Cloud Security Engineer in Salford

Finova is the UK’s largest financial services technology provider, supporting one in every five mortgages nationwide. Our agile, cloud-native solutions enable over 60 banks, building societies, specialist lenders, equity release providers and a network of 2,400+ brokers to stay ahead in a competitive market. Built on open architecture and backed by deep industry expertise, our platform is designed to scale. Each year, we process over £50 billion in loans, manage nearly £50 billion in savings, and support the digital servicing of more than 650,000 UK borrower accounts. Be part of a team that’s driving innovation, enabling growth and shaping the future of UK lending.

About the Role

We’re looking for a Cloud Security Engineer to own the security posture of our multi-cloud SaaS fintech platform across AWS, Azure, and GCP. This is a hands‑on, hybrid role. You’ll find yourself reviewing a Terraform pull request before stand‑up, tuning CSPM rules at midday, and tracing a misconfigured storage bucket across three accounts before the end of the day.

About you

Must-Have Experience

• Professional Experience: 4–6 years in cloud security, security engineering, or security-focused platform engineering, with hands‑on production experience in regulated environments.
• Multi-Cloud Mastery: Hands‑on experience securing at least two of AWS, Azure, and GCP in production, and working familiarity with all three.
• Infrastructure-as-Code: Deep experience with IaC security, primarily utilizing Terraform, plus at least one of Bicep, ARM, CloudFormation, or Pulumi, alongside their associated policy-as-code tooling.
• Cloud-Native Security Services: Practical knowledge of tools like Defender for Cloud, AWS Security Hub / GuardDuty / Macie / Inspector, and GCP Security Command Center / Chronicle—including their failure modes, not just their marketing.
• Container Security: Practical experience with Kubernetes security (admission control, pod security, network policy, service mesh) and container supply‑chain security (image signing, SBOMs, SLSA).
• Guardrails as Code: Experience defining and operating cloud guardrails as code (AWS SCPs, Azure Policy, GCP Org Policies), including safe rollout strategies that avoid production disruption.
• Network & Core Security: Solid understanding of cloud network security patterns (VPC/VNet design, private connectivity, egress filtering, DNS security) and secrets management (KMS, Key Vault, Secrets Manager, HashiCorp Vault).
• SecOps & Multi-Tenancy: Familiarity with cloud detection engineering (CloudTrail, Activity/Audit Logs) and an understanding of how cloud-layer choices (account structure, networking, KMS keys, storage layout) dictate real SaaS tenant isolation.
• Consultative Delivery: Experience working as a delivery engineer or consultant for a vendor or consultancy.
• Communication: Clear communicator capable of explaining a cloud risk to a developer, a CFO, and an auditor—adjusting technical depth and language appropriately without compromising facts.

Nice-to-Have Experience

• Experience working within fintech, payments, banking, or insurance environments.
• Hands‑on experience securing AI/ML cloud infrastructure (training clusters, GPU workloads, vector databases, model registries).
• Experience with CNAPP / CIEM platforms (Wiz, Prisma Cloud, Orca, Microsoft Defender CNAPP, etc.) and an understanding of their trade‑offs.
• Familiarity with eBPF-based runtime security tooling (Falco, Tetragon, or commercial equivalents).
• Experience with FedRAMP, ISO 27001, or other formal compliance regimes beyond SOC 2 / PCI-DSS.
• Relevant industry certifications: AWS Security Specialty, AZ-500, GCP Professional Cloud Security Engineer, CCSP, CKS, or CISSP.
• Strong scripting skills (Python, PowerShell, Go) for automation, custom tooling, and detection engineering.
• Background in offensive cloud security, known cloud attack patterns, red team experience, or contributions to cloud security research.

What will you be doing?

1. Multi-Cloud Posture & CSPM
   • Tooling & Baselines: Own and tune CSPM tooling across AWS, Azure, and GCP to ensure continuous drift detection and accurate, prioritized findings aligned with CIS Benchmarks.
   • Remediation & Inventory: Partner with platform teams to fix underlying misconfiguration patterns and template defaults; maintain a real‑time, accurate cloud asset inventory.
2. Infrastructure-as-Code (IaC) Security & Shift-Left
   • Pipeline Integration: Embed security scanners (Checkov, tfsec, KICS) into IaC pipelines and build secure‑by‑default, reusable infrastructure modules.
   • Guardrails & Design: Define production‑grade guardrails as code (SCPs, Azure/GCP Policies) and partner early with developers/SREs to architect secure cloud environments.
3. Network, Workload Security & Data Protection
   • Network & Edge: Design secure multi‑cloud architectures utilizing private connectivity, segmentation, and edge protection (WAF, DDoS).
   • Containers & Serverless: Harden Kubernetes, container supply chains, and serverless workloads from admission to runtime using policy engines, scanning, and strict event/permission controls.
   • Data & Secrets: Enforce cross‑cloud encryption, key management (KMS/BYOK), and hardened secrets infrastructure (Vault) with automated rotation and access logging.
   • Standards: Establish cryptographic baselines and implement continuous discovery controls to detect public exposure and sensitive data leaks.
4. Detection, Response & Cloud SecOps
   • Detection Engineering: Build and tune detections using cloud audit logs and runtime telemetry integrated directly with the SIEM.
   • Incident Response: Own the cloud IR lifecycle—from writing runbooks and running live tablestops to leading active containment, eviction, and root‑cause analysis.
5. AI & ML Infrastructure Security
   • Asset Hardening: Define the cloud security model for AI/ML pipelines, inventorying assets and hardening GPU/compute paths.
   • Isolation & Standards: Design strict multi-tenant isolation for training data and embeddings while translating emerging AI frameworks (NIST AI RMF) into engineering standards.
6. Compliance, Evidence & Enablement
   • Continuous Compliance: Automate continuous evidence collection for SOC 2 Type II and PCI‑DSS to streamline audits and customer reviews.
   • Engineering Enablement: Provide clear standards, office hours, and deep cloud expertise (e.g., IMDS, SSRF mitigation) to help engineering teams safely self‑serve.

What We Offer

• Hybrid working: Work in a hybrid way that suits you. Our model is primarily office-based, with flexibility to work remotely as needed.
• Private medical insurance: Comprehensive health cover, with the option to add your family to your plan.
• Life assurance & income protection: We provide life assurance and income protection to give you peace of mind for the future.
• Family friendly policies: Our enhanced family‑friendly policy goes beyond maternity and paternity leave.
• Work from anywhere: With approval, Finova employees can work abroad for up to 4 weeks each year.
• Flexible holiday package: Enjoy 25 days paid holiday allowance, plus all public holidays.
• Company pension scheme: With salary exchange, you save on tax and can build a secure future.
• Employee assistance programme: Access to a 24/7 confidential counselling helpline.
• Electric car scheme: Get a brand‑new electric vehicle with salary sacrifice as a benefit.
• Health cash plan: Provides reimbursement for everyday healthcare costs.
• Gym discounts: Achieve your fitness goals for less with GymFlex.
• Perks that matter: Fully stocked pantry of fresh fruit and snacks and weekly socials and events.

Equal Opportunity Statement

We value diversity and are committed to creating an inclusive environment for all employees. If you’re passionate about this role but don’t meet all the criteria, please reach out, we’d love to discuss how your skills and experiences align with our needs.