basic structure

Author: florent-leborgne

deploy-manage/security.md

@@ -1,4 +1,7 @@
 ---
+applies_to:
+  deployment: all
+  serverless: all
 mapped_urls:
   - https://www.elastic.co/guide/en/elasticsearch/reference/current/security-files.html
   - https://www.elastic.co/guide/en/elasticsearch/reference/current/secure-cluster.html
@@ -52,4 +55,54 @@ $$$maintaining-audit-trail$$$
 * [/raw-migrated-files/cloud/cloud-heroku/ech-security.md](/raw-migrated-files/cloud/cloud-heroku/ech-security.md)
 * [/raw-migrated-files/kibana/kibana/using-kibana-with-security.md](/raw-migrated-files/kibana/kibana/using-kibana-with-security.md)
 * [/raw-migrated-files/elasticsearch/elasticsearch-reference/security-limitations.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/security-limitations.md)
-* [/raw-migrated-files/elasticsearch/elasticsearch-reference/es-security-principles.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/es-security-principles.md)
+* [/raw-migrated-files/elasticsearch/elasticsearch-reference/es-security-principles.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/es-security-principles.md)
+
+An Elastic implementation comprises many moving parts. There are the Elasticsearch nodes that form the cluster, Kibana instances, additional stack components such as Logstash and Beats, and clients and integrations all communicating with your cluster.
+
+To keep your data secured, Elastic offers security features that prevent bad actors from tampering with your data, and encrypt communications to, from, and within your cluster. Regardless of your deployment type, Elastic sets up certain security features for you automatically.
+
+In this section, you’ll learn about how to manage basic Elastic security features. You’ll also learn how to implement advanced security measures.
+
+As part of your overall security strategy, you can also do the following:
+
+- Prevent unauthorized access with [password protection and role-based access control].
+- Maintain an [audit trail] for security-related events.
+- Control access to dashboards and other saved objects in your UI using [Spaces].
+- Connect a local cluster to a [remote cluster] to enable cross-cluster replication and search.
+- Manage [API keys] used for programmatic access to Elastic.
+
+
+
+Keeping your Elastic installation and data safe generally means:
+
+- Securing the hosting environment where your Elastic products are deployed.
+  - self-managed
+    - TLS certificates
+    - HTTPS 
+  - ECE
+    - TLS certificates
+    - Cloud RBAC
+  - ECH and Serverless
+    - SSO
+    - Role-based access control
+- Securing the deployments and clusters within that environment.
+  - Authentication and access
+    - `elastic` power user, built-in and system user passwords
+    - Deployment-level authentication protocols (SAML, OpenID Connect, Kerberos, JWT)
+    - Trust for cross-cluster communication
+    - Traffic and IP filtering
+  - Using the Elasticsearch keystore for sensitive settings
+  - [ECH only] Encryption using a customer-managed encryption key
+  - Keeping deployments up to date
+  - Audit logging
+  - Index and document-level permissions
+  - Kibana security
+    - Kibana sessions management
+    - Spaces
+    - Saved object security
+- Securing your own account and access to the environment and deployments.
+  - [ECH only] Multifactor authentication
+  - User API keys
+- Securing clients and integrations connected to your environment's clusters.
+
+

deploy-manage/security/data-security.md

@@ -0,0 +1 @@
+# Data security

deploy-manage/security/fips-140-2.md

@@ -4,7 +4,7 @@ mapped_urls:
   - https://www.elastic.co/guide/en/kibana/current/xpack-security-fips-140-2.html
 ---
 
-# FIPS 140-2
+# FIPS 140-2 compliance
 
 % What needs to be done: Refine
 

deploy-manage/security/manually-configure-security-in-self-managed-cluster.md

@@ -1,4 +1,8 @@
 ---
+navigation_title: Self-managed
+applies_to:
+  deployment:
+    self: ga
 mapped_pages:
   - https://www.elastic.co/guide/en/elasticsearch/reference/current/manually-configure-security.html
 ---
@@ -15,8 +19,9 @@ If you configure security manually *before* starting your {{es}} nodes, the auto
 :alt: Elastic Security layers
 :::
 
+## Common security scenarios
 
-## Minimal security ({{es}} Development) [security-minimal-overview]
+### Minimal security ({{es}} Development) [security-minimal-overview]
 
 If you’ve been working with {{es}} and want to enable security on your existing, unsecured cluster, start here. You’ll set passwords for the built-in users to prevent unauthorized access to your local cluster, and also configure password authentication for {{kib}}.
 
