SimpleRisk Hosted Small Enterprise Architecture

We build in the Amazon cloud because Amazon has outstanding physical security practices. Each customer has the SimpleRisk application and database provisioned inside a dedicated Docker container. Command-line access to the container is restricted to the Docker host system, and SSH access to that system is allowed only from a single bastion host and only with the proper key and password. From the Internet, only the web server tier is accessible, via port 443 (and port 80 for redirects to HTTPS). We use a wildcard SSL certificate and an SSL configuration rated "A" by SSL Labs. The web server tier is simply an HTTP proxy server configured to route requests to the proper Docker container based on the hostname.
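An added example, not SimpleRisk's own code: a fail-closed version of the hostname-to-container lookup that a proxy tier like the one described above performs, so that an unknown or malformed Host header never reaches some default customer's container. The base domain, tenant names and container addresses are constructed, and the function name `resolve_upstream` is hypothetical.

```python
import re

# Constructed sample data: the domain, tenant names and container addresses
# below are hypothetical and do not come from the page.
BASE_DOMAIN = "example-hosted.test"
TENANTS = {
    "acme": "10.0.1.11:443",
    "globex": "10.0.1.12:443",
}

# One DNS label: letters, digits, hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def resolve_upstream(host_header, tenants=TENANTS, base_domain=BASE_DOMAIN):
    """Return the container address for a Host header, or None to refuse.

    Fails closed: anything that is not exactly <tenant>.<base_domain> for a
    provisioned tenant gets no upstream, so there is no default container.
    """
    if not host_header:
        return None
    host = host_header.strip().lower()
    # Reject characters that never belong in a hostname[:port] value.
    if re.search(r"[^a-z0-9.:-]", host):
        return None
    # Drop an optional numeric port, then a single trailing dot (FQDN form).
    name, sep, port = host.partition(":")
    if sep and not port.isdigit():
        return None
    if name.endswith("."):
        name = name[:-1]
    suffix = "." + base_domain
    if not name.endswith(suffix):
        return None
    tenant = name[: -len(suffix)]
    # Exactly one label in front of the base domain, matching the wildcard cert.
    if not _LABEL.match(tenant):
        return None
    return tenants.get(tenant)
```

A caller would answer a `None` result with an error response instead of proxying the request anywhere.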