Security Solutions Architect - Cloud Security Consultant at a consultancy with 10,001+ employees
500 people affected
18 month project
Project Description
Developed High-Level (HLD) and Low-Level (LLD) design documents, ensuring full compliance with Danske Bank's policies. The documentation covers the items listed under Design and Planning as well as cloud account onboarding, a custom RBAC model, an entitlement matrix for user and API permissions, and detailed network and data flow diagrams.
Managed technical planning, such as integration of the CSPM, CIEM, and Code Security (Checkov) components. Outbound integrations and alert distribution via ServiceNow (on-premises, not an out-of-the-box integration). Prisma Cloud custom user role and permission planning (RBAC). Integration planning for Checkov in CI/CD pipelines and Azure AD for IdP/SSO. Policy selection aligned with regulatory needs and best practices (12+ frameworks/standards). Configuration management of Prisma Cloud using the API and Terraform. Trusted Logon IP filtering and Conditional Access policy requirements, including MFA, managed device status, etc. (Azure side).
Project Planning & Execution:
- Directed project milestones and release plan for the Prisma Cloud rollout.
- Defined and planned operational tasks for effective transition into regular operations, including:
-- SSO setup and API key rotation procedures
-- Policy applicability review
-- Cloud resource owner support/consulting
-- Initial CSPM alert review in collaboration with cloud platform teams (reviewed 150+ policies for AWS and Azure)
-- Defined a detailed process for custom CSPM policy creation, review and testing
-- Contributed to selecting and interviewing external consultants for custom RQL policy development
-- Supported the team in escalating product issues, notably in CIEM policy and AWS root account (16 built-in policies corrected by the vendor as a result)
Lessons Learned
Push back more on GDPR concerns from the legal team; opt to deploy outpost and a full-fledged CNAPP, including DSPM and workload protection (at least runtime visibility) capabilities; request a budget increase; and reevaluate the tool selection, since I was brought in after the solution was already chosen.