@@ -28,7 +33,7 @@ The minimal security scenario is not sufficient for [production mode](../deploy/
 [Set up minimal security](set-up-minimal-security.md)
 
 
-## Basic security ({{es}} + {{kib}}) [security-basic-overview]
+### Basic security ({{es}} + {{kib}}) [security-basic-overview]
 
 This scenario configures TLS for communication between nodes. This security layer requires that nodes verify security certificates, which prevents unauthorized nodes from joining your {{es}} cluster.
 
@@ -37,7 +42,7 @@ Your external HTTP traffic between {{es}} and {{kib}} won’t be encrypted, but
 [Set up basic security](secure-cluster-communications.md)
 
 
-## Basic security plus secured HTTPS traffic ({{stack}}) [security-basic-https-overview]
+### Basic security plus secured HTTPS traffic ({{stack}}) [security-basic-https-overview]
 
 This scenario builds on the one for basic security and secures all HTTP traffic with TLS. In addition to configuring TLS on the transport interface of your {{es}} cluster, you configure TLS on the HTTP interface for both {{es}} and {{kib}}.
 
@@ -50,6 +55,24 @@ You then configure {{kib}} and Beats to communicate with {{es}} using TLS so tha
 
 [Set up basic security plus HTTPS traffic](secure-http-communications.md)
 
+## Considerations
+
+### TLS certificate management
+
+TLS certificates apply security controls to network communications. They encrypt data in transit, verify the identity of connecting parties, and help prevent man-in-the-middle attacks.
+
+On **self-managed** installations, you manage certificates for both HTTP and transport layers.
+
+### Network security
+
+Control which systems can access your Elastic deployment through traffic filtering and network controls:
+
+- **IP traffic filtering**: Restrict access based on IP addresses or CIDR ranges.
+
+## Next step: secure your deployments and clusters
+
+This section covered security principles and options at the environment level. You can take further measures individually for each deployment or cluster that you're running on your installation. Refer to [](secure-your-cluster-deployment.md).
+
 
 
 

deploy-manage/security/secure-hosting-environment.md

@@ -0,0 +1,18 @@
+---
+applies_to:
+  deployment: all
+  serverless: ga
+---
+
+# Secure your hosting environment
+
+Whether you're running Elastic on {{ecloud}}, through an {{ece}} or {{eck}} orchestrator, or self-managed on your own premises, it is critical that you secure the layer responsible for deploying and hosting your Elastic products.
+
+This section covers security measures specific to:
+
+- [{{ecloud}}](secure-your-elastic-cloud-organization.md)
+- [{{ece}}](secure-your-elastic-cloud-enterprise-installation.md)
+- [{{eck}}](secure-your-eck-installation.md)
+- [Self-managed](manually-configure-security-in-self-managed-cluster.md)
+
+Learn how to manage security certificates, configure TLS versions, and implement additional security controls at the environment level.

deploy-manage/security/secure-your-eck-installation.md

@@ -0,0 +1,27 @@
+---
+navigation_title: "{{eck}}"
+applies_to:
+  deployment:
+    eck: ga
+---
+
+# Secure your {{eck}} installation [eck-securing-considerations]
+
+**This page is a work in progress.**
+
+## TLS certificate management
+
+TLS certificates apply security controls to network communications. They encrypt data in transit, verify the identity of connecting parties, and help prevent man-in-the-middle attacks.
+
+With **{{eck}}**, you manage HTTP layer certificates. The transport layer is managed by ECK.
+
+## Network security
+
+Control which systems can access your Elastic deployment through traffic filtering and network controls:
+
+- **IP traffic filtering**: Restrict access based on IP addresses or CIDR ranges.
+
+## Next step: secure your deployments and clusters
+
+This section covered security principles and options at the environment level. You can take further measures individually for each deployment or cluster that you're running on your installation. Refer to [](secure-your-cluster-deployment.md).
+

deploy-manage/security/secure-your-elastic-cloud-enterprise-installation.md

@@ -1,38 +1,56 @@
 ---
+navigation_title: "{{ece}}"
+applies_to:
+  deployment:
+    ece: ga
 mapped_pages:
   - https://www.elastic.co/guide/en/cloud-enterprise/current/ece-securing-considerations.html
 ---
 
 # Secure your Elastic Cloud Enterprise installation [ece-securing-considerations]
 
-Elastic Cloud Enterprise can run on shared and less secure environments, but you should be aware of some limitations when deploying our product.
+**This page is a work in progress.**
 
+When securing your {{ece}} installation, consider the following:
 
-### Users with admin privileges [ece_users_with_admin_privileges] 
+## TLS certificate management 
 
-In Elastic Cloud Enterprise 3.8.1, every user who can manage your installation through the Cloud UI or the RESTful API is a user with admin privileges. This includes both the `admin` user and the `readonly` user that get created when you install ECE on your first host. Initially, only the `admin` user has the required privileges to make changes to resources on ECE.
+TLS certificates apply security controls to network communications. They encrypt data in transit, verify the identity of connecting parties, and help prevent man-in-the-middle attacks.
 
