Angela Sukwe
Senior Cloud Security Engineer | DevSecOps | IAM & Zero Trust Architect
210-***-**** | ***********@*****.*** | linkedin.com/in/ange-sakwe-977aab3b4 | San Antonio, TX
PROFESSIONAL SUMMARY
Results-driven Senior Cloud Security Engineer with 8+ years of progressive experience securing multi-cloud environments across AWS, Azure, and GCP. Expert in Cloud Governance, IAM/Zero Trust architecture, DevSecOps pipeline security, CSPM/CWPP tooling, SIEM engineering, Kubernetes security, and AI/LLM security. Proven track record of architecting secure cloud landing zones, automating compliance at scale, and driving measurable reductions in organizational risk through engineering-led security programs. Experienced in leading cross-functional security initiatives, mentoring engineering teams, and communicating security strategy and risk posture to C-level executives and board stakeholders.
TECHNICAL SKILLS
Cloud Platforms: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP)
Cloud Governance: AWS Control Tower, AWS Organizations, Account Factory for Terraform (AFT), SCPs, GuardRails, Landing Zones, OU Design
Identity & Access: Microsoft Entra ID, SCIM Provisioning, AWS IAM Identity Center, Azure AD, GCP IAM, RBAC, PIM, JIT Access, IAM Access Analyzer
AI & LLM Security: LLM Guardrails, Amazon Bedrock Guardrails, Azure AI Content Safety, MCP Security, AI Governance, OWASP Top 10 for LLMs, NIST AI RMF
Security Tools: Wiz (CSPM/CWPP), CrowdStrike Falcon EDR, Splunk, AWS Security Hub, GuardDuty, AWS Macie, AWS Inspector, Microsoft Defender for Cloud, GCP SCC
IaC & Automation: Terraform, Terraform Modules, CloudFormation, StackSets, Ansible, Python (Boto3), Bash, PowerShell, AWS Lambda, Step Functions
Containers & Kubernetes: Docker, EKS, AKS, GKE, OPA Gatekeeper, Falco, Trivy, Helm, Pod Security Standards, Istio mTLS, ECR/ACR Image Scanning
DevSecOps & CI/CD: GitHub Actions, GitLab CI, Jenkins, SonarQube, Checkmarx, Checkov, tfsec, Snyk, GitLeaks, TruffleHog, HashiCorp Vault, Sigstore/Cosign
Logging & Monitoring: Splunk (HEC, TAs, SOAR, RBA), CloudTrail, VPC Flow Logs, GuardDuty, Azure Defender, GCP Cloud Logging, EventBridge, CloudWatch
Compliance & Frameworks: SOC 2 Type II, PCI-DSS, HIPAA, FedRAMP, NIST 800-53, CIS Benchmarks, NIST AI RMF, OWASP, Zero Trust Architecture
PROFESSIONAL EXPERIENCE
Senior Cloud Security Engineer October 2023 – Present IBM San Antonio, TX
• Architect and manage a multi-cloud security governance framework spanning 500+ AWS accounts using AWS Control Tower, AWS Organizations, and Service Control Policies (SCPs) to enforce encryption mandates, region restrictions, and least-privilege guardrails across all organizational units; reduced cloud misconfiguration incidents by 35%.
• Lead enterprise AI and LLM security initiatives, defining standards for prompt injection prevention, input/output validation, PII redaction, and model access governance aligned with OWASP Top 10 for LLMs and NIST AI Risk Management Framework.
• Secure Model Context Protocol (MCP) integrations by implementing authentication controls, input sanitization, tool-call authorization policies, and audit logging to prevent unauthorized data exfiltration through AI agent workflows in production enterprise environments.
• Implement LLM guardrails using Amazon Bedrock Guardrails and Azure AI Content Safety to enforce content filtering, topic restrictions, PII redaction, and grounding validation on model inputs and outputs, enabling safe enterprise AI deployment across business units.
