Senior Infrastructure & Security Engineer

Kurv is executing a fundamental digital transformation, moving from legacy monolithic systems to a resilient, cloud-native enterprise leveraging AWS and Databricks
.

We are seeking a Senior Infrastructure & Security Engineer to join our team as a full-time, permanent stakeholder
. This role is for a long-term owner who will bridge the gap between our robust on-premise networking foundation and our future cloud state. Your primary responsibilities include the expert operational management of our newly established SQL Server High-Availability (HA) Cluster
, the maintenance of our Cisco and Palo Alto networking core
, and the ongoing build-out of our AWS Landing Zone
.

• Core Network Management: Maintain and optimize the existing physical network stack, including Cisco, Palo Alto, and Brocade networking equipment
• Perimeter Security: Manage Palo Alto firewalls, ensuring all inter-VLAN and inter-company traffic is scanned and secured.
• Connectivity Resilience: Oversee internet circuits and connectivity for the organization.
• Hybrid Integration: Implement and govern AWS Transit Gateway and Direct Connect (or IPsec VPN tunnels) to ensure seamless, secure communication across our hybrid environment.

• Operational Ownership: Serve as the primary owner for the newly created SQL Server HA environment, managing Windows Failover Clustering and Always On/Basic Availability Groups
  .
• Performance Optimization:
• Maintain a working understanding of performance characteristics within a high-utilization SQL Server environment, including memory configuration, temp
  
  DB structure, and index health, to support troubleshooting and prevent resource saturation.
• Licensing & RPO: Manage SQL Server licenses with Software Assurance (SA) and conduct regular failover drills to guarantee zero data loss (Zero RPO) for our payments business.
• Infrastructure as Code (IaC): Maintain and expand our "Zero-Touch" production environment using Terraform to manage all AWS and Databricks resources.
• Landing Zone Governance: Govern the AWS Organization through Control Tower and Service Control Policies (SCPs) to ensure multi-account security.
• Fin Ops: Monitor real-time cloud spend; enforce mandatory tagging for departmental showback and manage auto-shutdown scripts for non-prod environments.

• PCI-DSS 4.0 Compliance: Lead the technical maintenance of strict network segmentation and isolation for PCI-scoped systems.
• Identity-Based Perimeter: Maintain AWS IAM Identity Center and Databricks Unity Catalog to enforce granular, identity-based access.
• Threat Management: Drive remediation of security findings (e.g., XSS, NTLMv2) and monitor real-time events via Splunk and AWS Security Hub
  .

• Air-Gapped Data Protection: Maintain and manage enterprise backup operations using Veeam, ensuring secure, immutable backups within an air-gapped architecture to protect against ransomware and catastrophic data loss.
• Recovery Assurance: Validate backup integrity through routine restore testing and verification procedures to support business continuity, disaster recovery objectives, and regulatory compliance requirements.
• Operational Governance: Monitor backup job health, retention policies, and storage lifecycle management to ensure consistent protection across on-premise and hybrid workloads.

• 7+ years of enterprise experience in infrastructure, networking, and security.
• Networking Mastery: Advanced hands‑on experience with Cisco switching/routing and Palo Alto firewall administration.
• AWS & IaC: Hands‑on experience with AWS core services and Terraform for multi‑account environments.
• Practical PCI
  
  Experience:
  
  Proven track record of supporting and passing audits in PCI‑compliant environments.
• Hybrid Systems Knowledge: Strong background in VMware vSphere and Windows Server (AD/GPO).

The following certifications are highly desired for this permanent role:

• Networking & Security:
• CCNP (Routing and Switching) or PCNSE (Palo Alto Networks Certified Network Security Engineer)
• PCI Professional (PCIP) or Internal Security Assessor (ISA)
• CISSP or CISM
• AWS Certified Solutions Architect – Associate (SAA-C03)
• Hashi Corp Certified:
  Terraform Associate
• AWS Certified Security – Specialty

• A Full-Time Stakeholder: Someone who wants to take long‑term pride in Kurv’s stability.
• The "Bridge" Engineer: Someone comfortable configuring a physical Cisco switch one hour and writing Terraform for an AWS Transit Gateway the next.
• Knowledge Capture: A willingness to collaborate with subject matter experts to translate deep institutional and technical knowledge into automated, scalable cloud patterns.