[D&M] Orchestrator security (#727)

^^ 

- Refocuses the 1st subsection on "orchestrators"
- Left the self-managed section as an outlier and with some notes but I
think currently it's the best place to provide a "360" centered on
self-managed installs

---------

Co-authored-by: Liam Thompson <32779855+leemthompo@users.noreply.github.com>

Author: 2 people

deploy-manage/security.md

@@ -100,18 +100,19 @@ The availability and configurability of security features vary by deployment typ
 
 The documentation is organized into four main areas.
 
-:::{note}
-Throughout the documentation, you'll see deployment type indicators that show which content applies to specific deployment types. Focus on sections tagged with your deployment type and look for subsections specifically addressing your deployment model.
-:::
+On every page, you'll see deployment type indicators that show which content applies to specific deployment types. Focus on sections tagged with your deployment type and look for subsections specifically addressing your deployment model.
 
-### 1. Secure your hosting environment
+### 1. Secure your orchestrator
 
-The [security of your hosting environment](security/secure-hosting-environment.md) forms the foundation of your overall security posture. This section covers environment-specific security controls:
+The [security of your orchestrator](security/secure-hosting-environment.md) forms the foundation of your overall security posture. This section covers environment-specific security controls:
 
 - [**Elastic Cloud Hosted and Serverless**](security/secure-your-elastic-cloud-organization.md)
 - [**Elastic Cloud Enterprise**](security/secure-your-elastic-cloud-enterprise-installation.md)
 - [**Elastic Cloud on Kubernetes**](security/secure-your-eck-installation.md)
-- [**Self-managed environments**](security/manually-configure-security-in-self-managed-cluster.md)
+
+:::{note}
+There is no orchestration layer for self-managed deployments because you directly control the host environment. Refer to [](security/manually-configure-security-in-self-managed-cluster.md) to learn more about securing self-managed installations.
+:::
 
 ### 2. Secure your deployments and clusters
 

deploy-manage/security/install-stack-demo-secure.md

@@ -1,10 +1,16 @@
-# Tutorial 2: Securing a self-managed {{stack}} [install-stack-demo-secure]
+---
+applies_to:
+  deployment:
+    self: ga
+---
 
-This tutorial is a follow-on to [Tutorial 1: Installing a self-managed {{stack}}](/deploy-manage/deploy/self-managed.md). The first tutorial describes how to configure a multi-node {{es}} cluster and then set up {{kib}}, followed by {{fleet-server}} and {{agent}}. In a production environment, it’s recommended after completing the {{kib}} setup to proceed directly to this tutorial to configure your SSL certificates. These steps guide you through that process, and then describe how to configure {{fleet-server}} and {{agent}} with the certificates in place.
+# Tutorial: Securing a self-managed {{stack}} [install-stack-demo-secure]
+
+This tutorial is a follow-on to [installing a self-managed {{stack}}](/deploy-manage/deploy/self-managed.md) with a multi-node {{es}} cluster, {{kib}}, {{fleet-server}} and {{agent}}. In a production environment, it’s recommended after completing the {{kib}} setup to proceed directly to this tutorial to configure your SSL certificates. These steps guide you through that process, and then describe how to configure {{fleet-server}} and {{agent}} with the certificates in place.
 
 **Securing the {{stack}}**
 
-Beginning with Elastic 8.0, security is enabled in the {{stack}} by default, meaning that traffic between {{es}} nodes and between {{kib}} and {{es}} is SSL-encrypted. While this is suitable for testing non-production viability of the Elastic platform, most production networks have requirements for the use of trusted CA-signed certificates. These steps demonstrate how to update the out-of-the-box self-signed certificates with your own trusted CA-signed certificates.
+Since {{stack}} 8.0, security is enabled by default, meaning that traffic between {{es}} nodes and between {{kib}} and {{es}} is SSL-encrypted. While this is suitable for testing non-production viability of the Elastic platform, most production networks have requirements for the use of trusted CA-signed certificates. These steps demonstrate how to update the out-of-the-box self-signed certificates with your own trusted CA-signed certificates.
 
