Cloud Security Engineer – SC Eligible – Government Projects at ByDesign Secure, London, £650 a day


Contract Description

This role is delivered within secure environments. Candidates must be eligible for UK SC and DV clearance and hold UK Citizenship.

Opening: Join the Mission

At ByDesign Secure, we believe that world-class security shouldn't be an afterthought—it should be the foundation. We are an independent, outputs-based consultancy dedicated to solving the most complex data assurance challenges in the UK public sector. Currently, we are working on a landmark transformation of a cross-government secure IT system. This is an exciting opportunity to help architect a private cloud environment from the ground up and modernize the end-user services that power national decision-making. We don't believe in "billing by the hour" or rigid hierarchies; we are a lean, expert team focused on delivering high-impact technical outcomes. If you are a self-starter who thrives on autonomy and wants to see your engineering or architectural decisions shape the future of sovereign security, we want to talk to you.

About the Opportunity

  • We are seeking a skilled Cloud Security Engineer to design and implement secure workloads within a Google Distributed Cloud (GDC) environment.
  • This role is ideal for a security professional with a strong GCP background (other CSP experience also considered) and an active Professional Cloud Security Engineer certification, as these competencies are directly transferable to managing security in air-gapped or edge configurations.
  • You will be responsible for ensuring security, rigour, and compliance within mission-critical government secure delivery.

What You’ll Be Doing

  • Identity & Access Management: Designing and managing complex identity architectures, including single sign-on (SSO) integration, multi-factor authentication (MFA), and the automated lifecycle management of privileged user accounts.
  • Authorisation & Resource Hierarchy: Defining granular resource hierarchies and implementing the principle of least privilege using advanced identity policies, conditions, and organizational constraints.
  • Boundary & Perimeter Protection: Configuring robust network defences, including next-generation firewalls, web application firewalls (WAF), and secure service perimeters to isolate sensitive workloads.
  • Data Protection & Encryption: Implementing discovery and redaction services for sensitive data (PII) and managing full-lifecycle encryption through hardware or software-based key management systems.
  • Securing the Software Supply Chain: Automating vulnerability scanning and policy enforcement within continuous integration and delivery (CI/CD) pipelines to ensure only authorised code is deployed.

Key Tools/Working Practices

  • Use GDC Console, gdcloud CLI, and kubectl to manage infrastructure, users, workloads, security policies, and platform resources across projects and clusters
  • Implement Terraform and Ansible with Git‑based workflows to deliver repeatable, version‑controlled infrastructure and configuration (GitOps), including Config Sync for consistent environments
  • Configure IAM, RBAC, service accounts, and identity provider integration to enforce least‑privilege access and secure authentication, with policy enforcement via OPA Gatekeeper
  • Define and secure network boundaries using project network policies (ingress/egress control) and manage encryption and trust with KMS and Certificate Authority services
  • Build and package applications using Docker and Helm, store images in Harbor, and integrate vulnerability scanning (e.g. Trivy) to detect and remediate issues before deployment
  • Test and interact with APIs using curl/REST tools and develop AI capabilities using Vertex AI libraries and notebook environments (e.g. JupyterLab)
  • Monitor and troubleshoot using Grafana, Prometheus, and Loki for metrics and logs, with audit logging and SIEM integration for security and compliance
  • Configure alerting for failures, anomalies, and SLO breaches, and implement backup and restore processes for resilience and disaster recovery
  • Use platform documentation and support channels to validate configurations, follow operational procedures, and resolve issues

What You’ll Bring

  • Demonstrable experience as a practising Security Engineer, with the ability to transition cloud-native security best practices to a distributed/edge platform.
  • Deep proficiency in configuring network security defences, threat monitoring, and regulatory compliance controls.

Bonus Points For

  • Current, non-expired Professional Cloud Security Engineer certification.
  • Experience operating within or alongside classified UK Government secure environments (e.g., SECRET or above).
  • Familiarity with GDS Service Standards or equivalent public sector delivery frameworks.
  • Experience working in air-gapped or disconnected environments with little or no internet connectivity.

Clearance Requirements:

  • This role requires either an existing Security Clearance (SC level) or one to be passed before commencement. Candidates must be willing to undergo Developed Vetting (DV).

Work Location: Hybrid remote in London

Job Types: Temporary, Fixed term contract (Outside of IR35)


Pay: £650.00 per day

Application question(s):

  • Do you currently hold active UK SC clearance?
  • Do you hold UK nationality? (Required due to client security restrictions)
  • Are you eligible and willing to undergo UK SC/DV clearance for this role? (Applications without this cannot be considered)
  • Does your delivery approach allow for on-site presence in London when required (typically around 3 days per week)?
