[sec-guide] Edits to the compliance chap

1. Minor editorial changes to the compliance chapter
2. Also creates new 'case studies' folder and moves case
studies into the folder for appropriate reviews.

Change-Id: I3035510a6d66348fdd8ad3e6fce8f2133db7c744
Implements: blueprint sec-guide-overhaul

case-studies/compute-case-studies.rst

@@ -0,0 +1,69 @@
+============
+Case studies
+============
+
+Earlier in :doc:`../introduction/introduction-to-case-studies` we
+introduced the Alice and Bob case studies where Alice is deploying a
+private government cloud and Bob is deploying a public cloud each with
+different security requirements. Here we discuss how Alice and Bob
+would ensure that their instances are properly isolated. First we consider
+hypervisor selection, and then techniques for hardening QEMU and applying
+mandatory access controls.
+
+
+Alice's private cloud
+~~~~~~~~~~~~~~~~~~~~~
+
+Alice chooses Xen for the hypervisor in her cloud due to a strong internal
+knowledge base and a desire to use the Xen security modules (XSM) for
+fine-grained policy enforcement.
+
+Alice is willing to apply a relatively large amount of resources to software
+packaging and maintenance. She will use these resources to build a highly
+customized version of QEMU that has many components removed, thereby reducing
+the attack surface. She will also ensure that all compiler hardening options
+are enabled for QEMU. Alice accepts that these decisions will increase
+long-term maintenance costs.
+
+Alice writes XSM policies (for Xen) and SELinux policies (for Linux domain 0,
+and device domains) to provide stronger isolation between the instances. Alice
+also uses the Intel TXT support in Xen to measure the hypervisor launch in the
+TPM.
+
+She then ensures there are restrictive file permissions, such as 640, on all
+sensitive files, such as ``nova.conf``, and directories. After outlining
+a process for creating and updating 'golden images' that will be the templates
+for images, she also tests and then configures the ``AvailabilityZoneFilter``
+to enable regional zones, and the ``ServerGroupAffinityFilter`` with the
+``AggregateIoOps`` filters to distribute load across systems.
+
+
+Bob's public cloud
+~~~~~~~~~~~~~~~~~~
+
+Bob is very concerned about instance isolation since the users in a
+public cloud represent anyone with a credit card, meaning they are
+inherently untrusted. Bob has just started hiring the team that will
+deploy the cloud, so he can tailor his candidate search for specific
+areas of expertise. With this in mind, Bob chooses a hypervisor based on
+its technical features, certifications, and community support. KVM has
+an EAL 4+ common criteria rating, with a labeled security protection
+profile (LSPP) to provide added assurance for instance isolation. This,
+combined with the strong support for KVM within the OpenStack community
+drives Bob's decision to use KVM. Bob weighs the added cost of
+repackaging QEMU and decides that he cannot commit those resources to
+the project. Fortunately, his Linux distribution has already enabled the
+compiler hardening options, so he decides to use this QEMU package. Bob
+decides to use AppArmor to secure the hypervisor images due to their
+ease of use in a significantly large fleet. Bob considered using
+GRSecurity; however, it would have required significant time to tune all
+his applications to be properly covered by GRSecurity. Then, any
+applications he wanted to use in the future would need to be
+compatible as well.
+
+Bob also ensures that sensitive files and folders on hypervisors are
+owned by their respective services and have 640 permissions. Finally,
+Bob uses the ``AvailabilityZoneFilter`` to enable his regional zones and
+``JsonFilter`` to be able to add tenants through a JSON file as needed.
+He also tests his scheduler filters at scale so that he does not run
+into resource or filter issues.

security-guide/source/compliance.rst

@@ -32,4 +32,4 @@ This chapter has several objectives:
    compliance/compliance-activities.rst
    compliance/certification-and-compliance-statements.rst
    compliance/privacy.rst
-   compliance/case-studies.rst
+..   case-studies/compliance-case-studies.rst

security-guide/source/compliance/certification-and-compliance-statements.rst

@@ -11,8 +11,9 @@ standards.
 
