IAM Engineer в IT — рынок СНГ и Европы

Медиана IAM Engineer — $2717/мес по данным Zorky CRM (4 активных вакансий с явной IAM-спецификой — реальный pool шире за счёт overlap с general Security / Backend). Стабильный premium-сегмент за счёт «identity is the new perimeter» Zero Trust shift + regulatory pressure (access certification audits — SOC 2 / ISO 27001 / SOX). Senior с workforce IdP mastery (Okta / Entra ID) + protocols deep (SAML / OAuth / OIDC / SCIM) + PAM или IGA expertise — $7000-9500. Senior в банках РФ + Russian IAM vendors (Avanpost / Solar / Indeed Identity) — $6500-10000. Аутсорсеры (EPAM Security Practice / Luxoft) — $7000-11000 Senior на US enterprise IAM-projects. Международные tech-companies (Okta + Microsoft + Ping Identity + SailPoint + CyberArk + BeyondTrust + WorkOS + Auth0) — full-remote $9000-15000+ Senior. Big Tech identity teams (Google Identity / AWS IAM / Microsoft Entra / Apple) — $14000-22000+ Senior + RSU. Премиум-доплаты: Okta Certified Consultant / Developer +10-20%, SailPoint / CyberArk certifications +10-20%, Microsoft SC-300 +5-15%, authorization specialty (OPA / OpenFGA / Cedar) +10-20% (rising rare-skill), CIAM platform engineering depth +10-15%.

Junior — typical entry: 1) Sysadmin / IT support + Active Directory administration experience → IAM Junior, 2) Security Engineer Middle + identity specialization, 3) Backend Engineer + auth implementation experience (OAuth / OIDC) → CIAM-leaning IAM. Скачок Junior → Middle — после первого end-to-end IdP deployment (SSO для org) + первого MFA rollout + lifecycle automation (joiner-mover-leaver). Middle → Senior — multi-system identity architecture + protocol mastery + PAM или IGA deep + access governance ownership (typical mandate: automate access certification campaigns + reduce orphaned accounts). Senior → Identity Architect — org-wide IAM strategy + Zero Trust identity design + protocol expertise + compliance leadership. Career-flow: Sysadmin (AD admin) / Security Middle / Backend Middle (2-3 года) + IAM focus → IAM Junior (1-2 года) → Middle (2-3 года) → Senior → либо Identity Architect, либо PAM specialist, либо IGA specialist, либо CIAM Engineer (consumer-facing — Backend-leaning), либо Authorization Engineer (OPA / OpenFGA — rising).

Москва Senior IAM Engineer — $6500-9500/мес (банки доминируют — Сбер.Tech / Тинькофф / ВТБ / Газпромбанк / Альфа / Райффайзен / МКБ имеют большие IAM teams + Russian IAM vendors — Avanpost (IDM + FAM — leader РФ) + Solar (inRights IGA + SafeInspect PAM) + Indeed Identity + РТ-ИАМ (Ростелеком) + КриптоПро (certificate-based) + АйТи Бастион (СКДПУ НТ PAM); Яндекс / VK / Ozon / Wildberries / X5 Group / МТС identity teams; госкомпании — Газпром / Роснефть / Атомэнергопроект). СПб $6000-9000. Минск/Киев $5500-8500 Senior. Польша €6500-10500 gross Senior. Германия €75-115K/год Senior. 0% — удалёнка. Аутсорсеры (EPAM Security Practice / Luxoft Security / Andersen / DataArt) — почти всегда remote, $7000-11000 Senior на US IAM-projects. Международные tech-companies (Okta / Microsoft Entra / Ping Identity / SailPoint / CyberArk / BeyondTrust / Delinea / WorkOS / Auth0 / Stytch / Frontegg / Clerk) — full-remote $9000-15000+ Senior. Big Tech identity teams (Google Identity / AWS IAM team / Microsoft Entra / Apple / Meta) — $14000-22000+ Senior. Премиум для multi-platform certs holders (Okta + Microsoft SC-300 + SailPoint / CyberArk) — $10000-16000+ Senior на international remote.

