Dear Vendor
Hope you are doing well
ONLY GC AND US CITIZENS NO OTHER VISA
Job Title: GCP Cloud Security Engineer/Architect (Retail & Compliance)
Location:
Remote
Terms: GC/Citizens
Role Overview
We are seeking a GCP Cloud Security Engineer/Architect to lead the design, implementation, and governance of a large American retail brand’s new Google Cloud Platform (GCP) landing zone. As a key player in the consumer retail space, their primary mission is to build a secure-by-default environment that protects customer data, ensures compliance with PCI DSS, and is hardened against security incidents.
You will be the lead subject matter expert for all cloud security matters, responsible for translating their guiding principles into enforceable, automated policies. This is a hands-on role for an expert who can move their security posture from "monitoring" to "fully enforced" and ensure their cloud foundation meets the highest standards of security and compliance.
A great candidate is someone with strong, hands-on expertise in these areas, who can design, implement, and operate secure Google Cloud systems at scale.
Key Responsibilities
Security Design & Governance
• Develop and maintain a comprehensive Technical Security Design document for the GCP security framework, ensuring it aligns with the existing OCI/OSHI standards.
• Design, implement, and document security controls to meet and maintain PCI DSS compliance within the GCP environment, preparing for and facilitating audits.
• Translate high-level security principles into detailed, enforceable Organization Policies and governance standards.
• Drive the full adoption and operationalization of Google Security Command Center (SCC) Premium for continuous posture management, threat detection, and compliance reporting.
Network & Infrastructure Security
• Conduct a deep-dive review of all foundational infrastructure, including VPCs, private interconnects, and ingress/egress traffic patterns.
• Design and implement a hardened VPC Service Controls (VPCSC) perimeter, moving from the current monitoring mode to a fully enforced posture to protect the Cardholder Data Environment (CDE) and other sensitive data.
• Lead the migration from legacy GCP firewall rules to modern, centralized GCP firewall policies, ensuring strict enforcement and proper segmentation (especially for CDE isolation).
• Design and configure security solutions for e-commerce web applications and APIs using Cloud Armor.
• Validate and optimize security service SKU selections to ensure maximum value and protection.
Identity & Access Management (IAM)
• Serve as the lead technical expert for all GCP IAM strategy and implementation, with a focus on least-privilege access to sensitive consumer data.
• Design and enforce granular Organization Policies to restrict high-risk permissions (e.g., denying firewall modifications or public IP creation).
• Implement time-bound access and privileged access management (PAM) solutions for elevated permissions, especially for systems within the CDE scope.
• Architect and execute the transition from service account keys to a keyless/credential-less model using Workload Identity Federation between Azure AD and GCP.
• Design and implement a best-practice RBAC model for Google Secrets Manager.
• Establish comprehensive logging and alerting for all critical identity, access, and permissions-related events, per PCI DSS requirements.
Automation & DevSecOps
• Perform a security-focused review of the Terraform automation and GitHub Actions CI/CD pipelines.
• Implement DevSecOps best practices to harden pipelines, manage access controls, improve error handling, and minimize the blast radius of deployments, ensuring compliance is built into the pipeline.
• Establish security-focused housekeeping and hygiene plans for pipeline maintenance, API versioning, and credential management.
• Provide expert guidance on the security implications of migrating from Azure ARM/Jenkins to Terraform/GitHub Actions.
Qualifications & Skills: Required (Must-Have)
• 8+ years of experience in a senior cloud security or cloud architect role.
• Google Cloud Certified: Professional Cloud Security Engineer or Professional Cloud Architect.
• Deep, hands-on expertise with core GCP security services: GCP IAM, VPC Service Controls, GCP Firewall Policies, Organization Policies, and Security Command Center (SCC) Premium.
• Demonstrable experience designing, implementing, and auditing controls for regulatory compliance frameworks, specifically PCI DSS, within a major cloud provider (GCP preferred).
• Proven experience designing and implementing Workload Identity Federation, specifically for federating identities from Azure AD.
• Strong understanding of Terraform (IaC) and CI/CD pipelines (e.g., GitHub Actions, Jenkins) from a security (DevSecOps) perspective.
• Expertise in cloud-native network security, including CDE segmentation, VPC design, private interconnects, and WAFs (Cloud Armor).
• Demonstrated ability to create high-quality TDDs and security policy documentation for compliance and audit purposes.
Preferred (Nice-to-Have)
• Experience in multi-cloud environments, especially with Azure security (Azure AD, ARM).
• Familiarity with other consumer data privacy regulations (e.g., CCPA/CPRA, GDPR).
• Hands-on experience with Google's Privileged Access Management (PAM) solutions.
Details gathered from Client Conversations:
This job is about designing and managing security for a large retail company’s Google Cloud Platform (GCP) system. The company wants someone who will make sure that sensitive customer data is protected, systems follow strict compliance rules (like PCI DSS), and the cloud setup is hardened against attacks. Minimum 8+ years in security architecture, with at least 3–5 years hands-on with GCP in regulated environments.
They are looking for a senior expert who can:
• Set up strong, automated security policies in GCP.
• Build secure networks (VPCs), control traffic, and make sure e-commerce applications and APIs are protected.
• Lead efforts to control who has access to sensitive data, using best practices (least privilege, PAM).
• Oversee migration to modern security controls, firewall policies, and identity management (using things like Workload Identity Federation).
• Design and secure automated deployment (DevSecOps) using Terraform and GitHub Actions, with compliance built into the process.
• Write clear technical and security documents for audits.
Great fit:
• 10+ years in cloud security or architecture, preferably on GCP.
• Google Cloud certification (Cloud Security Engineer or Architect).
• Deep hands-on skill with GCP security features (IAM, VPC Service Controls, Firewall, SCC Premium).
• Proven work in regulatory compliance, especially PCI DSS.
• Experience connecting Azure identities with GCP (Workload Identity Federation).
• Strong knowledge of Terraform and secure CI/CD pipelines.
• Can design secure networks and manage web app/API protection.
• Knows about consumer data privacy regulations (CCPA/CPRA, GDPR).
• Has worked in multi-cloud setups (especially Azure).
Key skills needed:
• Cloud security (GCP, Azure)
• Network security (VPC, segmentation, firewalls)
• Identity Access Management (IAM, PAM, federation)
• Regulatory compliance (PCI DSS, privacy laws)
• DevSecOps (Terraform, CI/CD, automation)
• Documentation for audits

Email is the best way to reach me.
CONNECT WITH ME ON: LinkedIn