Job Specifications
Job Description:
We are seeking a senior-level GCP Cloud Security Architect to lead the design, implementation, and governance of a large American retail brand’s new Google Cloud Platform (GCP) landing zone. As a key player in the consumer retail space, their primary mission is to build a secure-by-default environment that protects customer data, ensures compliance with PCI DSS, and is hardened against security incidents.
You will be the lead subject matter expert for all cloud security matters, responsible for translating their guiding principles into enforceable, automated policies. This is a hands-on role for an expert who can move their security posture from "monitoring" to "fully enforced" and ensure their cloud foundation meets the highest standards of security and compliance.
Key Responsibilities:
Security Design & Governance
Develop and maintain a comprehensive Technical Security Design document for the GCP security framework, ensuring it aligns with the existing OCI/OSHI standards.
Design, implement, and document security controls to meet and maintain PCI DSS compliance within the GCP environment, preparing for and facilitating audits.
Translate high-level security principles into detailed, enforceable Organization Policies and governance standards.
Drive the full adoption and operationalization of Google Security Command Center (SCC) Premium for continuous posture management, threat detection, and compliance reporting.
Network & Infrastructure Security
Conduct a deep-dive review of all foundational infrastructure, including VPCs, private interconnects, and ingress/egress traffic patterns.
Design and implement a hardened VPC Service Controls (VPCSC) perimeter, moving from the current monitoring mode to a fully enforced posture to protect the Cardholder Data Environment (CDE) and other sensitive data.
Lead the migration from legacy GCP firewall rules to modern, centralized GCP firewall policies, ensuring strict enforcement and proper segmentation (especially for CDE isolation).
Design and configure security solutions for e-commerce web applications and APIs using Cloud Armor.
Validate and optimize security service SKU selections to ensure maximum value and protection.
Identity & Access Management (IAM)
Serve as the lead technical expert for all GCP IAM strategy and implementation, with a focus on least-privilege access to sensitive consumer data.
Design and enforce granular Organization Policies to restrict high-risk permissions (e.g., denying firewall modifications or public IP creation).
Implement time-bound access and privileged access management (PAM) solutions for elevated permissions, especially for systems within the CDE scope.
Architect and execute the transition from service account keys to a keyless/credential-less model using Workload Identity Federation between Azure AD and GCP.
Design and implement a best-practice RBAC model for Google Secrets Manager.
Establish comprehensive logging and alerting for all critical identity, access, and permissions-related events, per PCI DSS requirements.
Automation & DevSecOps
Perform a security-focused review of the Terraform automation and GitHub Actions CICD pipelines.
Implement DevSecOps best practices to harden pipelines, manage access controls, improve error handling, and minimize the blast radius of deployments, ensuring compliance is built into the pipeline.
Establish security-focused housekeeping and hygiene plans for pipeline maintenance, API versioning, and credential management.
Provide expert guidance on the security implications of migrating from Azure ARM/Jenkins to Terraform/GitHub Actions.
Required Qualifications & Skills (Must-Have)
7+ years of experience in a senior cloud security or cloud architect role.
Google Cloud Certified: Professional Cloud Security Engineer or Professional Cloud Architect.
Deep, hands-on expertise with core GCP security services: GCP IAM, VPC Service Controls, GCP Firewall Policies, Organization Policies, and Security Command Center (SCC) Premium.
Demonstrable experience designing, implementing, and auditing controls for regulatory compliance frameworks, specifically PCI DSS, within a major cloud provider (GCP preferred).
Proven experience designing and implementing Workload Identity Federation, specifically for federating identities from Azure AD.
Strong understanding of Terraform (IaC) and CICD pipelines (e.g., GitHub Actions, Jenkins) from a security (DevSecOps) perspective.
Expertise in cloud-native network security, including CDE segmentation, VPC design, private interconnects, and WAFs (Cloud Armor).
Demonstrated ability to create high-quality TDDs and security policy documentation for compliance and audit purposes.
Preferred (Nice-to-Have)
Experience in multi-cloud environments, especially with Azure security (Azure AD, ARM).
Familiarity with other consumer data privacy regulations (e.g., CCPA/CPRA, GDPR).
Hands-on experience with Google's Privileged Access Management (PAM) solutions.
About the Company
Donyati was founded with the intention of challenging traditional business and technology consulting methods. Our approach involves leveraging technology to tackle intricate business challenges and deliver innovative solutions driven by our steadfast commitment, diligence, and passion. We actively listen to our clients, provide seasoned advice, and persevere in pursuit of their goals. Our top priority is always acting in the best interests of our clients. Our team listens carefully to discover the exact solution you need to ...
Know more