 For traffic to be encrypted between {{es}} cluster nodes and between {{kib}} and {{es}}, SSL certificates must be created for the transport ({{es}} inter-node communication) and HTTP (for the {{es}} REST API) layers. Similarly, when setting up {{fleet-server}} you’ll generate and configure a new certificate bundle, and then {{elastic-agent}} uses the generated certificates to communicate with both {{fleet-server}} and {{es}}. The process to set things up is as follows:
 
@@ -23,7 +29,7 @@ It should take between one and two hours to complete these steps.
 
 ## Prerequisites and assumptions [install-stack-demo-secure-prereqs]
 
-Before starting, you’ll need to have set up an on-premises {{es}} cluster with {{kib}}, following the steps in [Tutorial 1: Installing a self-managed {{stack}}](/deploy-manage/deploy/self-managed.md).
+Before starting, you’ll need to have set up an on-premises {{es}} cluster with {{kib}}, following the steps for [installing a self-managed {{stack}}](/deploy-manage/deploy/self-managed.md).
 
 The examples in this guide use RPM packages to install the {{stack}} components on hosts running Red Hat Enterprise Linux 8. The steps for other install methods and operating systems are similar, and can be found in the documentation linked from each section.
 
@@ -227,7 +233,7 @@ Now that communication between {{es}} nodes (the transport layer) has been secur
             ```
 
         2. When prompted, confirm that the settings are correct.
-        3. Add the network IP address that clients can use to connect to the first {{es}} node. This is the same value that’s described in Step 2 of [Tutorial 1: Installing a self-managed {{stack}}](/deploy-manage/deploy/self-managed.md), for example `10.128.0.84`:
+        3. Add the network IP address that clients can use to connect to the first {{es}} node. For example `10.128.0.84`:
 
             ```shell
             10.128.0.84
@@ -617,7 +623,7 @@ Now that the transport and HTTP layers are configured with encryption using the
 
     Open a web browser to the external IP address of the Kibana host machine: `https://<kibana-host-address>:5601`. Note that the URL should use the `https` and not the `http` protocol.
 
-15. Log in using the `elastic` user and password that you configured in Step 1 of [Tutorial 1: Installing a self-managed {{stack}}](/deploy-manage/deploy/self-managed.md).
+15. Log in using the `elastic` user and password that you configured when [installing your self-managed {{stack}}](/deploy-manage/deploy/self-managed.md).
 
 Congratulations! You’ve successfully updated the SSL certificates between {{es}} and {{kib}}.
 

deploy-manage/security/manually-configure-security-in-self-managed-cluster.md

@@ -9,7 +9,11 @@ mapped_pages:
 
 # Manually configure security in a self-managed cluster [manually-configure-security]
 
-Security needs vary depending on whether you’re developing locally on your laptop or securing all communications in a production environment. Regardless of where you’re deploying the {{stack}} ("ELK"), running a secure cluster is incredibly important to protect your data. That’s why security is [enabled and configured by default](../deploy/self-managed/installing-elasticsearch.md) in {{es}} 8.0 and later.
+:::{note}
+This page describes important aspects to consider and common end-to-end scenarios for securing your self-managed {{stack}}. For a more granular view of the available security options for your clusters and nodes, refer to [](secure-your-cluster-deployment.md).
+:::
+
+Security needs vary depending on whether you’re developing locally on your laptop or securing all communications in a production environment. Regardless of where you’re deploying the {{stack}} ("ELK"), running a secure cluster is incredibly important to protect your data. That’s why security is [enabled and configured by default](../deploy/self-managed/installing-elasticsearch.md) since {{es}} 8.0.
 
 If you want to enable security on an existing, unsecured cluster, use your own Certificate Authority (CA), or would rather manually configure security, the following scenarios provide steps for configuring TLS on the transport layer, plus securing HTTPS traffic if you want it.
 
