Cloud Network Security Architect - AWS/Zero Trust
Listed on 2026-05-19
IT/Tech
Cybersecurity, Systems Engineer, Network Security
About The Job You're Considering
The Cloud Network Security Architect is responsible for designing, implementing, and governing secure cloud network architectures across hybrid and multi‑cloud environments. This role ensures the confidentiality, integrity, and availability of enterprise systems by defining security‑by‑design network frameworks aligned with business, compliance, and risk management objectives.
Your Role
- Enterprise Zero Trust Network Architect: Implement Zero Trust network architecture, including segmentation, least‑privilege access, and consistent policy enforcement across users, workloads, and services in hybrid environments.
- Network Security Design: Design and validate secure on‑prem and cloud networking patterns (VPC/VNet, subnets, routing, TGW/peering, ingress/egress) using cloud‑native controls and enterprise platforms.
- Cross‑Functional Requirements & Architecture Translation: Partner with application/platform/infrastructure teams to capture connectivity and security requirements (ports/protocols, data flows, trust boundaries) and translate them into actionable security architectures.
- Firewall & Segmentation Strategy Owner: Define and standardize firewall policies and segmentation models, providing clear guidance on use of Palo Alto/Prisma vs. cloud-native mechanisms (SG/NSG, NACLs, route controls).
- Architecture Governance & Adoption: Lead design reviews, threat modeling, and exception handling; produce and maintain standards, reference designs, and architecture decision records to drive secure‑by‑design outcomes.
- Operational Enablement & Continuous Improvement: Collaborate with perimeter defense/SecOps to streamline rule discovery, risk review, approvals, and deployments (including automation); support troubleshooting and optimization for performance and resiliency.
- 10+ years of experience in network and security architecture, with strong focus on cloud platforms.
- Deep expertise in cloud networking concepts: routing, DNS, load balancing, NAT, private connectivity, and network segmentation.
- Hands‑on experience securing AWS and/or Azure networking services (VPC/VNet, Gateway, Firewall, Private Link, NSGs, Route Tables).
- Strong understanding of network security technologies: firewalls, WAF, IDS/IPS, DDoS, proxy, and micro‑segmentation.
- Experience implementing zero‑trust and identity‑centric network access models.
- Proficiency with Infrastructure as Code and automation tools (Terraform, Ansible, CloudFormation).
- Solid understanding of TCP/IP, BGP, IPSec, TLS, and network encryption mechanisms.
- Experience working in regulated and compliance‑driven environments.
- Cloud certifications (AWS Certified Security – Specialty, Azure Security Engineer, CCSP).
- Experience with multi‑cloud or large‑scale cloud migration programs.
- Knowledge of SASE, CASB, and secure access service edge architectures.
- Familiarity with SIEM/SOAR and security monitoring integrations.
- Experience supporting DevSecOps and CI/CD security integration.
The base compensation range for this role in the posted location is: $94,248 - $215,050.
Capgemini provides compensation range information in accordance with applicable national, state, provincial, and local pay transparency laws. The base compensation range listed for this position reflects the minimum and maximum target compensation Capgemini, in good faith, believes it may pay for the role at the time of this posting. This range may be subject to change as permitted by law.
The actual compensation offered to any candidate may fall outside of the posted range and will be determined based on multiple factors legally permitted in the applicable jurisdiction.
These may include, but are not limited to:
Geographic location, Education and qualifications, Certifications and licenses, Relevant experience and skills, Seniority and performance, Market and business consideration, Internal pay equity.
It is not typical for candidates to be hired at or near the top of the posted compensation range.
In addition to base salary, this role may be eligible for additional compensation such as variable incentives, bonuses, or…