Zero Trust Architect (Expert)
BAE Systems, Inc. · Herndon, VA · Yesterday
On-siteArt & Creative$147k–$249k/yrFull-time
About the role
The Senior Zero Trust Architect role at BAE Systems is located at the intersection of networking, identity, and cloud security. This role is responsible for designing, implementing, and operating the Secure Service Edge (SSE) and Zero Trust security architecture.
Responsibilities
- Design and implement secure, scalable access models across hybrid and cloud-first environments.
- Collaborate with security, networking, cloud, and endpoint teams to lead or contribute to architecture decisions.
- Support PoCs and pilot deployments of SSE platforms, Microsoft 365/Azure security, identity and access management, and network traffic engineering.
- Communicate complex concepts to engineers, leadership, and non-technical stakeholders.
Requirements
- Minimum 11 years of relevant experience and a Bachelor's Degree.
- Experience in regulated environments (FedRAMP, DoD, GCC/GCCH/DoD tenants).
- Microsoft certifications: AZ-500, SC-300, SC-200.
- Zscaler certifications: ZCCA, ZCSP.
- Cloudflare certifications: ZIA/ZPA design, policy implementation, app segmentation.
- Experience with Endpoint posture enforcement (Intune, Defender for Endpoint).
- Experience with Browser isolation technologies and API security.
- Experience with SSE platforms, Microsoft 365/Azure security, identity and access management, and network traffic engineering.
- Experience with Azure networking constructs: VNets, NSGs, Private Endpoints, Virtual WAN.
- Experience with Azure Firewall, Application Gateway/WAF, and private access models.
- Experience with TCP/IP, DNS, HTTP/S, TLS inspection, proxy architectures, routing (BGP), NAT, VPN (IPSec/SSL), SD-WAN integrations.
- Experience with traffic steering methods: PAC files, GRE/IPSec tunnels, agent-based forwarding.
- Experience with Zscaler: ZIA/ZPA design, policy implementation, app segmentation.
- Experience with Microsoft Global Secure Access (GSA) or similar SSE-native integrations.
- Experience with Microsoft Defender Suite (Defender for Cloud Apps, Endpoint, Identity, Office).
- Experience integrating third-party SSE platforms with M365 workloads: Exchange Online, SharePoint Online, Teams, OneDrive.
- Experience with Azure networking constructs: VNets, NSGs, Private Endpoints, Virtual WAN.
- Experience with Azure Firewall, Application Gateway/WAF, and private access models.
- Experience with Azure networking constructs: VNets, NSGs, Private Endpoints, Virtual WAN.
- Experience with Azure Firewall, Application Gateway/WAF, and private access models.
- Experience with TCP/IP, DNS, HTTP/S, TLS inspection, proxy architectures, routing (BGP), NAT, VPN (IPSec/SSL), SD-WAN integrations.
- Experience with traffic steering methods: PAC files, GRE/IPSec tunnels, agent-based forwarding.
- Experience with Zscaler: ZIA/ZPA design, policy implementation, app segmentation.
- Experience with Microsoft Global Secure Access (GSA) or similar SSE-native integrations.
- Experience with Microsoft Defender Suite (Defender for Cloud Apps, Endpoint, Identity, Office).
- Experience integrating third-party SSE platforms with M365 workloads: Exchange Online, SharePoint Online, Teams, OneDrive.
- Experience with Azure networking constructs: VNets, NSGs, Private Endpoints, Virtual WAN.
- Experience with Azure Firewall, Application Gateway/WAF, and private access models.
- Experience with Azure networking constructs: VNets, NSGs, Private Endpoints, Virtual WAN.
- Experience with Azure Firewall, Application Gateway/WAF, and private access models.
- Experience with TCP/IP, DNS, HTTP/S, TLS inspection, proxy architectures, routing (BGP), NAT, VPN (IPSec/SSL), SD-WAN integrations.
- Experience with traffic steering methods: PAC files, GRE/IPSec tunnels, agent-based forwarding.
- Experience with Zscaler: ZIA/ZPA design, policy implementation, app segmentation.
- Experience with Microsoft Global Secure Access (GSA) or similar SSE-native integrations.
- Experience with Microsoft Defender Suite (Defender for Cloud Apps, Endpoint, Identity, Office).
- Experience integrating third-party SSE platforms with M365 workloads: Exchange Online, SharePoint Online, Teams, OneDrive.
- Experience with Azure networking constructs: VNets, NSGs, Private Endpoints, Virtual WAN.
- Experience with Azure Firewall, Application Gateway/WAF, and private access models.
- Experience with Azure networking constructs: VNets, NSGs, Private Endpoints, Virtual WAN.
- Experience with Azure Firewall, Application Gateway/WAF, and private access models.
- Experience with TCP/IP, DNS, HTTP/S, TLS inspection, proxy architectures, routing (BGP), NAT, VPN (IPSec/SSL), SD-WAN integrations.
- Experience with traffic steering methods: PAC files, GRE/IPSec tunnels, agent-based forwarding.
- Experience with Zscaler: ZIA/ZPA design, policy implementation, app segmentation.
- Experience with Microsoft Global Secure Access (GSA) or similar SSE-native integrations.
- Experience with Microsoft Defender Suite (Defender for Cloud Apps, Endpoint, Identity, Office).
- Experience integrating third-party SSE platforms with M365 workloads: Exchange Online, SharePoint Online, Teams, OneDrive.
- Experience with Azure networking constructs: VNets, NSGs, Private Endpoints, Virtual WAN.
- Experience with Azure Firewall, Application Gateway/WAF, and private access models.