Топ-5: Okta, Microsoft Entra ID, Keycloak, SAML, OAuth 2.0. Workforce IdP mastery: один из Okta (industry leader — Workforce Identity Cloud — премиум знание) / Microsoft Entra ID (former Azure AD — доминирует Microsoft-shop) / Ping Identity (enterprise) / OneLogin / JumpCloud / Keycloak (open-source Red Hat — популярен РФ) / Authentik (open-source modern rising) / Zitadel. Russian: Avanpost (leader РФ) / Solar inRights / Indeed Identity / РТ-ИАМ / КриптоПро. CIAM (Customer IAM) mastery: Auth0 (Okta-owned — developer-favorite) / Amazon Cognito / Microsoft Entra External ID / Firebase Authentication / Frontegg (B2B) / Stytch (passwordless-first) / SuperTokens (open-source) / WorkOS (B2B SSO-as-a-service) / Clerk (React-first modern) / Ory (open-source — Kratos + Hydra + Keto). PAM (Privileged Access Management): CyberArk (leader — PAM + Conjur secrets) / BeyondTrust / Delinea (Thycotic + Centrify merger) / HashiCorp Vault + Boundary / Teleport (modern infrastructure access — rising 2024+) / StrongDM. Russian: Solar SafeInspect / Indeed PAM / Avanpost PAM / СКДПУ НТ (АйТи Бастион). IGA (Identity Governance & Administration): SailPoint (leader — IdentityIQ + IdentityNow) / Saviynt / Microsoft Entra ID Governance / Omada / One Identity. Russian: Solar inRights / Avanpost IDM. Protocols / standards mastery — must: SAML 2.0 (enterprise SSO), OAuth 2.0 / 2.1 (authorization framework — grant types, PKCE, token rotation), OIDC (OpenID Connect — authentication layer), SCIM (provisioning standard — joiner-mover-leaver automation), FIDO2 / WebAuthn (passwordless), LDAP + Kerberos (legacy directory + auth). MFA / Passwordless: FIDO2 / WebAuthn / Passkeys (passwordless future — Apple / Google / Microsoft push 2024-2026 — phishing-resistant), YubiKey (hardware tokens), Duo Security (Cisco), Okta Verify / Microsoft Authenticator, magic links + OTP (legacy). Directory services: Active Directory (AD — enterprise standard — Group Policy + OU design + replication), Microsoft Entra ID, LDAP (OpenLDAP / 389 Directory Server), Google Workspace Directory. Authorization (fine-grained — rising 2024+): OPA (Open Policy Agent — CNCF — Rego policy language), OpenFGA (CNCF — relationship-based, Google Zanzibar-inspired), Cedar (AWS authorization language — Amazon Verified Permissions), SpiceDB (Authzed — Zanzibar-inspired), Oso (authorization library), Permit.io. Zero Trust identity: Conditional Access policies (risk-based authentication), continuous verification, device trust, ITDR (Identity Threat Detection & Response — rising 2024+). Secrets management (overlap): HashiCorp Vault + cloud-native. Languages: Python primary (IAM automation + SCIM connectors + custom integrations) + JavaScript / TypeScript (CIAM frontend integration) + bash + PowerShell (AD administration).

