elastic
diff --git a/‎deploy-manage/deploy/elastic-cloud/restrictions-known-problems.md‎
Lines changed: 1 addition & 1 deletion b/‎deploy-manage/deploy/elastic-cloud/restrictions-known-problems.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎deploy-manage/security.md‎
Lines changed: 119 additions & 59 deletions b/‎deploy-manage/security.md‎
Lines changed: 119 additions & 59 deletions
diff --git a/‎deploy-manage/security/secure-your-elastic-cloud-organization.md‎
Lines changed: 19 additions & 13 deletions b/‎deploy-manage/security/secure-your-elastic-cloud-organization.md‎
Lines changed: 19 additions & 13 deletions
@@ -55,7 +55,7 @@ Elasticsearch APIs
 $$$ec-restrictions-apis-kibana$$$
 
 Kibana APIs
-:   There are no rate limits restricting your use of the Kibana APIs. However, Kibana features are affected by the [Kibana configuration settings](/deploy-manage/deploy/self-managed/configure-kibana.md), not all of which are supported in {{ecloud}}. For a list of what settings are currently supported, check [Add Kibana user settings](edit-stack-settings.md). For all details about using the Kibana APIs, check the [Kibana API reference documentation](https://www.elastic.co/guide/en/kibana/current/api.html).
+:   There are no rate limits restricting your use of the Kibana APIs. However, Kibana features are affected by the [Kibana configuration settings](kibana://reference/configuration-reference.md), not all of which are supported in {{ecloud}}. For a list of what settings are currently supported, check [Add Kibana user settings](edit-stack-settings.md). For all details about using the Kibana APIs, check the [Kibana API reference documentation](https://www.elastic.co/docs/api/doc/kibana/).
 
 
 ## Transport client [ec-restrictions-transport-client]
 
@@ -75,102 +75,162 @@ $$$maintaining-audit-trail$$$
 
 # Security
 
-This section covers how to secure your Elastic environment. Learn how to implement TLS encryption, network security controls, and data protection measures.
+This overview page helps you understand Elastic's security capabilities across different deployment types. You'll find:
+
+- Key security features for protecting your Elastic deployment
+- Security capabilities specific to each deployment type
+- Comparison tables showing feature availability and configurability by deployment type
+- Links to detailed implementation guides
 
 ## Security overview
 
-An Elastic implementation comprises many moving parts: {es} nodes forming the cluster, {kib} instances, additional stack components such as Logstash and Beats, and various clients and integrations communicating with your deployment.
+An Elastic implementation comprises many moving parts: {{es}} nodes forming the cluster, {{kib}} instances, additional stack components such as Logstash and Beats, and various clients and integrations communicating with your deployment.
 
 To keep your data secured, Elastic offers comprehensive security features that:
 - Prevent unauthorized access to your deployment
 - Encrypt communications between components
 - Protect data at rest
 - Secure sensitive settings and saved objects
 
-Security requirements and capabilities vary by deployment. Features may be managed automatically by Elastic, require configuration, or must be fully self-managed. Refer to [Security by deployment type](#security-by-deployment-type) for details.
+:::{note}
+The availability and configurability of security features vary by deployment type. Refer to [Security by deployment type](#security-features-by-deployment-type) for a comparison table.
+:::
 
-::::{tip}
-See the [Deployment overview](/deploy-manage/deploy.md) to understand your options for deploying Elastic.
-::::
+## Security topics
 
-### Security by deployment type
+The documentation is organized into four main areas.
 
-Security features have one of these statuses across deployment types:
+:::{note}
+Throughout the documentation, you'll see deployment type indicators that show which content applies to specific deployment types. Focus on sections tagged with your deployment type and look for subsections specifically addressing your deployment model.
+:::
 
-| Status | Description |
-|--------|-------------|
-| **Managed** | Handled automatically by Elastic with no user configuration needed |
-| **Configurable** | Built-in feature that needs your configuration (like IP filters or passwords) |
-| **Self-managed** | Infrastructure-level security you implement and maintain |
-| **N/A** | Not available for this deployment type |
+### 1. Secure your hosting environment
+
+The [security of your hosting environment](security/secure-hosting-environment.md) forms the foundation of your overall security posture. This section covers environment-specific security controls:
 