 Commercial standards
 ~~~~~~~~~~~~~~~~~~~~
-For commercial deployments of OpenStack, it is recommended that SOC 1/2
-combined with ISO 2700 1/2 be considered as a starting point for
+
+For commercial deployments of OpenStack, we recommend SOC 1/2
+is combined with ISO 2700 1/2 to be considered as a starting point for
 OpenStack certification activities. The required security activities
 mandated by these certifications facilitate a foundation of security
 best practices and common control criteria that can assist in achieving
@@ -27,9 +28,10 @@ government may require FedRAMP/FISMA, and ITAR, certifications.
 
 SOC 1 (SSAE 16) / ISAE 3402
 ---------------------------
+
 Service Organization Controls (SOC) criteria are defined by the
 `American Institute of Certified Public
-Accountants <http://www.aicpa.org/>`__ (AICPA). SOC controls assess
+Accountants <http://www.aicpa.org/>`_ (AICPA). SOC controls assess
 relevant financial statements and assertions of a :term:`service provider`,
 such as compliance with the Sarbanes-Oxley Act. SOC 1 is a replacement for
 Statement on Auditing Standards No. 70 (SAS 70) Type II report. These
@@ -50,17 +52,18 @@ There are two types of SOC 1 reports:
 
 For more details see the `AICPA Report on Controls at a Service
 Organization Relevant to User Entities' Internal Control over Financial
-Reporting <http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/AICPASOC1Report.aspx>`__.
+Reporting <http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/AICPASOC1Report.aspx>`_.
 
 SOC 2
 -----
+
 Service Organization Controls (SOC) 2 is a self attestation of controls
 that affect the security, availability, and processing integrity of the
 systems a service organization uses to process users' data and the
 confidentiality and privacy of information processed by these system.
 Examples of users are those responsible for governance of the service
-organization; customers of the service organization; regulators;
-business partners; suppliers and others who have an understanding of the
+organization, customers of the service organization, regulators,
+business partners, suppliers, and others who have an understanding of the
 service organization and its controls.
 
 There are two types of SOC 2 reports:
@@ -79,10 +82,11 @@ There are two types of SOC 2 reports:
 For more details see the `AICPA Report on Controls at a Service
 Organization Relevant to Security, Availability, Processing Integrity,
 Confidentiality or
-Privacy <http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/AICPASOC2Report.aspx>`__.
+Privacy <http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/AICPASOC2Report.aspx>`_.
 
 SOC 3
 -----
+
 Service Organization Controls (SOC) 3 is a trust services report for
 service organizations. These reports are designed to meet the needs of
 users who want assurance on the controls at a service organization
@@ -96,10 +100,11 @@ Confidentiality, and Privacy. Because they are general use reports, SOC
 3 Reports can be freely distributed or posted on a website as a seal.
 
 For more details see the `AICPA Trust Services Report for Service
-Organizations <http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/AICPASOC3Report.aspx>`__.
+Organizations <http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/AICPASOC3Report.aspx>`_.
 
 ISO 27001/2
 -----------
+
 The ISO/IEC 27001/2 standards replace BS7799-2, and are specifications
 for an Information Security Management System (ISMS). An ISMS is a
 comprehensive set of policies and processes that an organization creates
@@ -108,10 +113,11 @@ based upon the confidentiality, integrity, and availability (CIA) of
 user information. The CIA security triad has been used as a foundation
 for much of the chapters in this book.
 
-For more details see `ISO 27001 <http://www.27000.org/iso-27001.htm>`__.
+For more details see `ISO 27001 <http://www.27000.org/iso-27001.htm>`_.
 
 HIPAA / HITECH
 --------------
+
 The Health Insurance Portability and Accountability Act (HIPAA) is a
 United States congressional act that governs the collection, storage,
 use and destruction of patient health records. The act states that
@@ -122,7 +128,7 @@ encryption for data 'at-rest' and 'inflight' should be addressed.
 HIPAA is not a certification, rather a guide for protecting healthcare
 data. Similar to the PCI-DSS, the most important issues with both PCI
 and HIPPA is that a breach of credit card information, and health data,
-does not occur. In the instance of a breach the cloud provider will be
+does not occur. In the instance of a breach, the cloud provider will be
 scrutinized for compliance with PCI and HIPPA controls. If proven
 compliant, the provider can be expected to immediately implement
 remedial controls, breach notification responsibilities, and significant
@@ -133,15 +139,15 @@ merchant ID (PCI), and massive reputation impact.
 Users or organizations that possess PHI must support HIPAA requirements
 and are HIPAA covered entities. If an entity intends to use a service,
 or in this case, an OpenStack cloud that might use, store or have access
-to that PHI, then a Business Associate Agreement must be signed. The BAA
-is a contract between the HIPAA covered entity and the OpenStack service
-provider that requires the provider to handle that PHI in accordance
+to that PHI, then a Business Associate Agreement (BAA) must be signed.
+The BAA is a contract between the HIPAA covered entity and the OpenStack
+service provider that requires the provider to handle that PHI in accordance
 with HIPAA requirements. If the service provider does not handle the
 PHI, such as with security controls and hardening, then they are subject
 to HIPAA fines and penalties.
 
 OpenStack architects interpret and respond to HIPAA statements, with
-data encryption remaining a core practice. Currently this would require
+data encryption remaining a core practice. Currently, this would require
 any protected health information contained within an OpenStack
 deployment to be encrypted with industry standard encryption algorithms.
 Potential future OpenStack projects such as object encryption will
@@ -149,10 +155,11 @@ facilitate HIPAA guidelines for compliance with the act.
 
 For more details see the `Health Insurance Portability And
 Accountability
-Act <https://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/downloads/HIPAALaw.pdf>`__.
+Act <https://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/downloads/HIPAALaw.pdf>`_.
 
 PCI-DSS
 -------
+
 The Payment Card Industry Data Security Standard (PCI DSS) is defined by
 the Payment Card Industry Standards Council, and created to increase
 controls around card holder data to reduce credit card fraud. Annual
@@ -161,7 +168,7 @@ Assessor (QSA) who creates a Report on Compliance (ROC), or by a
 Self-Assessment Questionnaire (SAQ) dependent on volume of card-holder
 transactions.
 
-OpenStack deployments which stores, processes, or transmits payment card
+OpenStack deployments that store, process, or transmit payment card
 details are in scope for the PCI-DSS. All OpenStack components that are
 not properly segmented from systems or networks that handle payment data
 fall under the guidelines of the PCI-DSS. Segmentation in the context of
@@ -169,15 +176,16 @@ PCI-DSS does not support multi-tenancy, but rather physical separation
 (host/network).
 
 For more details see `PCI security
-standards <https://www.pcisecuritystandards.org/security_standards/>`__.
+standards <https://www.pcisecuritystandards.org/security_standards/>`_.
 
 Government standards
 ~~~~~~~~~~~~~~~~~~~~
 
