CelerData co

Senior Security Engineer, Cloud Platform

CelerData co, Menlo Park, California, United States, 94029

About CelerData

At CelerData, our mission is to empower organizations to fully leverage their data. We achieve this with our cutting-edge, cloud-native, high-performance analytical database, specifically designed for modern lakehouse architectures. We're challenging established solutions like Snowflake, ClickHouse, and Trino by delivering unmatched query performance and a simplified architecture to enterprises globally. Join us as we help our customers convert their data into practical insights and attain outstanding technical achievements.

As a Product Security Engineer at CelerData, you’ll embed with our platform and cloud teams to design and build secure-by-default features for StarRocks and CelerData Cloud. You will drive threat modeling, security assurance, and automation across our control plane, data plane, and BYOC (bring-your-own-cloud) deployments. Your work will span identity, secrets and key management, container/Kubernetes hardening, operating security tooling, and vulnerability management—scaling security through paved roads, tooling, and code.

Key Responsibilities

Secure design & threat modeling:

Partner with PM/engineering to review architectures and data flows (SaaS, on-prem, BYOC). Define security requirements and mitigations for features such as multi-tenant isolation, row/column-level security, auditing, and encryption.

Security Process:

Develop processes, tooling and automation to scale security processes and mitigate risks to the business.

Cloud & Kubernetes hardening:

Establish secure baselines for AWS/Azure/GCP; least-privilege IAM; network segmentation and private connectivity (e.g., PrivateLink/Private Endpoint); runtime policies (e.g., Cilium/Calico), admission controls, and secrets handling for K8s.

Identity & secrets:

Advance SSO/MFA for customers and internal systems; standardize OIDC/SAML flows; engineer passwordless and m2m auth; manage KMS/HSM-backed key lifecycles; integrate with Vault for automated rotation.

Data protection:

Ensure encryption in transit/at rest for object stores (S3/ADLS/GCS) and internal services; define data classification and tokenization/obfuscation patterns where appropriate.

Vulnerability management & assurance:

Run coordinated scanning/fuzzing (including C++ components), triage reports (bug bounty/responsible disclosure), drive fixes to closure with clear SLAs, and commission targeted pentests.

Detection enablement:

Improve security telemetry across control and data planes; contribute product-centric detections/runbooks for abuse, exfiltration, or privilege misuse.

Incident readiness:

Maintain product incident playbooks; participate in investigations affecting CelerData products and customers; lead post-mortems and drive durable remediation.

Developer enablement:

Provide clear guidance, examples, and “paved road” modules (Terraform/K8s manifests, SDK patterns). Deliver practical, lightweight training on secure coding and secrets hygiene.

Qualifications

5+ years in product/application, platform, or cloud security supporting engineering teams shipping distributed systems at scale (or comparable impact).

Hands-on with at least one major cloud (AWS/Azure/GCP) and Kubernetes security (RBAC, admission, PSP replacements, runtime policies, image signing).

Proficiency in at least one of: Python or Go for automation; plus the ability to read and review C++ and/or Java for security implications.

Solid grasp of authN/Z patterns (OIDC/SAML, OAuth2, service-to-service auth), secrets and key management (KMS/HSM, Vault), and TLS/mTLS fundamentals.

Experience designing controls for multi-tenant SaaS or BYOC architectures (isolation, network egress controls, private connectivity, least-privilege IAM).

Clear, pragmatic communicator who can influence design, document decisions, and drive cross-team execution.

Preferred Qualifications

Fuzzing experience (e.g., libFuzzer/AFL/OSS-Fuzz) or sanitizers for native code; prior work securing OLAP/DB, storage engines, or high-performance C++ services.

IaC security (Terraform + Conftest/OPA checks), cloud org guardrails, SCP/Config/Policy, and drift detection.

Familiarity with data security features (RLS/CLS, masking, audit/eventing) in analytics platforms.

Contributions to open-source projects (StarRocks/ClickHouse/Trino ecosystems a plus).
