Harsha has successfully executed projects that span cloud-based security solutions, Single Sign-On (SSO), Multi-Factor Authentication (MFA), and advanced protocol migrations.
Harsha Kendyala, a highly accomplished Technical Lead, specializes in Cybersecurity, Identity and Access Management (IAM), and the integration of cutting-edge authentication technologies. With over 12 years of experience in the industry, Harsha has successfully executed projects that span cloud-based security solutions, Single Sign-On (SSO), Multi-Factor Authentication (MFA), and advanced protocol migrations. His expertise includes the deployment and optimization of platforms such as PingIdentity, ForgeRock, and Transmit Security, as well as designing custom solutions to meet unique business requirements. Harsha holds a Master’s in Computer Science from the University of Illinois and is a PingIdentity Certified Professional, bringing a strategic blend of technical acumen and business alignment to every project.
Q1: What initially drew you to specialize in Identity & Access Management, and what keeps you engaged in this field?
A: I was drawn to Cybersecurity and IAM due to their pivotal role in protecting enterprise systems and user data. Early in my career, I realized the critical nature of IAM as businesses expanded their digital operations, with secure authentication becoming a foundational necessity. The field’s dynamic nature, driven by evolving security threats and innovations like OAuth, OIDC, and adaptive authentication, continues to inspire me. The opportunity to build systems that safeguard users and organizations while navigating complex challenges keeps me engaged and motivated.
Q2: Can you discuss a significant challenge you faced while migrating SSO infrastructure from on-premise to AWS?
A: Migrating SSO infrastructure to AWS was a complex yet fulfilling challenge. The main obstacle was ensuring data security and maintaining seamless user access during the transition. Our priority was to manage the identity provider connections and integrate them within the AWS ecosystem without disrupting the user experience. We achieved this by breaking down the migration into phases, rigorously testing each step in a sandbox environment, and establishing failover contingencies to ensure smooth scalability and high availability. Post-migration, we optimized configurations, especially around PingFederate and PingAccess, which led to improved user response times and a more resilient setup.
Q3: Could you elaborate on the role of custom federation adapters in meeting specific business needs?
A: Custom federation adapters are indispensable when standard protocols don’t fully align with unique business requirements. I designed & developed adapters that supported advanced data mappings and integrated seamlessly with legacy applications in the financial sector. These adapters enabled adaptive authentication strategies, ensuring compliance with regulatory mandates while optimizing the user experience. Customizing authentication flows helped bridge the gap between proprietary systems and modern security protocols. Tailoring these solutions gives businesses more control over security while optimizing the user experience, which is often critical in finance and high-security environments.
Q4: What strategies have you employed to combat phishing and DDoS attacks in IAM systems?
A: To combat phishing and DDoS attacks, I designed and implemented a proxy solution that filters malicious traffic and enforces access controls to protect core authentication infrastructure. For phishing prevention, I introduced device fingerprinting, which builds unique device profiles based on attributes like browser type and IP address. These measures, combined with rate limiting and real-time traffic analysis, significantly reduced attack surfaces while ensuring system availability during high traffic or malicious activity.
Q5: What approaches do you find most effective in ensuring high availability and load balancing in PingFederate, Transmit Security and Forgerock deployments?
A: High availability and load balancing across PingFederate, Transmit Security, and ForgeRock deployments are critical to maintaining secure, reliable authentication systems. Here are the approaches I implement to achieve this:
1. Adaptive Clustering
- PingFederate: I utilize clustering to distribute authentication workloads across multiple nodes, ensuring redundancy and high availability. Adaptive clustering allows us to dynamically allocate resources based on traffic patterns, providing scalability during peak usage.
- ForgeRock: ForgeRock’s AM (Access Management) supports horizontal scaling through cluster setups, where each node operates independently yet shares session and configuration data, ensuring consistent performance.
- Transmit Security: For Transmit Security, clustering is employed to balance user sessions and authentication requests across multiple nodes, ensuring failover capabilities during outages or high traffic.
2. Sub-Clustering for Specific Lines of Business (LOBs)
- To address varied requirements across different departments or business units, I implement sub-clustering, which allows dedicated clusters for specific LOBs. This isolates workloads, ensuring critical business applications receive priority resources while maintaining overall system stability.
3. Containerized Deployments
- Using Docker and Kubernetes, I containerize components of PingFederate, ForgeRock, and Transmit Security. Containerization allows for rapid scaling, consistent deployments, and easy updates without disrupting services. Kubernetes manages container orchestration, scaling nodes up or down automatically based on demand.
4. AWS Load Balancers and Cloud Integration
- AWS Elastic Load Balancers (ELB) are integrated with these platforms to distribute traffic evenly across clusters, ensuring high availability. For cloud-based deployments, AWS scaling groups dynamically adjust instance counts to meet demand, ensuring no single point of failure.