IAM Engineer (эта страница) — focus на identity & access management implementation: SSO + MFA + provisioning + privileged access + governance. Specialty внутри security. Зарплаты $4500-9500. Identity Architect — Senior IAM с org-wide strategy focus: Zero Trust identity architecture design + protocol expertise + technology selection + compliance leadership. Programming меньше, strategy больше. Career evolution от Senior IAM Engineer. Зарплаты $9000-14000. Security Engineer (general) — broad coverage всех security-domains (SIEM + EDR + network + IAM — но IAM lишь one part). См. Security Engineer (general). Зарплаты $4500-9500. Backend Engineer (auth-focused) — implements authentication / authorization в product code (OAuth flows + session management + JWT handling + RBAC implementation). Не IAM-specialist, но overlap в CIAM context. Зарплаты варьируются — backend-tier. Reality 2026 (overlap heatmap): IAM ↔ Security Engineer: 40% (IAM is one security domain). IAM ↔ Backend (auth): 50% в CIAM context (consumer-facing auth — Backend Engineers часто implement, IAM Engineers design). IAM ↔ DevOps: 30% (machine identity + secrets management + service-to-service auth). Workforce IAM vs CIAM split: Workforce IAM — employee identity (Okta / Entra ID — SSO для internal apps + lifecycle management) — closer to traditional IT / security. CIAM (Customer IAM) — consumer-facing auth (Auth0 / Cognito / Clerk — millions of users + scalability + UX) — closer to Backend engineering + product. Эти два IAM-направления требуют разные skill sets. Career-pivots: Sysadmin (AD admin) → Workforce IAM Engineer — 4-8 месяцев. Backend Engineer → CIAM Engineer — 3-6 месяцев (auth knowledge translates). Security Engineer → IAM Engineer — 3-6 месяцев. IAM Senior → Identity Architect — 2-4 years.

Decision tree для IAM platform choice 2026: WORKFORCE IAM (employee SSO): 1) Microsoft Entra ID (former Azure AD) — default для Microsoft-shop organizations (если уже используете Microsoft 365 / Azure — Entra ID included / discounted, native integration). Strengths: deep Microsoft ecosystem, Conditional Access, free tier с M365. Weaknesses: complex licensing tiers, weaker non-Microsoft app integration historically. 2) Okta (Workforce Identity Cloud) — best для multi-vendor environments + best-of-breed approach. Strengths: 7000+ pre-built app integrations (largest catalog), vendor-neutral, polished UX, strong lifecycle management. Weaknesses: premium pricing, 2022 breach reputational hit (recovered). Use case: non-Microsoft-centric orgs + want best integration coverage. 3) Ping Identity — enterprise-heavy, complex hybrid environments. Use case: large enterprises с on-prem + cloud hybrid + complex federation needs. 4) Keycloak (open-source — Red Hat) — best для self-hosted + budget-zero + technical teams. Strengths: free, full-featured (SAML + OIDC + identity brokering), customizable. Weaknesses: operational burden (you run it), steeper learning curve. Use case: budget-constrained + technical team + popular в РФ context (self-hosted preference). 5) Authentik / Zitadel — open-source modern alternatives к Keycloak (better UX). Rising 2024+. 6) Russian workforce IdP (after импортозамещение): Avanpost (leader РФ) / Solar inRights / Indeed Identity / РТ-ИАМ — для РФ-only organizations + госкомпании. CIAM (consumer-facing auth): 7) Auth0 (Okta-owned) — developer-favorite, best DX (developer experience), extensive SDK / docs. Use case: startups → mid-market, fast time-to-market. Pricing scales aggressively at high MAU (Monthly Active Users). 8) Amazon Cognito — best для AWS-native applications. Cheap at scale. Weaknesses: clunky DX, limited customization. 9) WorkOS — B2B SSO-as-a-service — «enterprise readiness в один API» (SAML + SCIM + directory sync для B2B SaaS selling to enterprises). Rising fast 2024+ — best для B2B SaaS that needs to support enterprise customers' SSO. 10) Clerk — modern developer-friendly, React-first, beautiful pre-built UI components. Use case: modern web apps (Next.js / React), fast iteration. 11) Stytch — passwordless-first, modern API. 12) Firebase Authentication — best для mobile apps + Firebase ecosystem. 13) Ory (open-source — Kratos + Hydra + Keto) — best для self-hosted CIAM + full control. 14) SuperTokens — open-source CIAM alternative. Default 2026 рекомендации: Microsoft-shop workforce → Entra ID. Multi-vendor workforce → Okta. Budget-zero self-hosted workforce → Keycloak (или Authentik / Zitadel для лучшего UX). РФ-only org → Avanpost / Solar. Consumer app CIAM → Auth0 (fast) или Clerk (modern React) или Cognito (AWS-native). B2B SaaS needing enterprise SSO → WorkOS. Self-hosted CIAM → Ory или SuperTokens. Authorization layer (отдельно от authentication): OPA (general policy) / OpenFGA или SpiceDB (relationship-based, Zanzibar-style) / Cedar (AWS) / Oso или Permit.io (embedded).

