Solutions Architect MIT

City/State:
Yonkers, New York
Grant Funded:
No
Department:
IT - Technology & Cloud Services
Work Shift:
Day
Work Days:
MON-FRI
Scheduled Hours:
8 AM-5:30 PM
Scheduled Daily Hours:
8.5 HOURS
Pay Range:
$148,000.00-$185,000.00

Montefiore is ranked among the top hospitals nationally and regionally by U.S. News & World Report . For more than 100 years we have been innovating new treatments, procedures, and approaches to patient care, producing stellar outcomes and raising the bar for academic medical centers in the region and around the world. Our work to improve health outcomes in underserved communities is unparalleled in the United States. Our workforce is among the most diverse in the US: Montefiore associates speak 60+ languages.

As Montefiore has built paths to deliver lifesaving health outcomes to underserved communities, we are looking to the future of tech-enabled care delivery to create better experiences for patients, providers, and operations teams. Montefiore is actively investing in its technology teams as a system-level priority. We are seeking a Cloud Cybersecurity Architect.

Overview

The Cloud Cybersecurity Architect is responsible for designing, validating, and governing secure cloud architectures across AWS and Azure. This role reviews designs and operations from a cybersecurity architecture and operations perspective and will work closely with risk, compliance and policy teams within the Cybersecurity team-covering PHI/PII protection, identity, network segmentation, data security, monitoring, incident response, and gathering evidence for audit requests from the Cyber team. The Architect partners with Cloud Engineering, Security Operations, Cybersecurity, Networking, Cyber Compliance/GRC, and clinical application teams (e.g., EHR/VDI/PACS) to ensure secure-by-default, audit-ready platforms that meet HIPAA, HITECH, and HITRUST requirements while enabling delivery velocity and cost efficiency.

Education

A combination of education, experience, and training should qualify the candidate.

Certification(s)

• Preferred: CISSP, CCSP, CCSK, or HITRUST CCSFP
• Cloud security certifications (e.g., AWS Security Specialty, Azure Security Engineer (AZ-500), SC-100)
• Bonus: GIAC (GCSA, Google Cloud PlatformN, GCIH), CISM

Role and Responsibilities

The Cloud Cybersecurity Architect leads the definition and validation of cloud security controls, ensures compliance with healthcare regulations at the direction of the Cybersecurity team and reduces risk via secure reference architectures, guardrails, and automated checks embedded in pipelines and making sure standards such as CIS are applied and maintained.

Key Responsibilities:

• AWS Organizational Governance: Service Control Policies (SCP) design, multi-account patterns, delegated admin setups.
• Logging & Audit Foundations: Org CloudTrail, AWS Config aggregator, S3 log archive hardening, GuardDuty, Security Hub.
• CSPM / CNAPP Operations(Wiz.io): Onboarding accounts/resources, tuning posture policies, integrating with ticketing and log routing (e.g., Cribl/SIEM).
• Infrastructure as Code: Terraform modules, reusable patterns, policy-as-code integration, CI scanning.
• Vulnerability & Risk Prioritization: Combining CVSS, exploit context, asset criticality, and signal sources into severity logic.
• Automation & Scripting: Python (boto3), AWS CLI, shell tooling for validation, evidence export, reporting.
• Identity & Access: IAM least privilege, cross-account role assumptions, permission boundaries, automation roles.
• Observability / Data Routing (Plus): Cribl / Firehose / Kinesis or equivalent pipeline familiarity.
• Compliance Awareness: HIPAA safeguard themes (auditability, access control, data protection, etc).
• Metrics & Reporting: Designing & extracting KPIs (coverage %, MTTR, SLA compliance, control efficacy).
• Define secure, compliant reference architectures (landing zones, IAM, network segmentation, encryption, logging/monitoring, backup/DR).
• Work with the Cyberteam on the above to ensure they meet their requirements, standards and policies and that they are included and in all designs and sign off on them
• Review and approve solution designs and changes through an architecture review process; perform threat modeling and risk assessments in clode coordination with the Cyber and enterprise Architecture teams and processes.
• Map HIPAA/HITECH safeguards and HITRUST/NIST controls to cloud-native services and operating procedures; maintain control matrices and evidence catalogs.
• Establish identity and access strategies: SSO/Federation, least privilege, role design, JIT/JEA, PAM, key and secret management (KMS/HSM).
• Implement data security patterns: data classification/tagging, tokenization, DLP, encryption-in-transit/at-rest, key rotation, and logging.
• Harden network patterns: private endpoints, service endpoints, firewall/WAF, egress control, segmentation, zero-trust access, and secure remote administration.
• Embed security into CI/CD: IaC scanning (e.g., Checkov, tfsec), container/Kubernetes security, SAST/DAST/secret scanning, artifact signing, and policy-as-code (OPA/Conftest).
• Select and integrate cloud security tooling (e.g., CSPM, CWPP, CIEM, SIEM/SOAR) and cloud-native controls (AWS Security Hub/GuardDuty/Macie; Microsoft Defender for Cloud/Sentinel; Google Cloud Platform SCC) or similar tools.
• Define monitoring and response playbooks; partner with Cyber teams on detections, runbooks, incident response, tabletop exercises, and post-incident hardening.
• Guide backup/DR strategy with validated RPO/RTO for clinical systems; partner on business impact analysis and resilience testing and ensure backups and immutable backups are maintained and tested.
• Collaborate on vendor/SaaS security reviews, BAAs, and third-party risk assessments; advise on data residency and cross-border transfer constraints.
• Coach engineers via reusable patterns, golden modules, and security guardrails; promote a "paved road" developer experience.
• Partner with FinOps and platform teams to balance risk, cost, and performance; quantify risks and trade-offs for executive decision-making.

