Azure DevSecOps Engineer

Newpage Solutions is a global digital health innovation company helping people live longer, healthier lives. We partner with life sciences organizations—including pharmaceutical, biotech, and healthcare leaders—to build transformative AI and data-driven technologies addressing real-world health challenges. From strategy and research to UX design and agile development, we deliver and validate impactful solutions using lean, human-centered practices.

Newpage is hiring a Staff DevSecOps Engineer to lead the security engineering posture of a strategic engagement with a global top-tier pharmaceutical company. As the technical anchor for the account, you will define how secure software is built, shipped, and operated across the client's cloud estate — spanning AWS, Azure, and GCP workloads — from research and clinical data platforms through to commercial and supply-chain systems.

You will partner closely with the client's CISO organization, cloud platform team, application teams, and quality and compliance functions to embed security as code into every pipeline. This is a hands-on principal-level role for someone who thrives at the intersection of cloud-native engineering, regulatory rigor, and developer experience.

• Define and own the DevSecOps reference architecture across the client's cloud estate — landing zones, account/subscription vending, identity, secrets, network segmentation, and workload isolation patterns — applied consistently whether on AWS (preferred), Azure, or GCP.
• Set the multi-year roadmap for shift-left security, supply-chain integrity, runtime protection, and continuous compliance evidence collection across regulated and non-regulated workloads.
• Translate regulatory intent into engineering requirements that teams can implement.
• Raise the bar on secure coding, threat modeling, and incident response across the account.

Engineer Security Into the Cloud Estate:

• Design and operate hardened, multi-account or multi-subscription landing zones — AWS Control Tower / Organizations / SCPs / Identity Center (preferred), Azure Landing Zones / Management Groups / Policy, or GCP Organization Policy / Folders — with guardrails enforced as code.
• Build paved-road CI/CD pipelines (GitHub Actions, GitLab CI, AWS CodePipeline, Azure DevOps, or Jenkins) with integrated SAST, DAST, SCA, secrets scanning, IaC scanning, container scanning, and SBOM generation.
• Implement policy-as-code using OPA/Rego, Checkov, and cloud-native equivalents (AWS Config Rules / CloudFormation Guard, Azure Policy, GCP Organization Policy).
• Operationalize cloud-native security services end-to-end — AWS GuardDuty / Security Hub / Macie / Inspector / IAM Access Analyzer / KMS / Secrets Manager / WAF (primary), with working knowledge of Microsoft Defender for Cloud / Sentinel and GCP Security Command Center.
• Engineer controls that satisfy GxP, 21 CFR Part 11, Annex 11, HIPAA, GDPR, and the client's global information security standards — without slowing delivery teams down.
• Design continuous compliance evidence pipelines that auto-generate audit artifacts for FDA, EMA, and internal QA inspections, replacing manual screenshotting and ticket-based attestations.
• Partner with Computer System Validation (CSV) and Computer Software Assurance (CSA) teams to align DevSecOps tooling with validated-state expectations for clinical, manufacturing, and pharmacovigilance systems.
• Champion data protection for sensitive scientific IP, clinical trial data, and patient-adjacent datasets — tokenization, encryption strategy, and least-privilege access across cloud data services (e.g., S3 / Redshift / RDS / Lake Formation on AWS, or equivalents on Azure and GCP).

Build trust with the client's senior security, platform, and quality leadership; 8+ years of professional experience in security engineering, platform engineering, or SRE, with at least 4 years leading DevSecOps initiatives at scale.

• Deep, current expertise with at least one major public cloud at production scale — AWS is strongly preferred (you have personally designed and operated multi-account environments with 50+ accounts).
• Strong hands-on coding skills in at least one of Python, Go, or TypeScript, and fluency in infrastructure-as-code with Terraform (cloud-agnostic mastery preferred; AKS or GKE accepted) — including network policy, admission control, and supply-chain controls.
• Track record of operating in a regulated industry — pharma, healthcare, financial services, or critical infrastructure — and translating compliance frameworks into engineering controls.
• Comfortable presenting to a client CISO one day and pairing with a junior engineer the next.

Nice to have:

• Experience with policy-as-code (OPA/Rego, Cedar) and continuous compliance platforms (Wiz, Prisma Cloud, Orca, Drata, Vanta) at enterprise scale.
• Hands-on with secret management (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, or GCP Secret Manager) and zero-trust networking patterns.
• Relevant certifications such as AWS Security Specialty (preferred), Azure Security Engineer Associate, Google Professional Cloud Security Engineer, CISSP, CCSP, OSCP, or GIAC GCSA — credentials are a signal, not a substitute for evidence.
• Familiarity with AI/ML pipeline security and the emerging risks around generative AI in regulated environments.

At Newpage, we’re building a company that works smart and grows with agility—where driven individuals come together to do work that matters. Flexible, remote-first work – Choose where you work best while staying connected to a global, collaborative team. Room to grow – Opportunities for learning, leadership, and career development, shaped around you. Meaningful rewards – Competitive compensation that recognizes both contribution and potential.