Overview
Remote
Depends on Experience
Accepts corp to corp applications
Contract - Independent
Contract - W2
Able to Provide Sponsorship
Skills
GCP
Security
Job Details
Job Title: Google Cloud Platform Cloud Security Architect (Retail & Compliance)
Location: Remote US
Terms: Citizens
Longterm
Role Overview
We are seeking a Google Cloud Platform Cloud Security Engineer/Architect to lead the design, implementation, and
governance of a large American retail brand s new Google Cloud Platform (Google Cloud Platform) landing zone. As a
key player in the consumer retail space, their primary mission is to build a secure-by-default environment
that protects customer data, ensures compliance with PCI DSS, and is hardened against security
incidents.
You will be the lead subject matter expert for all cloud security matters, responsible for translating their
guiding principles into enforceable, automated policies. This is a hands-on role for an expert who can
move their security posture from "monitoring" to "fully enforced" and ensure their cloud foundation meets
the highest standards of security and compliance.
A great candidate is someone with strong, hands-on expertise in these areas, who can design,
implement, and operate secure google cloud systems at scale.
Key Responsibilities
Security Design & Governance
Develop and maintain a comprehensive Technical Security Design document for the Google Cloud Platform security
framework, ensuring it aligns with the existing OCI/OSHI standards.
Design, implement, and document security controls to meet and maintain PCI DSS compliance
within the Google Cloud Platform environment, preparing for and facilitating audits.
Translate high-level security principles into detailed, enforceable Organization Policies and
governance standards.
Drive the full adoption and operationalization of Google Security Command Center (SCC)
Premium for continuous posture management, threat detection, and compliance reporting.
Network & Infrastructure Security
Conduct a deep-dive review of all foundational infrastructure, including VPCs, private
interconnects, and ingress/egress traffic patterns.
Design and implement a hardened VPC Service Controls (VPCSC) perimeter, moving from the
current monitoring mode to a fully enforced posture to protect the Cardholder Data Environment
(CDE) and other sensitive data.
Lead the migration from legacy Google Cloud Platform firewall rules to modern, centralized Google Cloud Platform firewall policies,
ensuring strict enforcement and proper segmentation (especially for CDE isolation).
Design and configure security solutions for e-commerce web applications and APIs using Cloud
Armor.
Validate and optimize security service SKU selections to ensure maximum value and protection.
Identity & Access Management (IAM)
Serve as the lead technical expert for all Google Cloud Platform IAM strategy and implementation, with a focus on
least-privilege access to sensitive consumer data.
Design and enforce granular Organization Policies to restrict high-risk permissions (e.g., denying
firewall modifications or public IP creation).
Implement time-bound access and privileged access management (PAM) solutions for elevated
permissions, especially for systems within the CDE scope.
Architect and execute the transition from service account keys to a
keyless/credential-less model using Workload Identity Federation between Azure AD and Google Cloud Platform.
Design and implement a best-practice RBAC model for Google Secrets Manager.
Establish comprehensive logging and alerting for all critical identity, access, and permissionsrelated events, per PCI DSS requirements.
Automation & DevSecOps
Perform a security-focused review of the Terraform automation and GitHub Actions CICD
pipelines.
Implement DevSecOps best practices to harden pipelines, manage access controls, improve
error handling, and minimize the blast radius of deployments, ensuring compliance is built into the
pipeline.
Establish security-focused housekeeping and hygiene plans for pipeline maintenance, API
versioning, and credential management.
Provide expert guidance on the security implications of migrating from Azure ARM/Jenkins to
Terraform/GitHub Actions.
Qualifications & Skills: Required (Must-Have)
8+ years of experience in a senior cloud security or cloud architect role.
Google Cloud Certified: Professional Cloud Security Engineer or Professional Cloud Architect.
Deep, hands-on expertise with core Google Cloud Platform security services: Google Cloud Platform IAM, VPC Service Controls, Google Cloud Platform
Firewall Policies, Organization Policies, and Security Command Center (SCC) Premium.
Demonstrable experience designing, implementing, and auditing controls for regulatory
compliance frameworks, specifically PCI DSS, within a major cloud provider (Google Cloud Platform preferred).
Proven experience designing and implementing Workload Identity Federation, specifically for
federating identities from Azure AD.
Strong understanding of Terraform (IaC) and CICD pipelines (e.g., GitHub Actions, Jenkins) from a
security (DevSecOps) perspective.
Expertise in cloud-native network security, including CDE segmentation, VPC design, private
interconnects, and WAFs (Cloud Armor).
Demonstrated ability to create high-quality TDDs and security policy documentation for
compliance and audit purposes.
Preferred (Nice-to-Have)
Experience in multi-cloud environments, especially with Azure security (Azure AD, ARM).
Familiarity with other consumer data privacy regulations (e.g., CCPA/CPRA, GDPR).
Hands-on experience with Google's Privileged Access Management (PAM) solutions.
Regards,
Vinay Ram (Direct) Desk: Suwanee, GA - 30024 An MBE & eVerify Company |
Connect with me for exciting career opportunities:
Open Jobs (For Recruiters):
Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.