Principal Cloud & DevSecOps Architect (AWS / Azure / Terraform / Kubernetes / CI-CD)

Regulated environment of a German banking group (approx. 8,500 employees, hybrid cloud strategy).

Responsible for operating, provisioning, and continuously securing business-critical platforms – including a GenAI chat application, a big-data/AI platform, and data science workstations based on Azure Virtual Desktops and VMs. Ownership of Azure DevOps projects such as ShaiHulud and React2Shell and BSI warnings - security operations improvements across the SDLC.

Deployment responsibility for the GenAI chat application, big-data/AI platform (BDAI), and data science workstations (AVD/VM-based) in the respective landing zones.

Deployment & release management: end-to-end responsibility for deployments of portal and service applications in multiple Azure landing zones, including technical approvals, approvals according to development teams' deployment guidelines, and ensuring ITIL-based change and release processes in ongoing operations via ServiceNow.

Azure landing zones & network architecture: building, provisioning, and operating Azure landing zones for 3-tier web applications with enhanced network segmentation, VNet peering, hub-and-spoke architectures, private endpoints, and firewall integration in separate subscriptions and tenants.

Azure DevOps governance & operations: ownership of the Azure DevOps organization including projects, repositories, and CI/CD pipelines; implementation of governance requirements such as branch policies, approval gates, permission models, and auditing-capable operating structures.

Infrastructure as Code (Terraform): design, implementation, and operation of a modular Terraform architecture for standardized cloud infrastructure provisioning, including state management, provider versioning, reusability, and policy-as-code approaches.

CI/CD pipeline engineering: designing, operating, and optimizing complex YAML-based CI/CD pipelines with multi-stage deployments, template standardization, self-hosted agents, integrated secret management, and automated quality and security checks.

Git migration & platform consolidation: planning and executing migration of repositories and pipelines from Azure DevOps to GitLab CI/CD, including automated scripts, Git history migration, pipeline porting, and consolidation of development platforms.

Container & platform operations (AKS): running and conducting security assessments of container-based workloads on Azure Kubernetes Service, centralizing on-premises container registry for ACR. OpenShift (OCP) security reviews: security assessment of code baselines, build pipelines, and deployment processes for on-premises OpenShift clusters running critical applications, and deriving concrete hardening recommendations.

Shift-left security & DevSecOps transformation: implementing a company-wide shift-left approach to integrate security early into development and deployment processes, enabling developers to conduct security checks independently, and sustainably reducing vulnerabilities before production (IDE integrations, pre-commit hooks, local scanners).

Software supply chain security: analyzing and mitigating supply chain risks in NPM- and Yarn-based applications through dependency audits, securing CI/CD pipelines, token rotation, and restricting risky build and lifecycle mechanisms.

Frontend & framework security (React/Next.js): security assessment and coordination of remediation for critical vulnerabilities in all platform applications and web frameworks, including alignment and additional technical mitigations with all teams following BSI warnings.

Software composition analysis (SCA): implementing and operating automated vulnerability scans for container images, pipelines/artifacts, and third-party dependencies, including SBOM exports within CI/CD pipelines.

SAST/DAST integration: designing and piloting static and dynamic application security tests in close cooperation with security architecture and development teams to continuously improve code and runtime security, and establishing operational acceptance tests (BATs).

Artifact & registry consolidation: analyzing and consolidating all package and container repositories for service applications and AKS workloads with the goal of a centralized, secured registry strategy, including centralized vulnerability scanning and governance.

Dependency Track & SBOM strategy: advising the compliance board on implementing a central SBOM and vulnerability management platform to increase enterprise-wide dependency transparency and accelerate CVE response times.

CI/CD pipeline hardening: security analysis and cleanup of the existing pipeline landscape by removing unused pipelines, improving secrets hygiene, enforcing the least privilege principle, and isolating build agent environments.

Azure Web Application Firewall (WAF) optimization: analyzing and optimizing existing Azure WAF rule sets (OWASP Top 10 Core Rule Set, DSR/SDC, custom rules) to defend against known vulnerabilities and exploit patterns, including reducing false positives and improving threat detection.