 FedRAMP
 -------
+
 "The `Federal Risk and Authorization Management
-Program <http://www.fedramp.gov>`__ (FedRAMP) is a government-wide
+Program <http://www.fedramp.gov>`_ (FedRAMP) is a government-wide
 program that provides a standardized approach to security assessment,
 authorization, and continuous monitoring for cloud products and
 services". NIST 800-53 is the basis for both FISMA and FedRAMP which
@@ -190,6 +198,7 @@ For more details see `FedRAMP <http://www.gsa.gov/portal/category/102371>`_.
 
 ITAR
 ----
+
 The International Traffic in Arms Regulations (ITAR) is a set of United
 States government regulations that control the export and import of
 defense-related articles and services on the United States Munitions
@@ -206,6 +215,7 @@ For more details see
 
 FISMA
 -----
+
 The Federal Information Security Management Act requires that government
 agencies create a comprehensive plan to implement numerous government
 security standards, and was enacted within the E-Government Act of 2002.

security-guide/source/compliance/compliance-activities.rst

@@ -3,17 +3,18 @@ Compliance activities
 =====================
 
 There are a number of standard activities that will greatly assist with
-the compliance process. In this chapter we outline some of the most
+the compliance process. This chapter outlines some of the most
 common compliance activities. These are not specific to OpenStack,
-however we provide references to relevant sections in this book as
+however references are provided to relevant sections in this book as
 useful context.
 
