Senior Cloud Security Infrastructure Engineer
SITA
- London
- Permanent
- Full-time
- Work with security and infrastructure architects in the secure design of SITA networks and infrastructure.
- Work with scrum teams to support agile delivery of new infrastructure incorporating security and privacy by design.
- Create / review Infrastructure as Code to meet SITA, regulatory and market security requirements and best practices to be deployed via CI/CD pipelines.
- Support DevSecOps initiatives to shift left in the detection and remediation of security vulnerabilities and defects.
- Work closely with the SITA Enterprise Information Security Office (EISO) to evolve security guidance and guardrails around infrastructure development and build following a risk based approach.
- Develop new network and infrastructure security controls and tooling including threat detection, vulnerability management, encryption, identity & access management etc.
- Assess emerging security technologies.
- Provide improvement suggestions regarding the security, usability, performance, maintainability, and scalability of existing infrastructure.
- Provide reports and presentations to key stakeholders including management, business partners, regulators and auditors.
- Contribute to the security maturity of SITA through production of documentation, knowledge transfer and conducting training sessions.
- Assist in responding to security issues and incidents as a Subject Matter Expert.
- Facilitate discussions with Engineering and Development teams, while having ability to guide and persuade in reaching decisions to achieve optimal security and business outcomes.
- 5+ years in an IT engineering or architecture capacity with at least 2 years in a security related field.
- 3+ years experience working in Public Cloud (Azure or AWS with preference on Azure) environments; experience with private / hybrid cloud an advantage.
- Knowledge and experience with automation and deploying infrastructure as Code via CI/CD pipelines a must (Ansible, Terraform, Azure DevOps, GitHub).
- Practical experience of virtualization (VMWare) and containerization (Docker, Kubernetes, Rancher etc.)
- Advanced experience in coding/scripting via Python, Bash, Powershell/PowerCLI for generating test artefacts (users, certificates, signatures, etc)
- Understanding of Linux and Windows administration and configuration (RedHat and Microsoft certifications an advantage) including hardening against CIS Benchmarks & CIS-CAT scanning.
- Understanding of core networking technologies including routing, switching, wi-fi, load balancing, DNS, IPv6 etc. (Cisco or Juniper certifications an advantage)
- Practical experience with network security technologies including firewalls, proxies, secure web gateways, Web Application Firewalls, DDoS protection (certifications in Palo Alto, Fortinet, Cisco, Juniper, Cloudflare security products an advantage)
- Practical experience of deployment and use of vulnerability scanners (e.g. Nessus, Qualys) and vulnerability management including assessments and remediation.
- Proven knowledge and experience of storage technologies, encryption at rest, encryption in transit, secrets and key management, PKI etc.
- Practical experience in trust arrangements and technologies which include identity providers (Active Directory, Azure AD) modern authentication methods (OIDC, SAML), claims/identity mapping across trust domains, federation topologies, token encryption signing, and managed identities for cloud principals (experience with vendors such as Okta, Ping, ForgeRock an advantage).
- Experience with Privileged Access Management / Privileged Identity Management an advantage.
- Understanding of common security frameworks (ISO27001, NIST800-53, CIS, CSA CSM)
- Experience of participating in security audits, tabletop exercises and red teaming an advantage.
- Excellent communication skills and ability to present to all levels of technical / non-technical team members
- Excellent team player with ability to communicate and work with cross functional teams
- Certifications with CISSP, CISM, or CKS desired
- Bachelors degree in Information Security or related field