Role: Senior Cloud Security Engineer
Location: Hybrid – 3 days in office, 2 days remote. Must be in Wichita, KS
Contract Length: 3-month CFH
Required Technologies: AWS, AWS solutions architect and security certifications are big. Terraform, python, git hub, git lab, AWS IAM.
Preferred: Other cloud certifications are “icing on the cake”.
Nice to haves: CSPM – InsightCloudSec: if they have it it’ll accelerate them. Kubernettes.
Soft Skills: Must have VERY strong written and verbal communication skills, ability to drive and manage their own projects, ability to lead projects and organize work.
Certifications/Education requirements: College Degree not required but desirable
Team Size/Makeup: It is currently just the hiring manager right now, and the new resource. The new hire will collaborate extensively with the KGS team, which handles the cloud platform aspects.
Daily Responsibilities:
- Security operations and responding to findings.
- Responding to finops anomaly alerts
- Breakfix for AWS service or IAM permissions problems
- Creating/updating/fixing existing fhr cloud services to ensure their viability.
- AWS service lifecycle events and creating recommendations and solutions for product teams.
Notes:
- Security Focus: The role will be approximately 50-60% focused on security engineering, requiring a strong foundation in cloud security and risk analysis.
- Infrastructure Focus: About 30-40% of the role will involve cloud infrastructure tasks, supporting software engineers and managing cloud services.
- FinOps Tasks: The remaining 5-10% of the role will involve FinOps tasks, including cost management and optimization within the cloud environment.
- Dan emphasized the need for a technically savvy individual who can expand and improve existing services, ideally someone more technical than himself.
Cloud Security Operations
- Security Vulnerability Discovery and Remediation - Responsible for using CSPM, CIEM, security tools, security reviews, and any other means to find areas of cloud security risk for FHR. Create monitoring and alerting processes and set expectations with customers on how to remediate the cloud misconfigurations which put our applications at risk and other security vulnerabilities within a standard SLA. Responsible to analyze the situation to understand the real risk and communicate that with the stakeholders on what risk is recommended to accept and which risk should drive action. Prioritizes vulnerabilities so that higher risk findings are addressed first. Works with software engineers and product teams to ensure good software development practices are being used to deploy secure solutions. Responsible for recurring reporting of cloud security risks to IT directors.
- Workload Protection Services via Web Application Firewall Management - Responsible for the creation and deployment of standard WAF rules across our workloads. Monitoring traffic for effectiveness of security protection and to catch any potential false positives. Responsible for other protections for internet-facing workloads. Responsible for creating custom rules to ensure protection of workloads without creating disruption. Logging of requests to assist with troubleshooting and reporting. Escalation of security incidents with the security operations center.
- Remote Access Solutions - Design and implement remote access solutions for administration of cloud-based workloads. Automation and implementation of Zscaler ZPA or AWS Client VPN services. Work in coordination with our Cloud Operations team to fulfill these requests.
Cloud Infrastructure Operations
- Cloud Infrastructure - Responsible for troubleshooting any cloud infrastructure issues with software engineers. Including connectivity issues, capacity, and performance issues. Responsible for ensuring ownership of the cloud infrastructure is defined well and all resources are owned.
- IAM Management Services - Creates and tests standard roles and policies for the company to use using least privilege principals. Monitors for overprivileged roles and works with customers to remediate the risk. Assists software engineers with IAM role and policy creation to ensure least privilege. Manages the roles and policies via Terraform deployed through a Gitlab pipeline to ensure standards are deployed consistently and enforced. Creates and tests new AWS service control policies. Deploys all changes using standard change control processes to reduce the risk of unplanned events.
- EC2 Management - Responsible for server creation automation which is used by the server management team. Escalation point for the server management team regarding cloud-specific EC2 and EBS issues. Knows the hybrid cloud networking design and assists with design changes and troubleshooting. Ensures that EC2s in our hybrid cloud environment are positioned for long-term success which enables the server team to manage them.
- Cloud Service Management - Responsible to review cloud services for security risks and supportability concerns. Will collaborate with customers to understand their needs and determine if a new service should be used or if existing reference architectures should be used. Will enable new cloud services by implementing new standards and reference architectures for the solution which ensures consistency and supportability.
- Application Cloud Infrastructure - Coordinates with software engineers and software architects to design and create solutions for applications in the cloud. To creating and maintaining standard solutions which can be deployed by software engineers. Assists software engineers and software architects with experimentation on new services.
Cloud Financial Operations
- Operate our finops program that enables our software engineers and product teams to be cost efficient with our cloud spend. Discover cloud cost trends and anomalies and collaborate with product teams and software engineers to take corrective action. Create automation for remediation when necessary. Perform analysis on costs to understand if application design changes may be required or just small configuration changes are required to ultimately keep our workloads cost efficient. Provide rightsizing information for the cloud services with the most significant spend. e.g. compute and storage. Provide recurring executive level reports to ensure IT directors are seeing trends and how their teams are impacting the overall cloud cost spend.
List of immediate work/projects for this person when they start.
- Implement new Standard IAM Roles across all our accounts for employees.
- Ensure least privilege.
- Ensure pipelines still function.
- Should ready the organization for using AWS Identity Center.
- Review of current cloud security standards and start the continuous review process to create new standards and implement controls.
- API Security scanning
- Container security
- Migration of KGS-managed VPC from the FHR Alkira segment. Networking changes to ensure there are not backdoors into the fhr network for the other operating companies.
- Create our terraform structure so that code can be managed as a team and not just in my local files.
- ZPA connector rollout for 30-40 accounts. CentOS is deprecated. Migration to RHEL. Requires updating automation.
- Micro segmentation/Application fencing planning and design. Assist with Illumio POC.
- Account meta data verification process
- Find the owners associated and set up a verification process for each account they own.