-[Role-based access control](../users-roles/cloud-enterprise-orchestrator/manage-users-roles.md) for Elastic Cloud Enterprise allows you to connect multiple users or user groups to the platform.
+With {{ece}}, you manage proxy certificates for the HTTP layer. The transport layer is managed by ECE. Refer to [](secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md).
 
-All Elasticsearch clusters come with X-Pack security features and support role-based access control. To learn more, check [Secure Your Clusters](../users-roles/cluster-or-deployment-auth.md).
+## Network security
+
+Control which systems can access your Elastic deployment through traffic filtering and network controls:
 
+- **IP traffic filtering**: Restrict access based on IP addresses or CIDR ranges.
+- **Trust for cross-cluster operations**. Define which environments your {{ece}} installation can connect to and receive connections from. For more details on cross-cluster operations and the required settings, refer to [](/deploy-manage/remote-clusters.md).
 
-### Clusters share the same resources [ece_clusters_share_the_same_resources] 
+$$$ece_clusters_share_the_same_resources$$$
+:::{note}
+Clusters share the same resources
 
 The Elasticsearch clusters you create on Elastic Cloud Enterprise share the same resources. It is currently not possible to run a specific cluster on entirely dedicated hardware not shared by other clusters.
+:::
+
+## Users with admin privileges [ece_users_with_admin_privileges] 
+
+In Elastic Cloud Enterprise, every user who can manage your installation through the Cloud UI or the RESTful API is a user with admin privileges. This includes both the `admin` user and the `readonly` user that get created when you install ECE on your first host. Initially, only the `admin` user has the required privileges to make changes to resources on ECE.
+
+[Role-based access control](../users-roles/cloud-enterprise-orchestrator/manage-users-roles.md) for Elastic Cloud Enterprise allows you to connect multiple users or user groups to the platform.
+
+All Elasticsearch clusters come with X-Pack security features and support role-based access control. To learn more, check [Secure Your Clusters](../users-roles/cluster-or-deployment-auth.md).
 
 
-### Encryption [ece_encryption] 
+## Encryption [ece_encryption] 
 
 Elastic Cloud Enterprise does not implement encryption at rest out of the box. To ensure encryption at rest for all data managed by Elastic Cloud Enterprise, the hosts running Elastic Cloud Enterprise must be configured with disk-level encryption, such as dm-crypt. In addition, snapshot targets must ensure that data is encrypted at rest as well.
 
 Configuring dm-crypt or similar technologies is outside the scope of the Elastic Cloud Enterprise documentation, and issues related to disk encryption are outside the scope of support.
 
-Elastic Cloud Enterprise provides full encryption of all network traffic by default when using Elasticsearch 6.0 or higher.
+Elastic Cloud Enterprise provides full encryption of all network traffic by default.
 
-TLS is supported when interacting with the RESTful API of Elastic Cloud Enterprise and for the proxy layer that routes user requests to clusters of all versions. Internally, our administrative services also ensure transport-level encryption.
-
-In Elasticsearch versions lower than 6.0, traffic between nodes in a cluster and between proxies and the clusters is *not* encrypted.
+TLS is supported when interacting with the [RESTful API of Elastic Cloud Enterprise](https://www.elastic.co/docs/api/doc/cloud-enterprise/) and for the proxy layer that routes user requests to clusters of all versions. Internally, our administrative services also ensure transport-level encryption.
 
 
 ## Attack vectors versus separation of roles [ece-securing-vectors] 
@@ -45,3 +63,7 @@ Elastic Cloud Enterprise is designed to ensure that an allocator has access only
 
 Security comes in layers, and running separate services on separate infrastructure is the last layer of defense, on top of other security features like the JVM security manager, system call filtering, and running nodes in isolated containers with no shared secrets.
 
