GCP Cloud Security Engineer/Architect (Retail & Compliance)

Remote US
Long Term
Contract

GC/Citizens

GCP Cloud Security Engineer/Architect to lead the design, implementation, and governance of a large American retail brand's new Google Cloud Platform (GCP) landing zone. As a key player in the consumer retail space, their primary mission is to build a secure-by-default environment that protects customer data, ensures compliance with PCI DSS, and is hardened against security incidents.

You will be the lead subject matter expert for all cloud security matters, responsible for translating their guiding principles into enforceable, automated policies. This is a hands-on role for an expert who can move their security posture from "monitoring" to "fully enforced" and ensure their cloud foundation meets the highest standards of security and compliance.

A great candidate is someone with strong, hands-on expertise in these areas, who can design, implement, and operate secure Google Cloud systems at scale.

Key Responsibilities

Security Design & Governance

• Develop and maintain a comprehensive Technical Security Design document for the GCP security framework, ensuring it aligns with the existing OCI/OSHI standards.
• Design, implement, and document security controls to meet and maintain PCI DSS compliance within the GCP environment, preparing for and facilitating audits.
• Translate high-level security principles into detailed, enforceable Organization Policies and governance standards.
• Drive the full adoption and operationalization of Google Security Command Center (SCC) Premium for continuous posture management, threat detection, and compliance reporting.

Network & Infrastructure Security

• Conduct a deep-dive review of all foundational infrastructure, including VPCs, private interconnects, and ingress/egress traffic patterns.
• Design and implement a hardened VPC Service Controls (VPCSC) perimeter, moving from the current monitoring mode to a fully enforced posture to protect the Cardholder Data Environment (CDE) and other sensitive data.
• Lead the migration from legacy GCP firewall rules to modern, centralized GCP firewall policies, ensuring strict enforcement and proper segmentation (especially for CDE isolation).
• Design and configure security solutions for e-commerce web applications and APIs using Cloud Armor.
• Validate and optimize security service SKU selections to ensure maximum value and protection.

Identity & Access Management (IAM)

• Serve as the lead technical expert for all GCP IAM strategy and implementation, with a focus on least-privilege access to sensitive consumer data.
• Design and enforce granular Organization Policies to restrict high-risk permissions (e.g., denying firewall modifications or public IP creation).
• Implement time-bound access and privileged access management (PAM) solutions for elevated permissions, especially for systems within the CDE scope.
• Architect and execute the transition from service account keys to a keyless/credential-less model using Workload Identity Federation between Azure AD and GCP.
• Design and implement a best-practice RBAC model for Google Secrets Manager.
• Establish comprehensive logging and alerting for all critical identity, access, and permissions-related events, per PCI DSS requirements.

Automation & DevSecOps

• Perform a security-focused review of the Terraform automation and GitHub Actions CI/CD pipelines.
• Implement DevSecOps best practices to harden pipelines, manage access controls, improve error handling, and minimize the blast radius of deployments, ensuring compliance is built into the pipeline.
• Establish security-focused housekeeping and hygiene plans for pipeline maintenance, API versioning, and credential management.
• Provide expert guidance on the security implications of migrating from Azure ARM/Jenkins to Terraform/GitHub Actions.

Qualifications & Skills: Required (Must-Have)

• 8+ years of experience in a senior cloud security or cloud architect role.
• Google Cloud Certified: Professional Cloud Security Engineer or Professional Cloud Architect.
• Deep, hands-on expertise with core GCP security services: GCP IAM, VPC Service Controls, GCP Firewall Policies, Organization Policies, and Security Command Center (SCC) Premium.
• Demonstrable experience designing, implementing, and auditing controls for regulatory compliance frameworks, specifically PCI DSS, within a major cloud provider (GCP preferred).
• Proven experience designing and implementing Workload Identity Federation, specifically for federating identities from Azure AD.
• Strong understanding of Terraform (IaC) and CI/CD pipelines (e.g., GitHub Actions, Jenkins) from a security (DevSecOps) perspective.
• Expertise in cloud-native network security, including CDE segmentation, VPC design, private interconnects, and WAFs (Cloud Armor).
• Demonstrated ability to create high-quality TDDs and security policy documentation for compliance and audit purposes.

Preferred (Nice-to-Have)

• Experience in multi-cloud environments, especially with Azure security (Azure AD, ARM).
• Familiarity with other consumer data privacy regulations (e.g., CCPA/CPRA, GDPR).
• Hands-on experience with Google's Privileged Access Management (PAM) solutions.

Munesh
770-838-3829
munesh@cysphere.net
munesh.reddy.us@gmail.com
CYBER SPHERE LLC
