Halil Oeztoprak-Principal Cloud & DevSecOps Architect (AWS / Azure / Terraform / Kubernetes / CI-CD)

Regulated environment within a German banking group (approx. 8,500 employees, hybrid cloud strategy).

Responsible for operating, provisioning, and continuously securing business-critical platforms – including a GenAI chat application, a big data/AI platform, and data science workspaces based on Azure Virtual Desktops and VMs. Ownership of Azure DevOps projects for ShaiHulud and React2Shell, as well as BSI alerts – Security Operations improvements across the SDLC.

Deployment responsibility for the GenAI chat application, big data/AI platform (BDAI), and data science workspaces (AVD/VM-based) in the respective landing zones.

Deployment & release management: end-to-end responsibility for deploying portal and service applications across multiple Azure landing zones, including technical approvals, compliance with development team deployment guidelines, and ensuring ITIL-based change and release processes via ServiceNow.

Azure landing zones & network architecture: design, provisioning, and operation of Azure landing zones for 3-tier web applications with enhanced network segmentation, VNet peering, hub-and-spoke architectures, private endpoints, and firewall integration across separate subscriptions and tenants.

Azure DevOps governance & operations: ownership of the Azure DevOps organization, including projects, repositories, and CI/CD pipelines; implementation of governance requirements such as branch policies, approval gates, permission models, and audit-ready operating structures.

Infrastructure as Code (Terraform): design, implementation, and operation of a modular Terraform architecture for standardized cloud infrastructure deployment, including state management, provider versioning, reusability, and policy-as-code approaches.

CI/CD pipeline engineering: design, operation, and optimization of complex YAML-based CI/CD pipelines with multi-stage deployments, template standardization, self-hosted agents, integrated secret management, and automated quality and security checks.

Git migration & platform consolidation: planning and execution of repository and pipeline migration from Azure DevOps to GitLab CI/CD, including automated scripts, full Git history transfer, pipeline porting, and platform consolidation.

Container & platform operations (AKS): operation and security assessment of containerized workloads on Azure Kubernetes Service, centralization of on-premises container registries for ACR.

OpenShift (OCP) security reviews: security assessment of code baselines, build pipelines, and deployment processes for on-premises OpenShift clusters with critical applications, and derivation of specific hardening recommendations.

Shift-left security & DevSecOps transformation: introduction of a company-wide shift-left approach for early security integration in development and deployment processes, enabling developers to perform self-led security checks and sustainably reduce vulnerabilities before production (IDE integrations, pre-commit hooks, local scanners).

Software supply chain security: analysis and mitigation of supply chain risks in NPM- and Yarn-based applications through dependency audits, CI/CD pipeline hardening, token rotation, and restriction of risky build and lifecycle mechanisms.

Frontend & framework security (React / Next.js): security assessment and coordination of critical vulnerability remediation across platform applications and web frameworks, including coordination and complementary technical mitigations with all teams following BSI alerts.

Software composition analysis (SCA): introduction and operation of automated vulnerability scans for container images, pipelines/artifacts, and third-party dependencies, including SBOM exports within CI/CD pipelines.

SAST/DAST integration: design and piloting of static and dynamic application security tests in close collaboration with security architecture and development teams, for continuous improvement of code and runtime security, and establishing operational acceptance tests.

Artifact & registry consolidation: analysis and consolidation of all package and container repositories for service applications and AKS workloads, aiming for a centralized, secured registry strategy with centralized vulnerability scanning and governance.

Dependency-Track & SBOM strategy: advising the compliance board on introducing a central SBOM and vulnerability management platform to increase enterprise-wide dependency transparency and accelerate CVE response capability.

CI/CD pipeline hardening: security analysis and cleanup of the existing pipeline landscape by removing unused pipelines, improving secrets hygiene, implementing least-privilege principles, and isolating build agent environments.

Azure Web Application Firewall (WAF) optimization: analysis and tuning of existing Azure WAF rules (OWASP Top 10 Core Rule Set, DSR/SDC, custom rules) to defend against known vulnerabilities and exploit patterns, including reducing false positives and improving threat detection.