Candidate Qualifications

• 5+ years in cybersecurity with 3+ years focused on public cloud (AWS/Azure) in regulated environments; healthcare experience preferred but not mandatory.
• Proven experience designing and reviewing secure architectures for mission-critical workloads (EHR, VDI, imaging/PACS, data platforms).
• Hands-on with identity architecture (AAD/Entra ID, AWS IAM), network security, encryption and key management, and logging/observability.
• Working knowledge of HIPAA/HITECH, HITRUST, NIST CSF/800-53/800-66, CIS Benchmarks, and cloud shared responsibility models preferred.
• Familiarity with DevSecOps practices, CI/CD pipelines, IaC (Terraform/Bicep/CloudFormation), and container/Kubernetes security (EKS/AKS).
• Experience collaborating with audit/GRC, legal, compliance, and vendor management on BAAs and assessments.
• Excellent communication skills-able to translate risk into business outcomes for executives and clear guidance for engineers.

Required Skills

• Secure cloud architecture, threat modeling, and risk assessment for AWS/Azure; Google Cloud Platform a plus.
• Identity & access management: federation/SSO, RBAC/ABAC, PAM/JIT, secrets and key management.
• Network security: segmentation, private endpoints, WAF, egress control, zero-trust access patterns.
• Data protection: classification, tokenization, DLP, encryption, key rotation, evidence of control effectiveness.
• DevSecOps: IaC scanning, SAST/DAST, container/Kubernetes hardening, policy-as-code, artifact signing/attestation.
• Monitoring/IR: detections, logging pipelines, SIEM/SOAR integrations, runbooks, and incident coordination.
• Compliance operations: control mapping, policy/standard authorship, audit evidence management, continuous assurance.

Additional Responsibilities

• Author and maintain cloud security policies, standards, and guardrails; measure adherence and remediate gaps including socializing and maintaining these.
• Lead or contribute to security game-days, DR exercises, and continuous control validation.
• Mentor engineers and evangelize secure-by-default designs through reusable templates and documentation.
• Continuously assess emerging cloud services and threats; propose pragmatic control enhancements.

The Cloud Cybersecurity Architect plays a strategic and hands-on role in enabling secure, compliant, and resilient cloud platforms that protect patient data and safeguard clinical operations while accelerating digital transformation across the healthcare system in an open and collaborative way with all teams across the organization.

#SF-DICE-MIT #LI-SC

Montefiore Health System, Inc. is an equal employment opportunity employer. Montefiore Health System, Inc. will recruit, hire, train, transfer, promote, layoff and discharge associates in all job classifications without regard to their race, color, religion, creed, national origin, alienage or citizenship status, age, gender, actual or presumed disability, history of disability, sexual orientation, gender identity, gender expression, genetic predisposition or carrier status, pregnancy, military status, marital status, or partnership status, or any other characteristic protected by law.