This role is delivered within secure environments. Candidates must be eligible for UK SC and DV clearance and hold UK Citizenship.
Opening: Join the Mission
At ByDesign Secure, we believe that world-class security shouldn't be an afterthought—it should be the foundation. We are an independent, outputs-based consultancy dedicated to solving the most complex data assurance challenges in the UK public sector. Currently, we are working on a landmark transformation of a cross-government secure IT system. This is an exciting opportunity to help architect a private cloud environment from the ground up and modernize the end-user services that power national decision-making. We don't believe in "billing by the hour" or rigid hierarchies; we are a lean, expert team focused on delivering high-impact technical outcomes. If you are a self-starter who thrives on autonomy and wants to see your engineering or architectural decisions shape the future of sovereign security, we want to talk to you.
About the Opportunity
- We are seeking a skilled Cloud Security Engineer to design and implement secure workloads within a Google Distributed Cloud (GDC) environment.
- This role is ideal for a security professional with a strong GCP background (other CSP experience will also be considered) and an active Professional Cloud Security Engineer certification, as these competencies are directly transferable to managing security in air-gapped or edge configurations.
- You will be responsible for ensuring security, rigour, and compliance within mission-critical government secure delivery.
What You’ll Be Doing
- Identity & Access Management: Designing and managing complex identity architectures, including single sign-on (SSO) integration, multi-factor authentication (MFA), and the automated lifecycle management of privileged user accounts.
- Authorisation & Resource Hierarchy: Defining granular resource hierarchies and implementing the principle of least privilege using advanced identity policies, conditions, and organizational constraints.
- Boundary & Perimeter Protection: Configuring robust network defences, including next-generation firewalls, web application firewalls (WAF), and secure service perimeters to isolate sensitive workloads.
- Data Protection & Encryption: Implementing discovery and redaction services for sensitive data (PII) and managing full-lifecycle encryption through hardware or software-based key management systems.
- Securing the Software Supply Chain: Automating vulnerability scanning and policy enforcement within continuous integration and delivery (CI/CD) pipelines to ensure only authorised code is deployed.
Key Tools/Working practices
- Use GDC Console, gdcloud CLI, and kubectl to manage infrastructure, users, workloads, security policies, and platform resources across projects and clusters
- Implement Terraform and Ansible with Git‑based workflows to deliver repeatable, version‑controlled infrastructure and configuration (GitOps), including Config Sync for consistent environments
- Configure IAM, RBAC, service accounts, and identity provider integration to enforce least‑privilege access and secure authentication, with policy enforcement via OPA Gatekeeper
- Define and secure network boundaries using project network policies (ingress/egress control) and manage encryption and trust with KMS and Certificate Authority services
- Build and package applications using Docker and Helm, store images in Harbor, and integrate vulnerability scanning (e.g. Trivy) to detect and remediate issues before deployment
- Test and interact with APIs using curl/REST tools and develop AI capabilities using Vertex AI libraries and notebook environments (e.g. JupyterLab)
- Monitor and troubleshoot using Grafana, Prometheus, and Loki for metrics and logs, with audit logging and SIEM integration for security and compliance
- Configure alerting for failures, anomalies, and SLO breaches, and implement backup and restore processes for resilience and disaster recovery
- Use platform documentation and support channels to validate configurations, follow operational procedures, and resolve issues
What You’ll Bring
- Demonstrable experience as a practicing Security Engineer, with the ability to transition cloud-native security best practices to a distributed/edge platform.
- Deep proficiency in configuring network security defences, threat monitoring, and regulatory compliance controls.
Bonus Points For
- Current, non-expired Professional Cloud Security Engineer certification.
- Experience operating within or alongside classified UK Government secure environments (e.g., SECRET or above).
- Familiarity with GDS Service Standards or equivalent public sector delivery frameworks.
- Experience working in air-gapped or disconnected environments with little or no internet connectivity.
Clearance Requirements:
- This role requires an existing Security Clearance (SC level), or one must be obtained before commencement. There must be a willingness to undergo Developed Vetting (DV).
Work Location: Hybrid remote in London
Job Types: Temporary, Fixed term contract (Outside of IR35)
Pay: £650.00 per day
Application question(s):
- Do you currently hold active UK SC clearance?
- Do you hold UK nationality? (Required due to client security restrictions)
- Are you eligible and willing to undergo UK SC/DV clearance for this role? (Applications without this cannot be considered)
- Does your delivery approach allow for on-site presence in London when required (typically around 3 days per week)?