Cloud Security & Compliance Engineer Architect
Job Title: Cloud Security & Compliance Engineer Architect (Azure)
Location: Oeiras, Lisbon, Portugal
Work Regime: Full-time & Hybrid (3x office per week)
Overview / Summary
We are looking for a Cloud Security & Compliance Architect to join our team, in a project from the banking sector. As a senior member of the Cloud CoE, you will own the security and compliance strategy for our partner's Microsoft Azure and Oracle Cloud Infrastructure (OCI) estates. You will translate the Azure & OCI Well-Architected Frameworks, the Azure Security Benchmark/Baseline, CIS Foundations Benchmark v2.0, NIST SP 800-190 security guidance, and other industry standards into practical, automated controls, designing, building and continuously improving the secure landing zones that power our business‑critical workloads.
Responsibilities and Tasks
- Propose the necessary improvements to increase the Security Score in Defender, and follow up on them with the various teams.
- Design secure subscription / tenant landing zones in Azure and OCI, aligned to the five Well‑Architected pillars (Security, Reliability, Performance Efficiency, Operational Excellence, Cost).
- Drive container‑security reference architectures (AKS, OKE, ACI, OCI Containers, Kubernetes on IaaS) that satisfy NIST SP 800-190 and NSA/CISA hardening guidance.
- Map regulatory and internal requirements to the Azure Security Benchmark/Baseline, CIS Azure/OCI 2.0 controls, PCI DSS, ISO 27001 and SOC 2.
- Build automated policy as code (Azure Policy, OCI Guardrails, Terraform Sentinel, OPA/Gatekeeper) to enforce guardrails and generate evidence for auditors.
- Develop and maintain IaC modules (Bicep/Terraform/OCI Resource Manager) with integrated security controls, reusable across product teams.
- Integrate static/dynamic IaC security scans (Azure Defender for cloud, Oracle Guard, tfsec, Trivy, Dockle) and container image signing into the CI/CD pipeline (GitHub Actions/Azure DevOps/ArgoCD).
- Configure Azure Security Center/Defender, Microsoft Sentinel, and OCI Cloud Guard to detect, triage and respond to threats.
- Establish KPIs/KRIs and real‑time dashboards for cloud posture, vulnerability debt and compliance drift.
- Act as a trusted advisor to engineering teams, running threat‑model workshops, training on secure coding, and championing a “paved‑road” DevSecOps culture.
- Evaluate emerging controls (Confidential Computing, SBOM, DICE‑based attestation) and present recommendations to the Architecture Review Board.
Requirements
Mandatory Requirements
- Hands‑on experience in improving the Security Score in Defender, through configuring Microsoft Security tools (Microsoft Defender for Cloud CSPM/CWPP, Defender for Endpoint, Defender for Cloud Apps, Microsoft DLP, Microsoft for Identity).
- 5+ years in infrastructure or security engineering, with 5+ years focused on public cloud (Azure and/or OCI).
- Proven design and delivery of secure landing zones at scale, including micro‑segmentation, identity & access boundary, logging pipeline, data‑classification and encryption strategy.
- Deep knowledge of Azure Well‑Architected Framework, Azure Security Benchmark/Baseline, CIS Foundations Benchmark v2.0 (Azure & OCI), NIST SP 800-190, NIST CSF/800-53, and MITRE ATT&CK cloud tactics.
- Hands‑on mastery with Terraform/Bicep, Kubernetes security (RBAC, network policies, Pod Security standards), container registry hardening and image‑signing (Cosign/Notary v2).
- Experience integrating cloud workloads with SIEM/SOAR platforms (Sentinel, Splunk, QRadar), EDR and CSPM tools (Wiz, Prisma Cloud, Microsoft Defender CSPM).
- Scripting / coding proficiency (PowerShell, Python, Go or similar) for automation and custom control development.
- Certifications: AZ-305 / AZ-500, OCI Architect Professional, CCSP or CISSP‑ISSAP (or equivalent demonstrable expertise).
- Preferably with Cloud Oracle knowledge.
- Portuguese C1; English B1.
Complementary Requirements
- Experience with Confidential VMs/OCI Shielded Instances, Azure Arc/OCI Hybrid control plane, and Zero Trust reference implementations.
- Background in highly regulated sectors (financial services, life sciences, government).
- Contributions to open‑source security tools or benchmarks (CIS community, open‑policy‑agent policies, etc.).
Benefits
- Our company does not sponsor work visas or work permits. All applicants must have the legal right to work in the country where the position is based.
- Only candidates who meet the required qualifications and match the profile requested by our clients will be contacted.
Detailed information about the job offer
Company: LUZA Group
Location: Oeiras, Lisbon District, Portugal
Published: 24.11.2025