Security

Security Overview

Security documentation and threat models for tasmanian.cloud services

This section provides comprehensive security documentation for tasmanian.cloud, including threat models, security controls, and compliance information.


Security Principles

Our security approach is built on these core principles:

  1. Defense in Depth — Multiple layers of security controls
  2. Zero Trust — Never trust, always verify
  3. Least Privilege — Minimum necessary access
  4. Sovereignty by Design — Data stays in Tasmania
  5. Transparency — Open documentation of our security model

Service Threat Models

Each service has a detailed threat model following the OpenBao security model format:


Security Goals by Service

Service     | Confidentiality         | Integrity                 | Availability      | Sovereignty
O2S         | Customer data encrypted | Tamper-evident audit logs | 99.9% uptime      | 100% Tasmanian
VPS         | VM isolation            | Snapshot integrity        | 99.95% uptime     | 100% Tasmanian
Templates   | Container isolation     | Image verification        | 99.9% uptime      | 100% Tasmanian
Kubernetes  | Pod isolation           | GitOps verification       | 99.9% uptime      | 100% Tasmanian
RustFS      | PQ encryption           | Checksum verification     | 99.99% durability | 100% Tasmanian
Netbird     | WireGuard encryption    | Peer authentication       | Mesh redundancy   | 100% Tasmanian
Paymenter   | Tokenized payments      | Invoice integrity         | 99.9% uptime      | 100% Tasmanian

Common Security Controls

Encryption

Layer           | Algorithm               | Implementation
Data in transit | TLS 1.3                 | All external and internal APIs
Data at rest    | AES-256-GCM             | Database and storage encryption
Post-quantum    | Kyber-768 + Dilithium-3 | RustFS object encryption
VPN             | ChaCha20-Poly1305       | WireGuard mesh

Authentication

  • Multi-factor authentication — Required for all administrative access
  • API keys — HMAC-SHA256 signed requests with rotation
  • JWT tokens — Short-lived access tokens (15 min) with refresh
  • Hardware keys — WebAuthn/FIDO2 supported
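The API key control above (HMAC-SHA256 signed requests with key rotation) is easiest to reason about when both sides of the check are visible. The following is an added example written for this page, not tasmanian.cloud's own API code: it signs a request over a canonical string (method, path, timestamp, body hash), verifies it server-side with a constant-time comparison, keeps a retiring key valid during rotation, and rejects requests outside a replay window. The key ids, secrets, header names and the 300-second skew limit are constructed assumptions, not values from the service.

```python
import hashlib
import hmac
import time

# Constructed sample key store: key id -> (secret, status). Rotation is
# modelled by keeping the previous key valid while clients migrate. These
# ids and secrets are made up for the example.
API_KEYS = {
    "key-2024-02": (b"previous-secret-example", "retiring"),
    "key-2024-03": (b"current-secret-example", "active"),
}

# Requests whose timestamp is further than this from server time are
# rejected, which bounds the replay window (assumed value).
MAX_CLOCK_SKEW = 300


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Build the byte string both sides sign: method, path, timestamp and a
    SHA-256 of the body, newline separated so fields cannot run together."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign_request(key_id: str, secret: bytes, method: str, path: str,
                 body: bytes, timestamp: int) -> dict:
    """Client side: return the headers carrying the key id, the timestamp and
    the HMAC-SHA256 signature over the canonical string."""
    mac = hmac.new(secret, canonical_string(method, path, timestamp, body),
                   hashlib.sha256).hexdigest()
    return {
        "X-Key-Id": key_id,
        "X-Timestamp": str(timestamp),
        "X-Signature": mac,
    }


def verify_request(headers: dict, method: str, path: str, body: bytes,
                   now: int, keys=API_KEYS) -> tuple:
    """Server side: returns (accepted, reason). Rejects unknown or revoked
    keys, stale timestamps and bad signatures; compares in constant time."""
    key_id = headers.get("X-Key-Id", "")
    entry = keys.get(key_id)
    if entry is None:
        return False, "unknown key id"
    secret, status = entry
    if status not in ("active", "retiring"):
        return False, "key revoked"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_CLOCK_SKEW:
        return False, "timestamp outside replay window"
    expected = hmac.new(secret, canonical_string(method, path, ts, body),
                        hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the mismatch position through timing.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    now = int(time.time())
    hdrs = sign_request("key-2024-03", b"current-secret-example", "POST",
                        "/v1/buckets", b'{"name":"demo"}', now)
    print(verify_request(hdrs, "POST", "/v1/buckets", b'{"name":"demo"}', now))
```

Rotation works because the verifier looks the secret up by key id and still accepts the retiring key; once all clients present the new id, the old entry is marked revoked and every request signed with it fails the status check rather than the MAC check. Hashing the body into the canonical string means a request whose body is altered in transit fails verification even though the headers are unchanged.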

Network Security

  • Default deny — All traffic denied unless explicitly allowed
  • Micro-segmentation — VLANs and network policies isolate workloads
  • VPN-only access — No public IPs for customer resources
  • DDoS protection — Cloudflare Magic Transit

Monitoring and Response

  • Wazuh SIEM — Real-time log aggregation and correlation
  • Tetragon — eBPF-based runtime threat detection
  • Falco — Container runtime security
  • 24/7 alerting — PagerDuty integration for critical alerts

Compliance

Certifications (In Progress)

Standard       | Status      | Scope
ISO 27001      | In progress | All services
SOC 2 Type II  | Planned     | All services
Essential 8    | Aligned     | Australian government baseline
PCI DSS        | SAQ A       | Payment processing

Data Sovereignty

  • 100% Tasmanian — All data stored in Launceston, Tasmania
  • No offshore transfers — Data never leaves Australia
  • Australian jurisdiction — Subject to Australian law
  • Privacy Act compliance — Australian Privacy Principles

Vulnerability Disclosure

We welcome responsible security research.

Scope

  • *.tasmanian.cloud
  • API endpoints
  • O2S portal
  • Customer-facing infrastructure

Out of Scope

  • Social engineering attacks
  • Physical attacks on facilities
  • Third-party services (Stripe, Cloudflare, etc.)
  • Customer applications or data

Security Updates

Subscribe to security advisories: