Included Health
Overview
The Staff Cloud Security Engineer is a critical, hands-on technical role responsible for engineering, implementing, and automating robust security controls within our cloud environments (AWS primarily, with GCP considerations). This role is pivotal in maturing our cloud security posture, securing Included Health's product infrastructure, and directly contributing to the prevention of unauthorized PHI exfiltration. You will help design and develop advanced security solutions, often through code (primarily Python and Go) and automation (Terraform), to address challenges in access control, development environment security, and infrastructure hardening. This role requires deep technical expertise in cloud security, strong software development skills for building security tools and automation, and a proactive approach to risk mitigation. You will be a key technical peer to our infrastructure software and engineering teams, driving a culture of security by design and helping to implement solutions that reduce HIPAA incidents. This is a remote role reporting to the Chief Information Security Officer.
Responsibilities
Design, develop, and implement a comprehensive authorization framework for cloud resources, addressing user roles, resource-specific restrictions, task-based access, and granular engineering access
Lead the technical implementation of Just-In-Time (JIT) access control systems for production environments (systems, secrets, data) to minimize standing privileges for engineering and platform teams
Collaborate with engineering to integrate data classification (e.g., safe-harbor annotations) with access control mechanisms, ensuring that data sensitivity directly informs access decisions
Develop and maintain security automation scripts, tools, and services in Python or Go to streamline security operations, vulnerability management, compliance checks, and incident response
Write clean, maintainable, and testable code (primarily Python and Go; familiarity with Ruby is a plus) for security automation, building custom security integrations, and developing security-focused tools
Implement and champion Infrastructure as Code (IaC) principles, specifically using Terraform, for programmatic definition, enforcement, and auditing of security configurations
Contribute to the design and implementation of centralized security controls, such as an engineering-owned Web Application Firewall (WAF), to manage rate limiting, IP blocking, input validation, and request filtering
Partner with engineering teams to establish and implement secure practices for managing the development toolchain (code generation utilities, linters, browser extensions, CLI tools, IDE plugins) to mitigate supply chain risks
Design and help implement a secure, "blessed" mechanism for webhook testing in local development environments, blocking unauthorized tunneling tools
Define, implement, and enforce container security hardening standards (e.g., least privilege, no unnecessary utilities, limited internet access) in collaboration with engineering teams
Drive the remediation of legacy cloud environments, particularly in GCP, by inventorying, assessing, and improving security controls
Design and implement solutions for granular data access control in cloud environments, particularly addressing compliance requirements for handling sensitive data
Collaborate closely with infrastructure software, engineering, DevOps, and product teams to co-design and integrate robust, automated security controls into systems, architectures, and CI/CD pipelines
Act as a subject matter expert on cloud security (AWS, GCP), providing guidance, code reviews (Python, Go), and technical expertise on secure cloud adoption, secure software development, and access control best practices
Support organizational change management efforts related to new security controls and practices by providing technical rationale and assisting in the development of new workflows
Conduct security assessments, threat modeling, and contribute to incident response, developing automation for prevention and faster response
Develop and maintain comprehensive documentation for security architectures, controls, automation scripts, and incident response playbooks
Qualifications
Bachelor's degree in Computer Science, Information Technology, Cybersecurity, or a related field
5+ years of experience in cloud security, with a strong emphasis on designing, developing (primarily in Python and Go), and implementing security solutions in AWS
Proven hands-on software development experience, particularly in Python and Go, for security automation, building security tools, and infrastructure management
Demonstrable experience designing and implementing robust authorization and access control frameworks (e.g., RBAC, ABAC, policy-as-code) and Just-In-Time (JIT) access solutions
Experience with Infrastructure as Code (IaC) with deep proficiency in writing and maintaining Terraform modules for security
Experience with containerization (Docker, Kubernetes/EKS), including hands-on experience hardening containerized environments
Experience with SDLC security, CI/CD pipeline security integration, and secure software development practices
Experience with security logging, monitoring, alerting tools (e.g., SIEM, AWS CloudTrail, CloudWatch, GuardDuty), and scripting against their APIs (Python, Go)
Experience with cloud security frameworks (especially HIPAA), regulations, and standards
Pay The United States new hire base salary target ranges for this full-time position are:
Zone A: 161,410 - 228,000 + equity + benefits
Zone B: 177,551 - 250,800 + equity + benefits
Zone C: 193,692 - 273,600 + equity + benefits
Zone D: 209,833 - 296,400 + equity + benefits
This range reflects the minimum and maximum target for new hire salaries for candidates based on their respective Zone. Below is additional information on Included Health\'s commitment to maintaining transparent and equitable compensation practices across our distinct geographic zones.
Starting base salary for you will depend on several job-related factors, unique to each candidate, which may include education; training; skills; years and depth of experience; certifications and licensure; our needs; internal peer equity; organizational considerations; and understanding of geographic and market data. Compensation structures and ranges are tailored to each zone\'s unique market conditions to ensure that all employees receive fair and great compensation package based on their roles and locations. Your Recruiter can share your geographic zone upon inquiry.
Benefits & Perks In addition to receiving a great compensation package, the compensation package may include, depending on the role, the following and more:
Remote-first culture
401(k) savings plan through Fidelity
Comprehensive medical, vision, and dental coverage through multiple medical plan options (including disability insurance)
PTO and Discretionary Time Off (DTO)
12 weeks of 100% Paid Parental leave
Family Building & Compassionate Leave: Fertility coverage, 25,000 for surrogacy/adoption, and paid leave for failed treatments, adoption or pregnancies
Work-From-Home reimbursement to support team collaboration home office work
Your recruiter will share more about the salary range and benefits package for your role during the hiring process
About Included Health Included Health is a new kind of healthcare company, delivering integrated virtual care and navigation. We’re on a mission to raise the standard of healthcare for everyone. We break down barriers to provide high-quality care for every person in every community — no matter where they are in their health journey or what type of care they need, from acute to chronic, behavioral to physical. It’s all included. Learn more about Included Health at the site without a live link.
Equal Opportunity Included Health is an Equal Opportunity Employer and considers applicants for employment without regard to race, color, religion, sex, orientation, national origin, age, disability, genetics or any other basis forbidden under federal, state, or local law. Included Health considers all qualified applicants with arrest or conviction records in accordance with the San Francisco Fair Chance Ordinance, the Los Angeles County Fair Chance Ordinance, and California law.
#J-18808-Ljbffr
The Staff Cloud Security Engineer is a critical, hands-on technical role responsible for engineering, implementing, and automating robust security controls within our cloud environments (AWS primarily, with GCP considerations). This role is pivotal in maturing our cloud security posture, securing Included Health's product infrastructure, and directly contributing to the prevention of unauthorized PHI exfiltration. You will help design and develop advanced security solutions, often through code (primarily Python and Go) and automation (Terraform), to address challenges in access control, development environment security, and infrastructure hardening. This role requires deep technical expertise in cloud security, strong software development skills for building security tools and automation, and a proactive approach to risk mitigation. You will be a key technical peer to our infrastructure software and engineering teams, driving a culture of security by design and helping to implement solutions that reduce HIPAA incidents. This is a remote role reporting to the Chief Information Security Officer.
Responsibilities
Design, develop, and implement a comprehensive authorization framework for cloud resources, addressing user roles, resource-specific restrictions, task-based access, and granular engineering access
Lead the technical implementation of Just-In-Time (JIT) access control systems for production environments (systems, secrets, data) to minimize standing privileges for engineering and platform teams
Collaborate with engineering to integrate data classification (e.g., safe-harbor annotations) with access control mechanisms, ensuring that data sensitivity directly informs access decisions
Develop and maintain security automation scripts, tools, and services in Python or Go to streamline security operations, vulnerability management, compliance checks, and incident response
Write clean, maintainable, and testable code (primarily Python and Go; familiarity with Ruby is a plus) for security automation, building custom security integrations, and developing security-focused tools
Implement and champion Infrastructure as Code (IaC) principles, specifically using Terraform, for programmatic definition, enforcement, and auditing of security configurations
Contribute to the design and implementation of centralized security controls, such as an engineering-owned Web Application Firewall (WAF), to manage rate limiting, IP blocking, input validation, and request filtering
Partner with engineering teams to establish and implement secure practices for managing the development toolchain (code generation utilities, linters, browser extensions, CLI tools, IDE plugins) to mitigate supply chain risks
Design and help implement a secure, "blessed" mechanism for webhook testing in local development environments, blocking unauthorized tunneling tools
Define, implement, and enforce container security hardening standards (e.g., least privilege, no unnecessary utilities, limited internet access) in collaboration with engineering teams