5. Session Persistence and Sticky Sessions
- Sticky sessions (session affinity) are configured at the load balancer level to ensure user requests are routed to the same node during a session. This is particularly critical for applications requiring session continuity, such as SSO and adaptive authentication.
6. Active Monitoring and Failover Mechanisms
- For all three platforms, I configure health checks to monitor node performance. In case of a node failure, the load balancer automatically routes traffic to healthy nodes. Additionally, I implement failover clusters to ensure seamless user access during unexpected downtimes.
7. Cache Optimization and Replication
- ForgeRock: Caching user authentication sessions in ForgeRock reduces database queries, enhancing performance during high traffic. Cache replication across nodes ensures session consistency in the event of failover.
- PingFederate & Transmit Security: Similar caching mechanisms reduce backend load and optimize response times during peak usage.
8. Proactive Scaling
- Predictive analytics and monitoring tools like NewRelic, Datadog, and Splunk are used to forecast traffic spikes and scale resources proactively. These tools provide insights into CPU utilization, memory usage, and thread counts, enabling proactive adjustments before performance degradation occurs.
Q6: With security threats evolving, how do you stay current with advancements in the IAM field?
A: Staying updated in the IAM field requires continuous learning and engagement. I make it a point to participate in industry webinars, technical conferences, and workshops focused on IAM and cybersecurity. Additionally, I review the latest documentation and release notes from platforms like PingIdentity and ForgeRock to understand new features and security updates. Engaging with the developer community and testing new functionalities in sandbox environments also helps me stay on top of industry advancements, especially as new security threats emerge.
Q7: Describe a project where your troubleshooting skills were essential in resolving critical issues.
A: One of the most challenging projects was supporting a major identity store migration from a legacy system to Active Directory Lightweight Directory Services (ADLDS). As this involved moving user data and applications to a more scalable environment, issues arose around data integrity and user access compatibility. Through careful troubleshooting, I identified bottlenecks in the authentication flows, particularly when connecting legacy APIs to ADLDS. Using debugging tools like Http-Watch and Fiddler, we resolved these issues by adjusting connection pooling parameters and refining our authentication checks, ensuring a smooth transition with minimal downtime.
Q8: How do you manage the balance between business needs and security protocols in IAM projects?
A: Managing this balance requires a strategic approach, as both security and accessibility are critical. I work closely with business, product, and compliance teams to identify their priorities and align them with security requirements. We use risk assessments to determine where adaptive authentication is most suitable, which ensures sensitive areas are secure while maintaining ease of access in low-risk areas. By implementing role-based access controls and fine-tuning our identity verification steps, we’re able to meet business goals without compromising security.
Q9: Can you explain how automation has improved your processes, particularly in deployment and maintenance?
A: Automation has significantly streamlined deployment and maintenance tasks. For instance, automating PingFederate upgrades across more than 100 servers allowed us to maintain consistency in configurations and reduced manual intervention. And we have also automated onboarding of applications SAML & OAuth/OIDC. Similarly, we set up automated monitoring dashboards that track user activity, server health, and security metrics, making it easier to identify anomalies proactively. Automation in identity management minimizes errors and accelerates responses to issues, allowing us to focus on high-impact tasks rather than repetitive processes.
Q10: What strategies do you employ for effective monitoring and diagnostics in production environments?
A: For monitoring, I rely on a combination of tools, including Splunk, FluentD, NewRelic, Datadog, and Kibana, which collectively provide insights into server health, user activity, and potential security threats. Diagnostic alerts are configured for specific metrics like CPU utilization, thread counts, and memory leaks. Additionally, by analyzing SSO logs, we can preemptively address issues related to user authentication and API connectivity. Consistent monitoring paired with diagnostic tools helps us maintain a stable and responsive production environment.
Q11: How do you mentor and guide team members in such a specialized field?
A: Mentoring is an integral part of my role as it contributes to a more knowledgeable and proactive team. I focus on hands-on training and involve team members in projects where they can apply IAM concepts, such as SAML Federation and OAuth protocols, in real-world scenarios. Regular knowledge-sharing sessions and workshops help the team stay updated on best practices and emerging trends. I also encourage them to pursue certifications and provide support on challenging tasks, building a collaborative environment that fosters continuous learning and improvement.
About Harsha Kendyala
Harsha Kendyala exemplifies technical leadership in Cybersecurity and IAM, blending innovative solutions with a keen focus on scalability and security. His expertise in modernizing legacy systems, mitigating threats like phishing and DDoS attacks, and adopting advanced authentication protocols positions him as a trailblazer in the cybersecurity landscape. Harsha’s ability to balance business needs with robust security practices continues to drive impactful and future-ready digital transformations.
First Published: 07 June, 2022
Topics