• Design and implement Wiz CSPM/CWPP with custom policies and Python API automations to auto-remediate critical findings across AWS, Azure, and GCP, reducing MTTR by 45% by leveraging attack path analysis to prioritize toxic vulnerability combinations.
• Enforce Kubernetes security across EKS, AKS, and GKE clusters using OPA Gatekeeper constraint templates, Pod Security Standards, Kubernetes RBAC, Trivy image scanning, and Falco runtime protection, reducing container attack surface by 70%.
• Architect shift-left DevSecOps pipelines integrating SAST (SonarQube, Checkmarx), SCA (Snyk), IaC scanning (Checkov, tfsec), and secrets detection (GitLeaks, TruffleHog) as automated gates in GitHub Actions and GitLab CI, reducing production security defects by 40%.
• Build Splunk correlation rules, SOAR playbooks, and risk-based alerting (RBA) to detect IAM privilege escalation, unauthorized API calls, data exfiltration, and lateral movement patterns; reduced SOC alert fatigue by 50% while improving threat detection accuracy and coverage.
• Lead SOC 2 Type II, PCI-DSS, HIPAA, and FedRAMP compliance programs with Python-automated evidence collection, control implementation, and direct auditor engagement; achieved zero critical audit findings across two consecutive annual audit cycles.
• Implement zero-trust network architecture across multi-cloud environments including AWS Network Firewall, WAF rules, PrivateLink endpoints, VPC transit gateways, Azure Firewall with Private Endpoints, and GCP VPC firewall rules to enforce microsegmentation and least-privilege network access.
• Develop and maintain encryption strategies using AWS KMS, Azure Key Vault, and GCP Cloud KMS with customer-managed keys (CMKs), automated key rotation, and envelope encryption for PII, PHI, and financial data stored across cloud workloads.
• Design and enforce AI governance frameworks covering model training data security, model versioning, and responsible AI usage; secure ML pipelines on AWS SageMaker and Azure ML with access-controlled model registries and signed model artifacts.
• Mentor 5+ junior and mid-level security engineers through technical coaching and architecture reviews; lead a security champions program training 25+ developers on secure coding practices and DevSecOps tooling; present risk metrics and security strategy to C-level executives quarterly.
Cloud Security Engineer January 2020 – July 2023 Truist Financial Charlotte, NC
• Promoted from Security Analyst to Cloud Security Engineer based on demonstrated expertise and measurable impact; assumed full ownership of cloud security architecture, IAM governance, and infrastructure-as-code security across AWS and Azure environments serving 200+ accounts.
• Configured Microsoft Entra ID as centralized Identity Provider (IdP) with SCIM provisioning into AWS IAM Identity Center; deployed Privileged Identity Management (PIM) for just-in-time elevated access and enforced Conditional Access policies requiring MFA and device compliance, eliminating manual provisioning and reducing standing privilege exposure.
• Provisioned AWS accounts at scale using Account Factory for Terraform (AFT) with global customizations auto-deploying GuardDuty, Security Hub, Config rules, CloudTrail, VPC flow logs, and default EBS encryption; built versioned Terraform module registry consumed by 20+ engineering teams.
• Integrated Checkov, tfsec, and Sentinel policies into CI/CD pipelines with pre-commit hooks reducing IaC security findings by 60%; deployed AWS Security Hub aggregating GuardDuty, Inspector, and Macie findings with automated EventBridge-driven remediation workflows for high-severity alerts.
• Designed and managed AWS VPC architectures with transit gateways, PrivateLink endpoints, and security group policies to enable secure inter-account connectivity; implemented AWS Macie to discover and protect PII exposure across S3 buckets and enforce data loss prevention policies.
• Drove cloud incident response for compromised IAM credentials, cryptomining, and data exfiltration events; conducted forensic analysis via CloudTrail and VPC Flow Logs, developed cloud-specific IR playbooks, and implemented automated containment using AWS Lambda and Step Functions.