@@ -59,24 +63,6 @@ You then configure {{kib}} and Beats to communicate with {{es}} using TLS so tha
 
 [Set up basic security plus HTTPS traffic](secure-http-communications.md)
 
-## Considerations
-
-### TLS certificate management
-
-TLS certificates apply security controls to network communications. They encrypt data in transit, verify the identity of connecting parties, and help prevent man-in-the-middle attacks.
-
-On **self-managed** installations, you manage certificates for both HTTP and transport layers.
-
-### Network security
-
-Control which systems can access your Elastic deployment through traffic filtering and network controls:
-
-- **IP traffic filtering**: Restrict access based on IP addresses or CIDR ranges.
-
-## Next step: secure your deployments and clusters
-
-This section covered security principles and options at the environment level. You can take further measures individually for each deployment or cluster that you're running on this environment. Refer to [](secure-your-cluster-deployment.md).
-
 
 
 

deploy-manage/security/secure-hosting-environment.md

@@ -4,19 +4,18 @@ applies_to:
   serverless: ga
 ---
 
-# Secure your hosting environment
+# Secure your orchestrator
 
-:::{warning}
-**This page is a work in progress.** 
-:::
-
-Whether you're running Elastic on {{ecloud}}, through an {{ece}} or {{eck}} orchestrator, or self-managed on your own premises, it is critical that you secure the layer responsible for deploying and hosting your Elastic products.
+Whether you're running Elastic on {{ecloud}} or using an {{ece}} or {{eck}} orchestrator, it is critical that you secure the layer responsible for deploying and hosting your Elastic products.
 
 This section covers security measures specific to:
 
 - [{{ecloud}}](secure-your-elastic-cloud-organization.md)
 - [{{ece}}](secure-your-elastic-cloud-enterprise-installation.md)
 - [{{eck}}](secure-your-eck-installation.md)
-- [Self-managed](manually-configure-security-in-self-managed-cluster.md)
+
+:::{note}
+There is no orchestration layer for self-managed installations, but you can find a summary of your security options in [](manually-configure-security-in-self-managed-cluster.md).
+:::
 
 Learn how to manage security certificates, configure TLS versions, and implement additional security controls at the environment level.

deploy-manage/security/secure-your-eck-installation.md

@@ -5,26 +5,19 @@ applies_to:
     eck: ga
 ---
 
-# Secure your {{eck}} installation [eck-securing-considerations]
+# Secure your {{eck}} orchestrator [eck-securing-considerations]
 
-:::{warning}
-**This page is a work in progress.** 
-:::
+This section covers security settings for your {{eck}} orchestrator.
 
+**Orchestrator-level security**
 
-## TLS certificate management
+- [Restrict cross-namespace resources associations](/deploy-manage/deploy/cloud-on-k8s/restrict-cross-namespace-resource-associations.md)
+- [Isolate pods with network policies](/deploy-manage/deploy/cloud-on-k8s/network-policies.md)
+- [Secure the metrics endpoint](/deploy-manage/monitor/orchestrators/k8s-securing-metrics-endpoint.md)
 
-TLS certificates apply security controls to network communications. They encrypt data in transit, verify the identity of connecting parties, and help prevent man-in-the-middle attacks.
+Also refer to [](/deploy-manage/deploy/cloud-on-k8s/configure.md) for more information about configuring {{eck}}.
 
