Enterprise Security Architect · Engineering Leader · Computer Scientist

Table of Contents

1 Key skills

29 years of multidisciplinary team and project leadership experience; IT Enterprise Architecture; Scaled Agile Framework (SAFe) Architect and Product Owner.
Computer Security
Enterprise security architecture; virtualization and cloud computing security; risk management and compliance; intrusion detection and prevention; operating systems and network security; software security and secure software development; CISSP certification.
Excellent written and spoken communication skills, extensive public speaking, writing and teaching experience.
Systems and Development
Unix/Linux systems engineering and administration, system health management and monitoring, cloud platforms, software development, configuration management.
Ph.D. in Computer Science, 9 years of experience at IBM Research.

2 Professional highlights

  • 18 years of experience in education and research, 11 years of industry experience.
  • Management and leadership, IT security, cloud computing
    • Manage security architecture, risk management, data governance and compliance (ISO27001, ISAE3402/3000, etc.) for Swisscom’s Cloud platforms.
    • Established and lead the Swisscom IT Clouds security community of practice.
    • Established and led the Health and State Management team at Swisscom to design, implement and operate a framework for scalable monitoring, logging and alerting for Swisscom’s Cloud platforms.
    • Established and led the first computer security organization at UNAM, which has grown into the university’s Information Security Coordination (UNAM-CERT).
    • Managed IT security customer relationships at HP Enterprise Services, including overseeing the activities of operational and engineering teams, risk and compliance management, requirements discussion and reporting.
    • Managed the CFEngine language product roadmap.
  • Research, architecture and design
    • Designed the Orchard monitoring framework for Swisscom’s Application Cloud platform, and led the team that implemented it and brought it into production.
    • Designed and implemented the Billy Goat malware capture and analysis system at IBM.
  • Communications and community

3 Experience


LOCATION: Switzerland
FROM: 2015

Enterprise Architect and IT Clouds Solution Security Architect

FROM: <2019-04-01>
  • As an Enterprise Architect, I participate in the design of future products and solutions offered by Swisscom, in collaboration with architects from all other divisions of the company.
  • As Solution Security Architect for Swisscom’s Cloud Platforms —which include Enterprise Service Cloud, Enterprise Application Cloud, Dynamic Computing Services, Enterprise Cloud for SAP Applications and related services— I am responsible for the security, compliance and data governance of those services. I define, prioritize and drive relevant product features and business goals. I also lead the IT Clouds Security Community of Practice and advise engineering teams on compliance, governance and operational activities.
  • Selected achievements and activities:
    • Ensure cloud platform and service compliance with internal, contractual and regulatory standards, including ISO27001, ISAE3402/3000 and GDPR.
    • Establish and currently lead a community of around 30 Security Champions from different teams, who drive security initiatives and promote the security culture within the Swisscom IT Clouds organization.
    • Coordinate threat modelings, audits, penetration tests and security compliance reporting.
    • Coordinate organization- and team-wide processes for risk and vulnerability management.
    • Development of the Swisscom Platforms vision for 2025.

Team Lead & Product Owner for Health & State Management

FROM: <2016-03-01>
TO: <2019-04-01>
  • I built and led a team which evolved on par with Swisscom cloud platforms to provide their monitoring and logging capabilities. My responsibilities included people management (up to 16 people), definition and prioritization of requirements and roadmaps (in collaboration with Product Managers and other stakeholders), technical architecture, and managing the planning and execution of team activities.
  • Selected achievements:
    • Led the transition of the Enterprise Cloud LEMM (Logging, Event Management and Monitoring) and Access & Inventory frameworks into maintenance mode as the platform was retired.
    • Defined the scope and mission of the Health and State Management (HSM) team as part of the new Enterprise Service Cloud project, and later of other platforms as the IT Clouds scope expanded to Application Cloud, Enterprise Cloud for SAP Solutions and Dynamic Computing Services.
    • Defined the logging and monitoring architecture for the Enterprise Service Cloud platform based on VMware vRealize Operations and vRealize Log Insight.
    • Led the transition of the Application Cloud platform monitoring from the Orchard framework to a TICK-based framework.
    • Defined architecture and oversaw implementation of the Customer Log Forwarding service.
    • Managed business relationship and technical implementation of OpsGenie for alert management in IT Clouds.
  • Main technologies involved: VMware vSphere (ESX, vCenter, NSX), VMware vRealize Operations Manager and Log Insight, Ansible (configuration management), OpsGenie (alert management).

