KPMG’s Cyber & TechLaw practice enables clients to design and operate secure‑by‑default Microsoft Azure platforms. As an Azure Security Manager/Expert, you lead the design, build and hardening of cloud landing zones and core services, embedding zero‑trust, policy‑as‑code and identity‑first controls across enterprise and regulated environments.

Cloud platform architecture & landing zones

• Design Enterprise‑Scale Azure Landing Zones per CAF (management groups, subscription strategy, naming/tagging).
• Engineer guardrails using Azure Policy/initiatives and automate subscription vending with Bicep/Terraform.

Data protection & key management

• Enforce encryption by default; apply CMK for PaaS; govern secrets/certificates with Azure Key Vault.
• Adopt Microsoft Purview‑aligned protection patterns and define DR/backup guardrails for critical data services.

Container & platform hardening

• Define AKS standards (policy for Kubernetes, RBAC, network policies, ACR signing/scanning gates).
• Secure PaaS (App Service, Functions, Storage, SQL, Cosmos DB) with least privilege and network isolation.

Identity & privileged access (Microsoft Entra)

• Establish Conditional Access baselines, authentication strengths, workload identities and B2B collaboration.
• Implement PIM (just‑in‑time), RBAC/ABAC models, break‑glass design and access reviews.

Network & perimeter security

• Architect hub‑and‑spoke or Virtual WAN with zero‑trust segmentation.
• Implement Private Link/Endpoints, Azure Firewall/WAF, DDoS Protection, and NSG/ASG/egress controls.

Posture & compliance (build‑time/run‑time)

• Own Defender for Cloud CSPM enablement and risk‑based remediation (agentless assessments, vuln management).
• Map controls to CIS Azure, Microsoft Cloud Security Benchmark and NIST CSF 2.0; run exceptions/RA processes.

DevSecOps guardrails & automation

• Integrate security in CI/CD: IaC policy checks, code‑to‑cloud mapping and signed artifacts.
• Automate platform changes with Bicep/Terraform, GitOps and change approvals; publish reusable modules.

Collaboration & handover

• Lead multi‑disciplinary teams, coach consultants and communicate design trade‑offs to senior stakeholders.

Impact you’ll make in the first months

• Accelerate secure landing zone rollout with automated subscription vending and policy packages.
• Reduce standing privileges via PIM and staged Conditional Access baselines.
• Improve secure score through prioritized CSPM remediation and IaC‑enforced guardrails.

• 7–12 years in cyber/cloud security with 3+ years leading Azure platform security architecture and hardening.
• Hands‑on depth in Entra ID (CA, PIM), Azure Policy, Bicep/Terraform, Key Vault, network security and Defender for Cloud (CSPM).
• Ability to map designs to CAF/Enterprise‑Scale, Well‑Architected (Security), CIS Azure and NIST CSF 2.0.
• Consulting skills: stakeholder management, clear storytelling and delivery leadership.
• Typical certifications: SC‑100, AZ‑500, SC‑300.

• Salary between EUR 5,100 and EUR 6,500
• 30 vacation days (based on full-time employment), with the option to buy additional days or sell your vacation days.
• A lease car + NS business card or a mobility allowance.
• A flexible pension scheme with no mandatory personal contribution.
• A wide range of training and educational programs to support your professional and personal development.
• Focus on vitality! Work out at the office in Amstelveen or get a discount at a gym near you, plus access to coaching, health, and wellness programs.
• ‘Together’ is one of our core values. You can expect various social activities such as team outings, drinks, and events with your colleagues.