Dayforce is a global human capital management company headquartered in Toronto and Minneapolis, seeking a Principal Cloud Security Engineer to serve as a hands-on technical expert across their cloud programs. The role involves leading CNAPP implementation, hardening cloud environments, and ensuring compliance with regulatory requirements while partnering with various teams to deliver secure cloud-based solutions.
Responsibilities:
- Lead CNAPP implementation: Plan and execute end-to-end rollout of Wiz (and related CNAPP tooling) across Azure (and select AWS), including policy design, tuning, and alert-to-action workflows
- Harden clouds at scale: Design and enforce guardrails (Azure Policy, Defender for Cloud plans, identity controls, network segmentation, logging/monitoring) and extend patterns to AWS where applicable
- DevSecOps & IaC governance: Embed security into CI/CD and Terraform workflows (pre-merge checks, plan/policy gates, artifact signing, SBOMs/attestations) and establish reusable modules and policy-as-code patterns to prevent misconfigurations before deploying; enforce baselines at plan time
- Compliance engineering: Translate FedRAMP, CIS, and other frameworks into technical controls, automated evidence, continuous monitoring, and remediation playbooks
- Cloud security architecture & blueprint: Own and evolve the cloud security reference architecture (standardized landing zones, identity and access patterns, network segmentation, encryption standards, logging/monitoring baselines, and guardrails) for Azure (primary) and AWS (in scope); advise product and platform teams on secure designs, lead design reviews, and mentor engineers
- Incident & posture improvement: Partner with SecOps and AppSec teams to triage findings, evaluate risks, recommend remediation steps, and drive measurable improvements across vulnerabilities, identities, data, and workloads
- Executive advisory: Communicate risk, trade-offs, and roadmaps to senior leadership; influence prioritization through clear metrics and business outcomes
- Build automated guardrails and drift detection/auto-remediation using Terraform (and/or Bicep/ARM where applicable), integrating controls into CI/CD to consistently enforce secure defaults
- Kubernetes/AKS security: Partner with platform teams to harden AKS (RBAC, network policies, workload identity), implement admission controls, and operationalize Wiz Sensors and CNAPP findings into engineering workflows and secure runtime baselines
Requirements:
- Bachelor's degree in Computer Science, Engineering, or related field (or equivalent experience)
- 10+ years in security engineering/architecture with significant cloud security experience (SaaS or technology companies preferred)
- Deep, hands-on expertise with CNAPP (Wiz or equivalent), including deployment at scale, policy design, tuning, and automation, and with Microsoft Defender for Cloud (policies, plans, recommendations, regulatory compliance, alerting)
- DevSecOps / CI/CD: integrating security tests and gates in GitHub Actions (or similar), artifact/image scanning, and automated compliance evidence; securing pipeline identities, secrets, and supply chain integrity
- Infrastructure as Code (IaC): production-grade Terraform Enterprise/Terraform Cloud (modules, registries, workspaces), plan-time checks, and drift control
- Policy engineering: designing and implementing cloud security policies (Azure Policy initiatives; OPA/Sentinel policy-as-code) and mapping to frameworks (NIST, CIS)
- Azure security (Entra ID/AAD, RBAC, networking, Key Vault, monitoring)
- Multi-cloud, hands-on experience with Azure and AWS services
- Container and Kubernetes security: cluster hardening, workload identity/RBAC, network policies, admission controls, image signing/verification, runtime protection, and container registries (ACR/ECR, JFrog Artifactory)
- Security automation: scripting (e.g., Python/PowerShell) to build guardrails, detections, and tooling
- Experience establishing and reporting KRIs/KPIs and improving cloud security posture at scale using data-driven metrics (e.g., NIST, CIS, STIG)
- Experience delivering cloud implementations in regulated environments, including U.S. Government / U.S. Public Sector requirements (FedRAMP, NIST SP 800-53) and Canadian Government / Public Sector requirements (PBMM, GC Cloud Guardrails, ITSG-33 or equivalent) — including control mapping, automation, and continuous monitoring
- Excellent stakeholder skills—operate as a trusted advisor to product, platform, compliance, and executive teams
- Self-starter who can work independently, communicate clearly, and drive cross-functional outcomes with a bias for automation and measurable posture improvement
- Proven track record operating as a Cloud Security Architect across CNAPP, Wiz, Terraform, and CI/CD pipeline architectures—defining cloud policies, integrating cloud-native and CNAPP controls, and leveraging their control frameworks for continuous compliance
- Hands-on experience securing Kubernetes (AKS) using Wiz Sensor tooling (deployment, operations, and integration with detection and remediation workflows)
- Microsoft AZ-500, SC-100, SC-200 certifications strongly preferred
- A security certification such as CISSP or CCSP
- DevOps experience with infrastructure, cloud, and application pipelines
- Hands-on experience with container and image scanning; SAST, DAST; and penetration testing tools
- Knowledge of large language models (LLMs) and hands-on experience designing and building generative-AI–powered agents
- Experience with Python, Java, .NET, C#, Rego, and YAML