• Deployed CrowdStrike Falcon EDR across EC2 instances, Azure VMs, and GCP Compute Engine via Ansible, SSM, and Terraform with golden AMI baking; developed Python API integrations for automated host containment, IOC ingestion, detection triage, and executive reporting workflows.
• Managed enterprise vulnerability management program using Qualys and Tenable integrated with AWS Inspector and Wiz for unified multi-cloud visibility; established remediation SLAs, tracked MTTR dashboards, and reported aging vulnerability metrics to leadership on a monthly cadence.
• Developed Python-based security automation tools integrating APIs from Wiz, CrowdStrike, Splunk, and AWS Security Hub to create unified incident response workflows, auto-remediate public S3 buckets, revoke overly permissive security groups, and generate compliance audit reports.
• Implemented container image scanning pipelines using Trivy and ECR native scanning to identify vulnerabilities before images were pushed to production; enforced image admission controls ensuring only signed and scanned images from approved registries could be deployed to Kubernetes clusters.
Security Analyst April 2018 – December 2019 Truist Financial Charlotte, NC
• Monitored and triaged security alerts in Splunk SIEM across network, endpoint, and cloud log sources; escalated high-severity incidents based on business impact and coordinated initial containment actions including account lockouts, endpoint isolation, and malicious email quarantine.
• Architected centralized log aggregation pipelines ingesting VPC Flow Logs, CloudTrail, GuardDuty findings, and Azure Activity Logs to Splunk via HEC and Heavy Forwarders; developed custom Technology Add-ons (TAs) and sourcetypes for normalized cross-cloud correlation and threat hunting.
• Built Splunk dashboards tracking MTTD, MTTR, compliance scores, and vulnerability aging metrics; developed correlation searches detecting coordinated multi-cloud attacks using identity-based and IP-based pivoting across AWS, Azure, and GCP log sources.
• Performed phishing email analysis, threat intelligence correlation, and security log investigations for potential breaches and policy violations; supported forensic evidence collection and preservation using log exports and disk snapshots to assist security investigations.
• Managed vulnerability scanning operations using Qualys and Tenable; generated risk-prioritized remediation reports, tracked SLA compliance, and coordinated patching efforts across IT and engineering teams to maintain compliance posture aligned with NIST 800-53 and CIS frameworks.
• Assisted in developing cloud security policies, standard operating procedures, and incident response playbooks; contributed to security awareness training programs and phishing simulations that reduced employee click-through rates by 40%.
Help Desk Support Specialist February 2017 – February 2018 Carbon Health San Antonio, TX
• Provided Tier 1 and Tier 2 technical support for 500+ end users across multiple clinic locations, resolving hardware, software, and network connectivity issues with a 95% first-call resolution rate while consistently meeting SLA response targets.
• Administered Active Directory user accounts, security groups, and Group Policy Objects (GPOs); managed full on/offboarding workflows including account provisioning, role-based access assignment, and timely deprovisioning for clinical and administrative staff.
• Managed Office 365 and Azure AD user accounts including mailbox configuration, distribution lists, MFA enrollment, and conditional access troubleshooting, supporting the organization's transition to cloud-based productivity tools.
• Deployed and maintained endpoint devices using SCCM/Intune; managed antivirus deployment, patch compliance monitoring, and device enrollment for clinical workstations across the healthcare environment.
• Assisted the security team with endpoint alert monitoring, phishing email triage, and account lockout investigations; documented findings in ticketing system and escalated confirmed security events, building a strong foundation in security operations and incident handling.
CERTIFICATIONS
• AWS Certified Solutions Architect
• Certified Cloud Security Professional (CCSP)
• CompTIA Security+
• Microsoft Certified: Azure Security Engineer Associate (AZ-500)
EDUCATION
Bachelor of Science in Information Technology 2018 Baptist University of Cameroon Cameroon