Enterprise Security Architect · Engineering Leader · Computer Scientist
Table of Contents
- 1. Key skills
- 2. Professional highlights
- 3. Experience
- 4. Education
- 5. Languages
- 6. Certifications
- 7. Research
- 8. System Development and Management
- 9. Software Development Projects
- 10. Honors & Awards
- 11. Program Committees and Boards
- 12. Teaching and Advising
- 13. Other Professional Activities
- 14. Publications, Talks and Intellectual Property
- 15. References
1 Key skills
- Leadership
- 29 years of multidisciplinary team and project leadership experience; IT Enterprise Architecture; Scaled Agile Framework (SAFe) Architect and Product Owner.
- Computer Security
- Enterprise security architecture; virtualization and cloud computing security; risk management and compliance; intrusion detection and prevention; operating systems and network security; software security and secure software development; CISSP certification.
- Communications
- Excellent written and spoken communication skills, extensive public speaking, writing and teaching experience.
- Systems and Development
- Unix/Linux systems engineering and administration, system health management and monitoring, cloud platforms, software development, configuration management.
- Research
- Ph.D. in Computer Science, 9 years of experience at IBM Research.
2 Professional highlights
- 18 years of experience in education and research, 11 years of industry experience.
- Management and leadership, IT security, cloud computing
- Manage security architecture, risk management, data governance and compliance (ISO27001, ISAE3402/3000, etc.) for Swisscom’s Cloud platforms.
- Established and lead the Swisscom IT Clouds security community of practice.
- Established and led the Health and State Management team at Swisscom to design, implement and operate a framework for scalable monitoring, logging and alerting for Swisscom’s Cloud platforms.
- Established and led the first computer security organization at UNAM, which has grown into the university’s Information Security Coordination (UNAM-CERT).
- Managed IT security customer relationships at HP Enterprise Services, including overseeing the activities of operational and engineering teams, risk and compliance management, requirements discussion and reporting.
- Managed the CFEngine language product roadmap.
- Research, architecture and design
- Designed the Orchard monitoring framework for Swisscom’s Application Cloud platform, and led the team that implemented it and brought it into production.
- Designed and implemented the Billy Goat malware capture and analysis system at IBM.
- Communications and community
- Author of multiple books including Learning CFEngine, Learning Hammerspoon and Literate Configuration.
- Program chair and program committee member for multiple conferences including the RAID symposium, DIMVA conference, the Computer Security Day and Computer Security conference at UNAM, and others.
- Member of the Editorial Board of the Computers & Security Journal.
3 Experience
Swisscom
LOCATION: Switzerland FROM: 2015
Enterprise Architect and IT Clouds Solution Security Architect
FROM: <2019-04-01>
- As an Enterprise Architect, I participate in the design of future products and solutions offered by Swisscom, in collaboration with architects from all other divisions of the company.
- As Solution Security Architect for Swisscom’s Cloud Platforms (Enterprise Service Cloud, Enterprise Application Cloud, Dynamic Computing Services, Enterprise Cloud for SAP Applications and related services), I am responsible for the security, compliance and data governance of those services. I define, prioritize and drive relevant product features and business goals. I also lead the IT Clouds Security Community of Practice and advise engineering teams on compliance, governance and operational activities.
- Selected achievements and activities:
- Ensure cloud platform and service compliance with internal, contractual and regulatory standards, including ISO27001, ISAE3402/3000 and GDPR.
- Established and currently lead a community of around 30 Security Champions from different teams, who drive security initiatives and promote the security culture within the Swisscom IT Clouds organization.
- Coordinate threat modelings, audits, penetration tests and security compliance reporting.
- Coordinate organization- and team-wide processes for risk and vulnerability management.
- Development of the Swisscom Platforms vision for 2025.
Team Lead & Product Owner for Health & State Management
FROM: <2016-03-01> TO: <2019-04-01>
- I built and led a team which evolved alongside Swisscom’s cloud platforms to provide their monitoring and logging capabilities. My responsibilities included people management (up to 16 people), definition and prioritization of requirements and roadmaps (in collaboration with Product Managers and other stakeholders), technical architecture, and managing the planning and execution of team activities.
- Selected achievements:
- Led the transition of the Enterprise Cloud LEMM (Logging, Event Management and Monitoring) and Access & Inventory frameworks into maintenance mode as the platform was retired.
- Defined the scope and mission of the Health and State Management (HSM) team as part of the new Enterprise Service Cloud project, and later of other platforms as the IT Clouds scope expanded to Application Cloud, Enterprise Cloud for SAP Solutions and Dynamic Computing Services.