-With **{{eck}}**, you manage HTTP layer certificates. The transport layer is managed by ECK.
+**Additional deployment-level security settings**
 
-## Network security
-
-Control which systems can access your Elastic deployment through traffic filtering and network controls:
-
-- **IP traffic filtering**: Restrict access based on IP addresses or CIDR ranges.
-
-## Next step: secure your deployments and clusters
-
-This section covered security principles and options at the environment level. You can take further measures individually for each deployment or cluster that you're running on this environment. Refer to [](secure-your-cluster-deployment.md).
+Additional security settings are available for you to configure individually for each deployment orchestrated using {{eck}}. Refer to [](secure-your-cluster-deployment.md) for more information.
 

deploy-manage/security/secure-your-elastic-cloud-enterprise-installation.md

@@ -7,23 +7,25 @@ mapped_pages:
   - https://www.elastic.co/guide/en/cloud-enterprise/current/ece-securing-considerations.html
 ---
 
-# Secure your Elastic Cloud Enterprise installation [ece-securing-considerations]
+# Secure your Elastic Cloud Enterprise orchestrator [ece-securing-considerations]
 
-:::{warning}
-**This page is a work in progress.** 
-:::
+This section covers security settings for your {{ece}} orchestrator.
 
+**Orchestrator-level security**
 
-When securing your {{ece}} installation, consider the following:
+- [**TLS certificates**](secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md): Apply security controls to network communications. With {{ece}}, you manage proxy certificates for the HTTP layer. The transport layer is managed by ECE.
+- [**Platform role-based access control**](/deploy-manage/users-roles/cloud-enterprise-orchestrator.md): Define the roles of users who have access to your organization and its resources. Note that you can also [manage non-cloud users and roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md).
+- [**Authentication providers**](/deploy-manage/users-roles/cloud-enterprise-orchestrator.md): Integrate with external authentication providers, including Active Directory, LDAP, and SAML.
 
-## TLS certificate management 
 
-TLS certificates apply security controls to network communications. They encrypt data in transit, verify the identity of connecting parties, and help prevent man-in-the-middle attacks.
+**Additional deployment-level security settings**
 
-With {{ece}}, you manage proxy certificates for the HTTP layer. The transport layer is managed by ECE. Refer to [](secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md).
+Additional security settings are available for you to configure individually for each deployment orchestrated using {{ece}}. Refer to [](secure-your-cluster-deployment.md) for more information.
 
 
-## Users with admin privileges [ece_users_with_admin_privileges] 
+## Notes about {{ece}} security
+
+### Users with admin privileges [ece_users_with_admin_privileges] 
 
 In Elastic Cloud Enterprise, every user who can manage your installation through the Cloud UI or the RESTful API is a user with admin privileges. This includes both the `admin` user and the `readonly` user that get created when you install ECE on your first host. Initially, only the `admin` user has the required privileges to make changes to resources on ECE.
 
@@ -32,7 +34,7 @@ In Elastic Cloud Enterprise, every user who can manage your installation through
 All Elasticsearch clusters come with X-Pack security features and support role-based access control. To learn more, check [Secure Your Clusters](../users-roles/cluster-or-deployment-auth.md).
 
 
-## Encryption [ece_encryption] 
+### Encryption [ece_encryption] 
 
 Elastic Cloud Enterprise does not implement encryption at rest out of the box. To ensure encryption at rest for all data managed by Elastic Cloud Enterprise, the hosts running Elastic Cloud Enterprise must be configured with disk-level encryption, such as dm-crypt. In addition, snapshot targets must ensure that data is encrypted at rest as well.
 
@@ -43,7 +45,7 @@ Elastic Cloud Enterprise provides full encryption of all network traffic by defa
 TLS is supported when interacting with the [RESTful API of Elastic Cloud Enterprise](https://www.elastic.co/docs/api/doc/cloud-enterprise/) and for the proxy layer that routes user requests to clusters of all versions. Internally, our administrative services also ensure transport-level encryption.
 
 
-## Attack vectors versus separation of roles [ece-securing-vectors] 
+### Attack vectors versus separation of roles [ece-securing-vectors] 
 
 As covered in [Separation of Roles](../deploy/cloud-enterprise/ece-roles.md), it is important to not mix certain roles in a production environment.
 
