Security & Infrastructure Engineer - Sovereign Zero-Trust
Bison Bison Cooperative Association
San Francisco, United States of America
19 days ago
Role details
Contract type
Permanent contract Employment type
Full-time (> 32 hours) Working hours
Regular working hours Languages
English Experience level
Senior Compensation
$ 180KJob location
San Francisco, United States of America
Tech stack
Kubernetes Security
Audit Trail
Computer Networks
Continuous Integration
DNS
Key Management
Network Architecture
Public Key Infrastructure
Role-Based Access Control
Zero Trust Network Access
SAP Applications
Kubernetes
Hashicorp
Static Application Security Testing
Dynamic Application Security Testing
Job description
- Architect end-to-end sovereign security posture across all deployment environments - including zero-trust air-gapped network isolation with no external egress, HIPAA/FedRAMP/ITAR compliance readiness, and certified deployment across 20+ international jurisdictions and DoD environments
- Enforce cryptographically signed agentic access controls via the Signed Action Protocol (SAP), with RBAC/ABAC governing both human and agent principals across every sovereign stack deployment
- Maintain immutable JSONL audit trails with OpenTelemetry instrumentation across all agent actions, ensuring every deployment can be fully demonstrated, audited, and certified within a 30-minute live review
- Design and implement zero-trust network architecture: SPIFFE/SPIRE workload identity and mTLS on all inter-service paths
- Build per-country sovereign PKI: Ed25519 root CAs, TLS cert lifecycle management, and sovereign certificate issuance
- Implement the Signed Action Protocol: ECDSA P-256 signing on all agent actions and signature verification
- Deploy and maintain secrets management via OpenBao (sovereign Vault fork): rotation policies and audit logging
- Own the air-gap certification process: tcpdump verification, DNS egress blocking, and namespace isolation
- Enforce data residency via Kubernetes network policies, namespace boundaries, and per-country egress rules
- Integrate security scanning (SAST/DAST) into the CI/CD pipeline with automated credential exposure detection
Requirements
- 5+ years security engineering with 2+ years at senior level
- Expert in zero-trust air-gapped architecture, sovereign security deployment (HIPAA/FedRAMP/ITAR), cryptographically signed agentic access controls (SAP/RBAC/ABAC), and immutable audit trail design (JSONL/OpenTelemetry) across DoD and international jurisdictions
- Zero-trust architecture: SPIFFE/SPIRE, mTLS, and PKI design at depth
- Cryptography implementation: Ed25519, ECDSA P-256, AES-256-GCM, TLS 1.3
- Kubernetes security: RBAC, pod security standards, network policies, and secrets management
- Secrets management: HashiCorp Vault or OpenBao - rotation, audit logging, and access policies
- Air-gapped or classified system security experience required
Benefits & conditions
Parental leave, 401(k), Health insurance, Paid time off, Vision insurance, Dental insurance Full-time Hybrid work in San Francisco, CA 94177, * 401(k)
- Dental insurance
- Health insurance
- Paid time off
- Parental leave
- Vision insurance