Principal CPE Engineer GCP

Mozn

About The Role

We are looking for an experienced and hands-on Principal GCP Engineer to design, build, and secure Google Cloud Platform environments across multiple business lines. In this role, you will lead initiatives to implement Just-In-Time (JIT) access, enforce strong Identity and Access Management (IAM) controls, ensure separation of duties between authentication and authorization, deliver advanced network and network security architectures including secure connectivity to on-premises environments, implement Web Application Firewall (WAF) solutions, and manage secure migrations of workloads into GCP. Over time, you will expand your expertise to support other cloud platforms and containerized services such as Kubernetes to enable secure multi-cloud and modern application delivery. Your work will ensure that our cloud environments remain secure, compliant, and scalable, supporting critical services while enabling innovation.

What Youll Do

GCP Architecture, Networking & Engineering

• Design, implement, and manage secure, scalable GCP environments for multiple business lines with compliance and security boundaries.
• Architect network segmentation, private connectivity, hybrid connectivity to on-premises (e.g., Cloud Interconnect, VPN), and service perimeters to enforce least privilege and data protection.
• Implement advanced network security controls, including firewall rules, DDoS protection, intrusion detection/prevention, secure routing, and WAF policy enforcement.
  
  

Identity & Access Management (IAM), JIT Access & Separation of Duties

• Build and maintain robust IAM strategies, including fine-grained roles, service accounts, and workload identities.
• Implement and manage Just-In-Time (JIT) access models using GCP-native tools (e.g., Access Context Manager, IAM Conditions) or third-party solutions.
• Enforce clear separation of authentication (identity verification) and authorization (permissions and entitlements) to minimize insider and systemic risk.
  
  

Secure Migrations

• Lead migration of workloads from on-premises or other clouds to GCP, ensuring encryption, identity mapping, and compliance validation.
• Conduct pre- and post-migration reviews to ensure security and operational readiness.
  
  

Multi-Business Line Enablement

• Design GCP organization resource hierarchies, access controls, and network architectures to support isolated workloads for different business units.
• Implement organization policies to enforce consistent security baselines across all projects and folders.
  
  

Automation & Infrastructure as Code

• Develop and maintain Terraform modules or Deployment Manager templates for repeatable, secure deployments.
• Automate compliance checks, security guardrails, and access provisioning.
  
  

Security & Monitoring

• Integrate GCP-native security services (Security Command Center, Cloud Armor, IAM Recommender) into operational workflows.
• Implement and manage WAF solutions to protect applications from common and emerging web threats.
• Collaborate with MSSP or internal SOC teams to ensure log coverage, detection capabilities, and incident readiness.
  
  

Collaboration & Mentorship

• Partner with engineering and application teams to enable secure-by-design cloud adoption.
• Mentor cloud engineers on GCP security, IAM, networking, migration best practices, WAF management, and future multi-cloud and Kubernetes adoption.
  
  

Qualifications

Education

• Bachelor s degree in Computer Science, Engineering, or related field (or equivalent experience).
  
  

Experience

• 10+ years in cloud engineering, with at least 5+ years of hands-on GCP architecture and implementation.
• Proven expertise in GCP IAM, including custom roles, service accounts, and policy troubleshooting.
• Experience implementing JIT access workflows for production and sensitive systems.
• Experience designing and enforcing separation of authentication and authorization in cloud access control.
• Demonstrated ability to design and implement advanced networking and network security solutions, including hybrid connectivity to on-premises.
• Hands-on expertise in implementing and managing WAF solutions.
• Demonstrated ability to manage secure environments for multiple business lines in a single GCP organization.
• Hands-on experience with secure workload migrations to GCP.
• Willingness and capability to expand into multi-cloud and Kubernetes environments.
  
  

Technical Skills:

• Expert-level knowledge of GCP networking (VPC, Shared VPC, Cloud Interconnect, VPN, firewall rules, private service connect, service perimeters).
• Expertise in WAF policy creation, tuning, and integration with GCP and hybrid application stacks.
• Proficiency with Terraform and automation scripting (Python, Bash, Go).
• Familiarity with GCP security tools (Security Command Center, Cloud Armor, IAM Recommender).
• Understanding of compliance frameworks (PCI-DSS, ISO 27001, SOC 2, NIST) in financial or regulated industries.
• Knowledge of Kubernetes security concepts and containerized workload protection.
  
  

Soft Skills:

• Strong communication, stakeholder management, and problem-solving abilities.
  
  

Preferred Qualifications:

• GCP Professional Cloud Architect or Professional Cloud Security Engineer certification.
• Experience with BeyondCorp Enterprise or Access Context Manager for Zero Trust architectures.
• Exposure to MSSP oversight, including detection capability testing and SLA verification.
• Experience integrating GCP identity with Keycloak, Azure AD, or Okta.
• Knowledge of hybrid and multi-cloud security architectures.
• Experience in securing Kubernetes workloads and service meshes.