Cloud Security Engineer

SUMMARY:

The Cloud Security Engineer serves as the liaison for protecting Brown University Health’s (BUH) multi-cloud footprint by designing and hardening secure landing zones, embedding security controls in Infrastructure-as-Code (IaC), operationalizing cloud-native security services and control-plane guardrails. Working in close partnership with Security Operations, Network Security, Network Engineering, and Server Engineering, this role translates security best practices and regulatory requirements into practical technical controls, drives Zero-Trust segmentation, automates preventative and detective controls, and continuously improves BUH’s cloud security posture.

Brown University Health employees are expected to successfully role model the organization's values of Compassion, Accountability, Respect, and Excellence as these values guide our everyday actions with patients, customers and one another.

In addition to our values, all employees are expected to demonstrate the core Success Factors which tell us how we work together and how we get things done. The core Success Factors include:

Instill Trust and Value Differences
Patient and Community Focus and Collaborate

ESSENTIAL FUNCTIONS:

Own and improve cloud security posture across a multi-cloud environment (Azure, AWS and/or GCP). Establish, document and enforce secure guardrails and baselines aligned to CIS Benchmarks and NIST CSF 2.0

Operate and tune our cloud security posture / CNAPP platform (agentless discovery, misconfiguration/vulnerability/identity risk analysis), drive prioritized remediation with responsible parties.

Review and advise on policy-as-code and infrastructure-as-code (IaC) security checks across pre-commit, CI/CD, and pre-deployment gates. Conduct security design reviews of IaC to identify and recommend fixes for misconfigurations before provisioning.

Design and advise on least‑privilege access models (roles, conditional access policies, break‑glass, service principals), secrets management, key management, and encryption (at rest, in transit, and in use where applicable).

Design secure network architecture: VPC/VNet design, private connectivity/peering, egress controls, segmentation, and zero‑trust‑oriented access to cloud services.

Centralize logging/telemetry (activity, audit, identity, network, and data access) and integrate with SIEM/SOAR for alerting, correlation, and automated response.

Design and document data security controls across object storage, databases, and analytics services (classification, access boundaries, tokenization/format‑preserving encryption, key rotation, and auditing).

Perform periodic control assessments and gap analyses against CIS Benchmarks and NIST CSF 2.0. Publish metrics/KPIs and risk treatment plans for leadership.

Automate routine security tasks and remediations using scripting and APIs (e.g., Python, PowerShell, serverless functions, workflow automation).

Partner with IT/Cloud Platform teams to maintain hardened images, patching, and vulnerability management for cloud workloads (VMs, managed services; containers, etc.).

Partner with Security Operations to translate cloud attack paths into detections (control-plane logs, API activity, network flow, workload telemetry) and tune SIEM/SOAR playbooks.

Secure SaaS integrations with cloud accounts (SSO, SCIM/JIT, conditional access, least‑privilege service integrations) and third‑party connectivity.

---

Identify, document and report any deviations from policy / standards, recommend corrective actions, and review security policies and control documentation to align with current practices.

Ensure least-privilege and MFA with Azure AD (Entra ID), AWS IAM, and workload federation are enforced.

Develop standards, policies, procedures and tabletop exercise scenarios.

Review and recommend updates to security policies, procedures, and control documentation to ensure they reflect current security best practices and regulatory requirements.

Monitor emerging threats, vulnerabilities, and industry best practices to ensure security controls remain effective and aligned with the evolving threat landscape.

Research and assists in the piloting and evaluation of new tools, technologies, technical controls, and processes to support and enforce defined security policies.

Support incident response (triage, containment, snapshot/metadata collection, forensics coordination, and post‑incident reviews) as required.

Attend and actively contribute to team, project, project management, problem management, cloud migration and major incident conference calls as required.

Performs other duties as assigned.

EXPERIENCE:

A minimum of ten years of IS experience, with five years of hands-on cloud security engineering with Azure, AWS and/or GCP.

A bachelor's degree in information systems or equivalent work experience; an M.B.A. or M.S. in information security is preferred.

Active Certifications Required (3 or more - CISSP, CCSP, GIAC (i.e., GCSA, GCLD, GCAD, GCPN, GPCS, GCTD), CKS, CCAK, Security+.)

Subject matter expert knowledge in encryption, KMS/Key Vault concepts, secrets management, identity federation (SAML/OIDC/OAuth2), and modern access controls.

Hands‑on experience securing both Azure and AWS in production, including IAM, networking, storage, and monitoring across multiple accounts/subscriptions.

Experience designing immutable logging and integrating cloud telemetry with SIEM/SOAR; skillful at alert tuning to reduce noise and surface true risk.

Subject matter expert knowledge in Infrastructure-as-Code and CI/CD security. Proficiency reviewing IaC for security issues and implementing policy‑as‑code guardrails; strong understanding of secure provisioning patterns and drift control.

Subject matter expert knowledge of Kubernetes and API security

Subject Matter Expert level knowledge of security tools, trends, methodologies and best practices for securing platforms and operating systems at the server, client and network level.

Ability to script and automate with Python and/or PowerShell, use cloud CLIs/SDKs, and work with APIs/webhooks for integrations and workflows.

Motivated self-starter who has a track record of taking ownership of information security challenges and driving them to resolution.

Must be able to thrive in a fast-paced, rapidly evolving security department/environment with varying priorities, while interacting with other departments.

Thorough and current understanding of a wide range of threat vectors and their potential exploits against current corporate controls and cloud specific attacks.

Strong knowledge of industry frameworks related to information security (e.g. ISO 27000, NIST CSF, HIPAA Security, CIS Benchmarks, etc.). Ability to implement/enforce industry frameworks using cloud native services and automation.

Maintain an expert knowledge of InfoSec industry trends and developments and advise on changes to the threat landscape.

Knowledge of cloud networking, network infrastructure, including routers, switches, firewalls, and the associated network protocols and concepts.

Excellent interpersonal, verbal and written communication, and organizational skills. Clear, concise communicator with the ability to produce standards, runbooks, diagrams, and executive‑level reporting.

Experience supporting 24×7 incident response, including participation in major incident/problem calls.

Maintains work effort status within SLA’s on Brown University Health’s Service Desk and Task Management Platforms.

INDEPENDENT ACTION:

Functions independently within departmental policies and practices. Must be able to work independently in a manner to achieve goals, objectives and productivity requirements. Refers unresolved complex issues to Manager of Information Security where clarification of department policies and procedures may be required.

SUPERVISORY RESPONSIBILITIES:

Employee functions independently within department policies and practices; refers specific decisions to security management where authority is outside of the defined departmental RACI Matrix or clarification of departmental policies and procedures may be required.

Pay Range:

$108,135.66-$178,417.51

EEO Statement:

Brown University Health is committed to providing equal employment opportunities and maintaining a work environment free from all forms of unlawful discrimination and harassment.

Location:

Corporate Headquarters - 15 LaSalle Square Providence, Rhode Island 02903

Work Type:

M-F 8:30am-5:00pm

Work Shift:

Day

Daily Hours:

8 hours

Driving Required:

No