Senior Technical Data Security Architect

Role Overview

• Design and maintain end-to-end data security architecture across Microsoft Azure, Microsoft Fabric, Azure Synapse Analytics, Azure Data Lake Storage (ADLS Gen2), and Databricks Lakehouse Platform.
• Define and enforce enterprise data classification, labeling, and handling standards aligned with Microsoft Purview Information Protection.
• Develop reference architectures and security blueprints for data ingestion, transformation, storage, and consumption layers.
• Lead threat modeling sessions for data pipelines and analytics workloads, identifying and mitigating risks proactively.
• Establish a Zero Trust data security model across all data platforms and integration points.
• Architect and govern data security controls within Microsoft Fabric, including workspace-level and item-level permissions, sensitivity labels, and OneLake security.
• Design role-based access control (RBAC) and attribute-based access control (ABAC) strategies across Azure Data Factory, Azure Synapse, Azure Databricks, and Azure SQL.
• Implement and operationalize Microsoft Purview for data catalog governance, data lineage, and automated sensitivity classification across hybrid and multi-cloud data estates.
• Configure and manage Azure Private Endpoints, VNet integration, and network security groups for data services to eliminate public exposure.
• Oversee encryption strategies including Azure Key Vault integration, customer-managed keys (CMK), and data-at-rest / data-in-transit encryption standards.
• Partner with identity teams to enforce Entra ID Conditional Access policies, Privileged Identity Management (PIM), and managed identities for data service authentication.
• Lead the implementation and tuning of Microsoft Defender for Cloud data security posture management (DSPM) capabilities.
• Architect and implement Unity Catalog as the enterprise-wide data governance layer across Databricks workspaces, including metastore design, catalog/schema/table-level permissions, and row/column-level security.
• Design Databricks workspace security including network isolation (no-public-IP, vNet injection, private link), cluster policies, and IP access lists.
• Define and enforce Databricks credential passthrough, service principal governance, and OAuth integration with Azure Entra ID.
• Implement dynamic data masking and column-level security policies within Unity Catalog to protect PII, PHI, and sensitive financial data.
• Establish Delta Lake security patterns including table ACLs, fine-grained access control, and audit logging strategies via Databricks system tables.
• Oversee the security of Databricks workflows, notebooks, and job clusters, including secrets management integration with Azure Key Vault-backed secret scopes.
• Conduct security reviews of MLflow models and Feature Store configurations to address data leakage risks in ML pipelines.
• Ensure data platform compliance with relevant regulatory frameworks including GDPR, CCPA, HIPAA, SOC 2 Type II, and PCI-DSS where applicable.
• Design and maintain audit trail and data access logging architectures across Microsoft and Databricks platforms.
• Conduct regular security risk assessments, gap analyses, and maturity evaluations of the data security program.
• Develop and maintain security runbooks, policies, and standards documentation for data platform operations.
• Coordinate with legal, compliance, and privacy teams to respond to data subject access requests (DSARs) and regulatory inquiries.
• Serve as the primary security advisor to data engineering, analytics engineering, and BI teams throughout the development lifecycle.
• Lead security architecture review boards for new data initiatives, third-party data integrations, and major platform changes.
• Develop and lead a structured mentoring program for junior and mid-level engineers and architects, providing one-on-one coaching, career guidance, and skills development roadmaps tailored to each individual’s growth goals.
• Conduct regular knowledge-sharing sessions, lunch-and-learns, and internal workshops to upskill teams on evolving data security threats, tooling, and compliance requirements across the Microsoft and Databricks ecosystems.
• Partner with engineering managers and HR to define data security competency frameworks, leveling guides, and certification pathways that support talent development and retention across the data platform organization.
• Establish and maintain a community of practice around data security, fostering peer learning, documentation culture, and cross-team collaboration on shared security challenges and architectural patterns.
• Collaborate with SecOps and SOC teams to build data-specific detection rules, incident response playbooks, and forensic investigation capabilities.
• Present security posture, risk findings, and remediation roadmaps to executive leadership and board-level stakeholders.

Requirements

• 5+ years of experience in data engineering, data architecture, or information security, with at least 5 years focused on data security architecture.
• Deep hands-on expertise with Microsoft Azure data services: Azure Data Lake Storage Gen2, Azure Synapse Analytics, Azure Data Factory, Azure SQL Database, and Microsoft Fabric.
• Demonstrated expertise in designing and implementing Databricks Unity Catalog, including workspace federation, metastore design, and fine-grained access control.
• Strong proficiency with Microsoft Purview, including data map configuration, classification rules, sensitivity labels, and policy enforcement.
• Expert-level knowledge of Azure identity and access management: Entra ID, Managed Identities, Conditional Access, PIM, and service principal governance.
• Hands-on experience with Azure Key Vault, customer-managed encryption keys, and secrets management integration with data platforms.
• Solid understanding of data governance frameworks and data security principles including Zero Trust, least privilege, and data minimization.
• Experience with regulatory compliance programs (GDPR, CCPA, HIPAA, SOC 2, PCI-DSS) as applied to data platforms.
• Proficiency in SQL and at least one programming/scripting language (Python, PySpark, PowerShell, or Terraform) used for security automation.
• Strong written and verbal communication skills with the ability to articulate complex security concepts to technical and non-technical audiences.
• Demonstrated experience securing data workloads across multi-cloud environments (Azure, AWS, and/or GCP), including cross-cloud data governance, identity federation, and consistent enforcement of security policies across heterogeneous cloud estates.
• Hands-on experience with Snowflake data security, including Snowflake RBAC/DAC models, column-level and row-level security policies, dynamic data masking, network policies, Private Link configuration, and Snowflake Data Sharing governance controls.
• Proven ability to support presales activities, including leading technical discovery sessions, contributing to RFP/RFI responses, delivering solution demonstrations, and authoring security architecture sections of client-facing proposals and statements of work.

Tech Stack

• AWS
• Azure
• Cloud
• DAC
• Google Cloud Platform
• PySpark
• Python
• SQL
• Terraform
• Unity
• Vault

Benefits

• Remote workforce primarily (U.S. based only, some travel may be required for certain positions, working on-site may be required for Federal positions)
• Group Medical Insurance options: Zero Deductible PPO Plan (GuidePoint pays 90% of the premium for employees and 70% for family plans (spouse/children/family) or High Deductible Health Plan with HSA (GuidePoint pays 100% of the employees premiums and 75% for family plans (spouse/children/family). If you choose the High Deductible / HSA plan, GPS will contribute in 4 equal quarterly installments: ($850 per EE annually / $1750 per family annually (includes spouse/children/family options)
• Group Dental Insurance: GuidePoint pays 100% of the premium for employees and 75% of family plans
• 12 corporate holidays and a Flexible Time Off (FTO) program
• Healthy mobile phone and home internet allowance
• Eligibility for retirement plan after 2 months at open enrollment
• Pet Benefit Option