Да, 0% IAM Engineer-вакансий — full-remote или гибрид. IAM work primarily cloud-based (IdP consoles + SaaS platforms + API integrations). Аутсорсеры (EPAM Security Practice / Luxoft / Andersen / DataArt) — почти всегда remote на US IAM-projects. Российские банки (Сбер / Тинькофф / ВТБ / Альфа) — гибрид/офсис за счёт regulatory + identity-data sensitivity + security background-check. Russian IAM vendors (Avanpost / Solar / Indeed Identity / КриптоПро) — гибрид или remote после background-check. Госкомпании — гибрид/офис за счёт security clearances (особенно для PAM работ — privileged access — high-trust roles). Международные tech-companies (Okta / Microsoft Entra / Ping Identity / SailPoint / CyberArk / BeyondTrust / WorkOS / Auth0 / Clerk / Stytch) — full-remote standard. Big Tech identity teams (Google Identity / AWS IAM / Microsoft Entra / Apple) — гибрид-standard. CIAM Engineers (consumer-facing — Backend-leaning) — full-remote-friendly за счёт product-engineering nature. Релокант-хабы: Польша (Security-friendly EU) / Германия / Канада / Сербия. Английский для international IAM-remote — must (protocols specs — SAML / OAuth / OIDC RFCs + vendor docs Okta / Microsoft / SailPoint + community англоязычные).

IAM Engineer (general) — focus на workforce identity broadly: SSO + MFA + provisioning + access management для all users. PAM Engineer (Privileged Access Management specialty) — focus специально на privileged accounts (administrator / root / service accounts — highest-risk identities). Day-to-day: 1) PAM platform deployment (CyberArk / BeyondTrust / Delinea / HashiCorp Boundary / Teleport), 2) Privileged credential vaulting (secrets rotation + checkout / checkin workflows), 3) Session recording + monitoring (record admin sessions для audit + forensics), 4) Just-In-Time (JIT) privileged access (grant admin rights temporarily, auto-revoke), 5) Privilege escalation control + least-privilege enforcement, 6) Service account / machine identity management (non-human identities — часто 10× больше human accounts), 7) Break-glass access procedures (emergency access). Why specialty: privileged accounts — primary target ransomware + APT attacks (compromise admin → game over). Regulatory mandate (PCI-DSS / SOX / 187-ФЗ требуют PAM controls). Зарплаты: PAM Engineer — премиум над general IAM +10-20% за счёт rare-skill + high-trust nature. IGA Engineer (Identity Governance & Administration specialty) — другая specialty: focus на access governance — access certification campaigns (periodic review «does this person still need this access?»), Segregation of Duties (SoD) policy enforcement, access request workflows, compliance reporting (SOC 2 / ISO 27001 / SOX access audits). Tools: SailPoint / Saviynt. CIAM Engineer — consumer-facing auth (millions of users — scalability + UX + Backend-engineering-leaning). См. decision tree выше. Authorization Engineer (rising 2024+) — fine-grained authorization specialty (OPA / OpenFGA / Cedar / SpiceDB) — «who can do what on which resource» at scale. Career-выбор: general IAM if breadth + workforce identity, PAM if high-trust + privileged-account-deep + security-critical, IGA if governance + compliance + audit-focused, CIAM if consumer-scale + product engineering, Authorization Engineer if fine-grained authz + modern policy engines.

