secure ecloud

Author: florent-leborgne

deploy-manage/security/secure-your-elastic-cloud-organization.md

@@ -8,26 +8,32 @@ applies_to:
 
 # Secure your Elastic Cloud organization [ec-securing-considerations]
 
-:::{warning}
-**This page is a work in progress.** 
-:::
+This section describes the settings available for you to secure your {{ecloud}} organization, which is the platform where you can manage your {{ech}} deployments and serverless projects. 
 
+**Managed for you**
 
-## TLS certificate management
+As a managed service, a certain number of [security aspects are handled by Elastic](https://www.elastic.co/cloud/security#details) and don't require specific configuration from you:
 
-TLS certificates apply security controls to network communications. They encrypt data in transit, verify the identity of connecting parties, and help prevent man-in-the-middle attacks.
+- **TLS encrypted communication** is provided in the default configuration. Elasticsearch nodes communicate using TLS.
+- **Encryption at rest**. By default, all of your {{ecloud}} resources are encrypted at rest. Note that you can choose to encrypt your {{ech}} deployments [using your own encryption key](/deploy-manage/security/encrypt-deployment-with-customer-managed-encryption-key.md).
+- **Cluster isolation**. Elasticsearch nodes run in isolated containers, configured according to the principle of least privilege, and with restrictions on system calls and allowed root operations.
 
-For your **{{ech}}** deployments and serverless projects hosted on {{ecloud}}, TLS certificates are managed automatically.
+**Organization-level available security settings**
 
-## Access control
+To reinforce the security of your organization, consider implementing the following measures:
 
-Define which users can access your {{ecloud}} organization using the following methods:
+- **Network security**. Control which systems can access your Elastic deployments and projects through traffic filtering and network controls:
+  - [**IP traffic filtering**](/deploy-manage/security/ip-traffic-filtering.md): Restrict access based on IP addresses or CIDR ranges.
+  - [**Private link filters**](/deploy-manage/security/private-link-traffic-filters.md): Secure connectivity through AWS PrivateLink, Azure Private Link, or GCP Private Service Connect.
+  - [**Static IPs**](/deploy-manage/security/elastic-cloud-static-ips.md): Use static IP addresses for predictable firewall rules. 
+- **Access control**
+  - [**Organization-level SSO**](/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md). Note that for {{ech}} deployments, you can also configure SSO at the [deployment level](/deploy-manage/users-roles/cluster-or-deployment-auth.md).
+  - [**Cloud role-based access control**](/deploy-manage/users-roles/cloud-organization/manage-users.md): Define the roles of users who have access to your organization and its resources. Note that for {{ech}} deployments, you can also [manage non-cloud users and roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md).
+  - [**Cloud API keys**](/deploy-manage/api-keys/elastic-cloud-api-keys.md): Manage API keys used for programmatic access to [{{ecloud}}](https://www.elastic.co/docs/api/doc/cloud/) and [{{ecloud}} serverless](https://www.elastic.co/docs/api/doc/elastic-cloud-serverless/) APIs.
 
-- [SSO](/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md)
-- [Role-based access control](/deploy-manage/users-roles/cloud-organization/manage-users.md)
-- [Cloud API keys](/deploy-manage/api-keys/elastic-cloud-api-keys.md)
 
 
-## Next step: secure your deployments and clusters
+**Deployment-level available security settings**
+
+While serverless projects are fully managed and secured by Elastic, additional security settings are available for you to configure individually for your {{ech}} deployments. Refer to [](secure-your-cluster-deployment.md) for more information.
 
-This section covered security principles and options at the environment level. You can take further measures individually for each deployment or cluster that you're running on this environment. Refer to [](secure-your-cluster-deployment.md).