Documentation & stakeholder communication: creating and maintaining technical documentation, runbooks, and architecture diagrams in Jira and Confluence, as well as actively transferring knowledge between operations, development, security, and compliance stakeholders.

2,500 workloads for over 17,000 employees worldwide.

Multi-account AWS landing zone, deployment of multi-stage Kubernetes clusters with Amazon EKS and ECS, as well as AWS Fargate; hybrid networking with global IP address management (IPAM) and WAN; use of transit gateways and Palo Alto firewalls (Pan-OS) across six operational cloud regions.

Service ownership of AWS cloud landing zones, including operation, further development, and ensuring compliance with corporate standards and governance policies for all subsidiaries.

Conducted security and compliance analyses (DevSecOps) and mapped findings to common frameworks like NIST, ISO 27001, and PCI DSS.

Performed AWS Well-Architected Reviews to assess and optimize existing multi-account landing zone architectures.

Centralized and consolidated multiple AWS landing zones and built a global network architecture to the Azure Prisma Hub.

Managed and optimized incident, change, and problem management processes via ServiceNow for AWS Global Networking / Azure Global WAN.

Analyzed, optimized, and migrated DaaS workloads (Desktop-as-a-Service), including comparing and transitioning from Nutanix Frame and AWS WorkSpaces Classic to AWS WorkSpaces Pools.

Tuned storage performance and throughput for Amazon FSx for Windows File Server.

Introduced and operated a centralized firewall and traffic inspection setup with Palo Alto Networks (PAN-OS).

Designed and implemented a fully automated AWS landing zone solution with built-in security and compliance mechanisms.

Built and maintained infrastructure-as-code (IaC) pipelines using Azure DevOps for repeatable, secure deployments including security gates.

Rolled out global AWS WorkSpaces Pools for over 500 CAD/engineering end users, including enablement and architecture optimization.

Implemented staging environments for Kubernetes workloads, including separation of dev/test/prod and access control.

Integrated Dependency-Track for SBOM analysis and implemented additional security services like AWS Inspector, GuardDuty, and Security Hub.

Connected the AWS environment to external SOC providers, including SIEM integration.

Onboarded the new landing zone into the CSPM tool (SentinelOne Singularity Cloud Platform), including continuous security posture management.

Documentation, quality assurance, and knowledge transfer to internal engineering and security teams.

Various clients from different industries, over 1,500 users in the EUC context, five main applications including infrastructure migrations.

AWS Cloud MSP, multi-account AWS landing zone, multi-tenant AppStream 2.0 fleets, and Amazon WorkSpaces Classic provisioning using Terraform and AFT.

Configured multiple AWS multi-account landing zones, including workload accounts and organizational units (OUs).

Implemented and managed SCPs and guardrails in AWS Control Tower and AWS Organizations, including regional usage restrictions and establishing an account security and compliance concept according to AWS best practices.

Planned, configured, and automated provisioning of multiple VPCs and infrastructures for AWS VDI technologies, focusing on Amazon AppStream 2.0 and Amazon WorkSpaces.

Developed, automated, and deployed images for Amazon AppStream 2.0 and AWS WorkSpaces services using Terraform and image pipelines.

Designed migrations and planned and executed strategic migration of client applications and application servers to AWS cloud through rehosting/lift-and-shift.

Fully automated provisioning of client infrastructures and applications in multi-stages and multi-accounts via Terraform and CI/CD pipelines.

End-to-end configuration and testing for multiple user streaming via AppStream 2.0, including autoscaling and fleet management.

Created and deployed standardized Amazon WorkSpaces, including Active Directory domain join and standard GPOs.

Connected AWS WorkSpaces services to Microsoft Active Directory workloads and integrated with identity provider services for user synchronization including single sign-on (via SCIM).

Implemented Azure Active Directory synchronization for Microsoft 365 and Entra ID with Entra ID Connect.

Configured CloudWatch monitoring and enabled application monitoring for applications.