-#### Communication security
+- [**Elastic Cloud Hosted and Serverless**](security/secure-your-elastic-cloud-organization.md)
+- [**Elastic Cloud Enterprise**](security/secure-your-elastic-cloud-enterprise-installation.md)
+- [**Elastic Cloud on Kubernetes**](security/secure-your-eck-installation.md)
+- [**Self-managed environments**](security/manually-configure-security-in-self-managed-cluster.md)
 
-| **Security feature** | Serverless | Elastic Cloud Hosted | ECE | ECK | Self-managed |
-|------------------|------------|--------------|-----|-----|--------------|
-| **TLS (HTTP Layer)** | Managed | Managed | Configurable | Configurable | Self-managed |
-| **TLS (Transport Layer)** | Managed | Managed | Managed | Managed | Self-managed |
+### 2. Secure your deployments and clusters
 
-#### Network security
+[Secure your deployments](security/secure-your-cluster-deployment.md) with features available across all deployment types:
 
-| **Security feature** | Serverless | Elastic Cloud Hosted | ECE | ECK | Self-managed |
-|------------------|------------|--------------|-----|-----|--------------|
-| **IP traffic filtering** | Configurable | Configurable | Configurable | Configurable | Configurable |
-| **Private link** | N/A | Configurable | N/A | N/A | N/A |
-| **Static IPs** | Configurable | Configurable | N/A | N/A | N/A |
+- [**Traffic filtering**](security/traffic-filtering.md): IP filtering, private links, and static IPs
+- [**Secure communications**](security/secure-cluster-communications.md): TLS configuration, certificates management
+- [**Data protection**](security/data-security.md): Encryption at rest, secure settings, saved objects
+- [**Session management**](security/kibana-session-management.md): Kibana session controls
+- [**FIPS 140-2 compliance**](security/fips-140-2.md): Federal security standards
 
-#### Data security
+### 3. Secure your personal account
 
-| **Security feature** | Serverless | Elastic Cloud Hosted | ECE | ECK | Self-managed |
-|------------------|------------|--------------|-----|-----|--------------|
-| **Encryption at rest** | Managed | Managed | Self-managed | Self-managed | Self-managed |
-| **Bring your own encryption key** | N/A | Configurable | N/A | N/A | N/A |
-| **Keystore security** | Managed | Managed | Configurable | Configurable | Configurable |
-| **Saved object encryption** | Managed | Managed | Configurable | Configurable | Configurable |
+[Secure your personal account](security/secure-your-personal-account.md) to help prevent unauthorized access:
 
-#### User session security
+- Multi-factor authentication and account security best practices
 
-| **Security feature** | Serverless | Elastic Cloud Hosted | ECE | ECK | Self-managed |
-|------------------|------------|--------------|-----|-----|--------------|
-| **Kibana Sessions** | Managed | Configurable | Configurable | Configurable | Configurable |
+### 4. Secure your clients and integrations
 
-### Using this documentation
+[Secure your clients and integrations](security/secure-clients-integrations.md) to ensure secure communication between your applications and Elastic:
 
-Throughout this security documentation, you'll see deployment type indicators that show which content applies to specific deployment types. Each section clearly identifies which deployment types it applies to, and deployment-specific details are separated within each topic.
+- [**Client security**](security/httprest-clients-security.md): Best practices for securely connecting applications to {{es}}
+- **Integration security**: Secure configuration for Beats, Logstash, and other integrations
 
-To get the most relevant information for your environment, focus on sections tagged with your deployment type and look for subsections specifically addressing your deployment model.
+## Security features by deployment type
 
-## Security topics
+Security feature availability varies by deployment type, with each feature having one of the following statuses:
 
-This security documentation is organized into four main areas:
+| **Status** | **Description** |
+|--------|-------------|
+| **Managed** | Handled automatically by Elastic with no user configuration needed |
+| **Configurable** | Built-in feature that needs your configuration (like IP filters or passwords) |
+| **Self-managed** | Infrastructure-level security you implement and maintain |
+| **N/A** | Not available for this deployment type |
 
-% TODO: Add links to the sections below
+Select your deployment type below to see what's available and how implementation responsibilities are distributed:
 
-### 1. Secure your hosting environment
+::::{tab-set}
+:group: deployment-type
 
-The security of your hosting environment forms the foundation of your overall security posture. This section covers environment-specific security controls:
+:::{tab-item} Elastic Cloud Hosted
+:sync: cloud-hosted
 