 Information Security Management system (ISMS)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
 An Information Security Management System (ISMS) is a comprehensive set
 of policies and processes that an organization creates and maintains to
 manage risk to information assets. The most common ISMS for cloud
-deployments is `ISO/IEC 27001/2 <http://www.27000.org/iso-27001.htm>`__,
+deployments is `ISO/IEC 27001/2 <http://www.27000.org/iso-27001.htm>`_,
 which creates a solid foundation of security controls and practices for
 achieving more stringent compliance certifications. This standard was
 updated in 2013 to reflect the growing use of cloud services and places
@@ -22,17 +23,19 @@ ISMS is performing.
 
 Risk assessment
 ~~~~~~~~~~~~~~~
+
 A risk assessment framework identifies risks within an organization or
 service, and specifies ownership of these risks, along with
 implementation and mitigation strategies. Risks apply to all areas of
 the service, from technical controls to environmental disaster scenarios
-and human elements, for example a malicious insider (or rogue employee).
-Risks can be rated using a variety of mechanisms, for example likelihood
-vs impact. An OpenStack deployment risk assessment can include control
-gaps that are described in this book.
+and human elements. For example, a malicious insider.
+Risks can be rated using a variety of mechanisms. For example, likelihood
+versus impact. An OpenStack deployment risk assessment can include control
+gaps.
 
 Access and log reviews
 ~~~~~~~~~~~~~~~~~~~~~~
+
 Periodic access and log reviews are required to ensure authentication,
 authorization, and accountability in a service deployment. Specific
 guidance for OpenStack on these topics are discussed in-depth in
@@ -47,15 +50,16 @@ information, see the
 
 Backup and disaster recovery
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
 Disaster Recovery (DR) and Business Continuity Planning (BCP) plans are
 common requirements for ISMS and compliance activities. These plans must
-be periodically tested as well as documented. In OpenStack key areas are
+be periodically tested as well as documented. In OpenStack, key areas are
 found in the management security domain, and anywhere that single points
-of failure (SPOFs) can be identified. See the section on secure backup
-and recovery for additional details.
+of failure (SPOFs) can be identified.
 
 Security training
 ~~~~~~~~~~~~~~~~~
+
 Annual, role-specific, security training is a mandatory requirement for
 almost all compliance certifications and attestations. To optimize the
 effectiveness of security training, a common method is to provide role
@@ -65,9 +69,10 @@ training based on this hardening guide would be ideal.
 
 Security reviews
 ~~~~~~~~~~~~~~~~
+
 As OpenStack is a popular open source project, much of the codebase and
 architecture has been scrutinized by individual contributors,
-organizations and enterprises. This can be advantageous from a security
+organizations, and enterprises. This can be advantageous from a security
 perspective, however the need for security reviews is still a critical
 consideration for service providers, as deployments vary, and security
 is not always the primary concern for contributors. A comprehensive
@@ -75,11 +80,12 @@ security review process may include architectural review, threat
 modeling, source code analysis and penetration testing. There are many
 techniques and recommendations for conducting security reviews that can
 be found publicly posted. A well-tested example is the `Microsoft
-SDL <http://www.microsoft.com/security/sdl/process/release.aspx>`__,
+SDL <http://www.microsoft.com/security/sdl/process/release.aspx>`_,
 created as part of the Microsoft Trustworthy Computing Initiative.
 