- Defined the logging and monitoring architecture for the Enterprise Service Cloud platform based on VMware vRealize Operations and vRealize Log Insight.
- Led the transition of the Application Cloud platform monitoring from the Orchard framework to a TICK-based framework.
- Defined architecture and oversaw implementation of the Customer Log Forwarding service.
- Managed business relationship and technical implementation of OpsGenie for alert management in IT Clouds.
- Main technologies involved: VMware vSphere (ESX, vCenter, NSX), VMware vRealize Operations Manager and Log Insight, Ansible (configuration management), OpsGenie (alert management).
Cloud Architect and Orchard Project Lead
EMPLOYER: Swisscom LOCATION: Switzerland FROM: <2015-08-01> TO: <2016-03-01>
- Managed a team of three people and led the Orchard project through its implementation, production release and further improvements and development.
Swisscom Cloud Lab
LOCATION: U.S.A. (remote) FROM: 2014 TO: 2015
Senior Platform Architect
FROM: <2014-08-01> TO: <2015-07-31>
- Designed the architecture and implemented the initial prototype for the Orchard health-management and self-healing framework for Swisscom’s Application Cloud Platform-as-a-Service offering.
- Main technologies involved: OpenStack (cloud computing infrastructure), Cloud Foundry (application platform), Consul (health management and service discovery), RabbitMQ (message bus), Riemann (event analysis).
CFEngine AS
LOCATION: Norway/U.S.A. (remote) FROM: 2011 TO: 2014
Product Manager
FROM: <2013-08-01> TO: <2014-06-30>
- Managed the CFEngine language roadmap.
- Coordinated the CFEngine Design Center project.
- Coordinated the work on CFEngine third-party integration (e.g. AWS EC2, VMware, Docker and OpenStack).
- Developed code for both the Design Center core and its integrations.
Senior Security Advisor
FROM: <2011-10-01> TO: <2014-06-30>
- CFEngine Advocate, with a special focus on security.
- Wrote the book Learning CFEngine 3, published by O’Reilly Media, which became the de facto introductory text to CFEngine.
- Gave talks, wrote articles and blog posts, taught classes, and in general spread the word about CFEngine.
- Developed and implemented the strategy for CFEngine as a security component.
Boundless Innovation and Technology
LOCATION: Mexico FROM: 2012 TO: 2014
Cofounder, Head of Research and Training
FROM: <2012-07-01> TO: <2014-07-31>
- I advised and coordinated teams working on teaching- and security-related products, consulting and services.
HP Enterprise Services
LOCATION: Mexico FROM: 2009 TO: 2011
Account Security Officer
FROM: <2010-10-01> TO: <2011-10-01>
- Acted as first point of contact for all security-related issues for five HP enterprise customers in Mexico.
- Initiated, advised and managed security-related projects.
- Handled communication and coordination between technical teams involved in security initiatives.
- Involved in all security-related decisions at the sales, design, implementation, delivery and ongoing maintenance stages of IT Outsourcing projects.
IT Outsourcing Service Delivery Consultant
FROM: <2009-11-01> TO: <2010-10-01>
- Helped multidisciplinary customer teams (software engineering, IT management, networking, sales and support) by solving complex problems in customer environments.
- Performed analysis, design and implementation of solutions in multiple areas of expertise, including system automation, configuration management, system administration, system design, virtualization, performance and security.
IBM Zurich Research Lab
LOCATION: Switzerland FROM: 2001 TO: 2009
Research Staff Member
FROM: <2001-10-01> TO: <2009-10-01>
- I was a member of the Global Security Analysis Laboratory (GSAL), where I worked in intrusion detection, malware detection and containment, and virtualization security research projects.
- See Research for details of my research.
Sun Microsystems
LOCATION: U.S.A. FROM: 1997 TO: 1997
Developer (Intern)
FROM: <1997-05-01> TO: <1997-08-01>
- Developer for the Bruce host vulnerability scanner, later released as the Sun Enterprise Network Security Service (SENSS).
- Designed and implemented the first version of the network-based components of Bruce, which allowed it to operate on several hosts in a network, controlled from a central location.
National Autonomous University of Mexico (UNAM)
LOCATION: Mexico FROM: 1991 TO: 1996
Head of Computer Security Area
FROM: <1995-08-01> TO: <1996-08-01>
- Founded UNAM’s Computer Security Area, the University’s first team dedicated to computer security, which has evolved into the Information Security Coordination (UNAM-CERT).
