Multi-Cloud, Sovereign, And Air-Gapped Deployment
MeshGuard is one product across deployment modes. Feature differences should come from policy and operational constraints, not separate SKUs.
| Mode | Substrate | Notes |
|---|---|---|
| Managed SaaS US | AWS US regions | Default deployment. |
| Managed SaaS EU | AWS EU or Azure West Europe | EU data residency. |
| Managed SaaS UK | AWS eu-west-2 | UK data residency. |
| Dedicated tenant | Single-tenant MeshGuard cloud | Isolation for mid-enterprise. |
| Customer cloud operated by MeshGuard | Customer AWS, Azure, GCP, OCI | Enterprise procurement and residency. |
| Customer-operated cloud | Customer account | Regulated and sovereign operations. |
| On-prem Kubernetes | Customer cluster | Sovereign environments and customers that prefer to run disconnected. |
| Air-gapped | Offline bundle | Defense and disconnected environments. |
Required Artifacts
- Single Helm chart with values profiles for managed, dedicated, customer-operated, on-prem, and air-gapped deployments.
- Terraform modules for AWS, Azure, GCP, OCI, identity, networking, archive, SIEM, KMS, and MeshGuard provider bootstrap.
- Signed OCI image bundle, SBOM, provenance statement, and vulnerability scan report.
- Offline license activation and renewal path.
- Offline audit anchor verification and witness proof cache.
- Customer-managed key integration and documented rotation procedure.
- Region-pinning policy checks and egress destination allowlist.
- Evidence export profile for HIPAA, FedRAMP Moderate, FINRA, SOC 2, ISO 27001, and PCI DSS.
Deployment Control Plan
| Control area | Managed SaaS | Dedicated/customer cloud | On-prem/air-gapped |
|---|---|---|---|
| Identity | MeshGuard-hosted SSO integrations. | Customer IdP, SCIM, and optional private connectivity. | Customer IdP or offline identity bridge with periodic sync. |
| Network | Public gateway with tenant isolation. | Private ingress, egress proxy, region pinning, customer firewall policy. | No default internet egress; signed offline allowlist updates. |
| Keys | MeshGuard-managed keys with tenant separation. | Customer-managed key option. | Customer-owned offline KMS/HSM path. |
| Audit | Managed audit store and SIEM egress. | Customer archive, SIEM, witness proof, and retention policy. | Local archive with removable evidence media and offline verification. |
| Updates | Continuous managed release. | Maintenance windows with preflight validation. | Signed bundle import, staged rollout, rollback media. |
| Evidence | SaaS evidence export. | Deployment-specific bundle with inherited control notes. | Offline evidence bundle, verification transcript, and transfer chain of custody. |
Regulated Deployment Profiles
| Profile | Required controls |
|---|---|
| HIPAA | BAA path or customer-controlled boundary, ePHI redaction profile, metadata-only payload logging, SIEM/archive export, quarterly evidence verification. |
| FedRAMP Moderate | Approved federal substrate, FIPS cryptographic path where required, SSP boundary notes, monthly continuous-monitoring evidence, POA&M linkage. |
| FINRA | Supervisory approval, WORM-compatible archive export, surveillance egress, communications traceability, monthly retrieval test. |
| Sovereign EU | Region pinning, data residency proof, customer key control, local operator access review, cross-border transfer denial policy. |
| Air-gapped defense | Offline image bundle, offline license, no public egress, local witness proof cache, removable-media evidence workflow. |
Air-Gapped Install Runbook
- Prepare offline media containing signed OCI images, Helm chart, Terraform modules, SBOM, checksums, license file, policy bundle, and verification tooling.
- Verify bundle signatures and checksums on the disconnected administration workstation before any artifact is loaded into the cluster; reject the media on any mismatch.
- Install or upgrade the MeshGuard namespace, control plane, gateway, guardian sidecar, egress proxy, audit store, and local archive.
- Apply environment values for IdP, KMS/HSM, archive, SIEM mirror, and region/destination policy.
- Apply MeshGuard provider bootstrap for agents, policies, and alert channels.
- Run smoke tests for policy allow, policy deny, sidecar heartbeat, egress denial, audit write, evidence export, and offline signature verification.
- Store installation transcript, SBOM, checksums, applied values, Terraform plan/apply output, and evidence verification transcript.
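The verification step of this runbook, as an added example rather than MeshGuard's own tooling: a POSIX shell preflight run on the disconnected workstation that first checks the manifest signature with cosign and then checks that every required artifact is present and matches SHA256SUMS. The artifact file names, the `sha256sum -c` manifest format, the detached `SHA256SUMS.sig`, and the vendor key pinned at `/etc/meshguard/meshguard-release.pub` (delivered out of band, not read from the media) are assumptions; the sample bundle at the bottom is constructed so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not MeshGuard's own verification tooling: preflight an offline
# bundle on the disconnected admin workstation before the install step.
# Assumptions (not from the runbook): a SHA256SUMS manifest in `sha256sum -c`
# format, a detached cosign signature SHA256SUMS.sig over that manifest, a
# vendor public key pinned on the workstation, and the artifact names below.
set -u

REQUIRED_ARTIFACTS="images.tar helm-chart.tgz terraform-modules.tgz sbom.spdx.json license.jwt policy-bundle.tgz"

# The vendor key is pinned on the workstation and delivered out of band; a key
# that travels on the same media as the bundle proves nothing. Path is assumed.
VENDOR_KEY=${MESHGUARD_RELEASE_KEY:-/etc/meshguard/meshguard-release.pub}

# verify_manifest_signature DIR: the manifest is the root of trust for every
# other checksum, so it must verify against the vendor key before it is used.
# Returns 0 on a good signature, 2 if cosign is not installed.
verify_manifest_signature() {
  bundle=$1
  command -v cosign >/dev/null 2>&1 || { echo "cosign not found on workstation" >&2; return 2; }
  # --insecure-ignore-tlog skips the Rekor lookup, which cannot succeed with no
  # egress; trust then rests entirely on the pinned vendor key.
  cosign verify-blob --key "$VENDOR_KEY" \
    --signature "$bundle/SHA256SUMS.sig" --insecure-ignore-tlog "$bundle/SHA256SUMS"
}

# verify_bundle DIR: every required artifact must be present, listed in the
# manifest, and match its recorded digest. Returns 1 on any failure.
verify_bundle() {
  dir=$1
  [ -f "$dir/SHA256SUMS" ] || { echo "missing SHA256SUMS" >&2; return 1; }
  for f in $REQUIRED_ARTIFACTS; do
    [ -f "$dir/$f" ] || { echo "missing artifact: $f" >&2; return 1; }
    grep -q " $f\$" "$dir/SHA256SUMS" || { echo "not in manifest: $f" >&2; return 1; }
  done
  # --strict makes a malformed manifest line a failure instead of a warning.
  (cd "$dir" && sha256sum --check --strict --quiet SHA256SUMS) \
    || { echo "checksum mismatch in $dir" >&2; return 1; }
  return 0
}

# make_sample_bundle: constructed stand-in for the offline media so the checks
# above can be exercised without real images. Prints the directory path.
make_sample_bundle() {
  sample=$(mktemp -d)
  for f in $REQUIRED_ARTIFACTS; do
    printf 'constructed placeholder content for %s\n' "$f" > "$sample/$f"
  done
  (cd "$sample" && sha256sum $REQUIRED_ARTIFACTS > SHA256SUMS)
  echo "$sample"
}

# Usage: sh verify-bundle.sh /media/meshguard-bundle
if [ $# -ge 1 ]; then
  verify_manifest_signature "$1"
  sig=$?
  [ "$sig" -eq 0 ] || { echo "refusing to trust SHA256SUMS without a signature check" >&2; exit "$sig"; }
  verify_bundle "$1" || exit 1
  echo "bundle OK: $1"
fi
```

The order matters: the manifest signature is checked before any checksum is trusted, and a missing cosign binary aborts rather than silently downgrading to checksums alone. The installation transcript required by the last runbook step should capture this script's output together with the manifest and signature it verified.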
Terraform And Policy Bootstrap
For regulated deployments, Terraform should create MeshGuard resources only once the platform substrate (cluster, identity, KMS, archive, SIEM) is available:
```hcl
# Inputs for the alert channel. The webhook secret is marked sensitive so
# Terraform redacts it from plan output and state listings.
variable "security_webhook_url" {
  type = string
}

variable "security_webhook_secret" {
  type      = string
  sensitive = true
}

# Agent registration carries the evidence profile and data-classification
# tags that audit and evidence-export jobs key on.
resource "meshguard_agent" "regulated_agent" {
  name       = "clinical-assistant-prod"
  trust_tier = "trusted"
  tags       = ["production", "hipaa", "ephi"]
  metadata = {
    owner            = "clinical-platform"
    evidence_profile = "hipaa-quarterly"
    environment      = "production"
  }
}

# Policy content is versioned alongside this module; path.module keeps the
# file() lookup independent of the working directory terraform is run from,
# and any YAML change surfaces as a content diff in the plan.
resource "meshguard_policy" "regulated_policy" {
  name    = "hipaa-agent-governance"
  content = file("${path.module}/policies/hipaa-agent-governance.yaml")
}

# Critical deny, error, and rate-limit events go to the security team's webhook.
resource "meshguard_alert_channel" "regulated_alerts" {
  type           = "webhook"
  endpoint       = var.security_webhook_url
  webhook_secret = var.security_webhook_secret
  severity       = "critical"
  triggers       = ["deny", "error", "rate_limit"]
}
```
Evidence Acceptance Tests
Before production cutover, prove that:
- A policy denial appears in the audit trail, SIEM, evidence bundle, and offline verification transcript.
- A policy change records old/new digest, approver, change ticket, deployment timestamp, and rollback reference.
- A sidecar bypass attempt generates a critical alert and deny event.
- An evidence bundle verifies offline without network access.
- Archive retrieval returns the same root hash and bundle manifest that MeshGuard exported.
Acceptance Target
An air-gapped install must complete from offline media in 60 minutes or less, including data initialization.