В топе: Сбер.Tech, Avanpost, Тинькофф. Российские банки (крупнейший channel за счёт regulatory + identity-security mandate): Сбер.Tech, Тинькофф, ВТБ, Газпромбанк, Альфа-Банк, Райффайзен, Россельхозбанк, МКБ, Открытие. Russian IAM vendors (крупнейший IAM-product сегмент СНГ — активный hiring после импортозамещение): Avanpost (IDM + FAM + PKI — leader РФ workforce IAM), Solar (МТС RED — inRights IGA + SafeInspect PAM), Indeed Identity (Indeed IAM + Indeed PAM), РТ-ИАМ (Ростелеком — государственный IAM), КриптоПро (certificate-based authentication — государственная криптография), АйТи Бастион (СКДПУ НТ — PAM), Аладдин Р.Д. (token-based auth). Яндекс (internal IAM + Yandex Cloud IAM service). Ozon / VK / Wildberries / X5 Group / МТС identity teams. JetBrains (identity для JetBrains Account + IDE licensing). Госкомпании: РТК / Ростелеком / Газпром / Роснефть / Атомэнергопроект. Аутсорсеры с Security Practice: EPAM Security Practice (крупнейший IAM-аутсорс в СНГ для US enterprise IAM-projects — SailPoint / Okta / CyberArk implementations), Luxoft Security, Andersen Security, DataArt Security. International tech-companies (full-remote премиум): Okta (+ Auth0 — workforce + CIAM leader), Microsoft (Entra — крупнейшая identity team globally), Ping Identity, SailPoint (IGA leader), CyberArk (PAM leader), BeyondTrust, Delinea, WorkOS (B2B SSO — rising fast), Clerk (modern CIAM), Stytch, Frontegg, SuperTokens, Ory, Authzed (SpiceDB authorization), Teleport (infrastructure access). Y Combinator identity startups (CIAM + authorization space — самая active sub-niche 2024-2026). Big Tech identity teams (топ-tier salary): Google Identity (Google Sign-In + Cloud Identity) / AWS IAM team / Microsoft Entra / Apple (Sign in with Apple + identity) / Meta (identity infrastructure) — $14000-22000+ Senior.

