Job Description
Job Title: Cloud Security & Compliance Engineer Architect (Azure)
Location: Oeiras, Lisbon, Portugal
Work Regime: Full-time & Hybrid (3x office per week)
Overview / Summary:
We are looking for a Cloud Security & Compliance Architect to join our team on a project in the banking sector. As a senior member of the Cloud CoE, you will own the security and compliance strategy for our partner's Microsoft Azure and Oracle Cloud Infrastructure (OCI) estates. You will translate the Azure & OCI Well-Architected Frameworks, the Azure Security Benchmark/Baseline, CIS Foundations Benchmark v2.0, NIST SP 800-190 container-security guidance, and other industry standards into practical, automated controls—designing, building and continuously improving the secure landing zones that power our business-critical workloads.
Responsibilities and Tasks:
* Propose the necessary improvements to increase the Security Score in Defender, and follow up on them with the various teams;
* Design secure multi-subscription / multi-tenant landing zones in Azure and OCI, aligned to the five Well-Architected pillars (Security, Reliability, Performance Efficiency, Operational Excellence, Cost);
* Drive container-security reference architectures (AKS, OKE, ACI, OCI Containers, Kubernetes on IaaS) that satisfy NIST SP 800-190 and NSA/CISA hardening guidance;
* Map regulatory and internal requirements to the Azure Security Benchmark/Baseline, CIS Azure/OCI 2.0 controls, PCI DSS, ISO 27001 and SOC 2;
* Build automated policy as code (Azure Policy, OCI Guardrails, Terraform Sentinel, OPA/Gatekeeper) to enforce guardrails and generate evidence for auditors;
* Develop and maintain IaC modules (Bicep/Terraform/OCI Resource Manager) with integrated security controls, reusable across product teams;
* Integrate static/dynamic IaC security scans (Azure Defender for Cloud, Oracle Guard, tfsec, Trivy, Dockle) and container image signing into the CI/CD pipeline (GitHub Actions/Azure DevOps/ArgoCD);
* Configure Azure Security Center/Defender, Microsoft Sentinel, and OCI Cloud Guard to detect, triage and respond to threats;
* Establish KPIs/KRIs and real-time dashboards for cloud posture, vulnerability debt and compliance drift;
* Act as a trusted advisor to engineering teams, running threat-model workshops, training on secure coding, and championing a "paved-road" DevSecOps culture;
* Evaluate emerging controls (Confidential Computing, SBOM, DICE-based attestation) and present recommendations to the Architecture Review Board.
Requirements
Mandatory Requirements:
* Hands-on experience in improving the Security Score in Defender, through configuring Microsoft Security tools (Microsoft Defender for Cloud CSPM/CWPP, Defender for Endpoint, Defender for Cloud Apps, Microsoft DLP, Microsoft for Identity);
* 5+ years in infrastructure or security engineering, with 5+ years focused on public cloud (Azure and/or OCI);
* Proven design and delivery of secure landing zones at scale, including micro-segmentation, identity & access boundary, logging pipeline, data-classification and encryption strategy;
* Deep knowledge of Azure Well-Architected Framework, Azure Security Benchmark/Baseline, CIS Foundations Benchmark v2.0 (Azure & OCI), NIST SP 800-190, NIST CSF/800-53, and MITRE ATT&CK cloud tactics;
* Hands-on mastery with Terraform/Bicep, Kubernetes security (RBAC, network policies, PodSecurity standards), container registry hardening and image-signing (Cosign/Notary v2);
* Experience integrating cloud workloads with SIEM/SOAR platforms (Sentinel, Splunk, QRadar), EDR and CSPM tools (Wiz, Prisma Cloud, Microsoft Defender CSPM);
* Scripting / coding proficiency (PowerShell, Python, Go or similar) for automation and custom control development;
* Certifications: AZ-305 / AZ-500, OCI Architect Professional, CCSP or CISSP-ISSAP (or equivalent demonstrable expertise);
* Preferably with Cloud Oracle knowledge;
* Portuguese C1; English B1.
Complementary Requirements:
* Experience with Confidential VMs/OCI Shielded Instances, Azure Arc/OCI Hybrid control plane, and Zero Trust reference implementations;
* Background in highly regulated sectors (financial services, life sciences, government);
* Contributions to open-source security tools or benchmarks (CIS community, open-policy-agent policies, etc.).
Benefits
Important:
* Our company does not sponsor work visas or work permits. All applicants must have the legal right to work in the country where the position is based.
* Only candidates who meet the required qualifications and match the profile requested by our clients will be contacted.
#VisionaryFuture - Build the future, join our living ecosystem