CloudOkta
Website: cloudokta.com
Job details:
Network Security Engineer
Infrastructure Security | SASE / SSE | Threat Prevention | NAC & Identity
Location: Remote
Employment Type: Full-Time
ABOUT THE ROLE
We are seeking an experienced and technically accomplished Network Security Engineer to join our enterprise security team. This role is accountable for the design, deployment, and ongoing operational maturity of the organisation's network security controls — spanning cloud-delivered security services, next-generation firewall infrastructure, threat detection, web application protection, and network access control.
The successful candidate will operate as a subject-matter expert across a defined technology stack, drive measurable improvements to the organisation's security posture, and maintain clear ownership of controls performance through defined metrics and executive-ready reporting. This is a hands-on technical role with a strong accountability mandate and genuine scope to shape programme direction.
KEY RESPONSIBILITIES
SASE / SSE & Cloud Security (Netskope)
• Own the full lifecycle of the Netskope SSE platform — tenant configuration, policy authoring, steering configuration, and integration with IdP and SIEM.
• Enforce CASB and DLP policies across SaaS applications, shadow IT discovery, and cloud storage platforms (M365, Salesforce, AWS S3).
• Maintain Netskope Secure Web Gateway (SWG) policies, SSL/TLS inspection profiles, and URL/threat category enforcement aligned to acceptable-use standards.
• Instrument Netskope threat protection, RBI (Remote Browser Isolation), and ZTNA policies for application access; govern client connector deployment via MDM.
• Produce monthly Netskope posture reports covering data-in-motion risk, policy violation trends, and user risk scoring.
Firewall & Perimeter Security (Versa Networks)
• Administer Versa SD-WAN / SASE appliances and VOS policy across branch, data centre, and cloud fabric; manage BGP/OSPF route policies and VPN overlays.
• Design and enforce Versa Next-Generation Firewall (NGFW) zone policies, application-based QoS, and micro-segmentation rules aligned to Zero Trust principles.
• Conduct quarterly firewall rule-base reviews — identify stale, overly permissive, or undocumented rules and drive remediation to a defined ruleset hygiene standard.
• Manage firmware lifecycle, change control, and failover testing for all Versa nodes; maintain topology diagrams and change records in ITSM tooling.
• Coordinate with WAN/ISP providers on circuit provisioning, SLA validation, and path-quality troubleshooting.
Intrusion Detection & Prevention (IDS/IPS)
• Operate and tune inline IPS sensors and out-of-band IDS deployments; manage signature sets, custom rules, and suppression lists to maintain a low false-positive rate.
• Correlate IDS/IPS alert data with SIEM telemetry to identify attack patterns, lateral movement indicators, and policy bypass attempts.
• Conduct regular coverage gap assessments against MITRE ATT&CK network-layer techniques; drive signature and detection rule improvements.
• Maintain IDS/IPS performance baselines; respond to throughput or latency degradation impacting inline enforcement.
• Collaborate with the SOC to escalate confirmed intrusion events and support forensic analysis.
Web Application Firewall (Cloudflare WAF)
• Administer Cloudflare WAF rulesets, rate limiting, bot management, and DDoS protection profiles for internet-facing web assets.
• Manage custom WAF rules and Managed Rulesets (OWASP Core Ruleset, Cloudflare Specials); tune sensitivity thresholds to balance protection and availability.
• Operate Cloudflare DNS, SSL/TLS termination, and certificate management; govern origin IP exposure and authenticated origin pulls.
• Monitor Cloudflare Security Analytics dashboards; investigate spike events, evaluate threat scores, and adjust rule actions (challenge / block / log) accordingly.
• Coordinate WAF exception processes with application owners; document all exclusions with business justification and scheduled review dates.
Network Access Control (Aruba ClearPass)
• Design and operate ClearPass Policy Manager (CPPM) for 802.1X wired/wireless authentication, profiling, and BYOD onboarding.
• Maintain ClearPass Onboard and Guest portal configurations; manage certificate-based EAP-TLS authentication integrations with PKI and Active Directory.
• Define and enforce posture assessment policies — validate endpoint compliance (patch level, AV, disk encryption) before granting network access.
• Administer dynamic VLAN assignment and downloadable ACL (dACL) policies for role-based network segmentation.
• Audit ClearPass access logs for authentication failures, rogue device attempts, and policy bypass events; integrate with SIEM for alerting.
Security Metrics, Reporting & Programme Maturity
• Own and maintain a Network Security KPI dashboard — track controls health, vulnerability age, policy exceptions, and incident trends against defined thresholds.
• Produce monthly operational reports and quarterly executive summaries aligned to framework maturity language (e.g., NIST CSF, CIS Controls, ISO 27001).
• Conduct annual self-assessment of network security controls maturity (Initial → Managed → Optimised); produce gap analysis and roadmap with prioritised remediation items.
• Manage exception and risk acceptance register for network security controls; ensure time-bound approvals with compensating control documentation.
• Support internal audit, external penetration testing, and regulatory assessments; provide evidence packages and close audit findings within agreed SLAs.
• Contribute to security risk register updates — translate technical vulnerabilities into business-risk language for non-technical stakeholders.
REQUIRED QUALIFICATIONS & EXPERIENCE
Education & Certifications
• Bachelor's degree in Computer Science, Information Security, Networking, or a related technical discipline; equivalent professional experience considered.
• One or more active, relevant certifications:
◦ PCNSE, CCNP Security, or equivalent enterprise firewall/network security certification
◦ Netskope Certified Cloud Security Administrator (NCCSA) or Engineer (NCCE)
◦ Aruba ClearPass Professional (ACCP) or equivalent NAC certification
◦ CompTIA Security+, CISSP, or CISM as a supporting credential
Technical Experience (Essential)
• 5+ years of hands-on network security engineering experience in mid-to-large enterprise environments.
• Demonstrable hands-on experience with Netskope SSE/CASB/SWG — policy configuration, log analysis, and API integrations.
• Proven experience administering Versa SD-WAN or comparable NGFW/SASE platforms (e.g. Palo Alto, Fortinet FortiGate, Cisco FTD) at scale.
• Solid working knowledge of IDS/IPS technologies (Snort, Suricata, vendor-specific inline sensors) — signature management and tuning.
• Hands-on experience with Cloudflare WAF, including custom rule authoring, bot management, and DNS/certificate management.
• Proven ClearPass NAC administration — 802.1X, EAP-TLS, endpoint posture, and dynamic role enforcement.
• Strong grounding in network protocols: BGP, OSPF, VLANs, 802.1Q, QinQ, VxLAN, IPsec/SSL VPN, DNS, DHCP, TLS 1.2/1.3.
• Experience integrating security tools with SIEM platforms (e.g. Microsoft Sentinel, Splunk, QRadar) via syslog, CEF, or API.
• Demonstrable ability to design and maintain security metrics frameworks and produce board/executive-level reporting.
Technical Experience (Desirable)
• Experience with additional SASE/SSE platforms: Zscaler ZIA/ZPA, Prisma Access, or Cato Networks.
• Familiarity with cloud network security constructs — AWS Security Groups/NACLs, Azure NSGs/Firewall, GCP VPC firewall rules.
• Exposure to Zero Trust Network Access (ZTNA) architectural principles and implementation patterns.
• Scripting capability (Python, PowerShell, Bash) for automation of policy deployment, log parsing, or reporting pipelines.
• Understanding of OT/ICS network security considerations and DMZ design for operational technology segments.
• Familiarity with CIS Benchmarks, NIST SP 800-53 / CSF, or ISO/IEC 27001 network security control requirements.