- Managed up to nine people working on different projects related to computer security.
- Managed security monitoring for a Cray supercomputer and 22 Unix workstations.
- Provided security services to the whole University, including incident response, security information, auditing and teaching.
- Established the celebration of the International Computer Security Day (sponsored by the Association for Computing Machinery) at UNAM. Acted as the main organizer of the event for two years (1994 and 1995). This event has grown and evolved into the Computer Security Day and the Computer Security Congress.
- Designed and headed development of an audit-analysis tool for Unix systems (SAINT) \cite{zamboni96:saint}.
System Administrator
FROM: <1991-11-01> TO: <1995-08-01>
- System administrator at UNAM’s Supercomputing Center, managing a Cray Y-MP Supercomputer and related systems.
- Managed the Network Queuing Subsystem (NQS).
- Managed and provided support for 22 Unix workstations.
- Monitored the security of the Cray supercomputer and related workstations.
- Other responsibilities: user administration, operating system installation, resource management, security policies.
4 Education
Ph.D. in Computer Science
LOCATION: West Lafayette, IN, U.S.A. SCHOOL: Purdue University FROM: <1996-08-01> TO: <2001-08-01>
- Thesis title: Using Internal Sensors for Computer Intrusion Detection.
- Advisor: Eugene H. Spafford.
M.S. in Computer Science
LOCATION: West Lafayette, IN, U.S.A. SCHOOL: Purdue University FROM: <1996-08-01> TO: <1998-05-01>
- Advisor: Eugene H. Spafford.
Bachelor’s degree in Computer Engineering
LOCATION: Mexico City, Mexico SCHOOL: National Autonomous University of Mexico (UNAM) FROM: <1989-08-01> TO: <1995-07-01>
- Thesis title: UNAM/Cray Project for Security in the Unix Operating System (in Spanish, original title: Proyecto UNAM/Cray de Seguridad en el Sistema Operativo Unix).
5 Languages
- Spanish
- native
- English
- full professional proficiency
- German
- basic proficiency (B1 level)
6 Certifications
Certified Information Systems Security Professional (CISSP)
ORGANIZATION: (ISC)², the International Information System Security Certification Consortium LOCATION: April 2019
The vendor-neutral CISSP credential confirms technical knowledge and experience to design, engineer, implement, and manage the overall security posture of an organization. Required by the world’s most security-conscious organizations, CISSP is the gold-standard information security certification that assures information security leaders possess the breadth and depth of knowledge to establish holistic security programs that protect against threats in an increasingly complex cyber world.
SAFe® 4 Certified Product Owner/Product Manager
ORGANIZATION: Scaled Agile Inc. LOCATION: July 2017 (not renewed)
A SAFe® 4 Certified Product Owner/Product Manager is a SAFe professional who works with customers and development organizations to identify and write requirements. Key areas of competency include identifying customer needs, writing epics, capabilities, features, stories, and prioritizing work in order to effectively deliver value to the enterprise.
7 Research
(see “Publications” for publication reference details)
Selected research projects at IBM
Phantom
FROM: 2008 TO: 2009
- Security for VMware virtual environments using virtual machine introspection (based on the VMware VMsafe API) to provide intrusion detection and prevention capabilities.
- Publications: \cite{Christodorescu:2009:CSV:1655008.1655022}.
Billy Goat: Active worm detection and capture
FROM: 2002 TO: 2008
- Billy Goat was the first instance of what is today called honeypots and honeynets.
- An active worm-detection system, widely deployed (at the time) in the IBM worldwide internal network. It listens for connections to unused IP address ranges and actively responds to those connections to accurately detect worm-infected machines, and in many cases capture the worms themselves. Billy Goat is engineered for distributed deployment, with each device containing standalone detection and reporting capabilities, together with data centralization features that allow network-wide data analysis and reporting.
- Publications: \cite{riordan06:_build_billy_goat:first2006, riordan05:bg_techreport}
Router-based Billy Goat
FROM: 2005 TO: 2007
- An active worm-capture device deployed at the network boundary and coupled with the border router, that allows the Billy Goat to effectively and automatically spoof every unused IP address outside the local network. This makes it possible for the Router-based Billy Goat to accurately detect local infected machines and prevent them from establishing connections to the outside, limiting the propagation of the worms to the outside network.
- Publications: \cite{zamboni07:sruti07-rbg}
SOC in a Box
FROM: 2005 TO: 2007
- Integrated device containing multiple security tools: intrusion detection, worm detection, vulnerability scanning and network discovery. Precursor to what is today called Unified Threat Management systems.
