01 / Compute
Containerized workloads
Each site in its own container with scoped credentials. A compromise in one tenant can’t reach another.
Services →
Infrastructure security
Containerized hosting we operate. RPKI + IPv6. 24/7 monitoring on holidays.
Consumer hosting fails the audit. YesGov runs every government site on hardware we control — isolated containers, segmented networks, monitored endpoints. RPKI keeps your IP space from being silently re-announced; IPv6 keeps you reachable for the residents whose ISPs already cut over.
What we operate
Six layers of defense, all of them ours.
No third-party shared hosting, no “cloud reseller,” no opaque control plane. We run the boxes; we know the patch level.
02 / Routing
RPKI origin validation
Cryptographic proof of which AS is allowed to announce your prefix. Hostile re-announcement is rejected by validating networks.
RPKI guide →03 / Networks
IPv6 dual-stack
AAAA records, dual-stack reachability. Residents on IPv6-first ISPs reach the site without v4 fallback.
IPv6 guide →04 / Backups
3-2-1 backup strategy
Three copies, two media, one off-site. Daily snapshots, weekly point-in-time, monthly cold-storage. Restore drills documented.
Backups & DR →05 / Monitoring
24/7/365 NOC
Humans on call every day. Automated containment, escalation runbooks, every incident logged for the audit trail.
Services →06 / Reputation
IP reputation hygiene
Sender IPs monitored against blocklists. Mail flow watched for delivery anomalies before they impact residents.
IP reputation →
Why it matters
What goes wrong on consumer hosting.
BGP redirection
Another network announces your IP space. Traffic meant for your .gov gets silently diverted through a hostile transit provider.
Blocked by: RPKI origin validation
Tenant cross-contamination
Shared-hosting neighbor gets compromised. Without container isolation the attacker can pivot to your filesystem and database.
Blocked by: per-tenant containers + scoped creds
Untested restore
Ransomware encrypts everything — you find out at the worst moment that backups can’t actually restore.
Blocked by: tested 3-2-1 backups + DR drills
IPv6-only resident locked out
Resident on T-Mobile or another v6-only network can’t reach your v4-only site. Quiet failure, no error visible to you.
Blocked by: IPv6 dual-stack with AAAA records
Learn more
Free guides for every infrastructure control.
RPKI origin validation
How ROAs sign your prefixes and why validating networks reject hostile announcements.
IPv6 readiness
AAAA records, dual-stack reachability, and the residents who can’t reach you without it.
IP reputation
What blocklists watch, why your mail starts bouncing, and how to recover.
3-2-1 backups
Three copies, two media types, one off-site — and how to actually test the restore.
Next step
Move off shared hosting onto infrastructure built for government.
Same annual fee covers the migration, the hardware, the monitoring, and the documented restore procedure your insurer needs.