Senior Security Engineer – Cloud & on-Prem (Hybrid Security)

If you love beauty, you're in the right place.

As the ultimate curator of over 100 of the most in-demand, highly innovative and boundary-pushing beauty brands, we are the go-to destination for worldwide beauty discovery.

Together through our neighbourhood stores, online presence and loyalty scheme, Space NK has built a flourishing community in which to discover beauty. The customer is at the heart of everything we do, and we will always endeavour to offer everything they need to help them explore, experiment, and enjoy our brands.

Space NK operates a hybrid environment across Microsoft Azure, corporate offices, datacentres, and a large UK retail footprint. As a Security Engineer, you will design, implement, and operate security controls across cloud platforms, identity systems, endpoints, servers, and business applications. You will support the organisation's security posture by ensuring that identity, cloud security, data protection, threat detection, and compliance controls are consistently applied and continuously improved.

This role is technical and hands‑on, with architectural influence. It requires close collaboration with Network Engineering, Infrastructure, Cloud, and Application teams to ensure secure‑by‑design solutions across the entire ecosystem.

As a Security Engineer, you will be responsible for owning and operating the security controls that protect Space NK's identity, cloud, and on‑premises environments. You will define and maintain security standards, enhance detection capabilities, harden platforms, and support incident response. You will lead improvements across authentication, authorisation, cloud posture, endpoint security, vulnerability management, and compliance frameworks.

You will work closely with Network Engineering, who operate routing, switching, firewalls, VPNs, and connectivity. Your responsibility is to define the security requirements, validate secure configurations, and ensure Zero Trust and compliance controls are met - while Network Engineering implements the network infrastructure itself.

This role bridges strategy and technical execution: shaping identity security, strengthening Azure cloud posture, enhancing monitoring and detection capabilities, advising on architecture, and maintaining a secure foundation for all business platforms.

• Design and implement security controls across Azure cloud services, on‑prem servers, and SaaS applications.
• Define and maintain security baselines, hardening standards, and cloud security benchmarks (Microsoft CSB, CIS, NIST).
• Govern and enforce Azure Policy, Defender for Cloud, and platform‑level security controls.
• Participate in design and architecture reviews to ensure secure‑by‑design deployments.
• Maintain security documentation, operational runbooks, standards, and policy artefacts.
• Support risk assessments, penetration test remediation, and threat modelling activities.

• Define and maintain identity security standards for Microsoft Entra ID and Active Directory Domain Services.
• Provide security requirements for Conditional Access, MFA, SSO, passwordless authentication, and identity governance, implemented by the IAM teams.
• Partner with IAM/Infrastructure teams to ensure privileged access (PIM), RBAC models, and least‑privilege designs meet security requirements.
• Harden identity infrastructure including domain controllers, authentication protocols (Kerberos/NTLM), secure LDAP, and hybrid identity components.
• Monitor identity‑related security signals (Identity Protection, risky users/sign‑ins) and support investigation of identity‑based attacks.
• Validate secure delegation models, access review processes, and identity lifecycle controls defined by IAM.

• Own and operate SIEM and SOAR tooling, including Microsoft Sentinel, Defender XDR, Identity Protection, and threat analytics.
• Develop and refine detection rules, correlation logic, threat hunting use cases, and behavioural analytics.
• Investigate and support incident response for identity compromise, endpoint attacks, Azure cloud events, or server breaches.
• Integrate telemetry from Azure, endpoints, identity platforms, and security tools.
• Produce incident reports, RCA documentation, and post‑incident improvement plans.
• Coordinate with SOC teams or third‑party providers when required.

• Implement CIS/NIST‑aligned hardening across Windows Server, domain controllers, virtual machines, and Azure workloads.
• Deploy and manage endpoint protection and EDR platforms (e.g., Microsoft Defender for Endpoint).
• Enforce secure baselines across virtualisation platforms (VMware/Hyper‑V) and Azure IaaS services.
• Partner with Infrastructure teams on patch governance, vulnerability remediation, and secure configuration management.
• Support security oversight of server migrations, consolidations, and platform modernisation.

• Operate Azure Key Vault and certificate lifecycle management via AD CS/PKI.
• Implement data classification, sensitivity labels, retention controls, and DLP using Microsoft Purview/AIP.
• Enforce encryption‑in‑transit and at‑rest across Azure and on‑prem environments.
• Support GDPR, PCI DSS, and organisational data protection requirements.

• Deliver cloud‑native security configuration for Azure Landing Zones, subscriptions, and resource groups.
• Manage cloud security posture using Defender for Cloud and Azure‑native CSPM controls.
• Configure secure connectivity to Azure services (Private Endpoints, Service Endpoints, segmentation boundaries).
• Collaborate with Network Engineering to validate secure ExpressRoute, VPN, and firewall configurations - Network Engineering operates the underlying infrastructure.
• Ensure consistent security policy enforcement across Azure workloads.

• Support ISO 27001, PCI DSS, Cyber Essentials Plus, and NIST compliance activities.
• Prepare audit evidence, configuration exports, policy documentation, and control validation artefacts.
• Maintain risk registers, track remediation progress, and support risk assessments.
• Participate in CAB/change management from a security perspective.
• Support DR/BCP planning from a security controls perspective.

• Work closely with Network Engineering on segmentation requirements, firewall policy governance, and secure architecture reviews.
• Partner with Infrastructure, Cloud, and Application teams to ensure secure deployments.
• Provide security guidance across projects, deployments, and operational teams.
• Help raise security awareness across the technology organisation.

• Strong experience securing Azure environments, including Defender for Cloud, Conditional Access, and identity protection tooling.
• Deep knowledge of Microsoft Entra ID, AD DS, MFA, PIM, RBAC, and hybrid identity security.
• Hands‑on experience with SIEM (Sentinel), SOAR, EDR (MDE), CSPM, and vulnerability management tools.
• Experience securing Windows Server, PKI/ADCS, domain controllers, and virtualisation environments.
• Practical understanding of Zero Trust security principles and secure‑by‑design.
• Strong understanding of PCI DSS, ISO 27001, Cyber Essentials Plus, and NIST controls.
• Ability to perform forensic investigation, log analysis, and threat triage.

• Awareness of AWS security fundamentals (GuardDuty, Security Hub, KMS, IAM Identity Center).
• Basic understanding of AWS hybrid connectivity and identity integrations (advantageous but not required).
• DevSecOps and secure CI/CD practices.
• IaC security automation (Terraform, Bicep).
• Container security (AKS) and SaaS application security.
• PowerShell/Python scripting for automation.

Please note that only successful candidates will be contacted.

All applicants must have the right to live and work in the UK.

If you want to find out more about us, what it is like to work for us, all about our benefits, and our pledges on Diversity, Inclusion and Belonging, please visit our website.

Space NK are an equal opportunities employer.

We will use the information you provide to us with your job application to help us process your application for the specific job you have applied for. If you apply speculatively, we will process your application for the job/relevant business area that you detail within your email.

Please note that our current system does not use an automated filtering system.

All applications made via the website, through a third‑party website or in‑store will be kept on file for a period of 12 months.

This information will be retained and used to assess your suitability to similar positions that may arise in the future, or if the initial vacancy becomes live again during the 12‑month period. If you would prefer us to not hold your information on file/ you wish to be 'forgotten' if you are not offered a position with Space NK, please email your 'right to be forgotten' to our recruitment email address with RIGHT TO BE FORGOTTEN as the title of the email. We will always inform you when we have deleted your application details, otherwise we will treat your application as consent to us holding this information.