Cloud Architect and Orchard Project Lead

EMPLOYER: Swisscom
LOCATION: Switzerland
FROM: <2015-08-01>
TO: <2016-03-01>
  • Managed a team of three people and led the Orchard project through its implementation, production release and further improvements and development.

Swisscom Cloud Lab

LOCATION: U.S.A. (remote)
FROM: 2014
TO: 2015

Senior Platform Architect

FROM: <2014-08-01>
TO: <2015-07-31>
  • Designed the architecture and implemented the initial prototype for the Orchard health-management and self-healing framework for Swisscom’s Application Cloud Platform-as-a-Service service.
  • Main technologies involved: OpenStack (cloud computing infrastructure), Cloud Foundry (application platform), Consul (health management and service discovery), RabbitMQ (message bus), Riemann (event analysis).

CFEngine AS

LOCATION: Norway/U.S.A. (remote)
FROM: 2011
TO: 2014

Product Manager

FROM: <2013-08-01>
TO: <2014-06-30>
  • Managed the CFEngine language roadmap.
  • Coordinated the CFEngine Design Center project.
  • Coordinated the work on CFEngine third-party integration (e.g. AWS EC2, VMware, Docker and OpenStack).
  • Developed code for both the Design Center core and its integrations.

Senior Security Advisor

FROM: <2011-10-01>
TO: <2014-06-30>
  • CFEngine Advocate, with a special focus on security.
  • Wrote the book Learning CFEngine 3, published by O’Reilly Media, which became the de facto introductory text to CFEngine.
  • Gave talks, wrote articles and blog posts, taught classes, and in general spread the word about CFEngine.
  • Developed and implemented the strategy for CFEngine as a security component.

Boundless Innovation and Technology

FROM: 2012
TO: 2014

Cofounder, Head of Research and Training

FROM: <2012-07-01>
TO: <2014-07-31>
  • I advised and coordinated teams working on teaching- and security-related products, consulting and services.

HP Enterprise Services

FROM: 2009
TO: 2011

Account Security Officer

FROM: <2010-10-01>
TO: <2011-10-01>
  • Acted as first point of contact for all security-related issues for five HP enterprise customers in Mexico.
  • Initiated, advised and managed security-related projects.
  • Handled communication and coordination between technical teams involved in security initiatives.
  • Involved in all security-related decisions at the sales, design, implementation, delivery and ongoing maintenance stages of IT Outsourcing projects.

IT Outsourcing Service Delivery Consultant

FROM: <2009-11-01>
TO: <2010-10-01>
  • Helped multidisciplinary customer teams (software engineering, IT management, networking, sales and support) by solving complex problems in customer environments.
  • Performed analysis, design and implementation of solutions in multiple areas of expertise, including system automation, configuration management, system administration, system design, virtualization, performance and security.

IBM Zurich Research Lab

LOCATION: Switzerland
FROM: 2001
TO: 2009

Research Staff Member

FROM: <2001-10-01>
TO: <2009-10-01>
  • I was a member of the Global Security Analysis Laboratory (GSAL), where I worked in intrusion detection, malware detection and containment, and virtualization security research projects.
  • See Research for details of my research.

Sun Microsystems

FROM: 1997
TO: 1997

Developer (Intern)

FROM: <1997-05-01>
TO: <1997-08-01>
  • Developer for the Bruce host vulnerability scanner, later released as the Sun Enterprise Network Security Service (SENSS).
  • Designed and implemented the first version of the network-based components of Bruce, which allowed it to operate on several hosts in a network, controlled from a central location.

