Senior Cloud Security Engineer

We’re Celonis, the global leader in Process Intelligence technology and one of the world's fastest-growing SaaS firms. We believe there is a massive opportunity to unlock productivity by placing AI, data and intelligence at the core of business processes — and for that, we need your help. Care to join us? The Team: Within our InfoSec organization, our global security engineering team is responsible for designing, building, and enhancing the underlying security components that help with securing the Celonis Application and Platforms stacks. We think about both offensively and defensively. We continuously monitor our global security posture and are always adapting to the ever-changing threat landscape. The security engineering team is always looking for talented subject matter experts in application, platform and offensive security. The Role: The Senior Cloud Security Engineer is a hands‑on technical role focused on safeguarding Celonis’ cloud infrastructure across AWS, Azure, and GCP. In this role, you will design and implement cutting‑edge security measures to protect a large‑scale SaaS platform. You’ll collaborate with cross‑functional teams to ensure security is embedded in our cloud services and automate security processes for efficiency and consistency. This role is ideal for a seasoned security engineer who enjoys solving complex cloud security challenges and wants to have a direct impact on the security posture of a fast‑growing tech company. The work you’ll do: Cloud Security Implementation: Implement and uphold cloud security best practices across multi‑cloud environments. Harden our cloud infrastructure by leveraging native security features (e.g., AWS IAM & KMS, Azure AD & Key Vault, GCP IAM & KMS) and ensuring proper configuration of network controls, encryption, and logging. Infrastructure & Kubernetes Security: Secure Celonis’ use of containerized applications and Kubernetes (EKS, AKS, GKE). This includes setting up container image scanning, enforcing Kubernetes security policies, managing secrets and certificates, and working with engineering teams to ensure microservices follow security guidelines. Automation & Tooling: Develop and maintain automation scripts and Infrastructure‑as‑Code (Terraform, CloudFormation) to embed security into the deployment pipeline. Automate repetitive security tasks (such as provisioning secure configurations, patch management, and compliance checks) to improve efficiency and consistency. Security Monitoring & Response: Enhance cloud security monitoring by tuning and extending CSPM tools and cloud‑native monitoring (CloudTrail, GuardDuty, Azure Security Center, etc.). Identify potential vulnerabilities or misconfigurations proactively and work on fixes. Assist in investigating security alerts or incidents related to cloud infrastructure and coordinate remediation efforts. Identity and Access Management: Continuously improve cloud IAM configurations to enforce least‑privilege access. Manage roles, policies, and access keys across the organization’s cloud accounts. Implement solutions like Teleport to strengthen access controls for engineers and applications accessing sensitive cloud resources. Vulnerability Management: Work with vulnerability scanning tools (such as Tenable Nessus/Tenable.io) to regularly scan cloud assets and container images. Collaboration & Guidance: Serve as a security subject matter expert for cloud projects. Collaborate with developers, DevOps, and SRE teams to advise on secure architecture and coding practices. Contribute to threat modeling exercises and review new features/infrastructure for potential security risks before deployment. Required Qualifications: Proven Cloud Security Expertise: 5+ years of hands‑on experience in security engineering with a strong focus on cloud (AWS, Azure, and GCP). Deep understanding of cloud architecture and services, and proven experience implementing security controls in a production cloud environment. Kubernetes & Container Security: Strong experience securing containerized applications and Kubernetes clusters. Familiarity with tools and practices for container security (image vulnerability scanning, runtime security, Kubernetes network policies, service mesh security). Automation Skills: Proficiency in Infrastructure‑as‑Code and scripting. Demonstrated ability to use Terraform, CloudFormation or similar to deploy secure configurations, and to write scripts in Python, Go, or Bash to automate security workflows. You should be able to build tools or integrations that reduce manual effort and human error. Cloud Security Posture Management: Hands‑on experience with Cloud Security Posture Management (CSPM) solutions or implementing automated checks for cloud compliance. Ability to identify misconfigurations and weaknesses in cloud setups and remediate them (for example, S3 bucket policies, public exposure of resources, etc.). Identity & Access Management: