and APIs.
Application & Interface Security: Work with development teams to ensure secure application development:
• Establish a Secure Software Development Life Cycle (SDLC) for any SAP custom development (enhancements, Fiori apps, interfaces). This includes setting requirements for code security scans (ABAP code scans for vulnerabilities, static analysis), performing threat modeling for critical extensions, and ensuring penetration testing is done on new interfaces or apps.
• Define security requirements for interfaces between SAP and other systems (e.g., use of secure protocols, API gateways, certificate-based authentication for integrations, data validation to prevent injection attacks).
• Ensure logging of critical actions in applications (e.g., changes to sensitive data, use of privileged functions) is enabled and integrated into monitoring.
Logging, Monitoring & Incident Response: Establish robust security monitoring and be prepared to respond to incidents:
• Design and implement centralized logging for SAP systems – ensure all relevant security logs (e.g., SAP security audit log, OS logs, firewall logs, cloud logs) are aggregated into the enterprise SIEM platform. Define use-cases for monitoring (e.g., alert on multiple failed login attempts, changes to privileged roles, unusual data downloads).
• Develop an incident response plan for SAP security incidents. Work with the cybersecurity operations team to ensure they understand SAP logs and have playbooks for SAP incidents (e.g., detecting and managing a compromised SAP account or a suspicious ABAP program).
• Conduct periodic access reviews and audit support – while this is more GRC-oriented, the architect will ensure that reviews of high-privilege accounts, SOD conflict reports, and compliance audits (SOX, etc.) can be supported by the technical controls in place.
Qualifications:
• Bachelor’s degree in Computer Science
• Security certifications like CISSP, CISM, or cloud security certs (CCSP, Azure Security Engineer, AWS Security Specialty) are highly desirable, as they indicate a solid foundation
• Expert architecture diagramming and modelling skills
• Demonstrated track record as a prolific security architect, with multiple successful security architecture designs delivered for complex enterprise environments
• Enterprise Security Architecture Experience: 5+ years (as a guideline) in IT security, with at least 3 years in a security architecture role. Proven experience designing secure software solutions and enterprise security architectures – not just implementing controls, but developing strategy and blueprints. The candidate should be able to translate high-level security frameworks (NIST CSF, ISO 27001, etc.) into specific architecture decisions for an enterprise system
• Knowledge of industry controls and key regulatory bodies (e.g., CER, TSA, FERC, SOX)
• Experience with security assessments, penetration testing methodologies, and threat modelling.
• Experience in Zero Trust Architecture (ZTA), Identity and Access Management (IAM), encryption, and data protection.
• Knowledge of Cloud security, Hosted Services security, SaaS/PaaS security models, and Cloud-based security frameworks.
• Cloud Security Knowledge: Demonstrated experience securing solutions on cloud platforms (preferably Azure and AWS).
• For example:
• Designing network security architectures (VPC/VNet, subnetting, NACLs/security groups, VPN/ExpressRoute connectivity).
• Familiarity with cloud native security services – e.g., AWS Security Hub/GuardDuty, Azure Security Center, KMS for key management, cloud monitoring tools. Ability to incorporate these into the SAP landscape (for instance, using an Azure Key Vault for SAP encryption keys, or using AWS CloudWatch for infrastructure logs).
• Understanding the shared responsibility model for cloud, especially in a managed service like RISE Private Cloud. Knowing what aspects of security SAP manages vs the customer is important to focus efforts appropriately (e.g., SAP handles infrastructure patching in RISE, but customer must secure integrations).
• Identity & Access Management: Strong grasp of enterprise IAM concepts:
• Hands-on experience with SSO/Federation protocols (SAML 2.0, OAuth 2.0/OIDC). Should be capable of configuring or guiding SSO integration between SAP and IdPs (e.g., setting up trust between SAP NetWeaver and Azure AD/Okta using SAML).
• Knowledge of authentication technologies like MFA (Multi-factor Authentication), digital certificates, and how to enforce them in an SAP context (for example, using SAML assertions for MFA or certificate-based logins for certain admin users).
• Understanding of Privileged Access Management tools (such as CyberArk, BeyondTrust, or even SAP’
The pay range that the employer reasonably expects to pay for this position is between CA$110.00 and CA$140.00
Our voluntary benefits offering includes medical, dental, vision and retirement benefits.
Applications will be accepted on an ongoing basis.
Tundra Technical Solutions would like to thank you for the interest you have demonstrated in this opportunity. However, only candidates with the required skills will be contacted.
Tundra Technical Solutions is an Equal Opportunity/Affirmative Action Employer. We welcome and encourage diversity in our workplace.
Not interested in this position, but know somebody who might be? Check out our Referral Reward Program; referrals are a big secret behind our success. As always, we’re on the lookout for great people. And we know that you know great people!
Tundra Technical Solutions is among North America’s leading providers of Information Technology and Engineering staffing and consulting services. Our success and our clients’ success are built on a foundation of service excellence. Rather than continually trying to sell to new clients and companies and simply filling databases with candidates, we focus on developing stronger relationships and deeper knowledge of our existing clients’ challenges and opportunities.
Open ears. Open minds. Open futures.