- Experience with Azure networking constructs: VNets, NSGs, Private Endpoints, Virtual WAN.
- Experience with Azure Firewall, Application Gateway/WAF, and private access models.
- Experience with TCP/IP, DNS, HTTP/S, TLS inspection, proxy architectures, routing (BGP), NAT, VPN (IPSec/SSL), SD-WAN integrations.
- Experience with traffic steering methods: PAC files, GRE/IPSec tunnels, agent-based forwarding.
- Experience with Zscaler: ZIA/ZPA design, policy implementation, app segmentation.
- Experience with Microsoft Global Secure Access (GSA) or similar SSE-native integrations.
- Experience with Microsoft Defender Suite (Defender for Cloud Apps, Endpoint, Identity, Office).
- Experience integrating third-party SSE platforms with M365 workloads: Exchange Online, SharePoint Online, Teams, OneDrive.
- Experience with Azure networking constructs: VNets, NSGs, Private Endpoints, Virtual WAN.
- Experience with Azure Firewall, Application Gateway/WAF, and private access models.
- Experience with Azure networking constructs: VNets, NSGs, Private Endpoints, Virtual WAN.
- Experience with Azure Firewall, Application Gateway/WAF, and private access models.
- Experience with TCP/IP, DNS, HTTP/S, TLS inspection, proxy architectures, routing (BGP), NAT, VPN (IPSec/SSL), SD-WAN integrations.
- Experience with traffic steering methods: PAC files, GRE/IPSec tunnels, agent-based forwarding.
- Experience with Zscaler: ZIA/ZPA design, policy implementation, app segmentation.
- Experience with Microsoft Global Secure Access (GSA) or similar SSE-native integrations.
- Experience with Microsoft Defender Suite (Defender for Cloud Apps, Endpoint, Identity, Office).
- Experience integrating third-party SSE platforms with M365 workloads: Exchange Online, SharePoint Online, Teams, OneDrive.
- Experience with Azure networking constructs: VNets, NSGs, Private Endpoints, Virtual WAN.
- Experience with Azure Firewall, Application Gateway/WAF, and private access models.
- Experience with Azure networking constructs: VNets, NSGs, Private Endpoints, Virtual WAN.
- Experience with Azure Firewall, Application Gateway/WAF, and private access models.
- Experience with TCP/IP, DNS, HTTP/S, TLS inspection, proxy architectures, routing (BGP), NAT, VPN (IPSec/SSL), SD-WAN integrations.
- Experience with traffic steering methods: PAC files, GRE/IPSec tunnels, agent-based forwarding.
- Experience with Zscaler: ZIA/ZPA design, policy implementation, app segmentation.
- Experience with Microsoft Global Secure Access (GSA) or similar SSE-native integrations.
- Experience with Microsoft Defender Suite (Defender for Cloud Apps, Endpoint, Identity, Office).
- Experience integrating third-party SSE platforms with M365 workloads: Exchange Online, SharePoint Online, Teams, OneDrive.
- Experience with Azure networking constructs: VNets, NSGs, Private Endpoints, Virtual WAN.
- Experience with Azure Firewall, Application Gateway/WAF, and private access models.
- Experience with Azure networking constructs: VNets, NSGs, Private Endpoints, Virtual WAN.
- Experience with Azure Firewall, Application Gateway/WAF, and private access models.
- Experience with TCP/IP, DNS, HTTP/S, TLS inspection, proxy architectures, routing (BGP), NAT, VPN (IPSec/SSL), SD-WAN integrations.
- Experience with traffic steering methods: PAC files, GRE/IPSec tunnels, agent-based forwarding.
- Experience with Zscaler: ZIA/ZPA design, policy implementation, app segmentation.
- Experience with Microsoft Global Secure Access (GSA) or similar SSE-native integrations.
- Experience with Microsoft Defender Suite (Defender for Cloud Apps, Endpoint, Identity, Office).
- Experience integrating third-party SSE platforms with M365 workloads: Exchange Online, SharePoint Online, Teams, OneDrive.
- Experience with Azure networking constructs: VNets, NSGs, Private Endpoints, Virtual WAN.
- Experience with Azure Firewall, Application Gateway/WAF, and private access models.
- Experience with Azure networking constructs: VNets, NSGs, Private Endpoints, Virtual WAN.
- Experience with Azure Firewall, Application Gateway/WAF, and private access models.
- Experience with TCP/IP, DNS, HTTP/S, TLS inspection, proxy architectures, routing (BGP), NAT, VPN (IPSec/SSL), SD-WAN integrations.
- Experience with traffic steering methods: PAC files, GRE/IPSec tunnels, agent-based forwarding.
- Experience with Zscaler: ZIA/ZPA design, policy implementation, app segmentation.
- Experience with Microsoft Global Secure Access (GSA) or similar SSE-native integrations.
- Experience with Microsoft Defender Suite (Defender for Cloud Apps, Endpoint, Identity, Office).
- Experience integrating third-party SSE platforms with M365 workloads: Exchange Online, SharePoint Online, Teams, OneDrive.
- Experience with Azure networking constructs: VNets, NSGs, Private Endpoints, Virtual WAN.
- Experience with Azure Firewall, Application Gateway/WAF, and private access models.
- Experience with Azure networking constructs: VNets, NSGs, Private Endpoints, Virtual WAN.
- Experience with Azure Firewall, Application Gateway/WAF, and private access models.
- Experience with TCP/IP, DNS, HTTP/S, TLS inspection, proxy architectures, routing (BGP), NAT, VPN (IPSec/SSL), SD-WAN integrations.
- Experience with traffic steering methods: PAC files, GRE/IPSec tunnels,