Jonatas Winston
Cloud Security Specialist
I define and implement cloud security standards and remediation plans across AWS, Azure, and GCP. I focus on CNAPP (CSPM, CWPP), security automation, and maturity aligned with CSA CSMM.
7+ years in security · AWS · Azure · GCP · CNAPP · DevSecOps · Security as Code · Compliance

About
I've built my career in cloud security from Porto Seguro (CASB, CSPM, Cloud WAF, Azure AD, DevSecOps workshops) to XP Inc. (Security as Code, Terraform, hardening for Azure and AWS) and now Grupo Boticário, where I lead cloud security standards, CNAPP, and remediation. I focus on automation, CSA CSMM maturity, and secure cloud adoption.
- Define and implement cloud security standards and remediation plans for vulnerabilities.
- Implement and optimize CNAPP (CSPM and CWPP) and cloud security governance.
- Automate security and governance in the cloud; Security as Code with Terraform and scripting.
- Drive cloud security maturity aligned with CSA CSMM and support high-severity incident response.
- Lead CloudSec initiatives and coordinate with squads; act as focal point for cloud security issues across AWS, Azure, and GCP.
Technical Skills
CASB, CSPM, WAF, IAM, Zero Trust, CNAPP (CSPM, CWPP)
Terraform, Python, Shell Script, Secure CI/CD, Palo Alto, Akamai, Jira
LGPD, ISO 27001, OWASP
Third-Party Security Compliance, Governance, Risk & Compliance (GRC), DLP & Email Security, Leadership & squad coordination, Workshops & webinars on cloud security
Experience
Cloud Security Specialist
Grupo Boticário
Apr 2023 – Present
- Define and implement security standards and principles for cloud environments.
- Develop and execute remediation plans for vulnerabilities in cloud environments.
- Coordinate with other departments to continuously improve security processes.
- Document and recommend enhancements for the cloud security program.
- Assess and enhance cloud security maturity, aligned with CSA CSMM practices.
- Automate cloud security and governance processes.
- Analyze and recommend cloud technologies to support business objectives.
- Manage critical cloud security projects and act as the focal point for issue resolution in AWS, Azure, and GCP.
- Implement and optimize CNAPP tools, focusing on CSPM and CWPP.
- Plan and execute security tests, prioritizing the mitigation of critical findings.
- Lead CloudSec initiatives and support strategic security decisions.
- Support incident response for high-severity issues and propose new security indicators.
- Monitor trends and implement innovative solutions for cloud security.
Cloud Security Engineer
XP Inc.
Nov 2021 – Apr 2023
- Definition of cloud service security best practices.
- Definition and implementation of security policies (hardening) for Azure and AWS cloud services.
- Deployment of network security mechanisms in cloud environments.
- Automation of cloud security infrastructure and Security as Code (SaC).
- Automation of firewalls in cloud environments using Terraform and Palo Alto.
- Automation of security resource provisioning on the Akamai platform.
Cloud Security Architect & Tech Lead
Porto Seguro
Aug 2020 – Nov 2021
- Deployment of cloud security solutions: CASB, CSPM, Cloud WAF.
- Implementation of cloud identity solutions: Azure Active Directory.
- Conducting workshops on CI/CD pipeline development (DevSecOps) and Git integration.
- Participation in internal webinars and security awareness sessions on best practices and secure development.
- Creation of scripts using Shell Script and Python.
- Definition of security requirements and development of baselines for AWS, Azure, and GCP cloud environments.
- Development of cloud security policies and guidelines.
- Definition and design of cloud security architectures.
- Support in security definitions related to DevSecOps.
- Experience with security frameworks and regulations: LGPD, OWASP, ISO 27001.
- Cloud security squad management.
- Demand management using Jira.
Security Analyst
Porto Seguro
Aug 2019 – Aug 2020
- Assessment of business areas within the group to identify potential information security weaknesses in their processes.
- Evaluation of information security in service provider companies to validate security controls and processes.
- Participation in business area projects, identifying risks and recommending information security requirements based on ISO 27000, LGPD, and OWASP.
- Monitoring corporate emails using DLP tools to prevent data leaks or other actions that could harm the organization.
- Analysis of exception requests to the company's Information Security Policy.
- Conducting security awareness talks and presentations, covering topics such as DevSecOps and other relevant security issues, identifying potential proactive security measures for the company.
Information Security Intern
Porto Seguro
Feb 2018 – Jul 2019
- Conducted security assessments in business areas to identify potential information security weaknesses in their processes.
- Evaluated third-party information security compliance to validate security controls and processes.
- Participated in business area projects, identifying security risks and recommending information security requirements based on ISO 27000, LGPD, and OWASP.
- Monitored corporate emails using DLP tools to prevent data leaks and mitigate security risks.
- Reviewed and analyzed exception requests to the company's Information Security Policy.
- Delivered security awareness presentations and talks, covering DevSecOps and other relevant topics, identifying proactive security measures for the company.
Certifications & Education
Google Cloud