Roadmap: 1) Identity fundamentals — authentication vs authorization vs accounting (AAA), identity lifecycle (joiner-mover-leaver), least-privilege principle, RBAC vs ABAC vs ReBAC (Role / Attribute / Relationship-Based Access Control). 2) Protocols deep — must: SAML 2.0 (assertions + bindings + SP-initiated vs IdP-initiated flows), OAuth 2.0 / 2.1 (grant types — authorization code + PKCE + client credentials; token types; common pitfalls), OIDC (OpenID Connect) (ID tokens + UserInfo + discovery), SCIM (provisioning standard). Книга: «Solving Identity Management in Modern Applications» Yvonne Wilson / Abhishek Hingnikar (canonical — OAuth/OIDC for developers). 3) Active Directory fundamentals — AD structure (forests / domains / OUs), Group Policy, Kerberos authentication, LDAP. Книга: «Active Directory» Brian Desmond (O'Reilly). 4) Workforce IdP hands-on — выбрать один: Okta (Okta Developer free tier — best для learning + Okta Certified Professional cert) или Microsoft Entra ID (Azure free tier + SC-300 cert) или Keycloak (self-host free — учиться protocols deeply). Set up SSO для test apps. 5) MFA / Passwordless — understand FIDO2 / WebAuthn / Passkeys (passwordless future), set up YubiKey, configure Conditional Access policies. 6) CIAM hands-on (если consumer-facing track) — Auth0 free tier или Clerk или Keycloak. Implement login flows в test app (React / Next.js). 7) PAM hands-on (если privileged-access track) — HashiCorp Vault (free self-host) + Boundary, или Teleport (free tier). Understand secrets vaulting + session recording + JIT access. 8) IGA basics (если governance track) — SailPoint training (SailPoint University) — access certification + SoD concepts. 9) Authorization (rising 2024+) — OPA (Open Policy Agent — Rego language) + OpenFGA (relationship-based — Google Zanzibar paper читать) + Cedar (AWS). Build fine-grained authz demo. 10) IAM automation — Python для SCIM connectors + custom integrations + IdP API automation (Okta API / Microsoft Graph API). 11) Certifications path: Okta Certified (Professional → Administrator → Consultant / Developer) или Microsoft SC-300 (Identity and Access Administrator) — foundational. Advanced: SailPoint certifications / CyberArk certifications (Defender → Sentry → Guardian) / CIDPRO (Certified Identity Professional — IDPro — vendor-neutral). 12) Pet-проект portfolio: a) full SSO setup (Keycloak / Okta) с multiple apps + SAML + OIDC + SCIM provisioning; b) CIAM demo app с passwordless (WebAuthn / Passkeys); c) fine-grained authorization demo (OpenFGA / OPA). Document на GitHub. Курсы РФ: BI.ZONE Cybersecurity Academy, Otus «IAM» / Security courses, Avanpost training (Russian IAM), Solar training (inRights IGA / SafeInspect PAM). International (eng): Okta Learning (free — best для Okta track), Microsoft Learn SC-300 (free), IDPro Body of Knowledge (vendor-neutral — best foundational resource, free), Auth0 docs + blog (excellent CIAM learning), «OAuth 2 in Action» Justin Richer / Antonio Sanso (Manning — protocols deep). Books-must: «Solving Identity Management in Modern Applications» Wilson / Hingnikar, «OAuth 2 in Action» Richer / Sanso, IDPro Body of Knowledge (online). Communities: IDPro (Identity Professionals community — vendor-neutral), r/identitymanagement, Okta / Auth0 community forums, Telegram @iam_ru, @security_ru. Conferences: Identiverse (largest identity conference), Gartner IAM Summit, European Identity & Cloud Conference (EIC). Sysadmin (AD admin) / Security Middle / Backend Middle + IAM focus → IAM Junior — 4-8 месяцев.

4 активных открытых IAM Engineer-вакансий с явной IAM-спецификой в нашей выборке. Реальный рынок значительно шире — many IAM roles classified как general Security Engineer / Backend Engineer (CIAM auth implementation) / DevOps (machine identity + secrets) / IT Administrator (AD administration). True IAM-focused dev jobs в СНГ + Европе оценочно 150-600 позиций активных любой момент 2026. География: 🇵🇱 Польша. Источники: hh.ru (особенно банки + Russian IAM vendors — Avanpost / Solar / Indeed Identity active), Habr Career, getmatch, Djinni, LinkedIn (огромный международный IAM сегмент через Okta / Microsoft / SailPoint / CyberArk / WorkOS), NoFluffJobs / JustJoin.it (Польша IAM-friendly), Telegram (@iam_ru, @cybersec_jobs, @security_ru, @devops_jobs), карьерные сайты EPAM Security Practice / Luxoft / Andersen / DataArt, специализированные борды (cybersecjobs.com, infosec-jobs.com, idpro.org community job board), Y Combinator identity startups (CIAM + authorization — active 2024-2026), Russian IAM vendor careers (avanpost.ru / rt-solar.ru / indeed-company.ru / cryptopro.ru), IAM vendor direct careers (okta.com / pingidentity.com / sailpoint.com / cyberark.com / workos.com), Identiverse / Gartner IAM Summit / EIC conference hiring. Реальный рынок шире за счёт международного remote-сегмента (Okta / Microsoft Entra / Ping / SailPoint / CyberArk / WorkOS / Auth0 / Clerk / Stytch — full-remote-friendly). Время закрытия Senior IAM Engineer — 6-12 недель (longer чем general Security за счёт rare-skill — protocols depth + platform expertise + governance knowledge combination).

