blog.johlem.net

Self-Hosting a Security Stack in Regulated Finance: What’s Actually Defensible

Self-hosting has a reputation problem in enterprise security: it reads as a hobbyist indulgence, the thing you do at home with a Proxmox box and too many VLANs. But the moment you frame a self-hosted stack as a threat model you can fully articulate and defend to an auditor, it stops being a hobby and becomes a legitimate architectural position — sometimes the more defensible one, particularly under EU regulation where data residency and control are not preferences but requirements.

This post is about that reframe: when self-hosting is genuinely defensible in a regulated-finance context, where the isolation boundaries earn their keep, and where the EU-sovereignty angle stops being ideology and becomes a control you can point to.

The reframe: a homelab is a threat model

A well-segmented homelab — hypervisor, software firewall, isolated network segments, analysis tooling kept apart from production — is not interesting because it self-hosts. It is interesting because every boundary in it corresponds to a threat you can name. That is exactly what an auditor wants: not “we use a managed service and trust the vendor,” but “here is the boundary, here is the threat it mitigates, here is how we know it holds.”

The architecture worth defending:

The discipline that makes this defensible: you can draw the diagram, and for every line on it, you can say what gets through, what does not, and why.

Where the isolation boundaries earn their keep

Segmentation is the load-bearing control, and in a security stack specifically it is doing real work, not theatre:

The analysis zone is hostile-by-design. If you run malware analysis or detonate suspicious samples, that zone is expected to be compromised during normal operation. Its isolation from everything else is not defence-in-depth politeness — it is the operating assumption. An auditor understands “this zone is assumed hostile and here is why it cannot reach anything else” far better than they understand a flat network with good intentions.

Detection and management separation. Your detection tooling and your management plane have different trust levels and different blast radii. Collapsing them is convenient and wrong. Keeping them apart means a compromise of one does not hand over the other.

Quarantine as a first-class zone. A place to put things that are suspicious-but-not-yet-classified, isolated by default, is the kind of boundary that turns an incident into a contained event rather than a spreading one.

The general principle: in a security stack, several of your zones exist specifically to contain things you expect to go wrong. That is a stronger story than segmentation built for performance or tidiness, because the threat each boundary addresses is explicit.
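One way to make the "for every line on the diagram, say what gets through and why" discipline checkable, as an added example that is not code from the post or from johlem.net: a default-deny zone policy where each permitted flow carries the threat the boundary is justified against, plus invariant checks that the hostile and isolated zones can never initiate traffic. The zone names, ports and rules are constructed for illustration, not a real topology.

```python
from dataclasses import dataclass

# Constructed zone set for illustration; the post names these roles, not its real topology.
ZONES = {"prod", "mgmt", "detect", "analysis", "quarantine"}
# Zones assumed hostile (analysis) or isolated by default (quarantine): they never initiate.
NO_INITIATE = {"analysis", "quarantine"}
# Zones that only the management plane may reach at all.
MGMT_ONLY_DST = {"analysis", "quarantine"}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int    # TCP destination port the flow is permitted on
    threat: str  # the threat this line on the diagram is justified against


# Explicit allow list; any flow absent from it is denied (default deny).
ALLOW = (
    Rule("mgmt", "prod", 22, "admin access from anywhere but the management plane"),
    Rule("prod", "detect", 6514, "telemetry is one-way; a compromised sensor cannot reach prod"),
    Rule("mgmt", "detect", 443, "detection console exposed beyond the management plane"),
    Rule("mgmt", "analysis", 22, "samples are pushed in by analysts; analysis never calls out"),
    Rule("mgmt", "quarantine", 22, "triage access only; quarantined hosts stay isolated"),
)


def evaluate(src: str, dst: str, port: int) -> tuple[bool, str]:
    """Decide one flow and return the justification an auditor would ask for."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError(f"unknown zone in {src}->{dst}")
    if src == dst:
        return True, "intra-zone traffic"
    if src in NO_INITIATE:
        return False, f"{src} is assumed hostile/isolated and may not initiate flows"
    for rule in ALLOW:
        if (rule.src, rule.dst, rule.port) == (src, dst, port):
            return True, f"permitted; boundary justified against: {rule.threat}"
    return False, "default deny: no rule names a threat justification for this flow"


def check_invariants() -> list[str]:
    """Catch allow-list edits that would silently erode the containment story."""
    violations = []
    for rule in ALLOW:
        if rule.src in NO_INITIATE:
            violations.append(f"{rule.src} must never initiate: {rule}")
        if rule.dst in MGMT_ONLY_DST and rule.src != "mgmt":
            violations.append(f"{rule.dst} reachable from non-mgmt zone: {rule}")
        if not rule.threat.strip():
            violations.append(f"rule without a named threat: {rule}")
    return violations
```

Run `check_invariants()` in CI next to the firewall configuration so that a rule added without a named threat, or one letting the analysis zone call out, fails the build before it reaches the hypervisor.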

The EU-sovereignty angle stops being ideology

For a Luxembourg or broader-EU financial entity, data residency and sovereignty are not philosophical positions — they are regulatory pressure that DORA’s third-party and concentration-risk focus only sharpens. This is where self-hosting (or EU-jurisdiction hosting on providers like Hetzner, OVH, Scaleway, Vultr’s EU regions) becomes a control you can cite rather than a preference you have to justify.

The defensible framing:

This is not an argument that self-hosting is always right. It is an argument that, under EU financial regulation, the sovereignty properties of self-hosted or EU-jurisdiction infrastructure are defensible controls, not ideological preferences — and they answer questions that hyperscaler architectures have to work harder to answer.

The honest counter-case

Defensibility cuts both ways, and a consulting-grade post owes the other side:

The takeaway

Self-hosting a security stack in regulated finance is defensible exactly when you can do for it what you would do for any control: name the threat each boundary addresses, demonstrate the boundary holds, and articulate the jurisdiction and resilience properties in terms a regulator recognises. Done that way, a segmented stack on EU-jurisdiction infrastructure is not a hobbyist’s indulgence — it is a clear, ownable answer to data-residency, concentration-risk, and control-boundary questions that managed hyperscaler architectures have to answer more obliquely.

The homelab aesthetic is incidental. The threat model is the point. Build the second and the first is just where it happens to run.


An independent piece by johlem.net — IT security consulting, Luxembourg. Self-hosted and EU-sovereign infrastructure for regulated financial entities.