Senior engineer responsible for the Google Cloud foundation (organisation, IAM, networking, KMS, billing) and the multi-tenant Chronicle architecture (tenant logical model, RBAC, isolation enforcement). This is the most senior of the three contractor profiles and the one with the highest reputational risk if it goes wrong.Required Experience• Minimum 5 years' hands-on Google Cloud Platform engineering, including organisation design, folder hierarchy, IAM baseline, VPC Service Controls, and Cloud KMS.• Minimum 2 years' hands-on Google SecOps (Chronicle) deployment experience, with at least one production multi-tenant or MSSP-style deployment.• Demonstrable experience with Chronicle tenant administration, RBAC modelling, and Workforce Identity Federation.• Experience designing security platforms for regulated environments (telecom, banking, government, or critical infrastructure).• Experience producing reference architecture documents and working under formal acceptance gates.• Strong proficiency in Terraform for automating GCP Org structure and project provisioning.• Specific expertise in VPC Service Control perimeter design for multi-project/multi-tenant environments.Required Certifications (at least one)• Google Cloud Professional Cloud Security Engineer.• Google Cloud Professional Cloud Architect.• Chronicle Security Operations Specialist (or equivalent Google SecOps credential).Strongly Preferred• Prior Chronicle MSSP or multi-tenant deployment delivered to acceptance.• Familiarity with UAE IAS / NESA, ISO 27001, or NIST SP 800-207 (Zero Trust).• Working knowledge of Bindplane (sufficient to validate P2's ingestion design).• Comfort writing technical documentation in English to consulting standards.Engagement Terms• Engagement type: Independent contractor, deliverable-based contract.• Duration: 8 weeks core engagement (Phases 1–5), with optional extension into Phase 6 by mutual agreement.• Working pattern: Remote, with 2–3 hours overlap with GMT+4 (UAE) business hours required daily. On-site travel to UAE for the Phase 1 kick-off and the Phase 5 sign-off may be required (negotiable).• Compensation: Fixed fee per accepted deliverable, milestone-paid. Final compensation to be agreed; this is not an hourly engagement.• Confidentiality: NDA required before scope details are shared.• IP ownership: All deliverables produced under this engagement are the property of OnTime Solutions, assigned in full to the Client at acceptance.