Cloud Security Threat Modeler (Service & API Patterns)

Objective

Engineer and standardize reusable security patterns for Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). This role provides approved patterns for services, allowing application teams to utilize pre-approved service and API patterns without requiring them to threat model cloud services when developing application threat models.

Primary Responsibilities

Backlog Execution: Conduct deep-dive threat model reviews for an immediate backlog of 22 cloud services.

Pattern Engineering: Develop modular, "Lego-brick" threat models for cloud services and API patterns, defining mandatory security controls and standardized use cases.

Stakeholder Defense: Schedule threat model reviews (TMRs) for cloud services. Present and defend service threat models in formal threat model reviews (TMRs) with the Boeing Enterprise Security (BES) to defend and secure approval for standardized patterns.

Additional Reviews: For services that require changes to environment perimeters, coordinate with landing zone architects to update landing zone architecture standards, schedule reviews, and review changes with the Secure Perimeter Review Board (SPRB) reviews.

Technical Research: Perform manual analysis using  TrustOnCloud research libraries to identify Cloud Service Provider (CSP) specific threats and configuration requirements. Work with CSP subject matter experts to develop service threat models when necessary.

Secondary Responsibilities

Library Stewardship: Manage repository of approximately 200 service and API threat models.

Governance & Maintenance: Execute a manual biennial (2-year) refresh cycle for all models in the library to ensure continued alignment with CSP updates and feature releases.

Key Performance Indicators (KPIs)

Throughput: Following a 1-month ramp-up and shadowing/training period, complete a minimum of 3 service threat model reviews per month.

Backlog Resolution: Clear the initial 22-service backlog within approximately 8 months of the completion of the training period.

Maintenance Compliance: Maintain 100% adherence to the biennial manual refresh schedule for the 200-pattern library.

Required Qualifications

Experience: 5+ years in cloud security architecture or threat modeling.

Technical Depth: Expert knowledge of AWS, Azure, and GCP managed services and the Shared Responsibility Model.

Analytical Skill: Proven ability to synthesize complex technical data (e.g., TrustOnCloud reports) into concise, executable security standards.

Communication: Ability to negotiate and defend technical security positions to central risk and compliance stakeholders.

Preferred Experience

Direct experience using TrustOnCloud for threat research.

Background in creating reusable security patterns in large-scale enterprise environments.

Only shortlisted candidates are going to be contacted

Benefits:

Paid sick leave, Medical/Dental (optional), 401 (k) Retirement Plan (optional), Employer Paid Life Insurance, Employer Paid Short Term Disability, Optional Life Insurance.

ELYON International, Inc. is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.