Senior Security Engineer – Cloud & On-Prem (Hybrid Security)

Space NK operates a hybrid environment across Microsoft Azure, corporate offices, datacentres, and a large UK retail footprint. As a Security Engineer, you will design, implement, and operate security controls across cloud platforms, identity systems, endpoints, servers, and business applications. You will support the organisation’s security posture by ensuring that identity, cloud security, data protection, threat detection, and compliance controls are consistently applied and continuously improved.

Your Role

As a Security Engineer, you will be responsible for owning and operating the security controls that protect Space NK’s identity, cloud, and on‑premises environments. You will define and maintain security standards, enhance detection capabilities, harden platforms, and support incident response. You will lead improvements across authentication, authorisation, cloud posture, endpoint security, vulnerability management, and compliance frameworks. You will work closely with Network Engineering, who operate routing, switching, firewalls, VPNs, and connectivity. Your responsibility is to define the security requirements, validate secure configurations, and ensure Zero Trust and compliance controls are met – while Network Engineering implements the network infrastructure itself. This role bridges strategy and technical execution: shaping identity security, strengthening Azure cloud posture, enhancing monitoring and detection capabilities, advising on architecture, and maintaining a secure foundation for all business platforms.

Key Responsibilities

• Hybrid Security Architecture & Governance
  • Design and implement security controls across Azure cloud services, on-prem servers, and SaaS applications.
  • Define and maintain security baselines, hardening standards, and cloud security benchmarks (Microsoft CSB, CIS, NIST).
  • Govern and enforce Azure Policy, Defender for Cloud, and platform‑level security controls.
  • Participate in design and architecture reviews to ensure secure‑by‑design deployments.
  • Maintain security documentation, operational runbooks, standards, and policy artefacts.
  • Support risk assessments, penetration test remediation, and threat modelling activities.
• Identity & Access Security
  • Define and maintain identity security standards for Microsoft Entra ID and Active Directory Domain Services.
  • Provide security requirements for Conditional Access, MFA, SSO, passwordless authentication, and identity governance, implemented by the IAM teams.
  • Partner with IAM/Infrastructure teams to ensure privileged access (PIM), RBAC models, and least‑privilege designs meet security requirements.
  • Harden identity infrastructure including domain controllers, authentication protocols (Kerberos/NTLM), secure LDAP, and hybrid identity components.
  • Monitor identity‑related security signals (Identity Protection, risky users/sign‑ins) and support investigation of identity‑based attacks.
  • Validate secure delegation models, access review processes, and identity lifecycle controls defined by IAM.
• Threat Detection, Monitoring & Incident Response
  • Own and operate SIEM and SOAR tooling, including Microsoft Sentinel, Defender XDR, Identity Protection, and threat analytics.
  • Develop and refine detection rules, correlation logic, threat hunting use cases, and behavioural analytics.
  • Investigate and support incident response for identity compromise, endpoint attacks, Azure cloud events, or server breaches.
  • Integrate telemetry from Azure, endpoints, identity platforms, and security tools.
  • Produce incident reports, RCA documentation, and post‑incident improvement plans.
  • Coordinate with SOC teams or third‑party providers when required.
• Endpoint, Server, and Infrastructure Security
  • Implement CIS/NIST‑aligned hardening across Windows Server, domain controllers, virtual machines, and Azure workloads.
  • Deploy and manage endpoint protection and EDR platforms (e.g., Microsoft Defender for Endpoint).
  • Enforce secure baselines across virtualisation platforms (VMware/Hyper‑V) and Azure IaaS services.
  • Partner with Infrastructure teams on patch governance, vulnerability remediation, and secure configuration management.
  • Support security oversight of server migrations, consolidations, and platform modernisation.
• Data Protection & Encryption
  • Operate Azure Key Vault and certificate lifecycle management via AD CS/PKI.
  • Implement data classification, sensitivity labels, retention controls, and DLP using Microsoft Purview/AIP.
  • Enforce encryption‑in‑transit and at‑rest across Azure and on‑prem environments.
  • Support GDPR, PCI DSS, and organisational data protection requirements.
• Azure Cloud Security
  • Deliver cloud‑native security configuration for Azure Landing Zones, subscriptions, and resource groups.
  • Manage cloud security posture using Defender for Cloud and Azure‑native CSPM controls.
  • Configure secure connectivity to Azure services (Private Endpoints, Service Endpoints, segmentation boundaries).
  • Collaborate with Network Engineering to validate secure ExpressRoute, VPN, and firewall configurations – Network Engineering operates the underlying infrastructure.
  • Ensure consistent security policy enforcement across Azure workloads.
• Compliance, Audit & Risk Management
  • Support ISO 27001, PCI DSS, Cyber Essentials Plus, and NIST compliance activities.
  • Prepare audit evidence, configuration exports, policy documentation, and control validation artefacts.
  • Maintain risk registers, track remediation progress, and support risk assessments.
  • Participate in CAB/change management from a security perspective.
  • Support DR/BCP planning from a security controls perspective.
• Collaboration & Governance
  • Work closely with Network Engineering on segmentation requirements, firewall policy governance, and secure architecture reviews.
  • Partner with Infrastructure, Cloud, and Application teams to ensure secure deployments.
  • Provide security guidance across projects, deployments, and operational teams.
  • Help raise security awareness across the technology organisation.

Essential Skills & Experience

• Strong experience securing Azure environments, including Defender for Cloud, Conditional Access, and identity protection tooling.
• Deep knowledge of Microsoft Entra ID, AD DS, MFA, PIM, RBAC, and hybrid identity security.
• Hands‑on experience with SIEM (Sentinel), SOAR, EDR (MDE), CSPM, and vulnerability management tools.
• Experience securing Windows Server, PKI/ADCS, domain controllers, and virtualisation environments.
• Practical understanding of Zero Trust security principles and secure‑by‑design.
• Strong understanding of PCI DSS, ISO 27001, Cyber Essentials Plus, and NIST controls.
• Ability to perform forensic investigation, log analysis, and threat triage.

Desirable Skills

• Awareness of AWS security fundamentals (GuardDuty, Security Hub, KMS, IAM Identity Center).
• Basic understanding of AWS hybrid connectivity and identity integrations (advantageous but not required).
• DevSecOps and secure CI/CD practices.
• IaC security automation (Terraform, Bicep).
• Container security (AKS) and SaaS application security.
• PowerShell/Python scripting for automation.