Documentation & stakeholder communication: creating and maintaining technical documentation, runbooks, and architecture overviews in Jira and Confluence, as well as active knowledge transfer between operations, development, security, and compliance stakeholders.

2,500 workloads for over 17,000 employees worldwide.

Multi-account AWS landing zone, multi-stage Kubernetes cluster deployment with Amazon EKS, ECS, and AWS Fargate, hybrid networking with global IP Address Management (IPAM) and WAN, using Transit Gateways and Palo Alto Firewalls (Pan-OS) across six operational cloud regions.

Service ownership of AWS cloud landing zones, including operation, continuous improvement, and ensuring compliance with corporate standards and governance for all subsidiaries.

Conducted security and compliance analyses (DevSecOps) and mapped findings to frameworks like NIST, ISO 27001, and PCI DSS.

Performed AWS Well-Architected Reviews to evaluate and optimize existing multi-account landing zone architectures.

Centralized and consolidated multiple AWS landing zones and built a global network architecture to Azure Prisma Hub.

Operated and optimized incident, change, and problem management processes via ServiceNow for AWS global networking / Azure Global WAN.

Analyzed, optimized, and migrated DaaS workloads (desktop-as-a-service), comparing and transitioning from Nutanix Frame and AWS WorkSpaces Classic to AWS WorkSpaces Pools.

Tuned storage performance and throughput optimization for Amazon FSx for Windows File Server.

Introduced and operated a centralized firewall and traffic inspection setup with Palo Alto Networks (PAN-OS).

Designed and implemented a fully automated AWS landing zone solution with built-in security and compliance mechanisms.

Built and maintained IaC pipelines using Azure DevOps for repeatable, secure deployments including security gates.

Rolled out global AWS WorkSpaces Pools for over 500 CAD/engineering end users, including enablement and architecture optimization.

Implemented staging environments for Kubernetes workloads, including separation of dev/test/prod and access control.

Integrated Dependency-Track for SBOM analysis and implemented additional security services such as AWS Inspector, GuardDuty, and Security Hub.

Connected the AWS environment to external SOC providers, including SIEM integration.

Onboarded the new landing zone into the CSPM tool (SentinelOne Singularity Cloud Platform), including continuous security posture management.

Documentation, quality assurance, and knowledge transfer to internal engineering and security teams.

Various clients across industries, supporting 1,500+ EUC users and five main applications, including infrastructure migrations.

AWS MSP, multi-account AWS landing zone, multi-tenant AppStream 2.0 fleets, and Amazon WorkSpaces Classic deployment with Terraform and AFT.

Configured multiple AWS multi-account landing zones, including workload accounts and organizational units (OUs).

Implemented and managed SCPs and guardrails in AWS Control Tower and AWS Organizations, including regional usage restrictions and establishing an account security and compliance concept following AWS best practices.

Planned, configured, and automated deployment of multiple VPCs and infrastructures for AWS VDI technologies, focusing on Amazon AppStream 2.0 and Amazon WorkSpaces.

Developed, automated, and deployed images for Amazon AppStream 2.0 and AWS WorkSpaces services via Terraform and image pipelines.

Designed migration strategies and planned and executed lift-and-shift migrations of client applications and servers to AWS.

Fully automated client infrastructure and application deployment in multi-stage, multi-account setups via Terraform and CI/CD pipelines.

Configured and conducted end-to-end testing for multi-user streaming via AppStream 2.0, including autoscaling and fleet management.

Created and deployed standardized Amazon WorkSpaces setups, including Active Directory domain join and standard GPOs.

Integrated AWS WorkSpaces services with Microsoft Active Directory workloads and identity providers for user synchronization, including single sign-on via SCIM.

Implemented Azure Active Directory synchronization for Microsoft 365 and Entra ID using Entra ID Connect.

Configured CloudWatch monitoring and enabled application monitoring for client applications.

Set up centralized backup management with AWS Backup service for various client organizations.