In‑depth understanding of cloud IAM and access control mechanisms. Experience designing role‑based access schemes, managing federated identities (SAML/OIDC), and implementing principles of least privilege across multiple cloud accounts and services. Vulnerability & Threat Management: Experience with vulnerability scanning tools (e.g., Tenable, Qualys) and interpreting their output. Knowledge of common cloud threats and vulnerabilities (OWASP Cloud Top 10, CIS benchmarks) and experience in remediating them. Real‑World Impact: A track record of securing real cloud deployments and solving security incidents or challenges in production. We value hands‑on problem‑solving skills and achievements‑being able to point to projects and outcomes where you made a difference in security. (Formal degrees or certifications are less important than your proven ability to do the job.) Preferred Qualifications: Teleport & Advanced Tools: Experience with Teleport or similar identity‑based access proxies for infrastructure is a strong plus, as is familiarity with the Tenable suite or other vulnerability management platforms. Comfort with other security tools (SIEM, IDS/IPS, container security platforms like Aqua or Prisma Cloud) is beneficial. DevSecOps Mindset: Working knowledge of CI/CD pipelines and how to integrate security testing into them (e.g., integrating SAST/DAST, secret scanning in pipelines). Ability to work in an Agile environment and partner with development teams using a DevSecOps approach. SaaS Security Challenges: Prior experience in a SaaS or cloud‑native product company. Understanding the security considerations of multi‑tenant architectures, data privacy, and scaling security solutions in a customer‑facing cloud service. Continuous Learning & Innovation: Passion for staying up‑to‑date with the latest cloud security threats, tools, and best practices. Participation in security conferences, certifications like AWS/Azure Security Specialty, or contributions to open source security projects are a plus (though we prioritize practical knowledge over credentials). Collaborative Communication: Excellent communication skills to articulate complex security issues to both technical and non‑technical colleagues. Experience writing security documentation or standard operating procedures, and fostering a culture of security awareness within teams. What Celonis Can Offer You: Pioneer Innovation: Work with the leading, award‑winning process mining technology, shaping the future of business. Accelerate Your Growth: Benefit from clear career paths, internal mobility, a dedicated learning program, and mentorship opportunities. Receive Exceptional Benefits: Including generous PTO, hybrid working options, company equity (RSUs), comprehensive benefits, extensive parental leave, dedicated volunteer days, and much more. Interns and working students explore your benefits here. Prioritize Your Well‑being: Access to resources such as gym subsidies, counseling, and well‑being programs. Connect and Belong: Find community and support through dedicated inclusion and belonging programs. Make Meaningful Impact: Be part of a company driven by strong values that guide everything we do: Live for Customer Value, The Best Team Wins, We Own It, and Earth Is Our Future. Collaborate Globally: Join a dynamic, international team of talented individuals. Empowered Environment: Contribute your ideas in an open culture with autonomous teams. About Us: Celonis makes processes work for people, companies and the planet. The Celonis Process Intelligence Platform uses industry‑leading process mining and AI technology and augments it with business context to give customers a living digital twin of their business operation. It’s system‑agnostic and without bias, and provides everyone with a common language for understanding and improving businesses. Celonis enables its customers to continuously realize significant value across the top, bottom, and green line. Celonis is headquartered in Munich, Germany, and New York City, USA, with more than 20 offices worldwide. Get familiar with the Celonis Process Intelligence Platform by watching this video. Celonis Inclusion Statement: At Celonis, we believe our people make us who we are and that “The Best Team Wins”. We know that the best teams are made up of people who bring different perspectives to the table. And when everyone feels included, able to speak up and knows their voice is heard — that’s when creativity and innovation happen. Your Privacy: Any information you submit to Celonis as part of your application will be processed in accordance with Celonis’ Accessibility and Candidate Notices. By submitting this application, you confirm that you agree to the storing and processing of your personal data by Celonis as described in our Privacy Notice for the Application and Hiring Process. Please be aware of common job offer scams, impersonators and frauds. Learn more here. #J-18808-Ljbffr