Platform Security Engineer - A Venture Between Thales And Google
Thales
Job Title
Location: Bucharest, Romania
Thales is a global technology leader trusted by governments, institutions, and enterprises to tackle their most demanding challenges. From quantum applications and artificial intelligence to cybersecurity and 6G innovation, our solutions empower critical decisions rooted in human intelligence. Operating at the forefront of defence and security, aerospace and space, cybersecurity and digital identity, we're driven by a mission to build a future we can all trust.
In Romania, we are advancing innovation through software engineering, research and development, delivering solutions in key markets in which Thales Group operates. Our engineers design, develop and integrate solutions that impact global industries – from fully operational systems and subsystems for naval warfare and maritime security operations, to air traffic management systems, satellite-based solutions, tactical indoor simulations, identity and biometric technologies and more.
Bucharest - Hybrid (3 office / 2 remote) | Occasional travel to Paris Start: ASAP | English-speaking team
In most jobs, security is bolted on. In this one, you design what "after" looks like before there's an after.
The Project
A trusted, sovereign Google Cloud region - operated end-to-end from within Europe by the joint venture between Thales and Google Cloud.
Same Google Cloud power you know (GKE, compute, data, Vertex AI). European jurisdiction. European operators. Thales-grade cybersecurity.
In the last 6 months alone, the platform: Achieved a world-first regulatory qualification - IaaS + CaaS + PaaS in a single decision Named 2026 Google Cloud Partner of the Year - Sovereign Cloud Runs 3 data centres, 10,000+ devices, H100 GPU clusters in production
Your job: design how every credential, every key, every identity flows through the platform - at regulator-grade.
What You'll Own
Operate HashiCorp Vault as a platform-wide secrets service
Maintain Identity Providers (Keycloak, Workspace) and access control
Design credential management for humans and machines
Drive encryption & key management (KMS, HSM, rotation, BYOK/HYOK)
Secure communication patterns - TLS, certificates, trust boundaries, mTLS
Bake security-by-design into every deployment
Lead hardening & compliance - audit evidence, regulator-facing docs
What We're Looking For
Must-have: 7+ years in Security / DevSecOps / Platform Security
Strong hands-on with HashiCorp Vault (or equivalent enterprise secrets management)
Solid IAM / Identity Providers (Keycloak, Workspace)
Hands-on KMS / encryption key management - design and ops
Cloud security best practices, Linux fundamentals
Network security (TLS, proxies, segmentation)
Experience in high-security or regulated environments
Nice to have: Kubernetes secrets patterns (ESO, sealed-secrets, CSI driver)
Terraform / IaC
SIEM exposure (ELK)
Sovereign cloud experience
Why This Role Is Different
Identity and secrets ARE the security perimeter of a sovereign cloud. One leaked key, one misconfigured IDP - and the regulatory posture collapses. You design the patterns that prevent that. Greenfield, real stakes, real ownership.
What You Get
Competitive package + standard Thales benefits (private medical, meal vouchers, sport). Real ownership in a Bucharest team protecting European critical infrastructure.
Sound Like You?
If you've operated Vault at scale, designed KMS rotation strategies in anger, and treat security-by-design as a real engineering discipline - let's talk.