Description
Main tasks/activities:
- Understand all infrastructure as code (IaC) artefacts in Azure DevOps, with specific focus on Kubernetes, Kafka, Zookeeper, NoSQL (eg Couchbase)
- Secure the CI/CD process for IaC and Microservice (Spring Boot, Python) deployments
- Design and own the (policies for) our docker registry
- Implement and maintain in the pipelines the company wide scanning tools such as Aqua, NexusIQ, Qualys etc
- Implement and ensure Encryption at rest and in transit
- Design, implement and ensure best practices of AuthZ, eg via token rotation, for both human and non-human identities
- Design, implement and maintain secrets management
- Design and implement a security aspect for configuration management
- Work with developers to understand the security context of the apps and their interaction with Apache Kafka; the candidate will design and own the implementation of how Kafka will be secured
- Align with Automation lead on quality controls and continuous testing best practices especially including blue/green and canary
- Design and maintain the availability and stability of all long-living state (eg the event store)
- Secure the state against unauthorised access: design and implement the life cycle (non-prod vs prod) for data (incoming as Kafka messages using the event-carried state transfer paradigm)
- Consult with Automation lead on network layouts and negotiate with other network teams on integration/segregation topics
- Support and give guidance on the test driven development practices and the implementation thereof in the pipelines in a DevSecOps style (eg Chaos Monkey, auto-pen-test)
- Implement continuous improvements on governance aspects (eg Azure Policies)
- Efficiently leverage Azure services for addressing security concerns (eg WAF)
- Own the integration with Azure Active Directory and IAM
- Continuously work with the teams to improve all components as the use-cases grow more complex
- Own validity and applicability of libraries and licenses of all vendors (eg for Hashicorp Vault)
- Design observability (especially logging) concept and implement reactions to incidents
- Design High Availability and Disaster Recovery Strategies (incl multi zone deployments and consistency) in the context of event-sourcing with special focus on securing and protecting the event-store and guaranteeing replayability
- Design and maintain a holistic security concept for VMs, stateful apps, stateless apps, running on K8S or running as container instances
- Design and maintain holistically Monitoring and telemetry
- Design and take ownership of the security incident process
- Train other engineers
- Ensure compliance with the company wide digital governance framework, audit
- Documentation of all of the above (readme, wiki and JIRA)
Must have skills:
- Public Cloud relevant experience with practical implementation of the security standards: OWASP Top 10, ISO/IEC 27002, ISO/IEC 17788
- Expert Knowledge in zero trust networking and service meshes
- Expert Knowledge of AuthN concepts and techniques, eg RBAC, ABAC
- Expert Knowledge of AuthZ techniques and tools
- Strong and proven Automation experience with CI/CD in the public cloud using industry standards such as maven, gradle
- Expert Knowledge of git
- Knowledge of Kubernetes deployments (eg sidecar), container isolation, multi-tenancy and software defined networking
- Knowledge of static code scanning best practices
- Expert knowledge of Continuous Monitoring and usage of Telemetry
- Test driven development: understands semantics of unit tests and end to end integration tests and the imperative for continuous testing
- Worked with CI/CD for integration, migration and deployment: Experience in automated build, test & deploy with an explicit focus on state-management and state-handling
- Strong understanding of networks, especially how Layer 7 design needs to align with Layers 3-6 in the public cloud; expert knowledge of multi-cloud firewall design
- Excellent communication in English, written and spoken
- Delegation and (self-)management skills for working in a flat and distributed team
- Encryption tools and techniques
- Strong Experience with "Infrastructure as Code"
- Linux OS (alpine, Ubuntu, SLES) and Unix
- Knowledge of event-driven architecture and micro-services
Frameworks/Tools:
- Azure DevOps, Ansible, yaml-pipelines, Helm, build agents, Scripting (bash, python)
- Container-based (Docker/Kubernetes) orchestration
- High availability of stateful workloads using cloud-native techniques
- Can read code written in industry standard polyglot (Java/Spring/Python/JS)
- DB-queries (also NoSQL) eg Couchbase, SAP HANA, Postgres
- Cloud managed services (eg Blob Storage, databases, Insights, Security Center)
- Build and deployment tools such as Git, Gradle, Maven
- API Gateways, HTTPS, REST/ODATA/GraphQL/etc API-specs
- State-management eg Zookeeper, Schema Registry, Event Store
- Aqua, Qualys, DataDog, Grafana, Prometheus, Zeebe, Vault