Cloud Security Engineer

Summary

The Cloud Security Engineer serves as the liaison for protecting Brown University Health’s (BUH) multi‑cloud footprint by designing and hardening secure landing zones, embedding security controls in Infrastructure-as-Code (IaC), operationalizing cloud‑native security services and control‑plane guardrails. Working in close partnership with Security Operations, Network Security, Network Engineering, and Server Engineering, this role translates security best practices and regulatory requirements into practical technical controls, drives Zero‑Trust segmentation, automates preventative and detective controls, and continuously improves BUH’s cloud security posture.

• Own and improve cloud security posture across a multi‑cloud environment (Azure, AWS and/or GCP). Establish, document and enforce secure guardrails and baselines aligned to CIS Benchmarks and NIST CSF 2.0.
• Operate and tune our cloud security posture / CNAPP platform (agentless discovery, misconfiguration/vulnerability/identity risk analysis), drive prioritized remediation with responsible parties.
• Review and advise on policy‑as‑code and infrastructure‑as‑code (IaC) security checks across pre‑commit, CI/CD, and pre‑deployment gates. Conduct security design reviews of IaC to identify and recommend fixes for misconfigurations before provisioning.
• Design and advise on least‑privilege access models (roles, conditional access policies, break‑glass, service principals), secrets management, key management, and encryption (at rest, in transit, and in use where applicable).
• Design secure network architecture: VPC/VNet design, private connectivity/peering, egress controls, segmentation, and zero‑trust‑oriented access to cloud services.
• Centralize logging/telemetry (activity, audit, identity, network, and data access) and integrate with SIEM/SOAR for alerting, correlation, and automated response.
• Design and document data security controls across object storage, databases, and analytics services (classification, access boundaries, tokenization/format‑preserving encryption, key rotation, and auditing).
• Perform periodic control assessments and gap analyses against CIS Benchmarks and NIST CSF 2.0. Publish metrics/KPIs and risk treatment plans for leadership.
• Automate routine security tasks and remediations using scripting and APIs (e.g., Python, Power Shell, serverless functions, workflow automation).
• Partner with IT/Cloud Platform teams to maintain hardened images, patching, and vulnerability management for cloud workloads (VMs, managed services; containers, etc.).
• Partner with Security Operations to translate cloud attack paths into detections (control‑plane logs, API activity, network flow, workload telemetry) and tune SIEM/SOAR playbooks.
• Secure SaaS integrations with cloud accounts (SSO, SCIM/JIT, conditional access, least‑privilege service integrations) and third‑party connectivity.
• Identify, document and report any deviations from policy / standards, recommend corrective actions, and review security policies and control documentation to align with current practices.
• Ensure least‑privilege and MFA with Azure AD (Entra ), AWS IAM, and workload federation are enforced.
• Develop standards, policies, procedures and tabletop exercise scenarios.
• Review and recommend updates to security policies, procedures, and control documentation to ensure they reflect current security best practices and regulatory requirements.
• Monitor emerging threats, vulnerabilities, and industry best practices to ensure security controls remain effective and aligned with the evolving threat landscape.
• Research and assists in the piloting and evaluation of new tools, technologies, technical controls, and processes to support and enforce defined security policies.
• Support incident response (triage, containment, snapshot/metadata collection, forensics coordination, and post‑incident reviews) as required.
• Attend and actively contribute to team, project, project management, problem management, cloud migration and major incident conference calls as required.
• Performs other duties as assigned.

• A minimum of ten years of IS experience, with five years of hands‑on cloud…