GCP Cloud Security Architect jobs in United States

Donyati · 21 hours ago

GCP Cloud Security Architect

Donyati is seeking a senior-level GCP Cloud Security Architect to lead the design, implementation, and governance of a large American retail brand’s new Google Cloud Platform (GCP) landing zone. The role involves building a secure environment that protects customer data and ensures compliance with PCI DSS, while also translating security principles into enforceable policies.

Industries: Analytics, Consulting, Enterprise Resource Planning (ERP)
Growth Opportunities
H1B Sponsor Likely

Responsibilities

Develop and maintain a comprehensive Technical Security Design document for the GCP security framework, ensuring it aligns with the existing OCI/OSHI standards
Design, implement, and document security controls to meet and maintain PCI DSS compliance within the GCP environment, preparing for and facilitating audits
Translate high-level security principles into detailed, enforceable Organization Policies and governance standards
Drive the full adoption and operationalization of Google Security Command Center (SCC) Premium for continuous posture management, threat detection, and compliance reporting
Conduct a deep-dive review of all foundational infrastructure, including VPCs, private interconnects, and ingress/egress traffic patterns
Design and implement a hardened VPC Service Controls (VPCSC) perimeter, moving from the current monitoring mode to a fully enforced posture to protect the Cardholder Data Environment (CDE) and other sensitive data
Lead the migration from legacy GCP firewall rules to modern, centralized GCP firewall policies, ensuring strict enforcement and proper segmentation (especially for CDE isolation)
Design and configure security solutions for e-commerce web applications and APIs using Cloud Armor
Validate and optimize security service SKU selections to ensure maximum value and protection
Serve as the lead technical expert for all GCP IAM strategy and implementation, with a focus on least-privilege access to sensitive consumer data
Design and enforce granular Organization Policies to restrict high-risk permissions (e.g., denying firewall modifications or public IP creation)
Implement time-bound access and privileged access management (PAM) solutions for elevated permissions, especially for systems within the CDE scope
Architect and execute the transition from service account keys to a keyless/credential-less model using Workload Identity Federation between Azure AD and GCP
Design and implement a best-practice RBAC model for Google Secrets Manager
Establish comprehensive logging and alerting for all critical identity, access, and permissions-related events, per PCI DSS requirements
Perform a security-focused review of the Terraform automation and GitHub Actions CICD pipelines
Implement DevSecOps best practices to harden pipelines, manage access controls, improve error handling, and minimize the blast radius of deployments, ensuring compliance is built into the pipeline
Establish security-focused housekeeping and hygiene plans for pipeline maintenance, API versioning, and credential management
Provide expert guidance on the security implications of migrating from Azure ARM/Jenkins to Terraform/GitHub Actions

Qualifications

Skills: GCP Cloud Security, PCI DSS Compliance, Workload Identity Federation, Terraform (IaC), DevSecOps, GCP IAM, VPC Service Controls, GCP Firewall Policies, Security Command Center (SCC), Cloud Armor, CICD Pipelines, Network Security, Documentation Skills

Required

7+ years of experience in a senior cloud security or cloud architect role
Google Cloud Certified: Professional Cloud Security Engineer or Professional Cloud Architect
Deep, hands-on expertise with core GCP security services: GCP IAM, VPC Service Controls, GCP Firewall Policies, Organization Policies, and Security Command Center (SCC) Premium
Demonstrable experience designing, implementing, and auditing controls for regulatory compliance frameworks, specifically PCI DSS, within a major cloud provider (GCP preferred)
Proven experience designing and implementing Workload Identity Federation, specifically for federating identities from Azure AD
Strong understanding of Terraform (IaC) and CICD pipelines (e.g., GitHub Actions, Jenkins) from a security (DevSecOps) perspective
Expertise in cloud-native network security, including CDE segmentation, VPC design, private interconnects, and WAFs (Cloud Armor)
Demonstrated ability to create high-quality TDDs and security policy documentation for compliance and audit purposes

Preferred

Experience in multi-cloud environments, especially with Azure security (Azure AD, ARM)
Familiarity with other consumer data privacy regulations (e.g., CCPA/CPRA, GDPR)
Hands-on experience with Google's Privileged Access Management (PAM) solutions

Company

Donyati

Donyati provides data analytics, enterprise performance management and ERP consulting services.

H1B Sponsorship

Donyati has a track record of offering H1B sponsorships. Please note that this does not guarantee sponsorship for this specific role. The information below is provided for reference. (Data Powered by US Department of Labor)
Distribution of Different Job Fields Receiving Sponsorship (chart; highlighted entries represent job fields similar to this job)
Trends of Total Sponsorships: 2025 (3), 2024 (11), 2023 (7), 2022 (8), 2021 (5), 2020 (7)

Funding

Current Stage
Growth Stage

Leadership Team

Moe Gohary
Founder & CEO
Company data provided by crunchbase