Cloud Security Engineer/Architect (Hybrid)

About the position Tier One Technologies has an immediate need for a Cloud Security Engineer/Architect for our US Government client. This hybrid Contract-to-Hire position will be available to start in Falls Church, VA, Morrisville, NC or Eagan, MN. Selected candidates without required clearance will be subject to a Federal Government background investigation to receive it. Responsibilities • Lead the design of a global Zero Trust architecture, ensuring robust identity governance (IAM), network micro-segmentation, and data encryption across AWS, Azure, or GCP. • Design and implement automated compliance assessments to enforce hardening standards (CIS, NIST) across cloud accounts and on-premises virtualized environments. • Establish security guardrails for the enterprise’s internal and customer-facing AI models. This includes protecting Databricks training pipelines from data poisoning and implementing mitigations for LLM-specific threats like prompt injection and sensitive data leakage. • Develop and enforce enterprise-wide security policies using Terraform, etc., ensuring that non-compliant infrastructure is automatically remediated or blocked from deployment. • Design and oversee the integration of CNAPP and CSPM tools to provide real-time visibility into misconfigurations, vulnerabilities, and excessive permissions. • Conduct deep-dive threat modeling for complex cloud-native systems, simulating advanced persistent threats (APTs) and \"blast radius\" scenarios to strengthen system resilience. • Architect and maintain the security of our sprawling asset inventory. Implement data-at-rest and data-in-transit encryption strategies that span from physical data center servers to cloud-native storage. • Develop and secure the \"Identity Fabric\" linking 600k+ employees and millions of commercial customers. Collaborate with Fraud teams to integrate signals from SIEM and Databricks to detect and block malicious account activity. • Build and manage secure connectivity (Transit Gateways, Service Mesh) between on-premises hypervisors and multi-cloud environments, ensuring consistent policy enforcement. • Partner with the SOC to develop high-fidelity detection logic. Build SOAR playbooks that automate the isolation of compromised cloud workloads or on-premises VMs. • Support ongoing \"Purple Team\" exercises and control testing to validate that security tools (EDR, WAF, DLP) are performing as intended across all tenants. • Drive the transition from manual \"click-to-operate\" security to Autonomous Security Operations. This involves building advanced SOAR playbooks that use ML-based triggers to perform auto-remediation across hybrid environments without human intervention. • Partner with business units to integrate security \"invisibly\" into their workflows. Use automation to reduce \"security friction\" in logistics and retail operations, ensuring that compliance checks (like PCI or SOC2) are performed continuously and programmatically. • Discover and catalog \"Shadow AI\" usage across the enterprise, ensuring all third-party AI tools meet the enterprise’s privacy and security standards. Requirements • Bachelor’s or Master’s degree in Computer Science, Information Security or related field. If the individual's degree is not in the applicable field then four additional years of related experience is required. • 12+ years of experience in Cybersecurity. • 6+ years of experience focused on architecting secure cloud environments at scale. • Deep understanding of Artificial Intelligence (AI) and machine learning (ML) to develop, implement, and manage secure AI-driven solutions. • Expert-level knowledge of security architectures in AWS, Azure, and Google Cloud. • Mastery of Terraform, Ansible, or CloudFormation to deploy and manage security configurations at massive scale. • Ability to leverage Databricks to perform deep-dive analysis on billions of logs for threat hunting and efficacy reporting. • Experience securing Kubernetes (EKS/AKS/GKE) and Docker environments, focusing on runtime protection and image integrity. • Proficiency with OAuth 2.0, SAML, and CIAM solutions for large-scale customer and employee authentication. • Proficiency in using Python (PySpark/Pandas) within Databricks to build custom anomaly detection models that go beyond standard SIEM correlation rules. • Knowledge of the OWASP Top 10 for LLMs and experience implementing AI gateways or \"firewalls\" to monitor and filter AI-generated traffic. • Deep expertise in building \"glue code\" that connects disparate COTS and custom applications via secure, automated APIs to streamline cross-functional business activities. • The ability to explain to non-technical stakeholders how AI-driven security decisions (like blocking a suspicious \$1M commercial transaction) are made and how to handle \"false positives\" at scale. • A relentless focus on identifying repetitive manual tasks (e.g., firewall rule reviews, access audits) and replacing them with self-healing, automated systems. • Excellent communication skills. • Must be a US Citizen or Permanent US Resident (Green Card Holder). • Must be able to obtain Public Trust Clearance. • Be able to pass a drug screening, criminal history, and credit checks. • Must have lived in the United States for the past 5 years. • Cannot have more than 6 months travel outside the United States within the last five years. Military Service excluded. (Exception does not include military family members.)