About The Role

OpenLoop is seeking a Cloud Security Engineer, remote or Des Moines, IA, to design, implement, and maintain security controls across our cloud environments (AWS, GCP, SaaS). This role partners closely with engineering and business teams to embed secure-by-design and privacy-by-design principles throughout the development lifecycle. You will help protect our platform, data, and clients while enabling scalable, resilient systems and ensuring compliance with healthcare regulations such as HIPAA and HITRUST.

What You’ll Do

• Embed security into cloud architecture, application design, and CI/CD pipelines (shift-left).
  
  
• Define and maintain cloud security standards, policies, and best practices.
  
  
• Secure applications and infrastructure across public, private, and hybrid cloud environments.
  
  
• Implement strong identity and access management (IAM) and configuration management controls.
  
  
• Monitor emerging threats, assess risk, and drive remediation efforts.
  
  
• Serve as a security advisor to engineering teams and stakeholders.
  
  
• Support incident response, vulnerability management, and security assessments.
  
  
• Automate security testing and remediation where possible.
  
  
• Maintain documentation and evidence for audits and regulatory compliance (HIPAA, HITRUST, PCI, NIST).
  
  
• Partner with vendors and internal teams to reduce third-party and platform risk.
  
  

Who You Are

• Bachelor’s degree in Computer Science or related field (or equivalent experience).
  
  
• 3–5 years of cloud security engineering experience; 7+ years in security or systems administration.
  
  
• Hands-on experience with AWS and/or GCP cloud environments.
  
  
• Strong knowledge of cloud architectures, networking, and security protocols (OAuth2, OIDC, JWT, mTLS).
  
  
• Experience with DevSecOps, CI/CD pipelines, and automation tools.
  
  
• Familiarity with OWASP, CVSS, MITRE ATT&CK, and SDLC security practices.
  
  
• Working knowledge of healthcare and financial security frameworks (HIPAA, HITRUST, PCI, NIST, ISO).
  
  
• Strong communicator able to translate technical risk for technical and non-technical audiences.
  
  
• Self-motivated, organized, and effective in fast-paced environments.
  
  
• Healthcare or digital health experience is a plus.