 Vulnerability management
 ~~~~~~~~~~~~~~~~~~~~~~~~
+
 Security updates are critical to any IaaS deployment, whether private or
 public. Vulnerable systems expand attack surfaces, and are obvious
 targets for attackers. Common scanning technologies and vulnerability
@@ -87,24 +93,24 @@ notification services can help mitigate this threat. It is important
 that scans are authenticated and that mitigation strategies extend
 beyond simple perimeter hardening. Multi-tenant architectures such as
 OpenStack are particularly prone to hypervisor vulnerabilities, making
-this a critical part of the system for vulnerability management. See the
-section on instance isolation for additional details.
+this a critical part of the system for vulnerability management.
 
 Data classification
 ~~~~~~~~~~~~~~~~~~~
+
 Data Classification defines a method for classifying and handling
 information, often to protect customer information from accidental or
-deliberate theft, loss, or inappropriate disclosure. Most commonly this
+deliberate theft, loss, or inappropriate disclosure. Most commonly, this
 involves classifying information as sensitive or non-sensitive, or as
 personally identifiable information (PII). Depending on the context of
 the deployment various other classifying criteria may be used
-(government, health-care etc). The underlying principle is that data
+(government, health-care). The underlying principle is that data
 classifications are clearly defined and in-use. The most common
 protective mechanisms include industry standard encryption technologies.
-See the data security section for additional details.
 
 Exception process
 ~~~~~~~~~~~~~~~~~
+
 An exception process is an important component of an ISMS. When certain
 actions are not compliant with security policies that an organization
 has defined, they must be logged. Appropriate justification, description

security-guide/source/compliance/overview.rst

@@ -4,6 +4,7 @@ Compliance overview
 
 Security principles
 ~~~~~~~~~~~~~~~~~~~
+
 Industry standard security principles provide a baseline for compliance
 certifications and attestations. If these principles are considered and
 referenced throughout an OpenStack deployment, certification activities
@@ -25,15 +26,17 @@ protection and minimize exposure.
 
 Fail securely
 -------------
+
 In the case of failure, systems should be configured to fail into a
 closed secure state. For example, TLS certificate verification should
-fail closed by severing the network connection if the CNAME doesn't
+fail closed by severing the network connection if the CNAME does not
 match the server's DNS name. Software often fails open in this
 situation, allowing the connection to proceed without a CNAME match,
 which is less secure and not recommended.
 
 Least privilege
 ---------------
+
 Only the minimum level of access for users and system services is
 granted. This access is based upon role, responsibility and job
 function. This security principle of least privilege is written into
@@ -42,6 +45,7 @@ Section AC-6 within the United States.
 
 Compartmentalize
 ----------------
+
 Systems should be segregated in such a way that if one machine, or
 system-level service, is compromised the security of the other systems
 will remain intact. Practically, the enablement and proper usage of
@@ -49,24 +53,26 @@ SELinux helps accomplish this goal.
 
 Promote privacy
 ----------------
+
 The amount of information that can be gathered about a system and its
 users should be minimized.
 
 Logging capability
 ------------------
+
 Appropriate logging is implemented to monitor for unauthorized use,
-incident response and forensics. It is highly recommended that selected
+incident response and forensics. We highly recommend selected
 audit subsystems be Common Criteria certified, which provides
 non-attestable event records in most countries.
 
