Cloud Network Security Architect - AWS​/Zero Trust

Position: Cloud Network Security Architect - AWS / Zero Trust
Location: New York

Choosing Capgemini means choosing a company where you will be empowered to shape your career in the way you’d like, where you’ll be supported and inspired by a collaborative community of colleagues around the world, and where you’ll be able to reimagine what’s possible. Join us and help the world’s leading organizations unlock the value of technology and build a more sustainable, more inclusive world.

About The Job You're Considering The Cloud Network Security Architect is responsible for designing, implementing, and governing secure cloud network architectures across hybrid and multi‑cloud environments. This role ensures the confidentiality, integrity, and availability of enterprise systems by defining security‑by‑design network frameworks aligned with business, compliance, and risk management objectives.

Your Role Enterprise Zero Trust Network Architect: implement Zero Trust network architecture, including segmentation, least-privilege access, and consistent policy enforcement across users, workloads, and services in hybrid environments.

Network Security Design:
Design and validate secure on-prem and cloud networking patterns (VPC/VNet, subnets, routing, TGW/peering, ingress/egress) using cloud-native controls and enterprise platforms.

Cross-Functional Requirements & Architecture Translation:
Partner with application/platform/infrastructure teams to capture connectivity and security requirements (ports/protocols, data flows, trust boundaries) and translate them into actionable security architectures.

Firewall & Segmentation Strategy Owner:
Define and standardize firewall policies and segmentation models, providing clear guidance on use of Palo Alto/Prisma vs. cloud-native mechanisms (SG/NSG, NACLs, route controls).Architecture Governance & Adoption :
Lead design reviews, threat modeling, and exception handling; produce and maintain standards, reference designs, and architecture decision records to drive secure-by-design outcomes.

Operational Enablement & Continuous Improvement:
Collaborate with perimeter defense/Sec Ops to streamline rule discovery, risk review, approvals, and deployments (including automation); support troubleshooting and optimization for performance and resiliency.

Your Skills And Experience
10+ years of experience in network and security architecture, with strong focus on cloud platforms.

Deep expertise in cloud networking concepts: routing, DNS, load balancing, NAT, private connectivity, and network segmentation.

Hands‑on experience securing AWS and/or Azure networking services (VPC/VNet, Gateway, Firewall, Private Link, NSGs, Route Tables).Strong understanding of network security technologies: firewalls, WAF, IDS/IPS, DDoS, proxy, and micro‑segmentation.

Experience implementing zero‑trust and identity‑centric network access models.

Proficiency with Infrastructure as Code and automation tools (Terraform, Ansible, Cloud Formation).Solid understanding of TCP/IP, BGP, IPSec, TLS, and network encryption mechanisms.

Experience working in regulated and compliance‑driven environments.

Cloud certifications (AWS Certified Security – Specialty, Azure Security Engineer, CCSP).

Experience with multi‑cloud or large‑scale cloud migration programs.

Knowledge of SASE, CASB, and secure access service edge architectures.

Familiarity with SIEM/SOAR and security monitoring integrations.

Experience supporting Dev Sec Ops  and CI/CD security integration.

The base compensation range for this role in the posted location is: $94,248 - $215,050.Capgemini provides compensation range information in accordance with applicable national, state, provincial, and local pay transparency laws. The base compensation range listed for this position reflects the minimum and maximum target compensation Capgemini, in good faith, believes it may pay for the role at the time of this posting.

This range may be subject to change as permitted by law.

The actual compensation offered to any candidate may fall outside of the posted range and will be determined based on multiple factors legally permitted in the applicable jurisdiction.

These may include, but are not limited to:
Geographic location, Education and qualifications,…