National Autonomous University of Mexico (UNAM)

FROM: 1991
TO: 1996

Head of Computer Security Area

FROM: <1995-08-01>
TO: <1996-08-01>
  • Founded UNAM’s Computer Security Area, the University’s first team dedicated to computer security, which has evolved into the Information Security Coordination (UNAM-CERT).
  • Managed up to nine people working on different projects related to computer security.
  • Managed security monitoring for a Cray supercomputer and 22 Unix workstations.
  • Provided security services to the whole University, including incident response, security information, auditing and teaching.
  • Established the celebration of the International Computer Security Day (sponsored by the Association for Computing Machinery) at UNAM. Acted as the main organizer of the event for two years (1994 and 1995). This event has grown and evolved into the Computer Security Day and the Computer Security Congress.
  • Designed and headed development of an audit-analysis tool for Unix systems (SAINT) \cite{zamboni96:saint}.

System Administrator

FROM: <1991-11-01>
TO: <1995-08-01>
  • System administrator at UNAM’s Supercomputing Center, managing a Cray Y-MP Supercomputer and related systems.
  • Managed the Network Queuing Subsystem (NQS),
  • Managed and provided support for 22 Unix workstations.
  • Monitored the security of the Cray supercomputer and related workstations.
  • Other responsibilities: user administration, operating system installation, resource management, security policies.

4 Education

Ph.D. in Computer Science

LOCATION: West Lafayette, IN, U.S.A.
SCHOOL: Purdue University
FROM: <1996-08-01>
TO: <2001-08-01>

M.S. in Computer Science

LOCATION: West Lafayette, IN, U.S.A.
SCHOOL: Purdue University
FROM: <1996-08-01>
TO: <1998-05-01>

Bachelor’s degree in Computer Engineering

LOCATION: Mexico City, Mexico
SCHOOL: National Autonomous University of Mexico (UNAM)
FROM: <1989-08-01>
TO: <1995-07-01>

5 Languages

full professional proficiency
basic proficiency (B1 level)

6 Certifications

Certified Information Systems Security Professional (CISSP)

ORGANIZATION: (ISC)², the International Information System Security Certification Consortium
LOCATION: April 2019

The vendor-neutral CISSP credential confirms technical knowledge and experience to design, engineer, implement, and manage the overall security posture of an organization. Required by the world’s most security-conscious organizations, CISSP is the gold-standard information security certification that assures information security leaders possess the breadth and depth of knowledge to establish holistic security programs that protect against threats in an increasingly complex cyber world.

SAFe® 4 Certified Product Owner/Product Manager

ORGANIZATION: Scaled Agile Inc.
LOCATION: July 2017 (not renewed)

A SAFe® 4 Certified Product Owner/Product Manager is a SAFe professional who works with customers and development organizations to identify and write requirements. Key areas of competency include identifying customer needs, writing epics, capabilities, features, stories, and prioritizing work in order to effectively deliver value to the enterprise.

7 Research

(see ``Publications’’ for publication reference details)

Selected research projects at IBM


FROM: 2008
TO: 2009
  • Security for VMware virtual environments using virtual machine introspection (based on the VMware VMsafe API) to provide intrusion detection and prevention capabilities.
  • Publications: \cite{Christodorescu:2009:CSV:1655008.1655022}.

Billy Goat: Active worm detection and capture

FROM: 2002
TO: 2008
  • Billy Goat was the first instance of what is today called honeypots and honeynets.
    • An active worm-detection system, widely deployed (at the time) in the IBM worldwide internal network. It listens for connections to unused IP address ranges and actively responds to those connections to accurately detect worm-infected machines, and in many cases capture the worms themselves. Billy Goat is engineered for distributed deployment, with each device containing standalone detection and reporting capabilities, together with data centralization features that allow network-wide data analysis and reporting.
  • Publications: \cite{riordan06:_build_billy_goat:first2006, riordan05:bg_techreport}

Router-based Billy Goat

FROM: 2005
TO: 2007
  • An active worm-capture device deployed at the network boundary and coupled with the border router, that allows the Billy Goat to effectively and automatically spoof every unused IP address outside the local network. This makes it possible for the Router-based Billy Goat to accurately detect local infected machines and prevent them from establishing connections to the outside, limiting the propagation of the worms to the outside network.
  • Publications: \cite{zamboni07:sruti07-rbg}

SOC in a Box

FROM: 2005
TO: 2007
  • Integrated device containing multiple security tools: intrusion detection, worm detection, vulnerability scanning and network discovery. Precursor to what is today called Unified Threat Management systems.