Senior IAM Engineer владеет полным циклом identity & access management + technical leadership. Protocols mastery deep: SAML 2.0 (assertions + bindings + SP/IdP-initiated flows + signing / encryption), OAuth 2.0 / 2.1 (all grant types + PKCE + token rotation + DPoP + common vulnerabilities — token leakage / CSRF / redirect manipulation), OIDC (ID tokens + claims + discovery + session management + back-channel logout), SCIM (provisioning automation — joiner-mover-leaver), FIDO2 / WebAuthn (passwordless implementation), Kerberos + LDAP (legacy directory). Workforce IdP mastery: один из Okta / Microsoft Entra ID / Ping deeply — SSO architecture, lifecycle management automation, Conditional Access / risk-based policies, app integration (7000+ catalog для Okta), custom SAML / OIDC app onboarding, IdP federation (multi-IdP scenarios). Directory services mastery: Active Directory deep (forest / domain / OU architecture + Group Policy + replication + AD security — Kerberoasting / DCSync awareness), Entra ID hybrid (AD Connect / Cloud Sync). PAM mastery (если PAM track): CyberArk / BeyondTrust / Delinea / HashiCorp Boundary / Teleport — privileged credential vaulting, session recording, JIT access, service account management, break-glass procedures. IGA mastery (если governance track): SailPoint / Saviynt — access certification campaigns, Segregation of Duties (SoD) policy, access request workflows, role mining, compliance reporting. CIAM mastery (если consumer track): Auth0 / Cognito / Clerk — scalable consumer auth (millions of MAU), passwordless UX, social login, progressive profiling, account security (credential stuffing protection + bot detection). Authorization mastery (rising 2024+): OPA (Rego policy language), OpenFGA / SpiceDB (relationship-based — Google Zanzibar model), Cedar (AWS), fine-grained authz design at scale. Zero Trust identity: Conditional Access architecture, continuous verification, device trust, ITDR (Identity Threat Detection & Response) integration. IAM automation: Python deep (SCIM connectors + IdP API automation — Okta API / Microsoft Graph API + custom integrations), Terraform для IaC IAM (Okta Terraform provider / Entra Terraform). Identity security: identity attack awareness (phishing / MFA bombing / token theft / OAuth consent phishing / Golden SAML), passwordless migration strategy, MFA hardening. System design для IAM: design enterprise SSO architecture на whiteboard, design CIAM for millions of users, design Zero Trust identity architecture, design privileged access workflows. Compliance frameworks: SOC 2 + ISO 27001 + SOX (access controls) + PCI-DSS + 152-ФЗ + 187-ФЗ — access certification + audit support. Soft: ADRs writing для IAM decisions, technical writing (IAM architecture docs), cross-team collaboration (Security / IT / Backend / DevOps / HR teams — IAM touches everyone), executive communication (identity strategy к CISO / CIO), mentoring Middle IAM Engineers. Английский для Senior+ MUST — protocols specs (SAML / OAuth / OIDC RFCs) + vendor docs (Okta / Microsoft / SailPoint / CyberArk) + community (IDPro / Identiverse) англоязычные. Certifications: Okta Certified Consultant / Developer, Microsoft SC-300, SailPoint / CyberArk certifications, CIDPRO (vendor-neutral). Optional bonus: open-source contributions в IAM tools (Keycloak / Ory / OpenFGA / Authentik), conference talks (Identiverse / EIC), authorization specialty depth (OpenFGA / SpiceDB — rising rare-skill) — резко повышают market value для frontier-IAM companies (Okta / WorkOS / Authzed) hiring.

Данные собраны автоматически из 1000+ источников — Telegram-каналов вакансий и сайтов работы СНГ и Восточной Европы (HH, Habr Career, Djinni, DOU, NoFluffJobs, JustJoin.it, Pracuj.pl и других). Парсинг работает круглосуточно, дубликаты фильтруются по описанию и URL, аномальные значения зарплат отсекаются. Подробная методология — на странице «Как работает».