  • Posted 5 hours ago

Job Description

About the Role

We're seeking a hands-on engineer with proven experience in cloud infrastructure, network security/firewall configuration, a practical understanding of SAP landscapes, and Privileged Access Management (PAM) operations. You will design, secure, and optimize hybrid environments, enforce least-privilege across critical systems, and support SAP availability, performance, and compliance requirements.

Key Responsibilities

Cloud Infrastructure (AWS/Azure/GCP)

  • Design, deploy, and maintain cloud landing zones using IaC (Terraform/CloudFormation/Bicep) and CI/CD pipelines.
  • Implement network segmentation (VPC/VNet), routing, security groups/NSGs, and hybrid connectivity (VPN/ExpressRoute/Direct Connect).
  • Monitor and optimize performance, cost, and reliability; apply autoscaling, backup/restore, DR strategies, and patching baselines.
  • Enforce cloud security best practices (identity, key management, encryption at rest/in transit, logging/monitoring).

Firewall & Network Security

  • Configure, harden, and maintain enterprise firewalls (e.g., Palo Alto, Fortinet, Check Point) including policies, NAT, routing, zones, and objects.
  • Implement content inspection (App-ID, IPS/IDS), SSL decryption where appropriate, and micro-segmentation.
  • Conduct rule reviews, cleanup, and change management aligned to least-privilege; respond to and remediate security incidents.
  • Integrate firewalls with SIEM/SOAR for monitoring and automated response.

SAP (Basis & Infrastructure Perspective)

  • Support the SAP system landscape (DEV/QA/PRD) from the infrastructure side: sizing, OS/DB basics, HA/DR, backups, and performance troubleshooting.
  • Coordinate with SAP Basis/application teams on transport strategy, interface connectivity, and secure network paths to SAP services.
  • Implement and validate SAP-specific network and identity controls (e.g., secure RFCs, SNC, SAPRouter hardening, certificate management).
  • Ensure infrastructure changes do not impact SAP SLAs; participate in cutovers and maintenance windows.

Privileged Access Management (PAM)

  • Deploy and administer PAM solutions (e.g., CyberArk, BeyondTrust, Delinea), vaulting privileged credentials, onboarding target systems, and managing session recording.
  • Implement least-privilege policies, JIT access, MFA/strong authentication, and periodic access reviews with audit-ready evidence.
  • Integrate PAM with directories/IDP and critical platforms (firewalls, servers, databases, SAP).
  • Monitor PAM logs/alerts, remediate misconfigurations, and run continuous improvement cycles.

Governance, Risk & Compliance

  • Document architectures, runbooks, and standard operating procedures.
  • Maintain compliance with internal policies and external frameworks (e.g., ISO 27001, NIST CSF, SOC 2); support audits with evidence.
  • Participate in security assessments, threat modeling, and incident response drills.
  • Drive continuous improvement: automation, standardization, and measurable risk reduction.

Required Qualifications

  • Experience: 5+ years in cloud infrastructure & network security, including hands-on firewall configuration; exposure to SAP landscapes; operational experience with a PAM tool.
  • Technical Skills:
      • Cloud: VPC/VNet, IAM, KMS, security groups/NSGs, load balancers, autoscaling, backup/DR, IaC (Terraform/CloudFormation/Bicep), CI/CD.
      • Network/Firewall: L3/L4/L7 policy design, NAT, routing, VPN, site-to-site, SSL decryption, IPS/IDS, log forwarding/SIEM.
      • SAP: Basic Basis/infrastructure understanding (S/4HANA or ECC), SAPRouter/SNC, OS/DB fundamentals, HA/DR, performance troubleshooting.
      • PAM: Vaulting, policy setup, session management/recording, onboarding systems, access reviews, integrations with AD/IDP.
      • Scripting/Automation: Python/PowerShell/Bash for ops automation and API integrations.
  • Methodologies: Change management, incident/problem management (ITIL concepts), RBAC/least-privilege.
  • Soft Skills: Clear communication, documentation, stakeholder engagement, and on-call readiness.

Preferred/Nice-to-Have

  • Certifications: AWS/Azure/Professional; Palo Alto PCNSA/PCNSE; Fortinet NSE; CyberArk Trustee/Defender; SAP Technology Associate; ISO 27001 Lead Implementer/Auditor.
  • Experience with Kubernetes, container security, WAF, Web gateways, ZTNA/SASE.
  • Familiarity with SIEM (e.g., Splunk, Sentinel), vulnerability management (Qualys/Nessus), and EDR/XDR.
  • Experience with regulatory requirements in [your region], and audit support.

Key Competencies

  • Security-by-design mindset; strong troubleshooting and root-cause analysis.
  • Structured documentation and runbook creation; change control discipline.
  • Cross-functional collaboration with application, security, and infrastructure teams.
  • Ownership and accountability for uptime, performance, and security outcomes.

Performance Indicators (KPIs)

  • Firewall rule hygiene (e.g., reduction in overly-permissive rules by X%).
  • Mean time to detect/respond (MTTD/MTTR) for infra/security incidents.
  • PAM onboarding coverage (percent of privileged accounts/systems vaulted).
  • SAP infra change success rate and SLA adherence.
  • Cost optimization and reliability metrics in cloud (e.g., rightsizing savings, backup/DR test success).
  • Audit readiness: evidence quality and number of nonconformities.

Job ID: 145567653
