Security & Infrastructure Engineer - Sovereign Zero-Trust

Bison Bison Cooperative Association
San Francisco, United States of America
19 days ago

Role details

Contract type
Permanent contract
Employment type
Full-time (> 32 hours)
Working hours
Regular working hours
Languages
English
Experience level
Senior
Compensation
$ 180K

Job location

San Francisco, United States of America

Tech stack

Kubernetes Security
Audit Trail
Computer Networks
Continuous Integration
DNS
Key Management
Network Architecture
Public Key Infrastructure
Role-Based Access Control
Zero Trust Network Access
SAP Applications
Kubernetes
Hashicorp
Static Application Security Testing
Dynamic Application Security Testing

Job description

  • Architect end-to-end sovereign security posture across all deployment environments - including zero-trust air-gapped network isolation with no external egress, HIPAA/FedRAMP/ITAR compliance readiness, and certified deployment across 20+ international jurisdictions and DoD environments
  • Enforce cryptographically signed agentic access controls via the Signed Action Protocol (SAP), with RBAC/ABAC governing both human and agent principals across every sovereign stack deployment
  • Maintain immutable JSONL audit trails with OpenTelemetry instrumentation across all agent actions, ensuring every deployment can be fully demonstrated, audited, and certified within a 30-minute live review
  • Design and implement zero-trust network architecture: SPIFFE/SPIRE workload identity and mTLS on all inter-service paths
  • Build per-country sovereign PKI: Ed25519 root CAs, TLS cert lifecycle management, and sovereign certificate issuance
  • Implement the Signed Action Protocol: ECDSA P-256 signing on all agent actions and signature verification
  • Deploy and maintain secrets management via OpenBao (sovereign Vault fork): rotation policies and audit logging
  • Own the air-gap certification process: tcpdump verification, DNS egress blocking, and namespace isolation
  • Enforce data residency via Kubernetes network policies, namespace boundaries, and per-country egress rules
  • Integrate security scanning (SAST/DAST) into the CI/CD pipeline with automated credential exposure detection

Requirements

  • 5+ years security engineering with 2+ years at senior level
  • Expert in zero-trust air-gapped architecture, sovereign security deployment (HIPAA/FedRAMP/ITAR), cryptographically signed agentic access controls (SAP/RBAC/ABAC), and immutable audit trail design (JSONL/OpenTelemetry) across DoD and international jurisdictions
  • Zero-trust architecture: SPIFFE/SPIRE, mTLS, and PKI design at depth
  • Cryptography implementation: Ed25519, ECDSA P-256, AES-256-GCM, TLS 1.3
  • Kubernetes security: RBAC, pod security standards, network policies, and secrets management
  • Secrets management: HashiCorp Vault or OpenBao - rotation, audit logging, and access policies
  • Air-gapped or classified system security experience required

Benefits & conditions

Parental leave, 401(k), Health insurance, Paid time off, Vision insurance, Dental insurance Full-time Hybrid work in San Francisco, CA 94177, * 401(k)

  • Dental insurance
  • Health insurance
  • Paid time off
  • Parental leave
  • Vision insurance

Apply for this position