Google Cloud Platform Architect- Remote

Principal Cloud Architect: Google Cloud Platform Network, Security, and GenAI

1. Position Overview & Mission
Reporting directly to the Head of Cloud Infrastructure, the Principal Cloud Architect is the ultimate technical arbiter of the "FY26 Google Cloud Platform Mandate." Following our Strategic Agreement with Google Cloud Platform, this role is tasked with the high-stakes mission of accelerating Generative AI capabilities by year-end. You will be the primary architect responsible for balancing aggressive "Speed to Value" with "Secure by Default" principles across the Google Cloud Platform Foundation. This is not a theoretical role; you will translate complex architectural assessments into a hardened, production-ready ecosystem that protects enterprise data while enabling cutting-edge Agentic AI workflows.

2. Core Responsibilities: GenAI Governance & Implementation
The architect will operationalize the "Model Armor Recommendation Framework" to ensure no GenAI traffic bypasses established security controls.
Model Armor Floor Settings: Enforce non-negotiable safety baselines via Terraform at the Folder and Project levels. You must implement the "Block vs. Redact" decision matrix: Block for Malicious Intent (Jailbreak, Prompt Injection) and Redact for Incidental Sensitivity (PII/PHI in prompts/responses).
Secure Authentication Passthrough: Architect secure Agent-to-Agent (A2A) and MCP Server workflows using the Google Agent Development Kit (ADK) and OAuth2, ensuring the original user's identity is propagated for downstream actions like BigQuery deletions.
Agentic AI Security: Secure the Vertex AI Agent Engine to prevent "rogue agent" commands. Enforce least-privilege access for agents interacting with BigQuery and AlloyDB, utilizing BigQueryCredentialsConfig to decouple authentication from the tool lifecycle.
Policy Enforcement: Establish "Fail-Closed" policies where GenAI traffic is automatically blocked if Model Armor or security inspection services are unreachable.
Technical Implementation: Configure safety attribute thresholds (e.g., Toxicity, Hate Speech) with high-confidence (0.7+) blocking and flagging protocols.

3. Core Responsibilities: Enterprise Cloud Networking
You will manage a complex, global network topology based on the "VPC Service Controls Strategy," ensuring strict isolation between core foundations and legacy assets.
Topology Management: Enforce a strict Hub-and-Spoke network topology. You will standardize the naming convention across all environments: 0p (Production), 0n (Non-Production), 0d (Dev), 0s (Stage), and 0t (Test).
Perimeter Defense: Design and validate VPC Service Controls (VPC-SC) to prevent data exfiltration.
Traffic Security: Standardize SSL Policies using the RESTRICTED profile and a minimum of TLS 1.2 across all Load Balancer proxies (e.g., admin-api-https-proxy, braze-proxy-htts-proxy).
Firewall Governance: Implement Hierarchical Firewall Policies at the Organization level to enforce a "deny-all outbound" default posture.
Hybrid Connectivity: Validate and enforce Partner Interconnect encrypted VLAN attachments for all traffic traversing from on-premise to Google Cloud Platform.

4. Core Responsibilities: Identity, Data Security, & Compliance
Synthesize the IAM Strategy and Data Security Checklist into a Zero Trust architectural mandate.

Security Domain
Architectural Mandate
IAM & Identity
Enforce Workload Identity Federation (WIF) for all CI/CD and GKE workloads. Implement a "Service Account Reaper" to automate the disabling of accounts inactive for 90+ days.
Privileged Access
Implement Just-in-Time (JIT) Data Access via Privileged Access Manager (PAM) for BigQuery, ensuring analysts have session-based elevation rather than standing access to PII/PCI tables.
Data Protection
Mandate Customer-Managed Encryption Keys (CMEK) for "Confidential" and "Restricted" data using Cloud KMS Autokey for simplified lifecycle management.
Audit & Logging
Enable and monitor BigQuery Data Access Logs (DATA_READ/DATA_WRITE) in all production projects to catch and alert on unauthorized query attempts (Status Code 7).
Compliance
Maintain PCI DSS readiness for the Cardholder Data Environment (CDE) and ensure alignment with CIS Foundations Benchmarks.

5. Technical Qualifications & Tech Stack Expertise
IaC Mastery: Expert-level Terraform for provisioning projects, hierarchical labels, and Model Armor floor settings (using google_model_armor_floorsetting).
Google Cloud Platform AI Stack: Deep knowledge of Vertex AI Agent Engine, Agent Development Kit (ADK), and Model Context Protocol (MCP).
Security Tooling: Hands-on experience with Google Cloud Armor, Cloud KMS Autokey, VPC Service Controls, and Security Command Center (SCC).
Confidential Computing: Expertise in Confidential VMs (AMD SEV-SNP) for GKE nodes and Compute instances processing sensitive models or PII.
Data Architecture: High familiarity with BigQuery, AlloyDB, and Dataplex aspect types for metadata and classification.

6. Resource Governance & Operational Excellence
The architect is responsible for the integrity of the organizational resource hierarchy and must resolve existing technical debt:
Anomaly Remediation: Identify and migrate "Root Level Anomalies" into governed folder structures.
Labeling Standardization: Standardize project labeling (team, environment, cost attribution) across all business units. Immediate priority is bringing the Legacy-CRM migration folder into alignment with the Google Cloud Platform Foundation naming and labeling standards.
Drift Detection: Utilize Cloud Asset Inventory (CAI) to query for resources with the secure tag env:prod to ensure strict security settings are applied dynamically and consistently.