SimpleRisk Hosted Small, Medium, and Large Enterprise Architecture

We build in the Amazon cloud as they have outstanding physical security practices.  Each customer has dedicated Amazon EC2 hosts that are in a segregated network.  Each server uses UFW for local firewall rules in addition to the network segmentation provided by Amazon.  From the Internet, only the web server tier is accessible via port 443 (and 80 for HTTPS redirects).  We use a wildcard SSL certificate and an "A-rated" SSL configuration via SSLLabs.  SSH access to the servers is only allowed from a single bastion host and only with the proper key and password.  Each customer receives a dedicated Amazon RDS database instance provisioned with a unique username and long and random password.  We also offer the the Encrypted Database Extra, which has the ability to do encryption of sensitive database fields.  We do not enable this feature by default as it will cause queries to take longer, but it is available for those who have concerns about the sensitivity of their data.