Lead Engineer - Secure VPN & Zero Trust
Date: Mar 6, 2026
Location: Stamford, CT, US
Company: Odyssey

Odyssey Reinsurance Company (OdysseyRe) is the global reinsurance arm of Odyssey Group, one of the world’s leading providers of reinsurance and specialty insurance. OdysseyRe offers a broad range of property, casualty, and specialty reinsurance products, providing capital and risk management solutions for clients to efficiently manage economic risk through a network of branch and representative offices across North America, Latin America, EMEA (Europe, Middle East & Africa), Asia Pacific and London.
OdysseyRe is an equal opportunity employer with excellent benefits and a strong commitment to providing training and opportunities for our staff. We provide employees an innovative, enriching environment and take great pride in their career growth.
OdysseyRe is rated A+ (Superior) by AM Best and AA- (Very Strong) by Standard and Poor’s. Odyssey Group is a subsidiary of Fairfax Financial Holdings Limited, which is traded on the Toronto Stock Exchange under the symbol FFH.
Lead Engineer – Secure VPN & Zero Trust
Odyssey Group Holdings, Inc., and its subsidiaries, collectively referred to as Odyssey Group, is one of the world’s leading providers of reinsurance and specialty insurance, encompassing three distinct yet complementary operating platforms supported by six divisions, 37 business units and a network of more than 30 offices. Odyssey Group is a subsidiary of Fairfax Financial Holdings Limited, a holding company with $92.0 billion in total assets and $27.7 billion in total equity. We are a financially strong and cohesive global enterprise, locally responsive and built on a unified management and underwriting culture.
Position Summary
The Lead Engineer is a senior technical leader responsible for modernizing Odyssey’s global secure‑access architecture, from legacy perimeter‑based VPN/VDI to a fully application‑centric Zero Trust Network Access (ZTNA) model. This role is both strategic and hands‑on, requiring expertise in architecture, design, implementation, configuration, and troubleshooting across cloud and on‑prem environments.
You will own the engineering lifecycle end‑to‑end: building architecture diagrams, leading solution design workshops, implementing ZTNA and VPN configurations, writing infrastructure‑as-code, deploying secure connectivity patterns, and validating end‑user experience.
Key Responsibilities
Zero Trust Architecture & Design
- Lead the transition from legacy VDI/Citrix access to per‑application ZTNA, including hands‑on buildout of access policies, identity‑based segmentation, and app‑level routing.
- Produce high‑fidelity architecture diagrams (Visio, Draw.io, Lucidchart) representing application flows, identity boundaries, private endpoints, and ZTNA enforcement points.
- Document threat models and convert them into implementable, measurable technical controls.
- Design and maintain Conditional Access policies tied to device posture, risk signals, and session context.
Customer Experience & Hands-On Secure Connectivity Engineering
- Develop and maintain deep awareness of customer connectivity patterns to ensure a seamless and secure remote-work experience.
- Leverage advanced telemetry, monitoring, and behavioral insights to proactively detect performance issues impacting customers and internal business teams.
- Partner directly with business stakeholders to understand functional needs, application workflows, and friction points experienced during remote access.
- Develop and maintain deep awareness of remote application connectivity patterns to ensure a seamless and secure remote work experience.
- Monitor and optimize application performance over VPN and ZTNA, leveraging telemetry and behavioral insights to detect latency, packet loss, or degraded user experience.
- Translate customer-driven feedback into actionable engineering improvements across ZTNA, VPN, Conditional Access, and Azure networking architectures.
- Drive rapid incident resolution by correlating real-time signals with user-reported symptoms, ensuring clear communication and minimal business disruption.
- Continuously improve the end-user experience by aligning secure access strategies with how customers and employees actually work, prioritizing reliability, performance, and clarity of support.
- Configure, optimize, and maintain secure VPN services across device platforms, including Intune‑delivered VPN and certificate‑based auth.
- Implement ZTNA clients, connectors, private access gateways, and per‑application routing rules.
- Integrate VPN and ZTNA solutions into SASE/SSE architectures (Netskope NPA, Azure ZTNA, etc.).
- Perform device posture validation testing, packet captures, certificate validation, and endpoint‑to‑app connectivity testing.
Secure VPN & Remote Connectivity
- Architect and maintain secure VPN services across all device types with Intune‑based configuration and compliance integration.
- Evolve VPN usage toward ZTNA‑first patterns, reducing dependency on full‑tunnel, network‑level trust.
- Architect and maintain secure VPN services across all device types by implementing policy-driven controls for both managed and unmanaged devices.
Implementation, Configuration & Automation
- Develop infrastructure‑as‑code (IaC) modules using Terraform/Bicep and automate configuration drift management.
- Create PowerShell (Az/Graph) scripts to automate network configuration, access rule deployment, and policy auditing.
- Configure monitoring, telemetry, and alerting within Azure Monitor, Defender for Cloud, and custom event pipelines.
Operational Execution & Troubleshooting
- Lead root‑cause analysis for network and remote‑access issues—packet‑level debugging, ZTNA connector analysis, identity‑auth flow tracing, DNS deep‑dives, etc.
- Execute controlled rollout plans, pilot deployments, and user‑experience validation for new Zero Trust components.
- Maintain configuration standards, documentation, runbooks, and engineering SOPs.
Azure & Hybrid Network Engineering
- Engineer and deploy Azure networking components—VNet design, routing, private endpoints, NSGs, firewall rules—to enforce Zero Trust policies.
- Implement secure hybrid connectivity patterns (ExpressRoute, VPN gateways, identity‑based routing).
- Build application landing zone networking aligned with corporate Cloud, InfoSec, and Compliance standards.
Security Engineering & Enforcement
- Implement advanced DLP, CASB, and session‑based inspection for remote work paths.
- Translate threat‑modeling outputs into enforceable, measurable controls to strengthen network security posture.
Automation & Observability
- Lead automation of network deployments, configuration drift control, and policy changes via PowerShell (Az/Graph), Terraform/Bicep, Azure Automation, or Functions.
- Enhance monitoring, telemetry, and alerting across Azure Monitor, Defender, and custom integrations.
Cross‑Functional Leadership
- Act as the technical authority for secure access—partnering closely with Cloud Engineering, InfoSec, Compliance, Endpoint Engineering, and Infrastructure.
- Lead design workshops, architecture reviews, and peer engineering sessions to ensure consistent, governed ZT adoption.
Required Qualifications
- 5–8+ years in network engineering, including secure VPN, identity‑centric access, and Azure networking.
- Proven hands‑on experience building, diagramming, and implementing enterprise network architectures.
- Deep expertise with ZTNA concepts, Conditional Access, and authentication (Entra ID/AD).
- Strong understanding of routing, segmentation, DNS, secure tunnels, and private endpoints.
Preferred Qualifications
- Experience with Netskope NPA or equivalent ZTNA platforms.
- Proficiency with CI/CD or DevOps automation practices.
- Experience in regulated or highly secure environments.
- Certifications or education in networking, cloud security, or modern identity platforms (Azure‑focused preferred).
Success Measures
- ZTNA adoption and measurable reductions in legacy VPN/VDI dependency.
- Automated, auditable secure‑access changes with minimized manual operations.
- Strong telemetry and policy compliance across access channels.
We are an E-Verify employer - all hired positions require successfully passing an E-Verify Check.
Nearest Major Market: Bridgeport
Nearest Secondary Market: Danbury