 Common control frameworks
 ~~~~~~~~~~~~~~~~~~~~~~~~~
+
 The following is a list of Control Frameworks that an organization can
 use to build their security controls.
 
-
 `Cloud Security Alliance (CSA) Common Control Matrix
-(CCM) <https://cloudsecurityalliance.org/media/news/csa-releases-new-ccm-caiq-v3-0-1/>`__
+(CCM) <https://cloudsecurityalliance.org/media/news/csa-releases-new-ccm-caiq-v3-0-1/>`_
 
 The CSA CCM is specifically designed to provide fundamental security
 principles to guide cloud vendors and to assist prospective cloud
@@ -85,7 +91,7 @@ operational risk management, and seeks to normalize security
 expectations, cloud taxonomy and terminology, and security measures
 implemented in the cloud.
 
-`ISO 27001/2:2013 <http://www.27000.org/iso-27001.htm>`__
+`ISO 27001/2:2013 <http://www.27000.org/iso-27001.htm>`_
 
 The ISO 27001 Information Security standard and certification has been
 used for many years to evaluate and distinguish an organizations
@@ -100,7 +106,7 @@ a risk management process and gives confidence to interested parties
 that risks are adequately managed.
 
 `Trusted Security
-Principles <http://www.aicpa.org/interestareas/informationtechnology/resources/soc/trustservices/pages/trust%20services%20principles—an%20overview.aspx>`__
+Principles <http://www.aicpa.org/interestareas/informationtechnology/resources/soc/trustservices/pages/trust%20services%20principles—an%20overview.aspx>`_
 
 Trust Services are a set of professional attestation and advisory
 services based on a core set of principles and criteria that address

security-guide/source/compliance/privacy.rst

@@ -12,23 +12,23 @@ an organization's Privacy Policy, with the U.S.-E.U. Safe Harbor
 framework, the ISO/IEC 29100:2011 privacy framework or with other
 privacy-specific guidelines. In the U.S. the AICPA has `defined 10
 privacy areas of
-focus <http://www.aicpa.org/interestareas/informationtechnology/resources/privacy/generallyacceptedprivacyprinciples/>`__,
+focus <http://www.aicpa.org/interestareas/informationtechnology/resources/privacy/generallyacceptedprivacyprinciples/>`_,
 OpenStack deployments within a commercial environment may desire to
 attest to some or all of these principles.
 
-To aid OpenStack architects in the protection of personal data, it is
-recommended that OpenStack architects review the NIST publication
+To aid OpenStack architects in the protection of personal data, we
+recommend OpenStack architects review the NIST publication
 800-122, titled "*Guide to Protecting the Confidentiality of Personally
 Identifiable Information (PII)*." This guide steps through the process
 of protecting:
 
-   "any information about an individual maintained by an agency,
+   "... any information about an individual maintained by an agency,
    including (1) any information that can be used to distinguish or
    trace an individual's identity, such as name, social security
    number, date and place of birth, mother's maiden name, or biometric
    records; and (2) any other information that is linked or linkable to
    an individual, such as medical, educational, financial, and
-   employment information"
+   employment information..."
 
 Comprehensive privacy management requires significant preparation,
 thought and investment. Additional complications are introduced when

security-guide/source/compliance/understanding-the-audit-process.rst

@@ -49,14 +49,14 @@ additionally a number of external entities provide comprehensive lists.
 The following are some examples:
 
 The `Cloud Security Alliance Cloud Controls
-Matrix <https://cloudsecurityalliance.org/group/cloud-controls-matrix/>`__ (CCM)
+Matrix <https://cloudsecurityalliance.org/group/cloud-controls-matrix/>`_ (CCM)
 assists both cloud providers and consumers in assessing the overall
 security of a cloud provider. The CSA CMM provides a controls framework
 that map to many industry-accepted standards and regulations including
 the ISO 27001/2, ISACA, COBIT, PCI, NIST, Jericho Forum and NERC CIP.
 
 The `SCAP Security
-Guide <https://fedorahosted.org/scap-security-guide/>`__ is another
+Guide <https://fedorahosted.org/scap-security-guide/>`_ is another
 useful reference. This is still an emerging source, but we anticipate
 that this will grow into a tool with controls mappings that are more
 focused on the US federal government certifications and recommendations.
@@ -88,7 +88,7 @@ note that the auditors will use a two part process for evaluating the controls
 in place. The first part is evaluating the design effectiveness of the
 control. This is where the auditor will evaluate whether the control is
 capable of effectively preventing or detecting and correcting weaknesses and
-deficiencies. A control must "pass" this test to be evaluated in the second
+deficiencies. A control must pass this test to be evaluated in the second
 phase. This is because with a control that is designed ineffectually, there
 is no point considering whether it is operating effectively. The second part
 is operational effectiveness. Operational effectiveness testing will determine
@@ -170,11 +170,11 @@ audit preparation is so important.
 Compliance maintenance
 ~~~~~~~~~~~~~~~~~~~~~~
 