Set up centralized backup management with AWS Backup service for the respective client organizations.

Advised on the planning, architecture, and full implementation of a scalable Windows Virtual Desktop environment for 500+ users.

Built and configured host pools (pooled & personal) with automated user assignment and load balancing according to the Azure Well-Architected Framework.

Developed and operated a fully automated image pipeline (golden image build & deployment) using Azure Image Builder – including regular updates, security hardening, and CAD application integration.

Implemented MSIX/App Attach for dynamic application delivery: packaging, storage integration (Azure Files), assignment, and lifecycle management for different user groups from Entra ID.

Integrated FSLogix for user profile management (Azure Files) to ensure high-performance, persistent user profiles with GPO enforcement.

Implemented monitoring & logging (Azure Monitor, Log Analytics Workspace) for proactive troubleshooting and capacity planning.

Automated scaling and maintenance processes for session hosts (start VM on connect, scheduled agent updates, autoscaling).

Implemented Conditional Access policies and multi-factor authentication for secure remote access to AVD desktops.

Created operational documentation, runbooks, and handed over to IT operations.

1,250+ workloads and over 5,500 users worldwide.

Provided comprehensive consulting and support to the client during the AWS cloud migration preparation phase.

Performed detailed assessments for around 250+ Linux servers and over 50 Linux applications.

Introduced RedHat Satellite for efficient patch management of RedHat and CentOS servers.

Modernized Linux servers with minor and major release changes in preparation for cloud requirements.

Conducted AWS Migration Readiness Assessments (MRA) for resources, tools, and workforce skills.

Installed AWS discovery and inventory tools to analyze application dependencies.

Created comprehensive documentation of the Linux system landscape as a basis for cloud rehosting.

Healthcare insurance environment, Citrix infrastructure backend services, IGEL thin clients for BARMER.

Initiation and planning of the migration project for Citrix infrastructure outsourcing.

Design and technical implementation of migration paths for the existing Citrix infrastructure.

Development of a new Citrix backend for future operations.

Identification and implementation of migration strategies for user profiles and software packages.

Design and creation of a new Active Directory group structure including naming conventions.

Securing the migration process by identifying critical configurations such as Citrix UPM and GPOs.

Coordination and management of external service providers during the transition.

2nd and 3rd level support for Citrix remote workspaces.

Implementation and rollout of Windows 10 clients using Baramundi.

Interim administration of the Exchange server.

Software packaging and endpoint management.

Mobile device management via MobileIron/MobilePASS.

Quality management and documentation creation.

Over 500 workloads, virtualization of physical and virtual servers.

Execution of P2V (physical to virtual) virtualization of physical servers with VMware.

V2V (virtual to virtual) conversion of KVM/QEMU server systems into VMware vCenter.

Coordination and scheduling of virtualization processes.

Virtualization of RedHat, SLES, and Microsoft Windows servers.

Integration of virtualized systems into the central data center.

Implementation of service and process monitoring as well as quality assurance of migration processes.

Designed and implemented an IAM environment using Microsoft Identity Manager (MIM).

Developed attribute flows and synchronization rules for Active Directory user objects.

Built and secured the perimeter network (DMZ), including a reverse proxy.

Integrated and tested IAM tools for single sign-on (SSO) applications.

Set up the SSO identity provider and integrated it with Active Directory Federation Services (ADFS).

Two data centers, over 2000 server systems, various network components.

Developed a monitoring system architecture based on Nagios.

Implemented the Nagios master server and configured the platform.

Successfully migrated Nagios to Check_MK OMD (Open Monitoring Distribution).

Integrated AIX, Linux, and Windows servers into the monitoring system.

Mapped service dependencies and prioritized business-critical applications.

Monitored systems via SNMP and WMI, including alert configuration.

Integrated monitoring results into the ticketing system (Omnitracker).

Provided 1st and 2nd level support for end users.

Administered and maintained Microsoft Small Business Server for multiple clients.

Diagnosed and resolved issues in real time to ensure smooth operations.

Coordinated support tasks while meeting SLAs and KPIs.