-- **Elastic Cloud Hosted and Serverless**: Organization-level SSO, role-based access control, and cloud API keys
-- **Elastic Cloud Enterprise**: TLS certificates, role-based access control, and cloud API keys
-- **Self-managed environments**: TLS certificates, HTTPS configuration
+| **Security Category** | **Security Feature** | **Status** | **Description** |
+|------------------|------------|--------------|-------------|
+| **Communication** | TLS (HTTP Layer) | Managed | Automatically configured by Elastic |
+| | TLS (Transport Layer) | Managed | Automatically configured by Elastic |
+| **Network** | IP traffic filtering | Configurable | Configure IP-based access restrictions |
+| | Private link | Configurable | Establish secure VPC connection |
+| | Static IPs | Configurable | Enable fixed IP addresses |
+| **Data** | Encryption at rest | Managed | Automatically encrypted by Elastic |
+| | Bring your own encryption key | Configurable | Implement customer-provided keys |
+| | Keystore security | Managed | Automatically protected by Elastic |
+| | Saved object encryption | Managed | Automatically encrypted by Elastic |
+| **User Session** | Kibana Sessions | Configurable | Customize session parameters |
 
-### 2. Secure your deployments and clusters
+:::
 
-Protect your deployments with features available across all deployment types:
+:::{tab-item} Serverless
+:sync: serverless
+
+| **Security Category** | **Security Feature** | **Status** | **Description** |
+|------------------|------------|--------------|-------------|
+| **Communication** | TLS (HTTP Layer) | Managed | Automatically configured by Elastic |
+| | TLS (Transport Layer) | Managed | Automatically configured by Elastic |
+| **Network** | IP traffic filtering | Configurable | Configure IP-based access restrictions |
+| | Private link | N/A | X |
+| | Static IPs | Configurable | Enable fixed IP addresses |
+| **Data** | Encryption at rest | Managed | Automatically encrypted by Elastic |
+| | Bring your own encryption key | N/A | X |
+| | Keystore security | Managed | Automatically protected by Elastic |
+| | Saved object encryption | Managed | Automatically encrypted by Elastic |
+| **User Session** | Kibana Sessions | Managed | Automatically configured by Elastic |
 
-- **Authentication and access controls**: User management, API keys, authentication protocols, and traffic filtering
-- **Data protection**: Encryption, sensitive settings, and document-level security
-- **Monitoring and compliance**: Audit logging and security best practices
+:::
 
-### 3. Secure your user accounts
+:::{tab-item} ECE/ECK
+:sync: ece-eck
+
+| **Security Category** | **Security Feature** | **Status** | **Description** |
+|------------------|------------|--------------|-------------|
+| **Communication** | TLS (HTTP Layer) | Configurable | Configure custom certificates |
+| | TLS (Transport Layer) | Managed | Automatically configured by Elastic |
+| **Network** | IP traffic filtering | Configurable | Configure IP-based access restrictions |
+| | Private link | N/A | X |
+| | Static IPs | N/A | X |
+| **Data** | Encryption at rest | Self-managed | Implement at infrastructure level |
+| | Bring your own encryption key | N/A | X |
+| | Keystore security | Configurable | Configure secure settings storage |
+| | Saved object encryption | Configurable | Enable encryption for saved objects |
+| **User Session** | Kibana Sessions | Configurable | Customize session parameters |
 
-Individual user security helps prevent unauthorized access:
+:::
 
-- **Multi-factor authentication**: Add an extra layer of security to your login process
+:::{tab-item} Self-managed
+:sync: self-managed
+
+| **Security Category** | **Security Feature** | **Status** | **Description** |
+|------------------|------------|--------------|-------------|
+| **Communication** | TLS (HTTP Layer) | Self-managed | Implement and maintain certificates |
+| | TLS (Transport Layer) | Self-managed | Implement and maintain certificates |
+| **Network** | IP traffic filtering | Configurable | Configure IP-based access restrictions |
+| | Private link | N/A | X |
+| | Static IPs | N/A | X |
+| **Data** | Encryption at rest | Self-managed | Implement at infrastructure level |
+| | Bring your own encryption key | N/A | X |
+| | Keystore security | Configurable | Configure secure settings storage |
+| | Saved object encryption | Configurable | Enable encryption for saved objects |
+| **User Session** | Kibana Sessions | Configurable | Customize session parameters |
 