-The process doesn't end with a single external audit. Most
+The process does not end with a single external audit. Most
 certifications require continual compliance activities which means
 repeating the audit process periodically. We recommend integrating
 automated compliance verification tools into a cloud to ensure that it
 is compliant at all times. This should be in done in addition to other
-security monitoring tools. Remember that the goal is both security *and*
+security monitoring tools. Remember that the goal is both security and
 compliance. Failing on either of these fronts will significantly
 complicate future audits.

security-guide/source/dashboard.rst

@@ -29,5 +29,5 @@ The Dashboard ships with default security settings, and has
    dashboard/cookies.rst
    dashboard/cross-origin-resource-sharing-cors.rst
    dashboard/debug.rst
-   dashboard/case-studies.rst
    dashboard/checklist.rst
+.. case-studies/dashboard-case-studies.rst

security-guide/source/data-processing.rst

@@ -18,4 +18,4 @@ transient groups created for a single workload.
    data-processing/introduction-to-data-processing.rst
    data-processing/deployment.rst
    data-processing/configuration-and-hardening.rst
-   data-processing/case-studies.rst
+.. case-studies/data-processing-case-studies.rst

security-guide/source/databases.rst

@@ -18,4 +18,4 @@ The Security Guide currently focuses on PostgreSQL and MySQL.
    databases/database-backend-considerations.rst
    databases/database-access-control.rst
    databases/database-transport-security.rst
-   databases/case-studies.rst
+.. case-studies/database-case-studies.rst

security-guide/source/documentation.rst

@@ -14,4 +14,4 @@ information up-to-date.
    :maxdepth: 2
 
    documentation/system-documentation-requirements.rst
-   documentation/case-studies.rst
+.. case-studies/documentation-case-studies.rst

security-guide/source/identity.rst

@@ -22,5 +22,5 @@ Documentation <https://docs.openstack.org/developer/keystone/index.html>`_.
    identity/tokens.rst
    identity/domains.rst
    identity/federated-keystone.rst
-   identity/case-studies.rst
    identity/checklist.rst
+.. case-studies/identity-case-studies.rst

security-guide/source/instance-management.rst

@@ -34,4 +34,4 @@ following additional security services:
    :maxdepth: 2
 
    instance-management/security-services-for-instances.rst
-   instance-management/case-studies.rst
+.. case-studies/instance-management-case-studies.rst

security-guide/source/management.rst

@@ -25,4 +25,4 @@ control facilities are understood and secured.
    management/continuous-systems-management.rst
    management/integrity-life-cycle.rst
    management/management-interfaces.rst
-   management/case-studies.rst
+.. case-studies/management-case-studies.rst

security-guide/source/messaging.rst

@@ -38,4 +38,4 @@ operator has secured them.
    :maxdepth: 2
 
    messaging/security.rst
-   messaging/case-studies.rst
+.. case-studies/messaging-case-studies.rst

security-guide/source/monitoring-logging.rst

@@ -18,4 +18,4 @@ collections of logs is well covered in the `OpenStack Operations Guide
    :maxdepth: 2
 
    monitoring-logging/forensics-and-incident-response.rst
-   monitoring-logging/case-studies.rst
+.. case-studies/monitoring-logging-case-studies.rst

security-guide/source/networking.rst

@@ -29,5 +29,5 @@ should be considered when implementing OpenStack Networking.
    networking/services.rst
    networking/securing-services.rst
    networking/services-security-best-practices.rst
-   networking/case-studies.rst
    networking/checklist.rst
+.. case-studies/networking-case-studies.rst

security-guide/source/secure-communication.rst

@@ -23,4 +23,4 @@ attention.
    secure-communication/introduction-to-ssl-and-tls.rst
    secure-communication/tls-proxies-and-http-services.rst
    secure-communication/secure-reference-architectures.rst
-   secure-communication/case-studies.rst
+.. case-studies/secure-communication-case-studies.rst

security-guide/source/tenant-data.rst

@@ -15,4 +15,4 @@ implementations.
    tenant-data/data-privacy-concerns.rst
    tenant-data/data-encryption.rst
    tenant-data/key-management.rst
-   tenant-data/case-studies.rst
+.. case-studies/tenant-data-case-studies.rst