Advising on the planning, architecture, and full implementation of a scalable Windows Virtual Desktop environment for 500+ users.

Building and configuring host pools (pooled & personal) with automated user assignment and load balancing according to the Azure Well-Architected Framework.

Developing and operating a fully automated image pipeline (Golden Image build & deployment) with Azure Image Builder – including regular updates, security hardening, and integration of CAD applications.

Implementing App Attach (MSIX/App Attach) for dynamic application delivery: packaging, storage integration (Azure Files), assignment, and lifecycle management for different user groups in Entra ID.

Integrating FSLogix for user profile management (Azure Files) to ensure high-performance, persistent user profiles with GPO enforcement.

Implementing monitoring & logging (Azure Monitor, Log Analytics workspace) for proactive troubleshooting and capacity planning.

Automating scaling and maintenance processes for session hosts (start VM on connect, scheduled agent updates, autoscaling).

Implementing Conditional Access policies and multi-factor authentication for secure remote access to the AVD desktops.

Creating operational documentation, runbooks, and handing over to IT operations.

1,250+ workloads and over 5,500 users worldwide.

Providing comprehensive consulting and support to the client during the AWS cloud migration preparation phase.

Conducting detailed assessments for around 250+ Linux servers and over 50 Linux applications.

Introducing Red Hat Satellite for efficient patch management of Red Hat and CentOS servers.

Modernizing the Linux servers with minor and major release changes to prepare for cloud requirements.

Conducting AWS Migration Readiness Assessments (MRA) for resources, tools, and workforce skills.

Installing AWS discovery and inventory tools to analyze application dependencies.

Creating comprehensive documentation of the Linux system landscape as a basis for cloud rehosting.

Healthcare insurance environment, Citrix infrastructure backend services, IGEL thin clients for BARMER.

Initiation and planning of the migration project for Citrix infrastructure outsourcing.

Design and technical implementation of migration paths for the existing Citrix infrastructure.

Development of a new Citrix back-end for future operations.

Identification and implementation of migration strategies for user profiles and software packages.

Design of a new Active Directory group structure, including naming conventions.

Securing the migration process by identifying critical configurations like Citrix UPM and GPOs.

Coordinating and managing external service providers during the transition.

2nd and 3rd level support for Citrix remote workspaces.

Implementation and rollout of Windows 10 clients using Baramundi.

Interim management of the Exchange server.

Software packaging and endpoint management.

Mobile device management via MobileIron/MobilePASS.

Quality management and documentation.

Over 500 workloads, virtualization of physical and virtual servers.

Execution of P2V (Physical to Virtual) virtualization of physical servers with VMware.

V2V (Virtual to Virtual) conversion of KVM/QEMU server systems into VMware vCenter.

Coordination and scheduling for virtualization processes.

Virtualization of RedHat, SLES, and Microsoft Windows servers.

Integration of the virtualized systems into the central data center.

Implementation of service and process monitoring as well as quality assurance of migration processes.

Designed and implemented an IAM environment with Microsoft Identity Manager (MIM).

Developed attribute flows and synchronization rules for Active Directory user objects.

Set up and secured the perimeter network (DMZ), including a reverse proxy.

Integrated and tested IAM tools for single sign-on (SSO) applications.

Configured the SSO identity provider and integrated it with Active Directory Federation Services (ADFS).

Managed two data centers with over 2000 server systems and various network components.

Developed a monitoring system architecture based on Nagios.

Implemented the Nagios master server and configured the platform.

Successfully migrated from Nagios to Check_MK OMD (Open Monitoring Distribution).

Integrated AIX, Linux, and Windows servers into the monitoring system.

Mapped service dependencies and prioritized business-critical applications.

Monitored systems via SNMP and WMI, including alert configuration.

Integrated monitoring results into the ticket system (Omnitracker).

Providing 1st and 2nd level support for end users.

Administering and maintaining Microsoft Small Business Server for multiple clients.

Diagnosing and fixing issues in real time to ensure smooth operations.

Coordinating support tasks while meeting SLAs and KPIs.