-### 4. Secure your clients and integrations
+:::
 
-Ensure secure communication between your applications and Elastic:
+::::
 
-- **Client security**: Best practices for securely connecting applications to {es}
-- **Integration security**: Secure configuration for Beats, Logstash, and other integrations
+## Next steps
+
+Refer to the following sections for detailed instructions about securing your hosting environment:
+
+* [Elastic Cloud Hosted and Serverless security setup](/deploy-manage/security/secure-your-elastic-cloud-organization.md)
+* [Elastic Cloud Enterprise (ECE) security setup](/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation.md)
+* [Elastic Cloud on Kubernetes (ECK) security setup](/deploy-manage/security/secure-your-eck-installation.md)
+* [Self-managed cluster security setup](/deploy-manage/security/manually-configure-security-in-self-managed-cluster.md)
@@ -8,26 +8,32 @@ applies_to:
 
 # Secure your Elastic Cloud organization [ec-securing-considerations]
 
-:::{warning}
-**This page is a work in progress.** 
-:::
+This section covers security settings for your {{ecloud}} organization, the platform for managing {{ech}} deployments and serverless projects.
 
+**Managed by Elastic**
 
-## TLS certificate management
+As a managed service, Elastic automatically handles a [number of security features](https://www.elastic.co/cloud/security#details) with no configuration required:
 
-TLS certificates apply security controls to network communications. They encrypt data in transit, verify the identity of connecting parties, and help prevent man-in-the-middle attacks.
+- **TLS encrypted communication** is provided in the default configuration. Elasticsearch nodes communicate using TLS.
+- **Encryption at rest**. By default, all of your {{ecloud}} resources are encrypted at rest. Note that you can choose to encrypt your {{ech}} deployments [using your own encryption key](/deploy-manage/security/encrypt-deployment-with-customer-managed-encryption-key.md).
+- **Cluster isolation**. Elasticsearch nodes run in isolated containers, configured according to the principle of least privilege, and with restrictions on system calls and allowed root operations.
 
-For your **{{ech}}** deployments and serverless projects hosted on {{ecloud}}, TLS certificates are managed automatically.
+**Additional organization-level security settings**
 
-## Access control
+To reinforce the security of your organization, consider implementing the following measures:
 
-Define which users can access your {{ecloud}} organization using the following methods:
+- **Network security**. Control which systems can access your Elastic deployments and projects through traffic filtering and network controls:
+  - [**IP traffic filtering**](/deploy-manage/security/ip-traffic-filtering.md): Restrict access based on IP addresses or CIDR ranges.
+  - [**Private link filters**](/deploy-manage/security/private-link-traffic-filters.md): Secure connectivity through AWS PrivateLink, Azure Private Link, or GCP Private Service Connect.
+  - [**Static IPs**](/deploy-manage/security/elastic-cloud-static-ips.md): Use static IP addresses for predictable firewall rules. 
+- **Access control**
+  - [**Organization-level SSO**](/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md). Note that for {{ech}} deployments, you can also configure SSO at the [deployment level](/deploy-manage/users-roles/cluster-or-deployment-auth.md).
+  - [**Cloud role-based access control**](/deploy-manage/users-roles/cloud-organization/manage-users.md): Define the roles of users who have access to your organization and its resources. Note that for {{ech}} deployments, you can also [manage non-cloud users and roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md).
+  - [**Cloud API keys**](/deploy-manage/api-keys/elastic-cloud-api-keys.md): Manage API keys used for programmatic access to [{{ecloud}}](https://www.elastic.co/docs/api/doc/cloud/) and [{{ecloud}} serverless](https://www.elastic.co/docs/api/doc/elastic-cloud-serverless/) APIs.
 
-- [SSO](/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md)
-- [Role-based access control](/deploy-manage/users-roles/cloud-organization/manage-users.md)
-- [Cloud API keys](/deploy-manage/api-keys/elastic-cloud-api-keys.md)
 
 
-## Next step: secure your deployments and clusters
+**Additional deployment-level security settings**
+
+While serverless projects are fully managed and secured by Elastic, additional security settings are available for you to configure individually for your {{ech}} deployments. Refer to [](secure-your-cluster-deployment.md) for more information.
 
-This section covered security principles and options at the environment level. You can take further measures individually for each deployment or cluster that you're running on this environment. Refer to [](secure-your-cluster-deployment.md).