Security Architecture & Compliance Design Targets
Source: Marc Mercer (SRE Lead) — sre-iac repository, Rev 1.0, 2026-02-24
This environment is NOT currently certified or audited against SOC 2 or HIPAA frameworks. The controls described here represent design targets that will be formally validated through third-party audit when production PHI processing begins. No real PHI is processed in the staging environment — all patient data is synthetic, generated by Synthea.
Compliance Design Targets
Anshin Health's infrastructure is intentionally designed to align with:
- SOC 2 Type II — Security, Availability, and Confidentiality trust service criteria
- HIPAA Security Rule — Administrative, Physical, and Technical safeguards (45 CFR Part 164)
This ensures security controls, access patterns, and operational procedures established in staging can be carried forward to production environments that handle PHI without requiring architectural redesign.
Data Classification
| Classification | Description | Examples | Handling |
|---|---|---|---|
| PHI | Protected Health Information | Patient records, diagnosis, treatment | NOT present in this environment. All patient data is synthetic (Synthea). |
| Confidential | Business-sensitive | API keys, credentials, certificates, encryption keys | AES-256 encrypted at rest (Ansible Vault / Infisical). TLS 1.2+ in transit. Access restricted. |
| Internal | Non-public business data | Architecture docs, config files, source code, runbooks | Version-controlled in git. Access controlled via FreeIPA. Not exposed externally. |
| Public | Externally shareable | Marketing materials, public API docs | Standard handling. No special controls. |
Access Control Architecture
Centralized Identity — FreeIPA
| Capability | Implementation |
|---|---|
| Directory Services | LDAP (port 389 internal, 636 SSL) |
| Authentication | Kerberos (realm: ANSHINHEALTH.NET) |
| Certificate Authority | Integrated FreeIPA CA for internal certificates |
| DNS | Authoritative for anshinhealth.net internal zone |
| Redundancy | Active-active replication (dc-01, dc-02) |
Service integration: GitLab CE (LDAP via gitlab-binder), Grafana (LDAP via FreeIPA, dc-01:636 SSL), SSH (centralized key management + SSHFP DNS), all LXC containers (automated domain enrollment at provisioning time).
Role-Based Access Control (Least Privilege)
Infrastructure automation:
- enroll/automation.anshinhealth.net — Enrollment Administrator only. Can enroll hosts and manage DNS records. Cannot create users or modify security policies.
- terraform-prov@pve — Proxmox API account. Limited to container management. No storage, networking, or user administration.
Application service accounts:
- gitlab-binder — LDAP bind for GitLab and Grafana. Read-only directory access.
- Per-service Kerberos principals for host authentication.
Human access: Individual FreeIPA user accounts with role-based group membership. No shared administrative accounts.
SSH Security
| Control | Implementation |
|---|---|
| Authentication | Key-based only. Password authentication disabled. |
| Host Verification | SSHFP records in FreeIPA DNS for all hosts — prevents MITM. |
| Key Types | RSA, ECDSA, Ed25519 supported. SSHFP records maintained for all types. |
| Key Injection | SSH public keys injected at container provisioning via Terraform. |
| Access Restriction | Port 22 restricted to management networks via firewall rules. |
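The SSHFP host-verification control above depends on the published record matching the hash of the host key's raw wire-format blob. The following is an added example (not code from the sre-iac repository) that computes the records `ssh-keygen -r` would publish for a host key and performs the client-side comparison a `VerifyHostKeyDNS` check makes; the Ed25519 key material and the hostname dc-01.anshinhealth.net are constructed for illustration.

```python
import base64
import hashlib
import struct

# RFC 4255 / RFC 6594 algorithm numbers and fingerprint types.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}


def sshfp_records(hostkey_line, fptypes=("sha256",)):
    """Turn one line of ssh_host_*_key.pub (type, base64 blob[, comment]) into
    (algorithm, fptype, hex fingerprint) tuples. The fingerprint is the hash of
    the raw wire-format blob, which is what ssh-keygen -r publishes."""
    keytype, blob_b64 = hostkey_line.split()[:2]
    blob = base64.b64decode(blob_b64, validate=True)
    # The blob carries its own type string; refuse lines where it disagrees.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen].decode() != keytype:
        raise ValueError("key type does not match blob")
    alg = SSHFP_ALGORITHM[keytype]
    return [(alg, SSHFP_FPTYPE[t], hashlib.new(t, blob).hexdigest()) for t in fptypes]


def hostkey_matches_dns(hostkey_line, dns_records):
    """Client-side check: accept the presented host key only if an SSHFP record
    from DNS matches it. A substituted key (MITM) produces no match."""
    published = {(a, f, h.lower()) for a, f, h in dns_records}
    for alg, fpt, hexfp in sshfp_records(hostkey_line, ("sha1", "sha256")):
        if (alg, fpt, hexfp) in published:
            return True
    return False


def constructed_ed25519_pubkey(material=bytes(range(32))):
    """Build a syntactically valid ssh-ed25519 public key line from constructed
    32-byte material (not a real key) so the example runs offline."""
    keytype = b"ssh-ed25519"
    blob = struct.pack(">I", len(keytype)) + keytype + struct.pack(">I", 32) + material
    return f"{keytype.decode()} {base64.b64encode(blob).decode()} dc-01.anshinhealth.net"


if __name__ == "__main__":
    line = constructed_ed25519_pubkey()
    for alg, fpt, fp in sshfp_records(line, ("sha1", "sha256")):
        print(f"dc-01.anshinhealth.net IN SSHFP {alg} {fpt} {fp}")
```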
VPN Access
NetBird VPN (nb-01, 10.10.96.21) provides secure remote access. All management interfaces (Proxmox, monitoring dashboards) are VPN-only. The VPN does NOT provide access to the MGMT VLAN (100) — that requires a physical workstation.
Encryption
At Rest
| Data Type | Method | Status |
|---|---|---|
| Infrastructure credentials | Ansible Vault (AES-256) | Implemented |
| Application secrets | Infisical (AES-256-GCM) | Implemented |
| Certificate private keys | Ansible Vault (AES-256) | Implemented |
| Block storage (Ceph) | Ceph dm-crypt/LUKS | Planned (OpenStack environment) |
| Database storage | Not yet encrypted at filesystem level | Gap — planned with Ceph migration |
Ansible Vault practices: Single vault password file (.vault_pass) excluded from git. All sensitive data encrypted before commit. No persistent storage of decrypted credentials. Vault password never logged.
Infisical practices: Self-hosted at infisical.svcs.anshinhealth.net. AES-256-GCM. Kubernetes Secrets Operator CRD for automated injection.
The Infisical ENCRYPTION_KEY is a single point of failure. Loss of this key results in permanent loss of all stored secrets. Backup procedures are essential.
In Transit
| Connection Type | Protocol | Status |
|---|---|---|
| External HTTPS | TLS 1.2+ | Implemented |
| Internal service communication | TLS 1.2+ | Partial (some internal services use plaintext) |
| LDAP | LDAPS (TLS 1.2, port 636) | Implemented |
| Kerberos | AES-256 | Implemented |
| VPN tunnel | WireGuard/NetBird | Implemented |
| SSH | OpenSSH | Implemented |
Certificate Management
| Attribute | Value |
|---|---|
| Certificate Authority | ZeroSSL (public, via ACME) |
| Validation Method | DNS-01 challenge via Route53 |
| Certificate Type | ECDSA (Elliptic Curve) |
| Validity Period | 90 days |
| Automation | acme.sh with automated renewal |
| Renewal Threshold | 30 days before expiration |
Certificate domains: *.anshinhealth.net, *.apps.anshinhealth.net, *.svcs.anshinhealth.net
Certificate lifecycle:
- DNS challenge tokens created in Route53
- ZeroSSL validates domain ownership via DNS
- ECDSA certificates generated (90-day validity)
- Private keys and renewal state encrypted with Ansible Vault
- Certificates deployed to reverse proxy (keys: 600, certs: 644, owned by caddy service user)
- Automated renewal triggers at 30 days before expiration
Network Security
Split-Horizon DNS
| DNS Zone | Provider | Purpose |
|---|---|---|
| Internal (anshinhealth.net) | FreeIPA (dc-01, dc-02) | Direct service resolution. Automatic discovery. LDAP/Kerberos integration. |
| External (anshinhealth.net) | Route53 / Cloudflare | Public records pointing to reverse proxy only. Internal IPs never directly resolvable from internet. |
Firewall Zones
| Zone | Purpose | Key Policy |
|---|---|---|
| UNTRUST | Internet-facing traffic | Default deny inbound. Only established/related connections permitted. |
| DMZ | Public-facing services | WAF, rate limiting, SSL termination. Limited access to TRUST zone. |
| TRUST | Internal production services | Inter-service communication permitted. No direct internet access. |
| HOMESTEAD | Bryan's isolated network | WireGuard-only access. Completely separate from TRUST, MGMT, STORAGE. |
| MGMT | Management interfaces | NEVER routed. Physical/direct-connect workstations only. Not available over VPN. |
| STORAGE | Storage network | NEVER routed. Dedicated to Ceph traffic. No access from any other zone. |
Service Firewall Rules
| Service | Permitted Ports | Access Restriction |
|---|---|---|
| Domain controllers | 53, 88, 389/636 | Internal only |
| Reverse proxy | 80, 443 | External (80 redirects to HTTPS) |
| SSH | 22 | Management networks only |
| Kubernetes API | 6443 | Internal and VPN only |
| PostgreSQL | 5432 | Internal only, restricted to application hosts |
Credential Management
Infrastructure Credentials (Ansible Vault)
| Credential | Purpose | Scope |
|---|---|---|
| AWS access keys | Route53 DNS for cert validation | Limited-scope IAM (Route53 only, no EC2/S3) |
| Kerberos principal/password | FreeIPA enrollment automation | Enrollment Administrator role only |
| Proxmox API token | Terraform container provisioning | Container management only |
| ACME account | ZeroSSL certificate issuance | Certificate lifecycle management |
| Docker Hub credentials | Container image pulls | Read-only registry access |
Application Credentials (Infisical)
| Project | Environment | Path | Secrets |
|---|---|---|---|
| anshin-infrastructure | prod | /monitoring | grafana-admin-user, grafana-admin-password, zoho-cliq-webhook-url |
TSIG Keys (DNS Dynamic Update)
TSIG keys authenticate RFC2136 dynamic DNS updates from external-dns to FreeIPA. Key generated and stored in FreeIPA. Distributed to external-dns via Kubernetes Secret. Zone-scoped permissions (ipa-dns-grant.py manages zone delegation).
SOC 2 Control Mapping (Design Targets)
| SOC 2 Criteria | Control | Implementation | Status |
|---|---|---|---|
| CC6.1 — Logical Access | RBAC restricting access to authorized users | FreeIPA RBAC + group-based access. Keystone project isolation planned. | ✅ Implemented (FreeIPA) / Planned (Keystone) |
| CC6.2 — Authentication | Strong authentication | Kerberos, SSH key-based access, SSHFP DNS verification. MFA planned. | ✅ Implemented / Gap (MFA) |
| CC6.3 — Access Removal | Timely access removal | FreeIPA account disable/delete propagates to all integrated services. | ✅ Implemented |
| CC6.6 — System Boundaries | Controls at boundaries | Firewall zones, reverse proxy, VPN-only management access. | ✅ Implemented |
| CC6.7 — Data Transmission | Encryption in transit | TLS 1.2+ external, LDAPS, Kerberos AES-256, WireGuard VPN. | ✅ Implemented |
| CC6.8 — Unauthorized Software | Prevent unauthorized software | Standardized AlmaLinux 9 template, IaC-provisioned containers, no ad-hoc installs. | ✅ Implemented |
| CC7.1 — System Monitoring | Monitoring for anomalies | Prometheus, AlertManager, Blackbox Exporter, Grafana. | ✅ Implemented |
| CC7.2 — Anomaly Detection | Detect anomalous activity | Centralized log aggregation (Loki) planned. | ⚠️ Gap |
| CC7.3 — Security Incidents | Incident response | Certificate and auth incident procedures documented. Formal IR plan not established. | ⚠️ Partial |
| CC8.1 — Change Management | Authorization of changes | Git-based IaC, revision-tracked docs, Terraform plan/apply workflow. | ✅ Implemented |
| CC9.1 — Risk Mitigation | Risk management | Network segmentation, encryption, access controls, monitoring. Formal risk assessment not conducted. | ⚠️ Partial |
Document Control
| Rev | Date | Author | Description |
|---|---|---|---|
| 1.0 | 2026-02-24 | Marc Mercer | Initial release |