FROM: 2001
TO: 2002
  • Host-based, behavior-based intrusion detection using sequences of system calls.

Ph.D. Thesis Research

Using internal sensors and embedded detectors for intrusion detection

  • Study of data collection methods for intrusion detection systems.
  • Implementation of novel methods for data collection in intrusion detection systems.
  • Analysis of the properties, advantages and disadvantages of internal sensors and embedded detectors as data collection and analysis elements in intrusion detection systems.
  • Publications: \cite{zamboni01:phd-thesis, zamboni02:sensors_detectors, kerschbaum00:network-embedded-sensors, zamboni00:thesis-proposal, zamboni:raid2000}

Additional research projects

Using autonomous agents for intrusion detection

  • Design and documentation of an architecture (AAFID) to perform distributed monitoring and intrusion detection using autonomous agents.
  • Implementation of a prototype according to the architecture. This prototype is published as open source.
  • Exploration of research issues in the distributed intrusion detection area.
  • Publications: \cite{spafford00:intrus_detec_auton_agent, zamboni:aafid-acsac98, zamboni:aafid-architecture, zamboni:raid98, zamboni00:build_aafid_with_perl, zamboni:raid99}.

Analysis of a denial-of-service attack on TCP/IP (Synkill)

8 System Development and Management

Programming languages
Ruby, Python, C, Perl, Java, LISP family (Clojure, Racket), AWK, Unix shells.
Development environments
Unix/Linux, Cloud Foundry, Amazon EC2, macOS.
Unix system administration
Linux (multiple distributions), OpenBSD, FreeBSD, macOS, Solaris.
Configuration management
CFEngine, Puppet, Chef, Ansible.
Virtualization, containers and cloud
VMWare (ESX, vSphere), OpenStack, Amazon EC2, Docker, Cloud Foundry.
Health Management and Monitoring
VMware vRealize Operations Manager, vRealize Log Insight, Nagios, Icinga.
Other technologies
REST APIs, Riemann (event stream processing), XML and related technologies, network programming, database programming (SQL), kernel programming (OpenBSD and Linux), HTML.

9 Software Development Projects

Publicly available software projects: see https://github.com/zzamboni/ and https://gitlab.com/zzamboni

Other software projects (not publicly available)

Pilatus (IBM)

FROM: 2005
TO: 2007

A system installer that allows arbitrary system installation and configurations, allowing for both proprietary and open source components to be installed in an automated fashion. Open source components can be downloaded directly from their original source to avoid distributing them.

SOC in a Box (IBM)

FROM: 2005
TO: 2007

A specialized Linux distribution containing multiple security services for integrated security monitoring in small and medium networks. Implementation includes also backend infrastructure components for system installation, configuration and upgrade; and data centralization, analysis and reporting.

Billy Goat (IBM)

FROM: 2002
TO: 2007

A specialized Linux distribution containing multiple sensors for detection of large-scale automated attacks. Implementation includes also backend infrastructure components for system configuration and upgrade, data centralization, analysis and reporting.

Embedded Sensors Project (Purdue University)

FROM: 1999
TO: 2001

A system of sensors for intrusion detection developed in OpenBSD through code instrumentation. Developed as part of my Ph.D. thesis work.

10 Honors & Awards

IEEE Security & Privacy Test of Time Award (IEEE S&P page, CERIAS blog post)

DATE: <2020-05-18>

CFEngine Champion

DATE: 2010

Josef Raviv Memorial Postdoctoral Fellowship

DATE: <2001-07-01>

Member of Phi Beta Delta

DATE: <2001-04-01>
ORGANIZATION: honor society recognizing scholarly achievement

UPE Microsoft Scholarship Award

DATE: <2000-09-01>
ORGANIZATION: honor society recognizing scholarly achievement

Member of Upsilon Pi Epsilon

DATE: <1998-04-01>
ORGANIZATION: the ACM Computer Sciences honor society

Fulbright Scholarship

DATE: <1996-05-01>
ORGANIZATION: for pursuing Ph.D. studies at Purdue University

11 Program Committees and Boards

Editorial Board Member

ORGANIZATION: Computers \& Security Journal
DATE: 2011--2013

Steering Committee Member

ORGANIZATION: Intl. Symposium on Recent Advances in Intrusion Detection
DATE: 2007--2017