Exorcist
FROM: 2001 TO: 2002
- Host-based, behavior-based intrusion detection using sequences of system calls.
Ph.D. Thesis Research
Using internal sensors and embedded detectors for intrusion detection
- Study of data collection methods for intrusion detection systems.
- Implementation of novel methods for data collection in intrusion detection systems.
- Analysis of the properties, advantages and disadvantages of internal sensors and embedded detectors as data collection and analysis elements in intrusion detection systems.
- Publications: \cite{zamboni01:phd-thesis, zamboni02:sensors_detectors, kerschbaum00:network-embedded-sensors, zamboni00:thesis-proposal, zamboni:raid2000}
Additional research projects
Using autonomous agents for intrusion detection
- Design and documentation of an architecture (AAFID) to perform distributed monitoring and intrusion detection using autonomous agents.
- Implementation of a prototype according to the architecture. This prototype is published as open source.
- Exploration of research issues in the distributed intrusion detection area.
- Publications: \cite{spafford00:intrus_detec_auton_agent, zamboni:aafid-acsac98, zamboni:aafid-architecture, zamboni:raid98, zamboni00:build_aafid_with_perl, zamboni:raid99}.
Analysis of a denial-of-service attack on TCP/IP (Synkill)
- Collaborated in the analysis of the SYN-flooding denial-of-service attack against TCP and in the implementation of a defense tool.
- Publications: \cite{schuba97:synkill}, awarded the 2020 IEEE Security & Privacy Test of Time Award.
8 System Development and Management
- Programming languages
- Ruby, Python, C, Perl, Java, LISP family (Clojure, Racket), AWK, Unix shells.
- Development environments
- Unix/Linux, Cloud Foundry, Amazon EC2, macOS.
- Unix system administration
- Linux (multiple distributions), OpenBSD, FreeBSD, macOS, Solaris.
- Configuration management
- CFEngine, Puppet, Chef, Ansible.
- Virtualization, containers and cloud
- VMware (ESX, vSphere), OpenStack, Amazon EC2, Docker, Cloud Foundry.
- Health Management and Monitoring
- VMware vRealize Operations Manager, vRealize Log Insight, Nagios, Icinga.
- Other technologies
- REST APIs, Riemann (event stream processing), XML and related technologies, network programming, database programming (SQL), kernel programming (OpenBSD and Linux), HTML.
9 Software Development Projects
Publicly available software projects: see https://github.com/zzamboni/ and https://gitlab.com/zzamboni
Other software projects (not publicly available)
Pilatus (IBM)
FROM: 2005 TO: 2007
A system installer that allows arbitrary system installation and configurations, allowing for both proprietary and open source components to be installed in an automated fashion. Open source components can be downloaded directly from their original source to avoid distributing them.
SOC in a Box (IBM)
FROM: 2005 TO: 2007
A specialized Linux distribution containing multiple security services for integrated security monitoring in small and medium networks. The implementation also includes backend infrastructure components for system installation, configuration and upgrade, and for data centralization, analysis and reporting.
Billy Goat (IBM)
FROM: 2002 TO: 2007
A specialized Linux distribution containing multiple sensors for detection of large-scale automated attacks. The implementation also includes backend infrastructure components for system configuration and upgrade, data centralization, analysis and reporting.
Embedded Sensors Project (Purdue University)
FROM: 1999 TO: 2001
A system of sensors for intrusion detection developed in OpenBSD through code instrumentation. Developed as part of my Ph.D. thesis work.
10 Honors & Awards
IEEE Security & Privacy Test of Time Award (IEEE S&P page, CERIAS blog post)
DATE: <2020-05-18> ORGANIZATION: IEEE LOCATION: U.S.A.
CFEngine Champion
DATE: 2010 ORGANIZATION: CFEngine AS LOCATION: Norway
Josef Raviv Memorial Postdoctoral Fellowship
DATE: <2001-07-01> ORGANIZATION: IBM LOCATION: U.S.A.
Member of Phi Beta Delta
DATE: <2001-04-01> ORGANIZATION: honor society recognizing scholarly achievement LOCATION: U.S.A.
UPE Microsoft Scholarship Award
DATE: <2000-09-01> ORGANIZATION: honor society recognizing scholarly achievement LOCATION: U.S.A.
Member of Upsilon Pi Epsilon
DATE: <1998-04-01> ORGANIZATION: the ACM Computer Sciences honor society LOCATION: U.S.A.
