Senior Data Security Architect

About The Position

Requirements

• Bachelor's degree in Computer Science, Information Systems, Cybersecurity, or a related field.
• 7+ years of technical and professional experience, with at least 4 years focused on data security architecture or data governance in a cloud environment.
• Proven experience implementing data security controls in regulated healthcare environments: HIPAA/HITECH compliance, PHI handling, and audit-ready evidence production.
• Strong working knowledge of SOX ITGC controls — specifically logical security, change management, user administration, and computer operations domains as they apply to data platforms.
• Hands-on experience with IAM platforms: Okta, Microsoft Entra ID (Azure AD), SailPoint, and CyberArk service account management.
• Deep knowledge of Databricks Unity Catalog security: RBAC, ABAC tag-based policies, dynamic data masking, row/column-level security, and the interaction between workspace-level and catalog-level permissions.
• Experience implementing tokenization, de-identification, pseudonymization, and encryption-at-rest/in-transit strategies for sensitive healthcare data.
• Understanding of Azure cloud security architecture: Azure Private Endpoints, VNet-level network isolation, Azure Key Vault, managed identities, and Azure RBAC.
• Experience designing security architecture for external customer-facing data products: multi-tenant access isolation, partner data sharing controls, and row-level security in BI tools (Tableau, Power BI).
• Strong ability to translate regulatory requirements into concrete, implementable platform controls — not just policy documentation.
• Excellent communication skills; ability to produce audit-quality evidence artifacts and explain security architecture to both technical teams and compliance auditors.

Nice To Haves

• SOC 2 Type II and/or FedRAMP implementation experience — specifically scoping, control mapping, and evidence production for cloud-hosted data platforms.
• Experience with healthcare data sharing and consent frameworks — including HIPAA minimum necessary standards, TPO exceptions, and patient authorization models for data use.
• Knowledge of data rights enforcement at scale: contractual data tier entitlements, data sharing agreements, and purpose-based access controls that survive schema evolution.
• Experience with FHIR-based data platforms and the security implications of interoperability standards in regulated environments.
• Familiarity with data security posture management (DSPM) tooling and cloud security posture management (CSPM) platforms.
• Experience governing de-identification mechanisms for non-production environments, including tooling evaluation and integration (e.g., Datavant, Privitar, or equivalent).
• Working knowledge of Databricks Asset Bundle deployment security: CI/CD service account scoping, environment-level permission boundaries, and change management audit trail design.
• Experience operating within complex enterprise governance structures involving corporate IT, legal, privacy, and compliance stakeholders across multiple business units.

Responsibilities

• Define and own the enterprise data security architecture across the CoverMyMeds data platform — spanning Databricks Unity Catalog, Azure Data Lake Storage, Azure Data Factory, and downstream BI/reporting layers.
• Design and implement role-based access control (RBAC), attribute-based access control (ABAC), and row/column-level security patterns across Unity Catalog, ensuring controls propagate correctly from source to Gold-layer consumption.
• Lead data rights enforcement architecture — designing entitlement models, consent-based access patterns, and contractual data tier controls that support both internal use cases and external customer data sharing.
• Architect identity and access management (IAM) patterns integrated with Okta, Microsoft Entra ID, SailPoint, and CyberArk — covering human users, service accounts, and CI/CD service principals.
• Define tokenization, de-identification, and encryption strategies for PHI/PII data across all platform layers, including selection and integration of tools such as Datavant for tokenization and Azure Key Vault for secrets management.
• Design masking architecture across non-production environments, ensuring analysts and engineers can validate pipelines against production-representative data without exposure to raw PHI/PII.
• Establish external-facing data security patterns for customer portals, partner integrations, and embedded analytics — including multi-tenant access isolation, data residency controls, and audit logging.
• Build the SOX ITGC control evidence architecture: defining how logical access reviews (SailPoint UAR), change management audit trails (CI/CD deployment logs), segregation of duties, and privileged access restrictions are documented and evidenced.
• Lead HIPAA, SOC Type II, and FedRAMP alignment across data platform controls — partnering with Legal, Compliance, and Privacy teams to ensure regulatory requirements are implemented as concrete platform controls rather than policy statements.
• Partner with Data Engineering, SRE, and DBA teams to embed security controls into pipeline development standards, CI/CD deployment gates, and platform onboarding checklists.
• Define data classification frameworks, PII/PHI tagging governance, and tag propagation standards across the medallion architecture — including accountability models for tag validation and source contract change notification.
• Evaluate and recommend security tooling decisions, including resolution of platform-level decisions such as TrustLogix versus Unity Catalog native fine-grained access control.
• Produce architecture decision records, security control matrices, and evidence artifacts consumable by internal audit teams and external auditors.

Benefits

• competitive compensation package
• annual bonus
• long-term incentive opportunities