+## Next step: secure your deployments and clusters
+
+This section covered security principles and options at the environment level. You can take further measures individually for each deployment or cluster that you're running on your installation. Refer to [](secure-your-cluster-deployment.md).
+

deploy-manage/security/secure-your-elastic-cloud-organization.md

@@ -0,0 +1,30 @@
+---
+navigation_title: "{{ecloud}}"
+applies_to:
+  deployment:
+    ess: ga
+  serverless: ga
+---
+
+# Secure your Elastic Cloud organization [ec-securing-considerations]
+
+**This page is a work in progress.**
+
+## TLS certificate management
+
+TLS certificates apply security controls to network communications. They encrypt data in transit, verify the identity of connecting parties, and help prevent man-in-the-middle attacks.
+
+For your **{{ech}}** deployments and serverless projects hosted on {{ecloud}}, TLS certificates are managed automatically.
+
+## Network security
+
+Control which systems can access your Elastic deployment through traffic filtering and network controls:
+
+- **IP traffic filtering**: Restrict access based on IP addresses or CIDR ranges.
+- **Private link filters**: Secure connectivity through AWS PrivateLink, Azure Private Link, or GCP Private Service Connect.
+- **Static IPs**: Use static IP addresses for predictable firewall rules.
+
+
+## Next step: secure your deployments and clusters
+
+This section covered security principles and options at the environment level. You can take further measures individually for each deployment or cluster that you're running on your installation. Refer to [](secure-your-cluster-deployment.md).

deploy-manage/security/secure-your-personal-account.md

@@ -0,0 +1,9 @@
+---
+applies_to:
+  deployment: all
+  serverless: ga
+---
+
+# Secure your personal account
+
+**This page is a work in progress.**

deploy-manage/toc.yml

@@ -512,17 +512,25 @@ toc:
           - file: remote-clusters/remote-clusters-settings.md
       - file: remote-clusters/eck-remote-clusters.md
   - file: security.md
-    children:
-      - file: security/secure-your-elastic-cloud-enterprise-installation.md
+    children: 
+      - file: security/secure-hosting-environment.md
         children:
-          - file: security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md
-          - file: security/secure-your-elastic-cloud-enterprise-installation/allow-x509-certificates-signed-with-sha-1.md
-          - file: security/secure-your-elastic-cloud-enterprise-installation/configure-tls-version.md
+          - file: security/secure-your-elastic-cloud-organization.md        
+          - file: security/secure-your-elastic-cloud-enterprise-installation.md
+            children:
+              - file: security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md
+              - file: security/secure-your-elastic-cloud-enterprise-installation/allow-x509-certificates-signed-with-sha-1.md
+              - file: security/secure-your-elastic-cloud-enterprise-installation/configure-tls-version.md
+          - file: security/secure-your-eck-installation.md
+          - file: security/manually-configure-security-in-self-managed-cluster.md
+            children:
+              - file: security/set-up-minimal-security.md
+              - file: security/set-up-basic-security.md
+              - file: security/set-up-basic-security-plus-https.md
       - file: security/secure-your-cluster-deployment.md
         children:
           - file: security/secure-endpoints.md
             children:
-              - file: security/secure-http-communications.md
               - file: security/traffic-filtering.md
                 children:
                   - file: security/ip-traffic-filtering.md
@@ -534,31 +542,30 @@ toc:
                       - file: security/claim-traffic-filter-link-id-ownership-through-api.md
                   - file: security/manage-traffic-filtering-through-api.md
               - file: security/elastic-cloud-static-ips.md
-          - file: security/kibana-session-management.md
           - file: security/secure-cluster-communications.md
             children:
+              - file: security/secure-http-communications.md
               - file: security/security-certificates-keys.md
                 children:
                   - file: security/updating-certificates.md
                     children:
                       - file: security/same-ca.md
                       - file: security/different-ca.md
-          - file: security/secure-clients-integrations.md
+              - file: security/supported-ssltls-versions-by-jdk-version.md
+          - file: security/data-security.md
             children:
-              - file: security/httprest-clients-security.md
-          - file: security/encrypt-deployment.md
-            children:
-              - file: security/encrypt-deployment-with-customer-managed-encryption-key.md
-          - file: security/secure-settings.md
-          - file: security/secure-saved-objects.md
-          - file: security/manually-configure-security-in-self-managed-cluster.md
-            children:
-              - file: security/set-up-minimal-security.md
-              - file: security/set-up-basic-security.md
-              - file: security/set-up-basic-security-plus-https.md
-          - file: security/enabling-cipher-suites-for-stronger-encryption.md
-          - file: security/supported-ssltls-versions-by-jdk-version.md
+              - file: security/encrypt-deployment.md
+                children:
+                  - file: security/encrypt-deployment-with-customer-managed-encryption-key.md
+                  - file: security/enabling-cipher-suites-for-stronger-encryption.md
+              - file: security/secure-settings.md
+              - file: security/secure-saved-objects.md
+          - file: security/kibana-session-management.md
           - file: security/fips-140-2.md
+      - file: security/secure-your-personal-account.md
+      - file: security/secure-clients-integrations.md
+        children:
+          - file: security/httprest-clients-security.md
   - file: users-roles.md
     children:
       - file: users-roles/cloud-organization.md