Drive the remediation of legacy cloud environments, particularly in GCP, by inventorying, assessing, and improving security controls
Design and implement solutions for granular data access control in cloud environments, particularly addressing compliance requirements for handling sensitive data
Collaborate closely with infrastructure software, engineering, DevOps, and product teams to co-design and integrate robust, automated security controls into systems, architectures, and CI/CD pipelines
Act as a subject matter expert on cloud security (AWS, GCP), providing guidance, code reviews (Python, Go), and technical expertise on secure cloud adoption, secure software development, and access control best practices
Support organizational change management efforts related to new security controls and practices by providing technical rationale and assisting in the development of new workflows
Conduct security assessments, threat modeling, and contribute to incident response, developing automation for prevention and faster response
Develop and maintain comprehensive documentation for security architectures, controls, automation scripts, and incident response playbooks
Qualifications
Bachelor's degree in Computer Science, Information Technology, Cybersecurity, or a related field
5+ years of experience in cloud security, with a strong emphasis on designing, developing (primarily in Python and Go), and implementing security solutions in AWS
Proven hands-on software development experience, particularly in Python and Go, for security automation, building security tools, and infrastructure management
Demonstrable experience designing and implementing robust authorization and access control frameworks (e.g., RBAC, ABAC, policy-as-code) and Just-In-Time (JIT) access solutions
Experience with Infrastructure as Code (IaC) with deep proficiency in writing and maintaining Terraform modules for security
Experience with containerization (Docker, Kubernetes/EKS), including hands-on experience hardening containerized environments
Experience with SDLC security, CI/CD pipeline security integration, and secure software development practices
Experience with security logging, monitoring, alerting tools (e.g., SIEM, AWS CloudTrail, CloudWatch, GuardDuty), and scripting against their APIs (Python, Go)
Experience with cloud security frameworks (especially HIPAA), regulations, and standards
Pay The United States new hire base salary target ranges for this full-time position are:
Zone A: 161,410 - 228,000 + equity + benefits
Zone B: 177,551 - 250,800 + equity + benefits
Zone C: 193,692 - 273,600 + equity + benefits
Zone D: 209,833 - 296,400 + equity + benefits
This range reflects the minimum and maximum target for new hire salaries for candidates based on their respective Zone. Below is additional information on Included Health\'s commitment to maintaining transparent and equitable compensation practices across our distinct geographic zones.
Starting base salary for you will depend on several job-related factors, unique to each candidate, which may include education; training; skills; years and depth of experience; certifications and licensure; our needs; internal peer equity; organizational considerations; and understanding of geographic and market data. Compensation structures and ranges are tailored to each zone\'s unique market conditions to ensure that all employees receive fair and great compensation package based on their roles and locations. Your Recruiter can share your geographic zone upon inquiry.
Benefits & Perks In addition to receiving a great compensation package, the compensation package may include, depending on the role, the following and more:
Remote-first culture
401(k) savings plan through Fidelity
Comprehensive medical, vision, and dental coverage through multiple medical plan options (including disability insurance)
PTO and Discretionary Time Off (DTO)
12 weeks of 100% Paid Parental leave
Family Building & Compassionate Leave: Fertility coverage, 25,000 for surrogacy/adoption, and paid leave for failed treatments, adoption or pregnancies
Work-From-Home reimbursement to support team collaboration home office work
Your recruiter will share more about the salary range and benefits package for your role during the hiring process
About Included Health Included Health is a new kind of healthcare company, delivering integrated virtual care and navigation. We’re on a mission to raise the standard of healthcare for everyone. We break down barriers to provide high-quality care for every person in every community — no matter where they are in their health journey or what type of care they need, from acute to chronic, behavioral to physical. It’s all included. Learn more about Included Health at the site without a live link.
Equal Opportunity Included Health is an Equal Opportunity Employer and considers applicants for employment without regard to race, color, religion, sex, orientation, national origin, age, disability, genetics or any other basis forbidden under federal, state, or local law. Included Health considers all qualified applicants with arrest or conviction records in accordance with the San Francisco Fair Chance Ordinance, the Los Angeles County Fair Chance Ordinance, and California law.
#J-18808-Ljbffr