Program Chair

ORGANIZATION: 9th Intl. Symposium on Recent Advances in Intrusion Detection (RAID)
DATE: 2006

Program Committee Member

ORGANIZATION: Intl. Symposium on Recent Advances in Intrusion Detection
DATE: 2001--2005

Program Co-chair

ORGANIZATION: IBM Academy of Technology Security and Privacy Symposium
DATE: 2009

Program Chair

ORGANIZATION: ZISC Workshop on Security in Virtualized Environments and Cloud Computing
DATE: 2009
LOCATION: Switzerland

Program Chair

ORGANIZATION: Detection of Intrusions and Malware \& Vulnerability Assessment (DIMVA)
DATE: 2008

Program Committee Member

ORGANIZATION: IEEE Security and Privacy Symposium
DATE: 2007

Program Committee Member

ORGANIZATION: Annual Computer Security Applications Conference (ACSAC)
DATE: 2003--2007

Program Committee Member

ORGANIZATION: Computer Security Day Conference
DATE: 1994--2000

Founder and organizer

ORGANIZATION: Computer Security Day Conference
DATE: 1994--1995

12 Teaching and Advising


Daniele Sgandurra, University of Pisa, Italy

LABEL: Internship advisor
FROM: 2009
TO: 2009
  • Project: Design and implementation of process injection using virtual machine introspection.

Martin Carbone, Georgia Institute of Technology, U.S.A.

LABEL: Internship advisor
FROM: 2007
TO: 2007

Project: Implementation of a proof of concept Hyperjacking attack on Intel platform.

Urko Zurutuza Ortega, Mondragon University, Spain

Milton Yates, ENST Bretagne, France

LABEL: External Diploma Thesis advisor
FROM: 2005
TO: 2005

Candid Wüest, ETH Zurich, Switzerland

LABEL: Diploma Thesis tutor
FROM: 2002
TO: 2003


CISSP training (30 hours)

LABEL: iNetworks, Mexico (remote class)
DATE: 2020

CFEngine one-day training class (8 hours)

LABEL: Multiple venues
FROM: 2011
TO: 2013

“Virtualization” lecture (2 hours), Systems Security class, Computer Science Dept.

FROM: 2011
TO: 2013

“Intrusion detection: Basic concepts and current research at IBM” class (3 hours), Information Technology Security Spring School

LABEL: University of Lausanne
FROM: 2005
TO: 2005

“Introduction to Computer Security” class (40 hours)

FROM: 2003
TO: 2003

EE495 (“Information Extraction, Retrieval and Security”) course

LABEL: Purdue University, U.S.A.
FROM: 2000
TO: 2000
  • Co-designed eight security-related lectures and taught two of them.
  • Co-designed the class project.

“SSH: Achieving secure communication over insecure channels” class

LABEL: CSI NetSec conference, U.S.A.
FROM: 2000
TO: 2000

“Protecting your computing system” class

LABEL: Schlumberger, U.S.A.
FROM: 1997
TO: 1997

Supercomputing Internship Program Courses

FROM: 1991
TO: 1996
  • Designed and taught multiple courses (10–40 hours long) on the following topics:
    • Introduction to Unix
    • Unix utilities
    • Unix security
    • Basic Unix administration
    • Advanced Unix administration
    • UNICOS system administration on Cray supercomputers

13 Other Professional Activities

The Association for Computing Machinery (ACM)

DATE: 1998--

Purdue.pm, the Purdue Perl Users Group

DATE: 2000

Purdue University Chapter of Upsilon Pi Epsilon

POSITION: President
DATE: 1999

Purdue University Chapter of Upsilon Pi Epsilon

POSITION: Secretary
DATE: 1998

14 Publications, Talks and Intellectual Property

The list of publications is for the moment not available in the HTML version of my CV. Please see the full PDF version.

15 References

Available by request.

Author: Diego Zamboni

Created: 2021-07-10 Sat 17:22