Trust-minimized
security systems.
Self-hosted infrastructure. Threat-model driven decisions.
Identity and access management. Operational resilience without trusting
what you don't control.
Senior Technical Support Specialist at OpenText,
specialising in NetIQ IDM, eDirectory, and NAM.
I troubleshoot what others escalate.
Default-Deny Thinking
Security begins with reducing trust assumptions. What you don't allow can't be exploited.
Privacy by Design
Convenience is evaluated against exposure. Data you don't collect can't be breached.
Own Critical Infrastructure
Self-host where trust matters. Infrastructure you control is infrastructure you understand.
Threat Model Everything
Security decisions require context and tradeoffs. Without a threat model, you're guessing.
Practical Security
Operational reality over theoretical purity. The best security is the security that actually runs.
End-to-end encrypted photo backup. Self-hosted with local object storage. No vendor access to media. No telemetry. No cloud inference.
Self-hosted photo management with on-device ML for face recognition and search. Runs locally — no Google Photos, no model training on personal data.
Local LLM inference interface. Queries never leave the machine. Cloud AI is a data collection contract. Local compute eliminates that exposure.
S3-compatible object storage, self-hosted. Backing critical services without cloud dependency. Storage you own means data you control.
Secure external access without exposing home IP or opening inbound ports. Zero-trust network perimeter. Attack surface reduced to the tunnel endpoint.
Self-hosted service health monitoring. Visibility into the stack without sending metrics to a SaaS platform. Own your observability.
- Decision
- Self-host with Ente (E2E encrypted) + Immich (local ML), backed by MinIO object storage.
- Threat Model
- Cloud photo providers have plaintext access to media, train models on personal photos, and carry unclear regulatory jurisdiction.
- Tradeoff
- Full operational burden: maintenance, patching, and backup responsibility falls on the operator.
- Mitigation
- Automated backups, versioned storage with MinIO, E2E encryption as a second trust layer.
- Decision
- Local LLM inference via Open WebUI. Prompts and context processed entirely on local hardware.
- Threat Model
- Prompts sent to cloud LLMs expose private context to vendors. Data used for training. No deletion guarantee. IP and behavioral profiling.
- Tradeoff
- Reduced capability versus frontier cloud models. Hardware constraints bound inference quality.
- Mitigation
- Task-specific model selection. Quantized models balance capability vs. compute. Clear offline/online task routing.
- Decision
- Cloudflare Tunnel for external service access. No inbound ports open. Home IP never exposed.
- Threat Model
- Direct port forwarding exposes home IP, enables port scanning, increases attack surface on residential infrastructure.
- Tradeoff
- Traffic transits Cloudflare edge nodes. Introduces a dependency on an external intermediary.
- Mitigation
- End-to-end encryption for all services. Minimal exposure set. Access log review. Vendor concentration acknowledged.
Specialising in NetIQ IDM, eDirectory, and NetIQ Access Manager (NAM) on the OpenText stack. Scope covers IDM upgrade failures, eDirectory certificate chain issues, User Application (UA) performance bottlenecks, and workflow design & provisioning logic — across RHEL, SUSE, and Windows Server environments.
Disproportionate value added through lab engineering: full-stack reproduction environments integrating Active Directory, Microsoft SQL Server, Azure Entra ID, and AWS IAM — isolating root causes before they become R&D handoffs.
Senior Technical Support Specialist with 10+ years of experience, the last year deep in Identity and Access Management — NetIQ IDM, eDirectory, and NAM on the OpenText stack.
I troubleshoot what others escalate.
Outside of work: building a self-hosted infrastructure stack with a privacy-first, trust-minimized approach — self-hosted photo storage, local AI inference, zero-trust networking. CEH-certified. TryHackMe Level 8. Advent of Cyber 2024 completed.
This site documents decisions, tradeoffs, and writeups. Not a portfolio. A working log.