OpenText · IAM Engineer · Bengaluru, India
// privacy-first security engineering

Trust-minimized
security systems.

Self-hosted infrastructure. Threat-model driven decisions. Identity and access management. Operational resilience without trusting what you don't control.

Senior Technical Support Specialist at OpenText, specialising in NetIQ IDM, eDirectory, and NAM. I troubleshoot what others escalate.

// operating principles
01

Default-Deny Thinking

Security begins with reducing trust assumptions. What you don't allow can't be exploited.

02

Privacy by Design

Convenience is evaluated against exposure. Data you don't collect can't be breached.

03

Own Critical Infrastructure

Self-host where trust matters. Infrastructure you control is infrastructure you understand.

04

Threat Model Everything

Security decisions require context and tradeoffs. Without a threat model, you're guessing.

05

Practical Security

Operational reality over theoretical purity. The best security is the security that actually runs.

// self-hosted infrastructure
Ente Photos · Privacy

End-to-end encrypted photo backup. Self-hosted with local object storage. No vendor access to media. No telemetry. No cloud inference.

vendor access: zero
Immich Photos · Intelligence

Self-hosted photo management with on-device ML for face recognition and search. Runs locally — no Google Photos, no model training on personal data.

inference: local only
Open WebUI AI · Privacy

Local LLM inference interface. Queries never leave the machine. Cloud AI is a data collection contract. Local compute eliminates that exposure.

queries: never transmitted
MinIO Storage

S3-compatible object storage, self-hosted. Backing critical services without cloud dependency. Storage you own means data you control.

s3-compatible · local
Cloudflare Tunnel Networking · Zero-Trust

Secure external access without exposing home IP or opening inbound ports. Zero-trust network perimeter. Attack surface reduced to the tunnel endpoint.

inbound ports: zero
Uptime Kuma Monitoring

Self-hosted service health monitoring. Visibility into the stack without sending metrics to a SaaS platform. Own your observability.

metrics: self-hosted
// architecture decisions
Photo Storage Cloud → Self-hosted
Decision
Self-host with Ente (E2E encrypted) + Immich (local ML), backed by MinIO object storage.
Threat Model
Cloud photo providers have plaintext access to media, train models on personal photos, and carry unclear regulatory jurisdiction.
Tradeoff
Full operational burden: maintenance, patching, and backup responsibility falls on the operator.
Mitigation
Automated backups, versioned storage with MinIO, E2E encryption as a second trust layer.
AI Inference Cloud LLMs → Local
Decision
Local LLM inference via Open WebUI. Prompts and context processed entirely on local hardware.
Threat Model
Prompts sent to cloud LLMs expose private context to vendors. Data used for training. No deletion guarantee. IP and behavioral profiling.
Tradeoff
Reduced capability versus frontier cloud models. Hardware constraints bound inference quality.
Mitigation
Task-specific model selection. Quantized models balance capability vs. compute. Clear offline/online task routing.
Network Exposure Port Forwarding → Tunnel
Decision
Cloudflare Tunnel for external service access. No inbound ports open. Home IP never exposed.
Threat Model
Direct port forwarding exposes home IP, enables port scanning, increases attack surface on residential infrastructure.
Tradeoff
Traffic transits Cloudflare edge nodes. Introduces a dependency on an external intermediary.
Mitigation
End-to-end encryption for all services. Minimal exposure set. Access log review. Vendor concentration acknowledged.
// certifications & tech stack
Certifications
CEH — EC-Council CCNA PG Cyber Security — Simplilearn Agent Assist & Gen AI — Google Build AI Agents — Google
IAM Stack
NetIQ IDM eDirectory NetIQ Access Manager OpenText IAM Azure Entra ID AWS IAM Active Directory Microsoft SQL Server
Infrastructure & OS
RHEL SUSE Linux Windows Server Docker MinIO PostgreSQL
Security
Penetration Testing Threat Modeling Wireshark Nmap Metasploit Burp Suite OSINT
// work experience
Senior Technical Support Specialist · IAM · Identity & Access Management Present · 10+ yrs
OpenText — Bengaluru, Karnataka, India

Specialising in NetIQ IDM, eDirectory, and NetIQ Access Manager (NAM) on the OpenText stack. Scope covers IDM upgrade failures, eDirectory certificate chain issues, User Application (UA) performance bottlenecks, and workflow design & provisioning logic — across RHEL, SUSE, and Windows Server environments.

Disproportionate value added through lab engineering: full-stack reproduction environments integrating Active Directory, Microsoft SQL Server, Azure Entra ID, and AWS IAM — isolating root causes before they become R&D handoffs.

NetIQ IDM eDirectory NAM Azure Entra ID AWS IAM RHEL SUSE Active Directory Lab Engineering
// about

Senior Technical Support Specialist with 10+ years of experience, the last year deep in Identity and Access Management — NetIQ IDM, eDirectory, and NAM on the OpenText stack.

I troubleshoot what others escalate.

Outside of work: building a self-hosted infrastructure stack with a privacy-first, trust-minimized approach — self-hosted photo storage, local AI inference, zero-trust networking. CEH-certified. TryHackMe Level 8. Advent of Cyber 2024 completed.

This site documents decisions, tradeoffs, and writeups. Not a portfolio. A working log.