Senior Cloud Security Engineer

The Team:

Within our InfoSec organization, Our global security engineering team is responsible for designing, building, and enhancing the underlying security components that help with securing the Celonis Application and Platforms stacks. We think about both offensively and defensively. We continuously monitor our global security posture and are always adapting to the ever-changing threat landscape. The security engineering team is always looking for talented subject matter experts in application, platform and offensive security.

The Role:

The Senior Cloud Security Engineer is a hands-on technical role focused on safeguarding Celonis’ cloud infrastructure across AWS, Azure, and GCP. In this role, you will design and implement cutting-edge security measures to protect a large-scale SaaS platform. You’ll collaborate with cross-functional teams to ensure security is embedded in our cloud services and automate security processes for efficiency and consistency. This role is ideal for a seasoned security engineer who enjoys solving complex cloud security challenges and wants to have a direct impact on the security posture of a fast-growing tech company.

The work you’ll do:

• Cloud Security Implementation: Implement and uphold cloud security best practices across multi-cloud environments. Harden our cloud infrastructure by leveraging native security features (e.g., AWS IAM & KMS, Azure AD & Key Vault, GCP IAM & KMS) and ensuring proper configuration of network controls, encryption, and logging.
• Infrastructure & Kubernetes Security: Secure Celonis’ use of containerized applications and Kubernetes (EKS, AKS, GKE). This includes setting up container image scanning, enforcing Kubernetes security policies, managing secrets and certificates, and working with engineering teams to ensure microservices follow security guidelines.
• Automation & Tooling: Develop and maintain automation scripts and Infrastructure-as-Code (Terraform, CloudFormation) to embed security into the deployment pipeline. Automate repetitive security tasks (such as provisioning secure configurations, patch management, and compliance checks) to improve efficiency and consistency.
• Security Monitoring & Response: Enhance cloud security monitoring by tuning and extending CSPM tools and cloud-native monitoring (CloudTrail, GuardDuty, Azure Security Center, etc.). Identify potential vulnerabilities or misconfigurations proactively and work on fixes. Assist in investigating security alerts or incidents related to cloud infrastructure and coordinate remediation efforts.
• Identity and Access Management: Continuously improve cloud IAM configurations to enforce least-privilege access. Manage roles, policies, and access keys across the organization’s cloud accounts. Implement solutions like Teleport to strengthen access controls for engineers and applications accessing sensitive cloud resources.
• Vulnerability Management: Work with vulnerability scanning tools (such as Tenable Nessus/Tenable.io) to regularly scan cloud assets and container images.
• Collaboration & Guidance: Serve as a security subject matter expert for cloud projects. Collaborate with developers, DevOps, and SRE teams to advise on secure architecture and coding practices. Contribute to threat modeling exercises and review new features/infrastructure for potential security risks before deployment.

Required Qualifications:

• Proven Cloud Security Expertise: 5+ years of hands-on experience in security engineering with a strong focus on cloud (AWS, Azure, and GCP). Deep understanding of cloud architecture and services, and proven experience implementing security controls in a production cloud environment.
• Kubernetes & Container Security: Strong experience securing containerized applications and Kubernetes clusters. Familiarity with tools and practices for container security (image vulnerability scanning, runtime security, Kubernetes network policies, service mesh security).
• Automation Skills: Proficiency in Infrastructure-as-Code and scripting. Demonstrated ability to use Terraform, CloudFormation or similar to deploy secure configurations, and to write scripts in Python, Go, or Bash to automate security workflows. You should be able to build tools or integrations that reduce manual effort and human error.
• Cloud Security Posture Management: Hands-on experience with Cloud Security Posture Management (CSPM) solutions or implementing automated checks for cloud compliance. Ability to identify misconfigurations and weaknesses in cloud setups and remediate them (for example, S3 bucket policies, public exposure of resources, etc.).
• Identity & Access Management: In-depth understanding of cloud IAM and access control mechanisms. Experience designing role-based access schemes, managing federated identities (SAML/OIDC), and implementing principles of least privilege across multiple cloud accounts and services.
• Vulnerability & Threat Management: Experience with vulnerability scanning tools (e.g., Tenable, Qualys) and interpreting their output. Knowledge of common cloud threats and vulnerabilities (OWASP Cloud Top 10, CIS benchmarks) and experience in remediating them.
• Real-World Impact: A track record of securing real cloud deployments and solving security incidents or challenges in production. We value hands-on problem-solving skills and achievements—being able to point to projects and outcomes where you made a difference in security. (Formal degrees or certifications are less important than your proven ability to do the job.)

Preferred Qualifications:

• Teleport & Advanced Tools: Experience with Teleport or similar identity-based access proxies for infrastructure is a strong plus, as is familiarity with the Tenable suite or other vulnerability management platforms. Comfort with other security tools (SIEM, IDS/IPS, container security platforms like Aqua or Prisma Cloud) is beneficial.
• DevSecOps Mindset: Working knowledge of CI/CD pipelines and how to integrate security testing into them (e.g., integrating SAST/DAST, secret scanning in pipelines). Ability to work in an Agile environment and partner with development teams using a DevSecOps approach.
• SaaS Security Challenges: Prior experience in a SaaS or cloud-native product company. Understanding the security considerations of multi-tenant architectures, data privacy, and scaling security solutions in a customer-facing cloud service.
• Continuous Learning & Innovation: Passion for staying up-to-date with the latest cloud security threats, tools, and best practices. Participation in security conferences, certifications like AWS/Azure Security Specialty, or contributions to open source security projects are a plus (though we prioritize practical knowledge over credentials).
• Collaborative Communication: Excellent communication skills to articulate complex security issues to both technical and non-technical colleagues. Experience writing security documentation or standard operating procedures, and fostering a culture of security awareness within teams.

Visa sponsorship is not offered for this role.