Senior DevOps Engineer
CMG Financial · United States · 6 days ago
RemoteRemoteInformation TechnologyFull-time
ESSENTIAL DUTIES and RESPONSIBILITIES
- Operate and tune Microsoft Defender for Cloud (CSPM/CNAPP) across Azure subscriptions, remediating misconfigurations and excessive access.
- Enforce preventative guardrails with Azure Policy and benchmark configuration against CIS Benchmarks and the NIST Cybersecurity Framework.
- Apply least-privilege access in Microsoft Entra ID using Azure RBAC, PIM, and Conditional Access, and run periodic access reviews and attestations.
- Use Microsoft Purview and Defender for Cloud data-aware posture (DSPM) to classify and protect sensitive cloud data.
- Embed security into Terraform and GitHub Actions pipelines, including IaC scanning, policy-as-code, and secrets management.
- Support threat modeling and secure design reviews for new and changing cloud workloads.
- Engineer Microsoft Sentinel data ingestion (data connectors, Data Collection Rules and Endpoints) and build detections.
- Integrate Microsoft Defender for Cloud and Defender XDR signals into Sentinel for unified detection and response.
- Support cloud threat hunting, incident response, and automation of enrichment and remediation.
- Map cloud controls to recognized frameworks and produce control evidence for regulatory examinations and investor and agency audits.
Required Qualifications
- Bachelor's degree in Computer Science, Cybersecurity, Information Systems, or a related field, or equivalent practical experience.
- 3+ years in cloud security or cloud engineering, including hands-on Microsoft Azure security.
- Core Cloud Security Skills (Azure): Microsoft Defender for Cloud, Azure Policy, and Microsoft Entra ID (Azure RBAC, PIM, Conditional Access).
- Cloud security posture management (CSPM/CNAPP), with the ability to find and remediate misconfigurations and excessive access.
- DevSecOps and Automation Infrastructure-as-Code with Terraform and CI/CD security in GitHub Actions.
- Scripting and automation with Python, PowerShell, and KQL.
- Using GenAI to generate and validate scripts is welcomed and approved.
- Detection and Monitoring: Microsoft Sentinel, including Log Analytics ingestion (data connectors, DCR/DCE).
- Security architecture, design review, and threat modeling, with working knowledge of NIST CSF and CIS Benchmarks.
Preferred Certifications
- AZ-500, SC-100, or a relevant GIAC credential (GCSA, GCDA, or GCFR).
Nice to Have
- Hands-on AWS security (the role is Azure-primary; AWS is a plus).
- GitHub Advanced Security (GHAS); container and Kubernetes (AKS) security.
- Secrets and key management (Azure Key Vault).
- Experience in financial services, mortgage, or other highly regulated industries, including producing audit and examination evidence.