Cloud Security Engineer

About The Position

Requirements

• A minimum of ten years of IS experience, with five years of hands-on cloud security engineering with Azure, AWS and/or GCP.
• A bachelor's degree in information systems or equivalent work experience; an M.B.A. or M.S. in information security is preferred.
• Active Certifications Required (3 or more - CISSP, CCSP, GIAC (i.e., GCSA, GCLD, GCAD, GCPN, GPCS, GCTD), CKS, CCAK, Security+.)
• Subject matter expert knowledge in encryption, KMS/Key Vault concepts, secrets management, identity federation (SAML/OIDC/OAuth2), and modern access controls.
• Hands‑on experience securing both Azure and AWS in production, including IAM, networking, storage, and monitoring across multiple accounts/subscriptions.
• Experience designing immutable logging and integrating cloud telemetry with SIEM/SOAR; skillful at alert tuning to reduce noise and surface true risk.
• Subject matter expert knowledge in Infrastructure-as-Code and CI/CD security.
• Proficiency reviewing IaC for security issues and implementing policy‑as‑code guardrails; strong understanding of secure provisioning patterns and drift control.
• Subject matter expert knowledge of Kubernetes and API security
• Subject Matter Expert level knowledge of security tools, trends, methodologies and best practices for securing platforms and operating systems at the server, client and network level.
• Ability to script and automate with Python and/or PowerShell, use cloud CLIs/SDKs, and work with APIs/webhooks for integrations and workflows.
• Motivated self-starter who has a track record of taking ownership of information security challenges and driving them to resolution.
• Must be able to thrive in a fast-paced, rapidly evolving security department/environment with varying priorities, while interacting with other departments.
• Thorough and current understanding of a wide range of threat vectors and their potential exploits against current corporate controls and cloud specific attacks.
• Strong knowledge of industry frameworks related to information security (e.g. ISO 27000, NIST CSF, HIPAA Security, CIS Benchmarks, etc.).
• Ability to implement/enforce industry frameworks using cloud native services and automation.
• Maintain an expert knowledge of InfoSec industry trends and developments and advise on changes to the threat landscape.
• Knowledge of cloud networking, network infrastructure, including routers, switches, firewalls, and the associated network protocols and concepts.
• Excellent interpersonal, verbal and written communication, and organizational skills.
• Clear, concise communicator with the ability to produce standards, runbooks, diagrams, and executive‑level reporting.
• Experience supporting 24×7 incident response, including participation in major incident/problem calls.
• Maintains work effort status within SLA’s on Brown University Health’s Service Desk and Task Management Platforms.

Nice To Haves

• A bachelor's degree in information systems or equivalent work experience; an M.B.A. or M.S. in information security is preferred.

Responsibilities

• Own and improve cloud security posture across a multi-cloud environment (Azure, AWS and/or GCP).
• Establish, document and enforce secure guardrails and baselines aligned to CIS Benchmarks and NIST CSF 2.0
• Operate and tune our cloud security posture / CNAPP platform (agentless discovery, misconfiguration/vulnerability/identity risk analysis), drive prioritized remediation with responsible parties.
• Review and advise on policy-as-code and infrastructure-as-code (IaC) security checks across pre-commit, CI/CD, and pre-deployment gates.
• Conduct security design reviews of IaC to identify and recommend fixes for misconfigurations before provisioning.
• Design and advise on least‑privilege access models (roles, conditional access policies, break‑glass, service principals), secrets management, key management, and encryption (at rest, in transit, and in use where applicable).
• Design secure network architecture: VPC/VNet design, private connectivity/peering, egress controls, segmentation, and zero‑trust‑oriented access to cloud services.
• Centralize logging/telemetry (activity, audit, identity, network, and data access) and integrate with SIEM/SOAR for alerting, correlation, and automated response.
• Design and document data security controls across object storage, databases, and analytics services (classification, access boundaries, tokenization/format‑preserving encryption, key rotation, and auditing).
• Perform periodic control assessments and gap analyses against CIS Benchmarks and NIST CSF 2.0.
• Publish metrics/KPIs and risk treatment plans for leadership.
• Automate routine security tasks and remediations using scripting and APIs (e.g., Python, PowerShell, serverless functions, workflow automation).
• Partner with IT/Cloud Platform teams to maintain hardened images, patching, and vulnerability management for cloud workloads (VMs, managed services; containers, etc.).
• Partner with Security Operations to translate cloud attack paths into detections (control-plane logs, API activity, network flow, workload telemetry) and tune SIEM/SOAR playbooks.
• Secure SaaS integrations with cloud accounts (SSO, SCIM/JIT, conditional access, least‑privilege service integrations) and third‑party connectivity.
• Identify, document and report any deviations from policy / standards, recommend corrective actions, and review security policies and control documentation to align with current practices.
• Ensure least-privilege and MFA with Azure AD (Entra ID), AWS IAM, and workload federation are enforced.
• Develop standards, policies, procedures and tabletop exercise scenarios.
• Review and recommend updates to security policies, procedures, and control documentation to ensure they reflect current security best practices and regulatory requirements.
• Monitor emerging threats, vulnerabilities, and industry best practices to ensure security controls remain effective and aligned with the evolving threat landscape.
• Research and assists in the piloting and evaluation of new tools, technologies, technical controls, and processes to support and enforce defined security policies.
• Support incident response (triage, containment, snapshot/metadata collection, forensics coordination, and post‑incident reviews) as required.
• Attend and actively contribute to team, project, project management, problem management, cloud migration and major incident conference calls as required.
• Performs other duties as assigned.