Fulbright Scholarship
DATE: <1996-05-01> ORGANIZATION: for pursuing Ph.D. studies at Purdue University LOCATION: Mexico
11 Program Committees and Boards
Editorial Board Member
ORGANIZATION: Computers & Security Journal DATE: 2011–2013
Steering Committee Member
ORGANIZATION: Intl. Symposium on Recent Advances in Intrusion Detection DATE: 2007–2017
Program Chair
ORGANIZATION: 9th Intl. Symposium on Recent Advances in Intrusion Detection (RAID) DATE: 2006 LOCATION: Germany
Program Committee Member
ORGANIZATION: Intl. Symposium on Recent Advances in Intrusion Detection DATE: 2001–2005
Program Co-chair
ORGANIZATION: IBM Academy of Technology Security and Privacy Symposium DATE: 2009
Program Chair
ORGANIZATION: ZISC Workshop on Security in Virtualized Environments and Cloud Computing DATE: 2009 LOCATION: Switzerland
Program Chair
ORGANIZATION: Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA) DATE: 2008 LOCATION: France
Program Committee Member
ORGANIZATION: IEEE Security and Privacy Symposium DATE: 2007 LOCATION: U.S.A.
Program Committee Member
ORGANIZATION: Annual Computer Security Applications Conference (ACSAC) DATE: 2003–2007
Program Committee Member
ORGANIZATION: Computer Security Day Conference DATE: 1994–2000 LOCATION: Mexico
Founder and organizer
ORGANIZATION: Computer Security Day Conference DATE: 1994–1995 LOCATION: Mexico
12 Teaching and Advising
Students
Daniele Sgandurra, University of Pisa, Italy
LABEL: Internship advisor FROM: 2009 TO: 2009
- Project: Design and implementation of process injection using virtual machine introspection.
Martin Carbone, Georgia Institute of Technology, U.S.A.
LABEL: Internship advisor FROM: 2007 TO: 2007
- Project: Implementation of a proof-of-concept Hyperjacking attack on the Intel platform.
Urko Zurutuza Ortega, Mondragon University, Spain
LABEL: Ph.D. co-advisor FROM: 2005 TO: 2008
Milton Yates, ENST Bretagne, France
LABEL: External Diploma Thesis advisor FROM: 2005 TO: 2005
Candid Wüest, ETH Zurich, Switzerland
LABEL: Diploma Thesis tutor FROM: 2002 TO: 2003
Teaching
CISSP training (30 hours)
LABEL: iNetworks, Mexico (remote class) DATE: 2020
CFEngine one-day training class (8 hours)
LABEL: Multiple venues FROM: 2011 TO: 2013
“Virtualization” lecture (2 hours), Systems Security class, Computer Science Dept.
LABEL: ETH Zürich FROM: 2011 TO: 2013
“Intrusion detection: Basic concepts and current research at IBM” class (3 hours), Information Technology Security Spring School
LABEL: University of Lausanne FROM: 2005 TO: 2005
“Introduction to Computer Security” class (40 hours)
LABEL: ITESM, Mexico FROM: 2003 TO: 2003
EE495 (“Information Extraction, Retrieval and Security”) course
LABEL: Purdue University, U.S.A. FROM: 2000 TO: 2000
- Co-designed eight security-related lectures and taught two of them.
- Co-designed the class project.
“SSH: Achieving secure communication over insecure channels” class
LABEL: CSI NetSec conference, U.S.A. FROM: 2000 TO: 2000
“Protecting your computing system” class
LABEL: Schlumberger, U.S.A. FROM: 1997 TO: 1997
Supercomputing Internship Program Courses
LABEL: UNAM, Mexico FROM: 1991 TO: 1996
- Designed and taught multiple courses (10–40 hours long) on the following topics:
- Introduction to Unix
- Unix utilities
- Unix security
- Basic Unix administration
- Advanced Unix administration
- UNICOS system administration on Cray supercomputers
13 Other Professional Activities
The Association for Computing Machinery (ACM)
POSITION: Member DATE: 1998–
Purdue.pm, the Purdue Perl Users Group
POSITION: Founder DATE: 2000 LOCATION: U.S.A.
Purdue University Chapter of Upsilon Pi Epsilon
POSITION: President DATE: 1999 LOCATION: U.S.A.
Purdue University Chapter of Upsilon Pi Epsilon
POSITION: Secretary DATE: 1998 LOCATION: U.S.A.
14 Publications, Talks and Intellectual Property
15 References
Available by request.