@@ -53,13 +55,10 @@ Elastic Cloud Enterprise is designed to ensure that an allocator has access only
 
 Security comes in layers, and running separate services on separate infrastructure is the last layer of defense, on top of other security features like the JVM security manager, system call filtering, and running nodes in isolated containers with no shared secrets.
 
-## Hardware isolation
+
+### Hardware isolation
 $$$ece_clusters_share_the_same_resources$$$
 
 The Elasticsearch clusters you create on Elastic Cloud Enterprise share the same resources. It is currently not possible to run a specific cluster on entirely dedicated hardware not shared by other clusters.
 
 
-## Next step: secure your deployments and clusters
-
-This section covered security principles and options at the environment level. You can take further measures individually for each deployment or cluster that you're running on this environment. Refer to [](secure-your-cluster-deployment.md).
-

deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/allow-x509-certificates-signed-with-sha-1.md

@@ -1,4 +1,7 @@
 ---
+applies_to:
+  deployment:
+    ece: ga
 mapped_pages:
   - https://www.elastic.co/guide/en/cloud-enterprise/current/ece-allow-x509-sha1.html
 ---

deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/configure-tls-version.md

@@ -1,4 +1,7 @@
 ---
+applies_to:
+  deployment:
+    ece: ga
 mapped_pages:
   - https://www.elastic.co/guide/en/cloud-enterprise/current/ece-configure-tls-version.html
 ---

deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md

@@ -1,4 +1,7 @@
 ---
+applies_to:
+  deployment:
+    ece: ga
 mapped_pages:
   - https://www.elastic.co/guide/en/cloud-enterprise/current/ece-manage-certificates.html
 ---

deploy-manage/security/secure-your-elastic-cloud-organization.md

@@ -22,14 +22,9 @@ As a managed service, Elastic automatically handles a [number of security featur
 
 To reinforce the security of your organization, consider implementing the following measures:
 
-- **Network security**. Control which systems can access your Elastic deployments and projects through traffic filtering and network controls:
-  - [**IP traffic filtering**](/deploy-manage/security/ip-traffic-filtering.md): Restrict access based on IP addresses or CIDR ranges.
-  - [**Private link filters**](/deploy-manage/security/private-link-traffic-filters.md): Secure connectivity through AWS PrivateLink, Azure Private Link, or GCP Private Service Connect.
-  - [**Static IPs**](/deploy-manage/security/elastic-cloud-static-ips.md): Use static IP addresses for predictable firewall rules. 
-- **Access control**
-  - [**Organization-level SSO**](/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md). Note that for {{ech}} deployments, you can also configure SSO at the [deployment level](/deploy-manage/users-roles/cluster-or-deployment-auth.md).
-  - [**Cloud role-based access control**](/deploy-manage/users-roles/cloud-organization/manage-users.md): Define the roles of users who have access to your organization and its resources. Note that for {{ech}} deployments, you can also [manage non-cloud users and roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md).
-  - [**Cloud API keys**](/deploy-manage/api-keys/elastic-cloud-api-keys.md): Manage API keys used for programmatic access to [{{ecloud}}](https://www.elastic.co/docs/api/doc/cloud/) and [{{ecloud}} serverless](https://www.elastic.co/docs/api/doc/elastic-cloud-serverless/) APIs.
+- [**Organization-level SSO**](/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md). Note that for {{ech}} deployments, you can also configure SSO at the [deployment level](/deploy-manage/users-roles/cluster-or-deployment-auth.md).
+- [**Cloud role-based access control**](/deploy-manage/users-roles/cloud-organization/manage-users.md): Define the roles of users who have access to your organization and its resources. Note that for {{ech}} deployments, you can also [manage non-cloud users and roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md).
+- [**Cloud API keys**](/deploy-manage/api-keys/elastic-cloud-api-keys.md): Manage API keys used for programmatic access to [{{ecloud}}](https://www.elastic.co/docs/api/doc/cloud/) and [{{ecloud}} serverless](https://www.elastic.co/docs/api/doc/elastic-cloud-serverless/) APIs.