identity ideas: How to cope with digital identities. By André Koot (http://www.blogger.com/profile/16204828200814835798). Feed last updated 2024-03-13T04:34:51.708+01:00.

Internet voting (published 2020-06-12T10:34:00.001+02:00, updated 2020-06-12T10:34:52.271+02:00)

<div>Gene Spafford is one of my old security heroes. As you may know, not having an ICT background, I'm not an expert in technical IT security, but what I learned about Unix and Internet security I learned from <a href="https://www.amazon.com/Practical-Unix-Internet-Security-3rd/dp/0596003234/ref=sr_1_1?dchild=1&keywords=gene+spafford+security&qid=1591949277&s=books&sr=1-1-catcorr">Simson and Spafford</a> (a great introduction to security, also for Windows users...).</div>
<div><br /></div>
<div>And if he speaks, you need to listen. This time he spoke about Internet Voting, the occasion being the US presidential primary elections. There are lots of voices claiming that Internet Voting is essential for democracy. Spaf is cautious, and with good reason: as he shows, the technology is not stable and secure enough to support free elections; there are too many obstacles from a technology point of view. No, not even blockchain will make it secure enough. Here's the link to the <a href="https://www.darkreading.com/risk/qanda-eugene-spafford-on-the-risks-of-internet-voting/d/d-id/1338011">interview with Spaf</a>. And to all politicians: this expert knows more about security than all of you combined.</div>
<div><br /></div>
<div>Why this post, if I can just point to the interview?</div>
<div>Well, first, the aspect of identity was not mentioned, and we should of course touch on that as well. And second, this is a global topic, not one that just covers the US primaries.</div>
<div><br /></div>
<div>Even though elections are anonymous, anonymity only extends to</div>
<ul><li>the knowledge of who voted for whom</li><li>the knowledge of who voted</li></ul>
<div>Those are the only anonymity requirements. The latter may not even be required if voting is mandatory by law, but then again, even in that case privacy may be relevant and anonymity may extend to that topic as well.</div>
<div><br /></div>
<div>But the eligibility to vote, the justification for casting a vote, does require knowledge of the voter:</div>
<ul><li>you are only allowed to vote if, according to legislation, you are considered to be a voter</li><li>you can only vote once</li><li>unless you have a uniquely identified mandate from another voter</li></ul>
<div>And this is where Internet Voting is hurt even more than by the technology part alone.</div>
<div><br /></div>
<div>In order to make Internet Voting possible, these requirements have to be met:</div>
<ul><li>you need to have a trusted identity</li><li>an identity that is recognized in a 'voter directory'</li><li>there must be a transaction log to prevent multiple voting by one identity</li><li>there must be a mandate register, to enable mandated unique votes</li></ul>
<div>Just imagine the first requirement in relation to Internet Voting.</div>

Password non-compliancy (published 2019-05-22T13:18:00.000+02:00, updated 2019-05-22T13:21:11.945+02:00)

Google reported that for 14 years passwords for G Suite have been <a href="https://cloud.google.com/blog/products/g-suite/notifying-administrators-about-unhashed-password-storage">stored in a less than secure way</a>: "<i>We made an error when implementing this functionality back in 2005</i>". Interesting. Now how about compliancy?<br />
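Returning to the Internet voting post above: its four requirements (trusted identity, voter directory, transaction log, mandate register) sit on the side that must know who is voting, while the ballot's content must stay unlinkable from that identity. The model below is an added example of my own, not code from the post or from any election system; the voters, the mandate, and the HMAC-signed ballot tokens are constructed sample data.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class EligibilityService:
    """Knows WHO is voting: the voter directory, mandate register and
    transaction log live here. It never sees a ballot's content."""
    voter_directory: set            # trusted identities recognised as voters (constructed)
    mandate_register: dict          # principal -> the one identity mandated to vote for them
    signing_key: bytes              # shared only with the ballot box
    transaction_log: set = field(default_factory=set)  # principals already issued a ballot

    def request_ballot(self, identity, on_behalf_of=None):
        """Check eligibility, log the principal once, hand out an unlinkable token."""
        if identity not in self.voter_directory:
            raise PermissionError(f"{identity}: not in the voter directory")
        principal = identity
        if on_behalf_of is not None:
            # A mandate is uniquely identified: exactly one proxy per principal.
            if self.mandate_register.get(on_behalf_of) != identity:
                raise PermissionError(f"{identity}: no mandate from {on_behalf_of}")
            if on_behalf_of not in self.voter_directory:
                raise PermissionError(f"{on_behalf_of}: not in the voter directory")
            principal = on_behalf_of
        if principal in self.transaction_log:
            raise PermissionError(f"{principal}: a ballot was already issued")
        self.transaction_log.add(principal)
        # The token is random, so nothing in it points back to the identity;
        # the MAC lets the ballot box check it was issued here and not forged.
        nonce = secrets.token_hex(16)
        tag = hmac.new(self.signing_key, nonce.encode(), hashlib.sha256).hexdigest()
        return f"{nonce}.{tag}"


@dataclass
class BallotBox:
    """Knows WHAT was voted but not by whom: it only ever sees tokens."""
    signing_key: bytes
    ballots: dict = field(default_factory=dict)   # nonce -> choice

    def cast(self, token, choice):
        nonce, _, tag = token.partition(".")
        expected = hmac.new(self.signing_key, nonce.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("token was not issued by the eligibility service")
        if nonce in self.ballots:
            raise PermissionError("token has already been used")
        self.ballots[nonce] = choice

    def tally(self):
        counts = {}
        for choice in self.ballots.values():
            counts[choice] = counts.get(choice, 0) + 1
        return counts


def run_demo():
    """Constructed scenario: three voters, one mandate, and the misuse cases
    each register is there to stop. Returns (tally, refusal messages)."""
    key = secrets.token_bytes(32)
    eligibility = EligibilityService(
        voter_directory={"alice", "bob", "carol"},
        mandate_register={"carol": "bob"},     # carol mandated bob to vote for her
        signing_key=key,
    )
    box = BallotBox(signing_key=key)
    refused = []

    alice_token = eligibility.request_ballot("alice")
    box.cast(alice_token, "yes")
    box.cast(eligibility.request_ballot("bob"), "no")
    box.cast(eligibility.request_ballot("bob", on_behalf_of="carol"), "yes")

    for identity, principal in [
        ("alice", None),        # alice asks for a second ballot
        ("bob", "carol"),       # the mandate has already been used
        ("alice", "carol"),     # alice holds no mandate from carol
        ("mallory", None),      # not a registered voter
    ]:
        try:
            eligibility.request_ballot(identity, on_behalf_of=principal)
        except PermissionError as exc:
            refused.append(str(exc))
    for token, choice in [
        (alice_token, "no"),                    # replay of a token already cast
        ("00" * 16 + "." + "00" * 32, "yes"),   # forged token with a bad MAC
    ]:
        try:
            box.cast(token, choice)
        except PermissionError as exc:
            refused.append(str(exc))
    return box.tally(), refused


if __name__ == "__main__":
    tally, refused = run_demo()
    print("tally:", tally)
    for reason in refused:
        print("refused:", reason)
```

The separation only holds if the two services are operated by different parties: a single operator running both could still correlate the order in which tokens were issued and cast, which is the kind of obstacle the interview warns about.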
<br />
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="371">
<w:LsdException Locked="false" Priority="0" QFormat="true" Name="Normal"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 1"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 2"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 3"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 4"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 5"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 6"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 7"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 8"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 9"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 1"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 2"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 3"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 4"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 5"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 6"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 7"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 8"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="header"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footer"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index heading"/>
<w:LsdException Locked="false" Priority="35" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="caption"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of figures"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope return"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="line number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="page number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of authorities"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="macro"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="toa heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 5"/>
<w:LsdException Locked="false" Priority="10" QFormat="true" Name="Title"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Closing"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Signature"/>
<w:LsdException Locked="false" Priority="1" SemiHidden="true"
UnhideWhenUsed="true" Name="Default Paragraph Font"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Message Header"/>
<w:LsdException Locked="false" Priority="11" QFormat="true" Name="Subtitle"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Salutation"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Date"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Block Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Hyperlink"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="FollowedHyperlink"/>
<w:LsdException Locked="false" Priority="22" QFormat="true" Name="Strong"/>
<w:LsdException Locked="false" Priority="20" QFormat="true" Name="Emphasis"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Document Map"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Plain Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="E-mail Signature"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Top of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Bottom of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal (Web)"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Acronym"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Cite"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Code"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Definition"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Keyboard"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Preformatted"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Sample"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Typewriter"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Variable"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Table"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation subject"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="No List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Contemporary"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Elegant"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Professional"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Balloon Text"/>
<w:LsdException Locked="false" Priority="39" Name="Table Grid"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Theme"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" QFormat="true"
Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" QFormat="true"
Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" QFormat="true"
Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" QFormat="true"
Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" QFormat="true"
Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" QFormat="true"
Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" SemiHidden="true"
UnhideWhenUsed="true" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="TOC Heading"/>
<w:LsdException Locked="false" Priority="41" Name="Plain Table 1"/>
<w:LsdException Locked="false" Priority="42" Name="Plain Table 2"/>
<w:LsdException Locked="false" Priority="43" Name="Plain Table 3"/>
<w:LsdException Locked="false" Priority="44" Name="Plain Table 4"/>
<w:LsdException Locked="false" Priority="45" Name="Plain Table 5"/>
<w:LsdException Locked="false" Priority="40" Name="Grid Table Light"/>
<w:LsdException Locked="false" Priority="46" Name="Grid Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="Grid Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="Grid Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 2"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<![endif]-->Below is an incomplete overview of laws, regulations and standards that set requirements for authentication practices such as password storage. Measured against them, Google, and with it its G Suite customers, look non-compliant...<br />
<br />
<div><b>International</b></div>
<ul>
<li>ISO 27001 / 27002, chapter 9 (access control)</li>
<li>ISO 27017, chapter 9</li>
</ul>
<div><b>EU</b></div>
<ul>
<li>GDPR Article 32, 'security of processing' (appropriate technical and organisational measures)</li>
<li>ENISA IAF 6, R-11 SO11</li>
<li>PSD2, Strong Customer Authentication</li>
<li>eIDAS safeguard S 2.11</li>
</ul>
<div><b>France</b></div>
<ul>
<li>SecNumCloud 9.5.a</li>
</ul>
<div><b>Germany</b></div>
<ul>
<li>BSI C5 IDM-11</li>
</ul>
<div><b>US</b></div>
<ul>
<li>SOX Section 404</li>
<li>NIST SP 800-53 R3</li>
<li>NIST SP 800-63B</li>
<li>US DoD Instruction 8500.2</li>
<li>Army Regulation 25-2</li>
<li>GLBA, Gramm-Leach-Bliley Act</li>
<li>CJIS, Criminal Justice Information Services Security Policy</li>
<li>COPPA, 16 CFR Part 312</li>
<li>ITAR 22 CFR 120.17, EAR 15 CFR 736.2 (export regulations)</li>
</ul>
<div><b>California</b></div>
<ul>
<li>Information Privacy: Connected Devices (SB-327)</li>
</ul>
<div><b>Canada</b></div>
<ul>
<li>PIPEDA Section 5</li>
</ul>
<div><b>Ontario</b></div>
<ul>
<li>GO-ITS 25 3.1</li>
</ul>
<div><b>India</b></div>
<ul>
<li>Information Technology Act</li>
</ul>
<div><b>Australia</b></div>
<ul>
<li>Protective Security Policy Framework</li>
</ul>
<div><b>New Zealand</b></div>
<ul>
<li>NZISM 5.2.3 and 16.1</li>
</ul>
<div><b>Industry specific regulations</b></div>
<ul>
<li>PCI DSS requirements 3, 7, 8 and 12</li>
<li>HIPAA, 45 CFR Part 164</li>
<li>NERC (North American Electric Reliability Corporation) CIP-007-3</li>
</ul>
<div><b>Best practices</b></div>
<ul>
<li>OWASP Password Storage Cheat Sheet</li>
<li>SANS Password Construction Guidelines</li>
<li>CSA CCM IS-07</li>
<li>AICPA SOC 2, S3.2.0</li>
<li>BITS AUP & SIG v6</li>
<li>COBIT DS05</li>
<li>HITRUST 01.a</li>
<li>xkcd 936</li>
</ul>
<br />
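The OWASP item in the list is the one that spells out how passwords should be stored: salted, with a deliberately slow hash, never in a recoverable form. As an added example that is not from the original post and not Google's code, the following Python (standard library only, Python 3.6 or later with OpenSSL scrypt support) shows that storage format, verification with a constant-time compare, and the check a reviewer could run over a credential table to find records that are not stored that way. The scrypt parameters, the `scrypt$N$r$p$salt$hash` record layout and the sample usernames are assumptions made for the example; none of the standards above prescribe them.

```python
"""Salted, memory-hard password storage plus a storage audit (added example)."""
import base64
import binascii
import hashlib
import hmac
import os
from typing import Iterable, List, Optional, Tuple

# Assumed scrypt parameters for the example: N=2**14, r=8, p=1 keeps memory use
# around 16 MiB so it runs anywhere; production deployments should raise N to the
# cost their login path can afford.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DKLEN = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$<salt>$<hash> (base64 parts).

    Storing the parameters next to the hash lets them be raised later without
    breaking verification of records written with the old values.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(digest)}"


def parse_record(record: str) -> Optional[Tuple[int, int, int, bytes, bytes]]:
    """Split a stored record into (N, r, p, salt, hash); None if it is not one."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return None
    try:
        n, r, p = (int(x) for x in parts[1:4])
        salt = base64.b64decode(parts[4], validate=True)
        digest = base64.b64decode(parts[5], validate=True)
    except (ValueError, binascii.Error):
        return None
    return n, r, p, salt, digest


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    parsed = parse_record(record)
    if parsed is None:
        return False
    n, r, p, salt, expected = parsed
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def audit_credential_store(records: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the usernames whose stored credential is not a hashed record.

    Anything that does not parse as scrypt$N$r$p$salt$hash is treated as
    plaintext or reversibly encoded, i.e. the storage the post calls non-compliant.
    """
    return [user for user, stored in records if parse_record(stored) is None]


if __name__ == "__main__":
    # Constructed sample table: one hashed record, one plaintext credential.
    table = [("alice", hash_password("correct horse battery staple")),
             ("bob", "hunter2")]
    print("non-compliant records:", audit_credential_store(table))
```

The audit function is deliberately strict: it does not try to guess whether a value is "probably" a hash, it only accepts records in the one format the application writes. Anything else in the credential store is a finding to be explained, which is exactly the question the Google notice raises.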
<br />André Koothttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-74463420101863304512016-12-07T21:51:00.001+01:002016-12-07T21:51:34.687+01:00Ransomware incident analysis<br />
- Let's start with a disclaimer: I wrote this post a while back, but forgot to publish it, sorry... - <br />
<br />
Ransomware encrypted all of the New Jersey Spine Center's electronic health records. That's interesting news, and I don't believe the explanation in the <a href="http://www.njspinecenter.com/wp-content/uploads/2016/09/Press-Release-11.pdf">press release</a>. In my opinion they were not the victim of some advanced malware sample; they did not apply the correct basic security controls.<br />
<br />
Ransomware typically encrypts documents: Word, Excel and PowerPoint files and the like. Reading between the lines of the press release, it seems that the practice doesn't use a document management system, a content management system or a proper electronic health records system; it stores all data in files.<br />
Managing files is a big problem, and ransomware is just one aspect of it. If your account is compromised, the ransomware acts on your behalf and encrypts every document you have access to. Shared folders on a file system make this worse: the ransomware encrypts not only your own documents, but also every other document you are allowed to edit. The more permissions you have, the bigger the blast radius, and if your account is privileged the problem can become a catastrophe. This is least privilege in its most literal form: the damage is bounded by the write permissions of the compromised account.<br />
<br />
In this case there are more strange phenomena. According to the press release the malware used passwords that were stored in a file. Do I believe this? No way: the ransomware we know does not actively search for documents containing passwords and then use them to log in. Ransomware exploits the naivety of people by getting them to activate it. The only way stored passwords get reused by criminals is through a separate intrusion, for instance remotely hijacked sessions, and that is a different problem.<br />
<br />
The press release suggests that the antivirus software suddenly blocked the malware. That's not how it works. The more logical explanation is that the malware had been active for a while without anyone noticing. After an update of the antivirus signatures, the alerts showed the presence of the malware, and the protection software may then have blocked instances of the ransomware from staying active. That the malware was present for a long time can be inferred from the fact that even the backups were encrypted. In my opinion the backup software backed up the encrypted files onto the backup drive, overwriting the older, still-intact versions. That must have gone on for a while... Or there is no real backup system, and the files were simply copied to another file system on which the victims had too many permissions. Either way, a backup that the compromised account can overwrite is not a backup against ransomware; only versioned or offline copies are.<br />
<br />
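The two failure modes described above, a compromised account encrypting everything it can write to and the backup job copying the encrypted files over the good ones, suggest a simple guard in front of the backup run. The following Python is an added example, not code from the original post or from the practice involved: it flags files that carry a document extension but no longer start with that format's header, or that were renamed with an extra extension and are near-random, and it refuses to let a backup overwrite the previous copy when too large a share of the changed files look like that. The 7.5 bits-per-byte threshold, the 20% trip-wire, the magic-byte table and the sample files are assumptions constructed for the example.

```python
"""Ransomware guard for a backup job: header check, entropy fallback, trip-wire.

Added example. Files are modelled as (path, bytes) pairs so it runs offline; the
thresholds, the magic-byte table and the sample files are assumptions.
"""
import math
import os
from collections import Counter
from typing import Dict, List, Tuple

ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext and compressed data sit near 8.0
TRIP_RATIO = 0.2          # refuse the backup when more than 20% of changed files look encrypted

# Leading bytes of the document types ransomware goes after. OOXML is a zip
# container, legacy Office is an OLE2 compound file.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0", ".ppt": b"\xd0\xcf\x11\xe0",
    ".pdf": b"%PDF",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(path: str, data: bytes) -> str:
    """Return '' for a healthy file, otherwise a short reason it looks encrypted."""
    stem, ext = os.path.splitext(path.lower())
    if ext in MAGIC:
        # Known document type: trust the header, not the entropy. A real .docx is
        # zipped and legitimately near 8 bits/byte, so entropy alone would be a
        # false positive; a .docx without the zip header has been rewritten.
        return "" if data.startswith(MAGIC[ext]) else "document extension kept but format header missing"
    # Ransomware often appends its own extension: report.docx.locked. If the
    # inner name is a document type and the bytes are near-random, flag it.
    inner_ext = os.path.splitext(stem)[1]
    if inner_ext in MAGIC and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return f"renamed from {inner_ext} and near-random content"
    return ""


def scan(files: List[Tuple[str, bytes]]) -> Dict[str, str]:
    """Map each suspicious path to the reason it was flagged."""
    flagged = {}
    for path, data in files:
        reason = classify(path, data)
        if reason:
            flagged[path] = reason
    return flagged


def backup_guard(changed: List[Tuple[str, bytes]]) -> Dict[str, object]:
    """Decide whether a backup run may overwrite the previous copy.

    The failure mode in the post: the backup job faithfully copies encrypted
    files over the last good versions. Refusing to run when a large share of
    the changed set looks encrypted keeps the last good copy intact.
    """
    flagged = scan(changed)
    ratio = len(flagged) / len(changed) if changed else 0.0
    return {"proceed": ratio <= TRIP_RATIO, "ratio": ratio, "flagged": flagged}


# Constructed sample set; uniform bytes stand in for ciphertext (entropy 8.0).
CIPHERTEXT = bytes(range(256)) * 8
SAMPLE_FILES = [
    ("report.docx", b"PK\x03\x04" + CIPHERTEXT),   # genuine OOXML: zipped, high entropy, fine
    ("notes.txt", b"Patient intake checklist, v3.\n" * 40),
    ("budget.xlsx", CIPHERTEXT),                   # encrypted in place, name unchanged
    ("report.docx.locked", CIPHERTEXT),            # encrypted and renamed
]

if __name__ == "__main__":
    for path, reason in scan(SAMPLE_FILES).items():
        print(f"FLAG {path}: {reason}")
    verdict = backup_guard(SAMPLE_FILES)
    print("backup may proceed:", verdict["proceed"], f"({verdict['ratio']:.0%} flagged)")
```

The point of the header check is that entropy alone is the wrong signal for modern Office files: they are zip containers and sit near 8 bits per byte on their own, so the guard trusts the file header for known types and only falls back to entropy for files that were renamed. Running the block prints the two flagged files from the constructed set and a refusal to overwrite the backup.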
Why did I write this analysis? A while back I wrote a <a href="http://id-use.blogspot.fi/2015/03/beat-cryptolocker-ditch-documents.html">blog about ditching documents</a>. It may have been a creative way of solving the problem, but I feel it is valuable advice.<br />
In electronic health record systems and content management systems you don't manage documents; the content is stored in a database. Ransomware running under a user's account cannot encrypt the data in the database: the user's account has no direct write access to the database files, and abusing the database management system itself would require system-level authorizations. And no, I don't believe that ransomware cracks the system password; that would require knowledge of the system used and of the infrastructure it runs on. The caveat is that this only holds while the database server, its service account and its storage are kept out of reach of ordinary user accounts; a database whose files sit on a share every user can write to is just another set of documents.<br />
<br />
And by the way, ransomware doesn't happen all of a sudden. In cases like this it requires user interaction: users following infected links, visiting compromised websites or opening malicious documents.<br />
<a href="http://www.hipaajournal.com/new-jersey-spine-center-pays-ransom-to-unlock-ehrs-3612/">The practice paid the ransom</a> in order to get the keys to decrypt the data. Now they wait for the next instance of malware to infect more data.<br />
<br />
<br />André Koothttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-65342618634439213952016-12-07T17:51:00.000+01:002016-12-07T17:59:33.002+01:00Parts 3 and 4 of the blog series from RBAC to ABACThis year I joined the new Dutch subsidiary of Nixu Oyj, the Finnish cybersecurity company, as a security and IAM consultant. Nixu employs over 50 IAM consultants, so it feels like a great place to have conversations about digital identity, access control and to share knowledge. What better place to post my blogs?<br />
<br />
Parts 3 and 4 of my blog series about migrating from RBAC to ABAC have been published on the Nixu site:<br />
<br />
<a href="https://www.nixu.com/en/blog/2016-11/how-to-cope-with-digital-identities-migrating-from-rbac-to-abac-part-3">Part 3 About the need for dynamic access rules</a> <br />
<br />
<a href="https://www.nixu.com/en/blog/2016-11/how-to-cope-with-digital-identities-migrating-from-rbac-to-abac-part-4">Part 4 Using roles as attributes</a><br />
<br />
Enjoy these reads and feel free to contribute to the discussions!André Koothttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-53757233223357351052016-09-12T19:53:00.000+02:002016-09-12T19:59:28.057+02:00Migrating from RBAC to ABAC, part 2: Access control fundamentals<!--[if gte mso 9]><xml>
</xml><![endif]--><br />
<!--[if gte mso 9]><xml>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="371">
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Contemporary"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Elegant"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Professional"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Balloon Text"/>
<w:LsdException Locked="false" Priority="39" Name="Table Grid"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Theme"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" QFormat="true"
Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" QFormat="true"
Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" QFormat="true"
Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" QFormat="true"
Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" QFormat="true"
Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" QFormat="true"
Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" SemiHidden="true"
UnhideWhenUsed="true" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="TOC Heading"/>
<w:LsdException Locked="false" Priority="41" Name="Plain Table 1"/>
<w:LsdException Locked="false" Priority="42" Name="Plain Table 2"/>
<w:LsdException Locked="false" Priority="43" Name="Plain Table 3"/>
<w:LsdException Locked="false" Priority="44" Name="Plain Table 4"/>
<w:LsdException Locked="false" Priority="45" Name="Plain Table 5"/>
<w:LsdException Locked="false" Priority="40" Name="Grid Table Light"/>
<w:LsdException Locked="false" Priority="46" Name="Grid Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="Grid Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="Grid Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="46" Name="List Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="List Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="List Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 6"/>
</w:LatentStyles>
</xml><![endif]-->
<br />
<div class="MsoNormal">
<span lang="EN" style="mso-ansi-language: EN;">Down with the
role! That has actually been my motto for quite a while. But getting rid of the
role cannot be done overnight, especially since we are rolling out roles in
great numbers. And that, by itself, is not all wrong: the pursuit of
greater control over authorizations is a good thing. However, as explained <a href="http://id-use.blogspot.com/2016/08/migrating-from-rbac-to-abac-part-1.html">in my previous blog</a>, a role is not the most logical, most efficient or most flexible
way of managing authorizations. A role is basically just a concept developed to
translate business functions into technical permissions. And that
translation requires some quantum leaps.</span></div>
<div class="MsoNormal">
<span lang="EN" style="mso-ansi-language: EN;">One of the leaps is
that we look at what a person must do and not at what authorizations a person
needs: when someone has the position of an ‘accounts receivable administrator’,
he or she gets the authorization to manage debtors. But that is really a huge
mental leap. Actually you should argue the other way around: first establish what tasks have
to be done, and then evaluate what access is needed, both for a person and for an authorization.
That seems trivial, but it is a fundamental reversal of the authorization
model.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span lang="EN" style="mso-ansi-language: EN;">Access Control in Reverse</span></b></div>
<div class="MsoNormal">
<span lang="EN" style="mso-ansi-language: EN;"><br /></span></div>
<div class="MsoNormal">
<span lang="EN" style="mso-ansi-language: EN;">Access should really work
out this way:</span></div>
<div class="MsoNormal">
<span lang="EN" style="mso-ansi-language: EN;">Records of
Accounts Receivable should be managed within the finance process. The process
owner of this process is accountable for managing it. The
requirements for performing a certain task in that process, as defined by the
process owner, are: relevant education, experience, organization (department),
location, time of day and device. And perhaps even some extra quality requirements
defined by the process owner to ensure that the processing is carried out
correctly. For example: that the person executing a task cannot manage his own
customer records, and that no two critical consecutive tasks in the same process
may be performed by the same person. The process owner defines these rules
to prevent fraud and the circumvention of controls. Yes, this is Separation of Duties.
This is where SoD comes from!</span></div>
<div class="MsoNormal">
<span lang="EN" style="mso-ansi-language: EN;">If a process
owner already captures that many quality criteria, it becomes completely
irrelevant for the process owner to define who may perform the task, provided that the
person performing the task meets all criteria. A process owner doesn’t have to
define who should receive the authorization; he just needs to be able to verify
that someone who performs the job meets all the criteria that were defined.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span lang="EN" style="mso-ansi-language: EN;">Fundamentally different</span></b></div>
<div class="MsoNormal">
<span lang="EN" style="mso-ansi-language: EN;">This in fact is a
fundamentally different way of thinking about authorizations. We no longer assume
that the user of an information system has the correct role, but that he has to
meet the defined criteria, competences and context. And those are the
attributes of a person's identity or context. If those attributes correspond to
the required quality standards that have been defined in the form of measurable
criteria, then there is a match, and only then may this person perform the task.
And as a bonus… the calculated access permissions can even differ per session,
or per moment, based on context or whatever dynamic criteria were defined… </span></div>
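<div class="MsoNormal">
<span lang="EN" style="mso-ansi-language: EN;">The process owner's criteria (education, experience, department, location, time of day, device) and the two Separation of Duties rules from the section above, carried through as a policy decision function. This is an added illustration in Python, not code from the original post; the attribute names, the policy values, the critical-task sequence and the sample people and records are all constructed for the example.</span></div>

```python
"""ABAC decision for the task 'manage accounts receivable records'.

Added illustration, not code from the original post. The attribute names,
the policy values, the critical-task sequence and the sample people and
records below are all constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import time

# Criteria as a process owner would define them (constructed values).
POLICY = {
    "required_education": {"accounting"},
    "min_experience_years": 2,
    "allowed_departments": {"finance"},
    "allowed_locations": {"office"},
    "working_hours": (time(7, 0), time(19, 0)),
    "allowed_device_types": {"managed"},
}

# Critical tasks of the process in order; the SoD rule says no two
# consecutive ones may be performed by the same person (constructed).
CRITICAL_SEQUENCE = ["create_invoice", "approve_invoice", "release_payment"]


@dataclass
class Subject:
    user_id: str
    education: frozenset
    experience_years: int
    department: str


@dataclass
class Context:
    location: str
    now: time
    device_type: str


@dataclass
class Record:
    customer_id: str
    owner_user_id: str                       # account manager of this customer
    task_history: list = field(default_factory=list)  # [(task, user_id), ...]


def make_context(location, hour, minute, device_type):
    """Convenience constructor so callers need not import datetime.time."""
    return Context(location, time(hour, minute), device_type)


def decide(subject, context, record, task):
    """Return (permit, reasons). Every failed criterion is listed so an
    auditor sees *why* access was denied, not just that it was."""
    reasons = []
    if not (subject.education & POLICY["required_education"]):
        reasons.append("education")
    if subject.experience_years < POLICY["min_experience_years"]:
        reasons.append("experience")
    if subject.department not in POLICY["allowed_departments"]:
        reasons.append("department")
    if context.location not in POLICY["allowed_locations"]:
        reasons.append("location")
    start, end = POLICY["working_hours"]
    if not (start <= context.now <= end):
        reasons.append("time_of_day")
    if context.device_type not in POLICY["allowed_device_types"]:
        reasons.append("device")
    # SoD rule 1: nobody manages his or her own customer records.
    if record.owner_user_id == subject.user_id:
        reasons.append("sod_own_record")
    # SoD rule 2: the previous critical task must not have been done by
    # the same person who now asks to perform the next one.
    if task in CRITICAL_SEQUENCE and CRITICAL_SEQUENCE.index(task) > 0:
        prev_task = CRITICAL_SEQUENCE[CRITICAL_SEQUENCE.index(task) - 1]
        prev_user = next((u for t, u in reversed(record.task_history)
                          if t == prev_task), None)
        if prev_user == subject.user_id:
            reasons.append("sod_consecutive_task")
    return (not reasons, reasons)


# Constructed sample data: alice meets every static criterion.
ALICE = Subject("alice", frozenset({"accounting"}), 5, "finance")


def run_samples():
    """Three decisions for alice; returns {label: (permit, reasons)}."""
    office_day = make_context("office", 10, 30, "managed")
    bob_created = Record("C-100", "bob", [("create_invoice", "bob")])
    alice_created = Record("C-100", "bob", [("create_invoice", "alice")])
    return {
        "approve_after_bob": decide(ALICE, office_day, bob_created, "approve_invoice"),
        "approve_after_self": decide(ALICE, office_day, alice_created, "approve_invoice"),
        "own_record_from_home": decide(ALICE, make_context("home", 22, 0, "byod"),
                                       Record("C-7", "alice"), "create_invoice"),
    }


if __name__ == "__main__":
    for label, (permit, reasons) in run_samples().items():
        print(f"{label}: {'PERMIT' if permit else 'DENY'} {reasons}")
```

<div class="MsoNormal">
<span lang="EN" style="mso-ansi-language: EN;">Note that nothing in the decision refers to who the person is or which role was assigned: the same person is permitted to approve an invoice that a colleague created and denied for one she created herself, and the same person is denied outright when the context (location, time, device) does not meet the criteria. That is the per-session variability the paragraph above describes, and the list of reasons is what the process owner needs in order to verify afterwards that every criterion was actually checked.</span></div>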
<div class="MsoNormal">
<span lang="EN" style="mso-ansi-language: EN;">So, yes, it looks
very logical to adopt such a model. But then other questions emerge:</span></div>
<div class="MsoNormal">
<span lang="EN" style="mso-ansi-language: EN;">Where do these
attributes come from? And how do we know if these attributes are correct? We
will discuss this matter in a future post. And it will imply some serious
changes to migrate from RBAC to ABAC. But based on the old Role Model we can imagine
a migration scenario from RBAC to ABAC.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN" style="mso-ansi-language: EN;">As I wrote in the
first blog, RBAC is aimed at providing authorizations to people to perform
certain tasks. If we can assume that the person who has to perform the tasks
effectively meets the quality criteria as defined by the process owner, then we
*could* say that this person’s role *implicitly* carries the right attributes. That
means that we could regard this role as the sum of all required attributes… And if
so, the migration from RBAC to ABAC is only a technical migration:</span></div>
<div class="MsoNormal">
<span lang="EN" style="mso-ansi-language: EN;">Instead of
logging into the application with a username and password, the user now just
connects to a business function through a federated protocol, using a SAML
message containing an indication of the identity and the role in the form of
attributes. One does, of course, need to adapt the application to allow for
access using a federated SAML protocol…</span></div>
<div class="MsoNormal">
<span lang="EN" style="mso-ansi-language: EN;">The migration of an
application from traditional RBAC (i.e. through provisioning of accounts and
authorizations) means that we just need to change the login facility, because
the authorization model in itself does not change. The application needs an
interface to be able to parse the SAML message and to map the attributes onto the
RBAC model of the application. That’s all: since we still use the Role metaphor,
the authorization model and the permissions don’t change.</span></div>
<div class="MsoNormal">
<span lang="EN" style="mso-ansi-language: EN;">And of course we
need to add an 'Identity Provider', because such a component must
generate the SAML message that contains the ‘traditional’ user identity
(account) and role (as an attribute). In a future blog I will expand on this,
since this may be the most important migration aspect.</span></div>
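<div class="MsoNormal">
<span lang="EN" style="mso-ansi-language: EN;">The application-side interface described above, as an added example in Python (not code from the original post or from any SAML product): it parses a SAML 2.0 assertion, reads the NameID and the attributes, and maps the ‘role’ attribute onto the application's unchanged role-to-permission table. The sample assertion, the attribute name ‘role’, the permission table and the function names are constructed assumptions for illustration.</span></div>

```python
"""Hybrid RBAC/ABAC: consume a SAML assertion and map its 'role' attribute
onto the application's existing RBAC permission table.

Added example, not the post's own code. The assertion below is constructed;
the attribute name 'role', the permission table and the function names are
assumptions for illustration.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion as an Identity Provider would issue it
# (the XML signature element is left out to keep the sample short).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-1" Version="2.0" IssueInstant="2016-09-01T08:00:00Z">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>accounts_receivable_admin</saml:AttributeValue>
      <saml:AttributeValue>reader</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department">
      <saml:AttributeValue>finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The application's RBAC table stays exactly as it was before federation:
# role name -> set of permissions (constructed values).
ROLE_PERMISSIONS = {
    "accounts_receivable_admin": {"debtor:read", "debtor:write"},
    "reader": {"debtor:read"},
}


def parse_assertion(xml_text):
    """Return (name_id, {attribute_name: [values]}) from a SAML 2.0 assertion.

    Signature validation is deliberately not part of this example; a real
    consumer must validate the XML signature and the Conditions element
    (audience, validity window) before trusting any attribute it reads.
    """
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return name_id, attrs


def permissions_for(xml_text):
    """Map the 'role' attribute values onto the application's own permissions."""
    name_id, attrs = parse_assertion(xml_text)
    perms = set()
    for role in attrs.get("role", []):
        # A role the application does not know is ignored, not invented, so the
        # Identity Provider can never grant more than the local RBAC table defines.
        perms |= ROLE_PERMISSIONS.get(role, set())
    return name_id, perms


if __name__ == "__main__":
    user, perms = permissions_for(SAMPLE_ASSERTION)
    print(user, sorted(perms))
```

<div class="MsoNormal">
<span lang="EN" style="mso-ansi-language: EN;">The point of the hybrid model is visible in the two halves of the code: everything on the left of the mapping (the assertion, its attributes) is federation technology, everything on the right (the permission table) is the old role model, untouched. The lookup deliberately drops role values the table does not know, so the trust placed in the Identity Provider is bounded by what the application itself has defined.</span></div>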
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span lang="EN" style="mso-ansi-language: EN;">Hybrid ABAC model</span></b></div>
<div class="MsoNormal">
<span lang="EN" style="mso-ansi-language: EN;">The new access
control model, using a traditional Role in the form of an Attribute, can be
regarded as a hybrid ABAC model. Hybrid in the sense that authorizations are
still linked to roles, but that modern federation technology is applied. Hybrid
means that an RBAC authorization model is used, but that the underlying
technology for ABAC, i.e. federation, is deployed. We no longer provision accounts
and authorizations to target applications; we use federation techniques. Real
ABAC would mean that we no longer use Roles but rely on attributes alone. But
this full (dynamic) ABAC model requires some more fundamental changes to access
management and ICT infrastructure; ABAC requires a new architecture.</span></div>
<div class="MsoNormal">
<span lang="EN" style="mso-ansi-language: EN;">The hybrid model
is a pragmatic solution to switch from the traditional IAM technology to the
modern technology. </span></div>
<div class="MsoNormal">
<span lang="EN" style="mso-ansi-language: EN;">In the next part
in this series I will explore more about attributes and information security.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
André Koothttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-81256362518455827712016-08-28T22:27:00.000+02:002016-08-28T22:27:05.437+02:00Migrating from RBAC to ABAC (Part 1)<style type="text/css">p { margin-bottom: 0.25cm; direction: ltr; line-height: 120%; text-align: left; }a:link { color: rgb(5, 99, 193); }</style>
<br />
<div style="line-height: 108%; margin-bottom: 0.28cm;">
<span lang="en">A
long time ago I wrote the following statement on my LinkedIn profile:
"RBAC is EOL". And in my not so youthful
overconfidence I mentioned this during an intake with a potential
customer, who asked me how they could introduce </span><span lang="en"><span lang="en">Role Based Access Control (RBAC)</span> as conveniently
as possible. That talk never materialized into an assignment…</span>
</div>
<div style="line-height: 108%; margin-bottom: 0.28cm;">
‘<span lang="en">RBAC
is EOL’ clearly was a premature statement. I must admit Role Based
Access Control is far from End-Of-Life. Rather, in practice, we see
RBAC becoming more popular and we see more and more organizations
starting RBAC projects. Following on the heels of financials and
government, other industries are becoming aware of the need to
address authorization management. IAM projects and RBAC solutions are
increasingly embraced and most of the major information systems, such
as SAP, Oracle EBS, CODA, EPIC, Salesforce, Chipsoft, have been built
in such a way that RBAC is the de facto authorization model. RBAC is
a well-known, but not well understood, way to think about
authorizations and access control. Surely I can help customers with
that, of course ;)</span></div>
<div style="line-height: 108%; margin-bottom: 0.28cm;">
<br /></div>
<div style="line-height: 108%; margin-bottom: 0.28cm;">
<b><span lang="en">Why
on earth do we use RBAC?</span></b></div>
<div style="line-height: 108%; margin-bottom: 0.28cm;">
<span lang="en">RBAC
promises to be a simple access control model, but in theory it is anything
but simple; here is a link to the original NIST
publication by Ferraiolo and Kuhn (1992): </span><a href="http://csrc.nist.gov/rbac/ferraiolo-kuhn-92.pdf"><span lang="en-US">http://csrc.nist.gov/rbac/ferraiolo-kuhn-92.pdf</span></a></div>
<div lang="en" style="line-height: 108%; margin-bottom: 0.28cm;">
<br />
<span lang="en">And
in real life RBAC is complex as well. Let me explain why RBAC
should be EOL.</span>
</div>
<div style="line-height: 108%; margin-bottom: 0.28cm;">
<span lang="en">First
let me explain why we use RBAC: ease of operation.</span></div>
<div style="line-height: 108%; margin-bottom: 0.28cm;">
<span lang="en">Yes,
really, that is the only reason we use RBAC. It is an easily
understood method to grant a person access to read a file or a record, or to
enter a location. It also makes access easy to control: you can find out
whether a person has access, and you may well be able to explain why that is
the case and whether the granted access is correct.</span></div>
<div style="line-height: 108%; margin-bottom: 0.28cm;">
<span lang="en">Because
of the concept of a 'role', we can disconnect an 'authorization' from a
'someone'. That saves a lot of administration. If two employees have to
perform the same tasks, they need the same authorizations. If we give both
persons the same role, they have the same permissions, at least if the
permissions required for those tasks are bound to that role. Anyone else
assigned the same role gets the same permissions as well. So it is a lot
easier to grant permissions by assigning roles than to provide the individual
authorizations to everyone separately. The problems start when there are
roles within roles, nested roles: then it becomes foggy which authorizations
a person effectively has. The best thing about direct assignment of
authorizations is that it is much easier to show what permissions someone
effectively has: you can read it off right away. Not that we gain much
insight from that, because we still have to interpret every individual
assignment all over again. Role management does make life easier.</span></div>
<div style="line-height: 108%; margin-bottom: 0.28cm;">
<span lang="en">But
by just managing roles we are not done yet. On the contrary. There
is not one single type of role; there are different kinds of roles,
different levels of roles and of course there are nested roles.
There are roles in an organization and there are roles in
applications. No, these are not the same!</span></div>
<div style="line-height: 108%; margin-bottom: 0.28cm;">
<span lang="en">There
are lots of roles in an organization. And there are also positions in
an organization. A position is part of the hierarchy of the organization:
positions give the view of the organization that is used for paying
employees. But roles are a view on combined activities within an organization,
our way of organizing authorizations. A role may look like a position, but it
is not.</span></div>
<div style="line-height: 108%; margin-bottom: 0.28cm;">
<span lang="en">And
here the difficulties start. Is there a relation between a position
and a role? Is there a hierarchy? Can people have more than one
position and more than one role? Can roles be shared between
departments? And do all identical positions result in identical
roles? So, as you can see, the easy concept is getting a bit less
easy.</span></div>
<div style="line-height: 108%; margin-bottom: 0.28cm;">
<span lang="en">In
RBAC, roles are assigned in order to grant the authorizations needed to perform
certain tasks. A role is in fact a set of tasks carried out by a
person. A credit manager uses the financial system (the debt
management part of course), Office365 (the share of his or her
department perhaps?), the intranet, perhaps a module in a CRM system.
In addition, a credit manager must have access to the sales
administration, the e-banking environment and the general ledger. But there
are other roles with overlapping authorizations, roles for people
that have an almost similar set of applications, but with different
access within them. That means that an authorization can no longer be traced
back to a single role, and a person no longer maps to a single role either.
Here the perceived advantage of RBAC disappears.</span></div>
<div lang="en-US" style="line-height: 108%; margin-bottom: 0.28cm;">
<br />
<b><span lang="en">Tasks</span>
</b></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<span lang="en">Now,
who decides which tasks our staff in the credit management role have
to execute? The line manager of the employee. And perhaps
there is also a process owner. But these two have a different
focus: the line manager obviously wants optimal performance within
the department, while the process owner has other requirements,
such as competent, capable and high-quality staff and separation of
duties within the process. This can result in conflicting interests.
A line manager wants as many operations as possible performed with full
staff utilization, but the process owner wants a high-quality, well-governed
process.</span></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<span lang="en">However,
there is still another important player: the system owner. The line
manager may well want an employee to perform various tasks, but that
collection of tasks also has to be supported by the information system in
the same way. What if the role model built into an information
system conflicts with the organization roles and the process roles? This
is not a theoretical issue; it happens every day in every
organization.</span></div>
<div lang="en" style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<b><span lang="en">Authorizations</span></b></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<span lang="en">Last
but not least: what effective authorizations are there in a role?
Employees in AGSAPAX-IAM-DEB-Linux-WS seem to get access to
GRXACZP-LEDG02Q-File Transfer-RW. Do they? Who knows whether this access
rule (the kind you see in a lot of Excel sheets) is permitted? And is
this authorization granted explicitly or implicitly? Who is in that
group? Is that correct? Is the authorization still accurate and up
to date? Is it not too broad? How much do these rights
cost? Who granted them? Who linked these authorizations
to the role? Has this been approved?</span></div>
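<div style="line-height: 100%; margin-bottom: 0cm;">
<span lang="en">Several of these questions can at least be answered mechanically once the role and group nesting is made explicit. The following added example (my illustration, not code from any product or from the original post) takes the access rule above and a constructed membership structure around it (the people and the intermediate groups are invented, including a nesting loop between two groups, which is the kind of thing you find in real directories) and answers the questions raised here and in the paragraph on nested roles: which permissions someone effectively has, whether an authorization is explicit or implicit, and who is actually in the group.</span></div>

```python
"""Effective permissions and 'why does this person have this?' for nested roles.
Added example; the membership data is constructed for illustration only."""
from collections import deque

# Constructed membership: role/group -> its direct members. A member can be a person
# or another role, which is what makes roles "nested". finance-staff and
# credit-management contain each other: a nesting loop, deliberately included.
MEMBERS = {
    "AGSAPAX-IAM-DEB-Linux-WS": {"bob", "credit-management"},
    "credit-management": {"alice", "finance-staff"},
    "finance-staff": {"carol", "credit-management"},
    "sales": {"dave"},
}

# Constructed authorizations bound to a role, as an access matrix would list them.
GRANTS = {
    "AGSAPAX-IAM-DEB-Linux-WS": {"GRXACZP-LEDG02Q-File Transfer-RW"},
    "credit-management": {"DEBTORS-RW"},
    "sales": {"DEBTORS-R"},
}


def direct_roles_of(principal):
    """Roles in which the principal (a person or a role) is listed as a direct member."""
    return {role for role, members in MEMBERS.items() if principal in members}


def effective_roles(principal):
    """Every role the principal ends up in once nesting is followed; loop-safe."""
    seen, queue = set(), deque(direct_roles_of(principal))
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        queue.extend(direct_roles_of(role))
    return seen


def effective_permissions(principal):
    """The union of all grants reachable through the principal's effective roles."""
    perms = set()
    for role in effective_roles(principal):
        perms |= GRANTS.get(role, set())
    return perms


def explain(principal, permission):
    """Shortest membership chain principal -> ... -> role carrying the permission,
    or None if the principal does not have it. A chain of two elements means the
    grant is explicit (direct membership); a longer chain means it is implicit."""
    parents = {principal: None}
    queue = deque([principal])
    while queue:
        node = queue.popleft()
        if permission in GRANTS.get(node, set()):
            chain = []
            while node is not None:
                chain.append(node)
                node = parents[node]
            return chain[::-1]
        for role in direct_roles_of(node):
            if role not in parents:
                parents[role] = node
                queue.append(role)
    return None


def members_of(role):
    """Every person who effectively ends up in the role ('who is in that group?')."""
    people, seen, stack = set(), set(), [role]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        for member in MEMBERS.get(current, set()):
            if member in MEMBERS:      # another role: descend into it
                stack.append(member)
            else:                      # a person
                people.add(member)
    return people


if __name__ == "__main__":
    for who in ("alice", "bob", "carol", "dave"):
        print(who, sorted(effective_permissions(who)),
              explain(who, "GRXACZP-LEDG02Q-File Transfer-RW"))
    print(sorted(members_of("AGSAPAX-IAM-DEB-Linux-WS")))
```

<div style="line-height: 100%; margin-bottom: 0cm;">
<span lang="en">The membership chain returned by explain() is the audit answer: a chain of two is an explicit grant, anything longer is an implicit grant through nesting, and None means the Excel sheet is wrong. The seen sets in effective_roles() and members_of() are what keep the nesting loop between the two groups from turning the review into an endless loop; without them, carol's file transfer right, three levels of nesting deep, is exactly the kind of authorization nobody can account for.</span></div>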
<div lang="en" style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<span lang="en">In
my experience there are dozens more of these questions. And they all
lead to the same conclusion: the RBAC model may look like a practical
access management method, but it is not. There are so many
complications to manage that it is hard to stay in
control. </span>
</div>
<div lang="en" style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<span lang="en">Done
with complaining. What are we going to do about it?</span></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<span lang="en">In
part 2 of this series we start migrating from roles to attributes, my holy grail,
and I’ll introduce a hybrid ABAC
model.</span></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<span lang="en">(this blog first appeared in Dutch at <a href="https://www.cqure.nl/kennisplatform/van-rbac-naar-abac-deel-1">https://www.cqure.nl/kennisplatform/van-rbac-naar-abac-deel-1</a>) </span></div>
André Koothttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-19133466496103448552016-05-13T14:16:00.000+02:002016-05-13T14:43:19.258+02:00That was the EIC16 that was<span style="font-family: "verdana" , sans-serif;"><br /></span>
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="371">
<w:LsdException Locked="false" Priority="44" Name="Plain Table 4"/>
<w:LsdException Locked="false" Priority="45" Name="Plain Table 5"/>
<w:LsdException Locked="false" Priority="40" Name="Grid Table Light"/>
<w:LsdException Locked="false" Priority="46" Name="Grid Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="Grid Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="Grid Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="46" Name="List Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="List Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="List Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 6"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<![endif]--><span style="font-family: "verdana" , sans-serif;"><span lang="EN" style="font-size: 12.0pt;">Each year, the German security consultancy firm KuppingerCole in Munich
organizes a multi-day conference on the theme of identity and access
management. </span></span>
<br />
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm;">
<span style="font-family: "verdana" , sans-serif;"><span lang="EN" style="font-size: 12.0pt;">The KC conference was well organized: a nice location for both the sessions and
the inevitable vendor marketplace, lovely brochures, an event app, fine
catering and a lot of famous people. We'll get back to that later. KC is a large
company, has many expert analysts and these are actively present: they moderate
panels, chair the different tracks and give presentations.<br style="mso-special-character: line-break;" />
<br style="mso-special-character: line-break;" />
</span></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm;">
<span style="font-family: "verdana" , sans-serif;"><span lang="EN" style="font-size: 12.0pt;">The conference lasts three days, long days ... the first keynote generally
starts at half past eight and the day closes somewhere between 19:00 and 20:00. But
that's not all: there are also pre- and post-conference workshops. I decided to
join a pre-conference day this year, namely the workshop on the theme of blockchain. I cannot
give a full overview of the conference, but I will point to a few highlights.<br style="mso-special-character: line-break;" />
<br style="mso-special-character: line-break;" />
</span></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm;">
<span style="font-family: "verdana" , sans-serif;"><span lang="EN" style="font-size: 12.0pt;">The hype of the moment is Blockchain. The pre-conference workshop lasted a
whole day and covered the background and ideas around Blockchain and also
bitcoin. On the third day, too, extensive attention was given to
blockchain in one of the four parallel tracks. Briefly: Blockchain is a
promising technology (immutable storage of transactions, transparent, fast and
cheap), but so far it’s little used (not really an anonymous platform, and the ‘bitcoin
image’ is not very positive). But the biggest problem is the issue of trust. Can
you trust the blockchain, do you trust its longevity and continuity? Still, the advice
is: go play with it; within a year or three there will be business cases and apps
that make use of blockchain technology.</span></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm;">
<span style="font-family: "verdana" , sans-serif;"><span lang="EN" style="font-size: 12.0pt;"><br />
Second hype: CIAM, Customer Identity & Access Management. And yet it is not really
a hype: we already know it, implement it and use it. More important is the underlying
mechanism, namely federation.</span></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm;">
<span style="font-family: "verdana" , sans-serif;"><span lang="EN" style="font-size: 12.0pt;"><br />
More or less the same applies to IoT and Big Data. These developments also look
to federated solutions to preserve both the business benefits and the guarantees
regarding privacy.</span></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm;">
<span style="font-family: "verdana" , sans-serif;"><span lang="EN" style="font-size: 12.0pt;"><br />
Federation was not only reflected in many presentations. There was a separate
track in which the OpenID Foundation presented the many developments. Of course
there was OpenID Connect (yes, we really should implement this as often and as broadly
as possible) and OIX (OpenID Exchange; it looks very much like the implementation of
what I wished for in my old blogs - <span style="color: #3d85c6;"><a href="http://id-use.blogspot.com/2008/06/trust-model-for-identity-providers.html">http://id-use.blogspot.com/2008/06/trust-model-for-identity-providers.html</a></span>
), but also a number of working groups on the themes of health (the OpenID HEART
working group led by <span style="color: #3d85c6;"><a href="https://twitter.com/xmlgrrl">Eve Maler</a></span> of ForgeRock) and the Financial Services API WG.</span></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm;">
<span style="font-family: "verdana" , sans-serif;"><span lang="EN" style="font-size: 12.0pt;"><br />
But not every topic at EIC16 was about IAM technology; unquestionably the
most impressive presentation was by <span style="color: #3d85c6;"><a href="https://twitter.com/miaharbitz">Mia Harbitz</a></span> of the World Bank. She
described identity management in a world where a birth certificate is already a
challenge. Children with a birth certificate get vaccinated three times as often
as children without one. She had more shocking numbers on
people without a formal identity, and without access to life-saving services
because of it.<br style="mso-special-character: line-break;" />
<br style="mso-special-character: line-break;" />
</span></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm;">
<span style="font-family: "verdana" , sans-serif;"><span lang="EN" style="font-size: 12.0pt;">Providing an identity to refugees is also a hot topic (especially in
Germany, with 800,000 refugees in the past year). This was discussed in a
separate track with an interesting panel discussion. It soon turned out that we
give refugees an identity because we want to prevent them from abusing the
services we pay for, not because we want to offer refugees just enough
identity to survive. Sad really ...<br />
<br />
An interesting development was an initiative by <span style="color: #3d85c6;"><a href="https://twitter.com/iglazer">Ian Glazer</a></span> (Salesforce). He and
Kantara (known, for example, for User Managed Access – we should make this a
default way of customer access control) took the initiative to investigate
whether identity professionals can unite. The "Keepers of
Identity" are becoming increasingly important; cooperation is essential. More
info: <span style="color: #3d85c6;"><a href="https://kantarainitiative.org/digital_identity_professional/">https://kantarainitiative.org/digital_identity_professional/</a></span>
<br style="mso-special-character: line-break;" />
<br style="mso-special-character: line-break;" />
</span></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm;">
<span style="font-family: "verdana" , sans-serif;"><span lang="EN" style="font-size: 12.0pt;">And for those of us who are in despair… there are still use cases for on-premise
use of Active Directory. <span style="color: #3d85c6;"><a href="https://twitter.com/kim_cameron">Kim Cameron</a></span> (Microsoft) sees a shift to Azure
AD, but on-premise AD will still remain for the coming years.</span></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm;">
<span style="font-family: "verdana" , sans-serif;"><span lang="EN" style="font-size: 12.0pt;"><br />
These were intense days. I finally met many digital friends. And I advise you
to look up the hashtag #eic16 on Twitter. Lots of nice tweets, many photos and
videos, and links to interesting articles.<br />
</span></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm;">
<span style="font-family: "verdana" , sans-serif;"><span lang="EN" style="font-size: 12.0pt;"><br /></span></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm;">
<span style="font-family: "verdana" , sans-serif;"><span lang="EN" style="font-size: 12.0pt;">And do yourself a favour and visit the blog of my good friend <a href="http://alfweb.com/bg/byoi-bring-your-own-identity-me-things-and-the-relationship-between/">Alessandro Festa</a>... </span></span><br />
<span style="font-family: "verdana" , sans-serif;"><span lang="EN" style="font-size: 12.0pt;">
<br style="mso-special-character: line-break;" />
</span></span></div>
<div class="MsoNormal">
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
André Koothttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-2543826739415962252016-05-08T22:31:00.002+02:002016-05-08T22:31:30.090+02:00European Identity & Cloud Conference 2016This year I managed to plan my trip to the European Identity & Cloud Conference 2016 in Munich, again hosted by KuppingerCole. I have visited this event before (I gave a talk about some ABAC developments). This time I'm just a conference consumer. But I will try to post some news now and then. For real-time notifications, follow my Twitter account @meneer, but you get a lot more information by following the conference hashtag, which should be #EIC16 :)<br />
<br />
Hot topics: #blockchain, #CIAM (Consumer Identity and Access Management), Privileged Account Management (#PAM), #Cloud and #Governance<br />
<br />
You can find out about the program <a href="https://www.id-conf.com/events/eic2016/agenda_overview">here</a>.André Koothttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-78381128729843073052016-04-20T23:19:00.002+02:002016-06-02T07:51:35.052+02:00An unexpected ABAC challengeCurrently three of my assignments have an interesting similarity: attribute based access control, all at the same time. And for all these customers the choice for ABAC is related to rebuilding the internal application landscape. These customers are not implementing ABAC to facilitate federation of external identities; they're implementing ABAC for internal users of internal systems. There are multiple drivers for this change. There is, of course, the desire to publish internal services to external parties, some day. But there's also the concept of service orientation and the use of service buses and web services. And the concept of separating identity provisioning from service provisioning is gaining ground as well. Explaining the pros and cons of ABAC to both business and ICT is no longer a mission impossible.<br />
<br />
But at the same time I experienced that there is an interesting and unexpected blocking factor: the application developer. It seems that where both the business user and the ICT operator like the added value of federation and ABAC, the application developer has some trouble getting a grasp of the new paradigm:<br />
There is no login page for an app anymore, no users table, no account name or password to manage. How do you implement access control without a user database and an authorization table with roles? And if users don't log on to your app, how do you know who they are?<br />
<br />
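One way an application can answer those questions without a users table, as an added example that is not code from the original post: the app accepts the attributes an identity provider asserts about the caller (after checking that the token is meant for this app and has not expired) and decides access from a policy over those attributes, with no local accounts or role table. The claim names, policy rules and sample token are constructed for the example.

```python
"""Access control for an app without a users table: every attribute the
policy needs arrives with the request as a claim asserted by the identity
provider (IdP); the app keeps no accounts, passwords or role table.
Added example, not code from the original post; the claim names, policy
rules and sample token below are constructed."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    subject: Dict              # claims from the federated token
    action: str                # what the caller wants to do
    resource: Dict             # attributes of the object being accessed
    environment: Dict = field(default_factory=dict)  # e.g. hour of day


def rule_same_department(r: Request) -> bool:
    """Anyone may read records owned by their own department."""
    return (r.action == "read"
            and r.subject.get("department") == r.resource.get("owner_department"))


def rule_manager_update(r: Request) -> bool:
    """Managers of the owning department may update, during office hours only."""
    hour = r.environment.get("hour", -1)
    return (r.action == "update"
            and "manager" in r.subject.get("roles", [])
            and r.subject.get("department") == r.resource.get("owner_department")
            and 8 <= hour < 18)


# Policy: ordered (name, predicate, effect) rules. The first match decides;
# a request that no rule matches is denied.
POLICY: List[Tuple[str, Callable[[Request], bool], str]] = [
    ("same-department-read", rule_same_department, "permit"),
    ("manager-update-office-hours", rule_manager_update, "permit"),
]


def decide(req: Request) -> Tuple[str, str]:
    """Return (effect, rule name); default deny when nothing matches."""
    for name, predicate, effect in POLICY:
        if predicate(req):
            return effect, name
    return "deny", "default-deny"


def claims_from_token(token: Dict, audience: str, now: float,
                      signature_ok: bool) -> Dict:
    """The app trusts the IdP instead of a local password check, so before
    using the claims it verifies the token is for this app and unexpired.
    Signature verification is what the federation library (JWT/SAML) does;
    it is represented by the signature_ok flag here."""
    if not signature_ok:
        raise ValueError("token signature invalid")
    if token.get("aud") != audience:
        raise ValueError("token not issued for this application")
    if token.get("exp", 0) <= now:
        raise ValueError("token expired")
    return {k: v for k, v in token.items() if k not in ("iss", "aud", "exp")}


# Constructed sample: what an IdP might assert about a caller; the app never
# stored this user anywhere.
SAMPLE_TOKEN = {
    "iss": "https://idp.example.internal",   # constructed issuer
    "aud": "records-app",
    "exp": 4102444800,                        # constructed far-future expiry
    "sub": "employee-4711",
    "department": "claims",
    "roles": ["employee", "manager"],
}
RECORD = {"id": "rec-1", "owner_department": "claims"}


def evaluate(token: Dict, action: str, resource: Dict, hour: int) -> Tuple[str, str]:
    """Full path: validate the IdP token, then decide from its claims."""
    subject = claims_from_token(token, "records-app", time.time(), signature_ok=True)
    return decide(Request(subject, action, resource, {"hour": hour}))


if __name__ == "__main__":
    for action, hour in [("read", 10), ("update", 10), ("update", 22), ("delete", 10)]:
        print(action, hour, evaluate(SAMPLE_TOKEN, action, RECORD, hour))
```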
An unexpected problem for sure. We need to educate developers as well, to ease the paradigm shift.André Koothttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-56029957579535230102016-04-06T21:40:00.000+02:002018-11-22T14:37:46.882+01:00How to manage non personal (system) accounts<!--[if !mso]>
<![endif]--><br>
<!--[if gte mso 9]><xml>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="371">
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="No List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Contemporary"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Elegant"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Professional"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Balloon Text"/>
<w:LsdException Locked="false" Priority="39" Name="Table Grid"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Theme"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" QFormat="true"
Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" QFormat="true"
Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" QFormat="true"
Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" QFormat="true"
Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" QFormat="true"
Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" QFormat="true"
Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" SemiHidden="true"
UnhideWhenUsed="true" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="TOC Heading"/>
<w:LsdException Locked="false" Priority="41" Name="Plain Table 1"/>
<w:LsdException Locked="false" Priority="42" Name="Plain Table 2"/>
<w:LsdException Locked="false" Priority="43" Name="Plain Table 3"/>
<w:LsdException Locked="false" Priority="44" Name="Plain Table 4"/>
<w:LsdException Locked="false" Priority="45" Name="Plain Table 5"/>
<w:LsdException Locked="false" Priority="40" Name="Grid Table Light"/>
<w:LsdException Locked="false" Priority="46" Name="Grid Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="Grid Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="Grid Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="46" Name="List Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="List Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="List Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 6"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<![endif]--><!--[if gte mso 9]><xml>
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1"/>
</o:shapelayout></xml><![endif]-->
<br>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Customers often
ask me for best practices regarding the management of non-personal or highly
privileged accounts when implementing an Identity and Access
Management (IAM) solution. This is an interesting question, because in an IAM
project we try to manage all kinds of accounts, but this type of account is
different from accounts that are owned by end users. Such an account
can’t be directly related to a uniquely identifiable person, nor is it
the result of the 'joiner – mover - leaver' HR processes in an organization. So, how
do you manage the existence of such an account?</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"><br></span></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-US" style="mso-ansi-language: EN-US;">Types of non personal accounts</span></b></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">There are Non-Personal Accounts (NPAs) and Non-Personal System Accounts (NPSAs). We can identify:</span></div>
<div class="MsoNormal" style="margin-left: 36.0pt; mso-list: l1 level1 lfo2; text-indent: -18.0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US; mso-bidi-font-family: "Liberation Serif"; mso-fareast-font-family: "Liberation Serif";"><span style="mso-list: Ignore;">-<span style="font: 7.0pt "Times New Roman";"> </span></span></span><b style="mso-bidi-font-weight: normal;"><span lang="EN-US" style="mso-ansi-language: EN-US;">Admin or root account </span></b></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US;">The admin or root account of Windows and Linux
or Unix servers is a highly privileged system account on the respective
platform.</span></div>
<div class="MsoListParagraphCxSpFirst" style="margin-left: 72.0pt; mso-add-space: auto; mso-list: l1 level2 lfo2; text-indent: -18.0pt;">
<span lang="EN-US" style="font-family: "courier new"; mso-ansi-language: EN-US; mso-fareast-font-family: "Courier New";"><span style="mso-list: Ignore;">o<span style="font: 7.0pt "Times New Roman";">
</span></span></span><span lang="EN-US" style="mso-ansi-language: EN-US;">It
is authorized at the highest level</span></div>
<div class="MsoListParagraphCxSpFirst" style="margin-left: 72.0pt; mso-add-space: auto; mso-list: l1 level2 lfo2; text-indent: -18.0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US;"><span lang="EN-US" style="mso-ansi-language: EN-US;"><span lang="EN-US" style="font-family: "courier new"; mso-ansi-language: EN-US; mso-fareast-font-family: "Courier New";"><span style="mso-list: Ignore;">o<span style="font: 7.0pt "Times New Roman";"> </span></span></span>It has access to every file and process running on a
platform.</span> </span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-left: 72.0pt; mso-add-space: auto; mso-list: l1 level2 lfo2; text-indent: -18.0pt;">
<span lang="EN-US" style="font-family: "courier new"; mso-ansi-language: EN-US; mso-fareast-font-family: "Courier New";"><span style="mso-list: Ignore;">o<span style="font: 7.0pt "Times New Roman";">
</span></span></span><span lang="EN-US" style="mso-ansi-language: EN-US;">The
‘root’ or 'Admin' account has the permissions to change the behavior of the component it belongs to;</span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-left: 72.0pt; mso-add-space: auto; mso-list: l1 level2 lfo2; text-indent: -18.0pt;">
<span lang="EN-US" style="font-family: "courier new"; mso-ansi-language: EN-US; mso-fareast-font-family: "Courier New";"><span style="mso-list: Ignore;">o<span style="font: 7.0pt "Times New Roman";">
</span></span></span><span lang="EN-US" style="mso-ansi-language: EN-US;">Commands
can be run from it, and it can react to responses from the system. </span></div>
<div class="MsoListParagraphCxSpLast" style="margin-left: 72.0pt; mso-add-space: auto; mso-list: l1 level2 lfo2; text-indent: -18.0pt;">
<span lang="EN-US" style="font-family: "courier new"; mso-ansi-language: EN-US; mso-fareast-font-family: "Courier New";"><span style="mso-list: Ignore;">o<span style="font: 7.0pt "Times New Roman";">
</span></span></span><span lang="EN-US" style="mso-ansi-language: EN-US;">Operational
use of the account needs to be monitored continuously.</span></div>
<div class="MsoNormal" style="margin-left: 36.0pt; mso-list: l1 level1 lfo2; text-indent: -18.0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US; mso-bidi-font-family: "Liberation Serif"; mso-fareast-font-family: "Liberation Serif";"><span style="mso-list: Ignore;">-<span style="font: 7.0pt "Times New Roman";"> </span></span></span><b style="mso-bidi-font-weight: normal;"><span lang="EN-US" style="mso-ansi-language: EN-US;">Superuser account</span></b><span lang="EN-US" style="mso-ansi-language: EN-US;"><br>
This is a business information system or application account that looks a lot like
‘root’. It is there when the system is installed; it’s a system account. The
superuser has permission to modify the system, making it a risk-critical account in an
information system. An example is SAP* in an SAP environment.</span></div>
<div class="MsoNormal" style="margin-left: 36.0pt; mso-list: l1 level1 lfo2; text-indent: -18.0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US; mso-bidi-font-family: "Liberation Serif"; mso-fareast-font-family: "Liberation Serif";"><span style="mso-list: Ignore;">-<span style="font: 7.0pt "Times New Roman";"> </span></span></span><b style="mso-bidi-font-weight: normal;"><span lang="EN-US" style="mso-ansi-language: EN-US;">Service account</span></b></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Accounts for middleware processes like DBMSs,
ESBs or other ICT components that run on top of the Windows or Linux operating
system. A special form of non-personal account is an application account in
a DBMS that gives an application access to the database.</span></div>
<div class="MsoNormal" style="margin-left: 36.0pt; mso-list: l1 level1 lfo2; text-indent: -18.0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US; mso-bidi-font-family: "Liberation Serif"; mso-fareast-font-family: "Liberation Serif";"><span style="mso-list: Ignore;">-<span style="font: 7.0pt "Times New Roman";"> </span></span></span><b style="mso-bidi-font-weight: normal;"><span lang="EN-US" style="mso-ansi-language: EN-US;">Batch user account</span></b></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<span lang="EN-US" style="mso-ansi-language: EN-US;">An account used by a batch job process; it is
most commonly used for scheduled batch jobs, like nightly file transfers. </span></div>
<div class="MsoNormal">
<br></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-US" style="mso-ansi-language: EN-US;">NPA characteristics</span></b></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">NPSAs have
a few characteristics in common. They are non-personal: they are not
directly connected to a person. Logging in with the account doesn’t leave an audit
trail showing which person is actually using it. And, of course, NPSAs are very
powerful, so their use should be tightly controlled.</span></div>
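As an added example (not part of the original post, and not any product's code), the following Python script shows what the missing audit trail above, and the "monitor continuously" point in the root/admin list, mean in practice: it reads Linux auth log lines and attributes each use of a shared account to a person only where sudo or su recorded one; a direct login to root, or an interactive login with a service account, is reported as unattributed. The log lines, host name, addresses and account names are constructed samples in the standard OpenSSH, sudo and su syslog formats; the two account-name sets are assumptions.

```python
"""Who was really behind that root session? Reads auth-log lines and attributes every
use of a shared 'God' account to a person only where sudo or su recorded one.

Added example, not from the original post. All log lines below are constructed
samples; they follow the standard OpenSSH, sudo and su syslog formats.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of /var/log/auth.log-style lines (not real data).
SAMPLE_LOG = """\
Mar 12 08:01:02 host1 sshd[2101]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2: ED25519 SHA256:AAAA
Mar 12 08:01:10 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 12 08:05:44 host1 sshd[2140]: Accepted password for root from 10.0.0.9 port 50200 ssh2
Mar 12 08:07:01 host1 su[2150]: (to root) bob on pts/1
Mar 12 08:09:30 host1 sshd[2160]: Accepted publickey for svc-backup from 10.0.0.7 port 50300 ssh2: RSA SHA256:BBBB
"""

# Assumptions: which accounts count as shared NPSAs, and which are service accounts
# that should never be used interactively.
SHARED_ACCOUNTS = {"root", "admin", "administrator"}
NON_INTERACTIVE_ACCOUNTS = {"svc-backup"}

SSH_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"sudo:\s+(?P<person>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
SU_RE = re.compile(r"su\[\d+\]: \(to (?P<target>\S+)\) (?P<person>\S+) on (?P<tty>\S+)")


@dataclass
class NpsaUse:
    line_no: int
    account: str             # the NPSA that was used
    person: Optional[str]    # the identifiable person behind it, if the log says
    how: str                 # 'sudo', 'su', 'direct-login' or 'service-login'


def attribute_npsa_use(log_text: str) -> list[NpsaUse]:
    """One record per NPSA use; person is None when the log cannot tell who it was."""
    events: list[NpsaUse] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = SUDO_RE.search(line)
        if m and m.group("target") in SHARED_ACCOUNTS:
            # sudo names the person who escalated: root use is attributable.
            events.append(NpsaUse(n, m.group("target"), m.group("person"), "sudo"))
            continue
        m = SU_RE.search(line)
        if m and m.group("target") in SHARED_ACCOUNTS:
            events.append(NpsaUse(n, m.group("target"), m.group("person"), "su"))
            continue
        m = SSH_RE.search(line)
        if m and m.group("user") in SHARED_ACCOUNTS:
            # Direct login to the shared account: the log names no person at all.
            events.append(NpsaUse(n, m.group("user"), None, "direct-login"))
        elif m and m.group("user") in NON_INTERACTIVE_ACCOUNTS:
            # A placeholder account was used for an interactive session.
            events.append(NpsaUse(n, m.group("user"), None, "service-login"))
    return events


def unattributed(events: list[NpsaUse]) -> list[NpsaUse]:
    """The findings a reviewer of shared-account usage would chase up."""
    return [e for e in events if e.person is None]


if __name__ == "__main__":
    for e in attribute_npsa_use(SAMPLE_LOG):
        who = e.person or "UNKNOWN PERSON"
        print(f"line {e.line_no}: {e.account} used via {e.how} by {who}")
```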
<div class="MsoNormal">
<br></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Service and
batch accounts also have a specific similarity: one typically doesn't log in
with such an account; these accounts are not used interactively. In most cases
such an account is only used as a placeholder with some permissions to perform
specific tasks, like running a web server with only the limited capability to process
HTTPS requests and write log files.</span></div>
<div class="MsoNormal">
<br></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Modern IAM
solutions can be implemented to facilitate provisioning of personal accounts
for specific user functionality. Since non-personal accounts are not an
attribute of an identity, there is no single user that can be connected to an
NPA, so an IAM solution is not suitable to manage them. </span></div>
<div class="MsoNormal">
<br></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-US" style="mso-ansi-language: EN-US;">If not an IAM problem, then what?</span></b></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">These
accounts belong to the component that they manage. The Windows operating system
comes with the Administrator account, Linux comes with root. You cannot install
Linux without a root account. You may not by default be able to log in with it
(as on Ubuntu), but the account is there. So by installing an OS, you
automatically get the 'God' account. There is no choice; it is the result of
the change process that leads to the implementation of the OS. Such an NPSA
should only be used in a controlled manner from specific processes, like an
incident management process (admin may be needed to assist in a catastrophe),
or the change management process (the admin permissions may be required to
perform an infrastructural change).</span></div>
<div class="MsoNormal">
<br></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">The same is
true for service accounts: when installing a middleware component, like a database
management system, the account is created to enable the service, hence the name
service account. Again, you have no choice. You might install the service using
a root-type account, but that is a security violation: thou
shalt not run any service as root!</span></div>
<div class="MsoNormal">
<br></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">And for
batch accounts the same is true again: a batch process is created as the
result of a change request. The batch tasks are created to support an
information system, or a business process. The batch job is created to make it
possible to schedule the automatic execution of the tasks. A batch account is
created to make it possible to use resources on the system.</span></div>
<div class="MsoNormal">
<br></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">This leads
to the following conclusion:</span></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><i style="mso-bidi-font-style: normal;"><span lang="EN-US" style="mso-ansi-language: EN-US;">Non-personal accounts have to be managed in the change management process. </span></i></b></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-US" style="mso-ansi-language: EN-US;"><br></span></b></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-US" style="mso-ansi-language: EN-US;">This has the following implications:</span></b></div>
<ul style="margin-top: 0cm;" type="disc">
<li class="MsoNormal" style="mso-list: l0 level1 lfo1; tab-stops: list 36.0pt;"><span lang="EN-US" style="mso-ansi-language: EN-US;">The account has to be
registered in the configuration management database; it is an attribute of
the component that it belongs to. Admin belongs to the Active Directory.
Root belongs to a Linux server. The account named 'Oracle' probably belongs
to an Oracle DBMS instance: the DBMS is a managed component and the
account name is Oracle.</span></li>
<li class="MsoNormal" style="mso-list: l0 level1 lfo1; tab-stops: list 36.0pt;"><span lang="EN-US" style="mso-ansi-language: EN-US;">The account has an owner, who
is accountable for the use of the account. Admin and root belong to the
manager of the ICT department. The SAP account is owned by the system
owner of the SAP system.</span></li>
<li class="MsoNormal" style="mso-list: l0 level1 lfo1; tab-stops: list 36.0pt;"><span lang="EN-US" style="mso-ansi-language: EN-US;">The interactive accounts should
only be used for infrastructural changes or calamities.</span></li>
<li class="MsoNormal" style="mso-list: l0 level1 lfo1; tab-stops: list 36.0pt;"><span lang="EN-US" style="mso-ansi-language: EN-US;">The non-personal system accounts
should never be used interactively for operational tasks.</span></li>
<li class="MsoNormal" style="mso-list: l0 level1 lfo1; tab-stops: list 36.0pt;"><span lang="EN-US" style="mso-ansi-language: EN-US;">The passwords of these accounts
must remain secret. They should be secured by means of an envelope
procedure, a password vault, or by using a Privileged Account Management
system (PAM, like CyberArk, Hitachi PAM, Thycotic or CA PAM, to name just a few). Any
use has to be related to a service management ticket (an incident or a
change).</span>
</li>
</ul>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">So, there
you have it. Non-personal accounts must not be managed in an IAM solution,
they have to be managed by the Change Management processes in an organization.
Either they are owned by ICT or by the system owner who owns the information
system that the account is used for. You should not manage privileged accounts
in an IAM solution. And if you have to execute tasks with one of these
accounts: use a Privileged Account Management system to secure it.</span></div>
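<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">As an added example (not code from the original post), the audit below checks the implications listed above on constructed data: a few /etc/passwd style lines, a CMDB-style register of non-personal accounts with owner and component, and a short process list. It flags non-personal accounts that are not registered or have no accountable owner, service and batch accounts that still have an interactive login shell, and services that run as root. The UID_MIN threshold, the NOLOGIN_SHELLS set and all sample data are assumptions.</span></div>

```python
"""Audit of non-personal accounts (NPAs) against a change-management register.

Added example, not code from the original post. All input is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

UID_MIN = 1000  # assumption: first UID for personal accounts (common distro default)
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed sample in /etc/passwd layout: name:password:uid:gid:gecos:home:shell
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
oracle:x:501:501:Oracle DBMS:/opt/oracle:/bin/bash
batchxfer:x:502:502:nightly file transfer:/srv/batch:/bin/bash
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
"""

# Constructed CMDB register: account -> (kind, component it belongs to, owner).
# kind is "system" (interactive, calamities and changes only), "service" or "batch".
REGISTER_SAMPLE = {
    "root": ("system", "linux server srv01", "manager ICT department"),
    "www-data": ("service", "nginx on srv01", "system owner webshop"),
    "oracle": ("service", "Oracle DBMS instance db1", ""),  # owner missing
    # "batchxfer" is deliberately absent: created outside change management
}

# Constructed process list: (process name, account it runs as)
PROCESS_SAMPLE = [
    ("nginx", "www-data"),
    ("oracle_pmon", "oracle"),
    ("ftp-transfer", "root"),  # a service running as root
]


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    shell: str


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Parse /etc/passwd formatted text; blank lines are ignored."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append(PasswdEntry(fields[0], int(fields[2]), fields[6]))
    return entries


def is_non_personal(entry: PasswdEntry, register: dict) -> bool:
    """System-range UIDs and registered accounts are NPAs; the rest are personal."""
    return entry.uid < UID_MIN or entry.name in register


def audit(passwd_text: str, register: dict, processes: list) -> list[str]:
    """Return one finding per violated rule; an empty list means compliant."""
    findings = []
    for entry in parse_passwd(passwd_text):
        if not is_non_personal(entry, register):
            continue  # personal accounts are the IAM solution's job, not this audit's
        reg = register.get(entry.name)
        if reg is None:
            findings.append(f"{entry.name}: NPA not registered in the CMDB")
            continue
        kind, component, owner = reg
        if not owner:
            findings.append(f"{entry.name}: no accountable owner for {component}")
        # service and batch accounts are placeholders for permissions, never interactive
        if kind in ("service", "batch") and entry.shell not in NOLOGIN_SHELLS:
            findings.append(
                f"{entry.name}: {kind} account has interactive shell {entry.shell}"
            )
    for proc, account in processes:
        if account == "root":
            findings.append(f"{proc}: service runs as root")
    return findings


if __name__ == "__main__":
    for finding in audit(PASSWD_SAMPLE, REGISTER_SAMPLE, PROCESS_SAMPLE):
        print(finding)
```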
<div class="MsoNormal">
<br></div>
<div class="MsoNormal">
<br></div>
André Koothttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-76701570200244923582015-11-02T22:09:00.002+01:002015-11-02T22:11:13.596+01:00No business case for Identity Providers (part 3)<style type="text/css">h3.western { font-family: "Liberation Sans",sans-serif; font-size: 14pt; }h3.cjk { font-family: "Droid Sans Fallback"; font-size: 14pt; }h3.ctl { font-size: 14pt; }p { margin-bottom: 0.1in; line-height: 120%; }</style>
<br />
Would I like to be an identity provider?<br />
Well, of course. I would make sure that my identities were very reliable and reusable. My identities must be trusted in order to make them reusable by different service providers, the government, banks and other websites. This, of course, requires the use of open standards and an auditable governance and trust framework.
To achieve this, I need a business model, because someone has to pay for all this.
In my opinion there are several models:
<br />
<ul>
<li>
<div lang="en-GB" style="margin-bottom: 0in;">
The
citizen/customer pays for his digital identity</div>
</li>
<li>
<div lang="en-GB" style="margin-bottom: 0in;">
The
citizen/customer gets a digital identity for free, no costs</div>
</li>
<li>
<div lang="en-GB">
We license a trust framework
</div>
</li>
</ul>
<h3 class="western" lang="en-GB">
$Identity</h3>
<div lang="en-GB">
Anyone requiring a digital identity from a trustworthy
Identity Provider needs to pay for the use of the digital identity.
The question is if I, as a consumer, would be willing to pay for a
digital identity. If I can't use the identity, I don't want to pay
for it: 'What's in it for me?'. This model requires a convincing
story: as a consumer I need the assurance of the reuse potential.</div>
<div lang="en-GB">
If I were an identity provider, would you pay for my
digital identity if I could guarantee reuse? If so, how much? That's
difficult to calculate. There are many costs attached to running a
trustworthy identity management system. Most of these costs are
fixed costs. The more identities I can sell, the lower the management
and security costs per identity and thus the lower the price of a
digital identity. How about $20 for every identity? And with a
periodic renewal every 2 years? Because identities erode.<br />
<br />
<h3>
Zero$ identities</h3>
</div>
<div lang="en-GB">
There are different variants of this model.<br />
<br />
<b>1)</b> Like I mentioned in an earlier post, the Dutch DigiD
is an example of a trustworthy free identity. The identity is free;
the costs of the identity are covered by the identity provider.
Because of the use of DigiD, Dutch citizens can perform a lot of G-C
transactions online; data entry is moved from the civil service to
the citizen. The disadvantage of this model is that the reuse
potential is low. The identity can only be used at a few service
providers within the trust framework, like local government and a
limited number of legally appointed third parties.</div>
<div lang="en-GB">
<br />
<b>2)</b> Another
instance of this model is a company that pays for the costs of
identity management and provisioning for its own customers. Just
like the DigiD case mentioned above, but with a larger reuse objective. All
parties in the trust framework abide by the rules of the trust
framework and guarantee conformance to the rules. This means that
there should be auditable quality and trust criteria, resulting in
some kind of a seal of approval... It looks a lot like the OpenID+
model <a href="http://id-use.blogspot.nl/2015/07/the-business-case-for-identity.html">I wrote about in a previous post</a>.</div>
<div lang="en-GB">
An identity that can be used often has a higher
value than an identity without reuse potential, hence an identity
provider with high reuse value identities will have a better
reputation and may be willing to invest in this identity provisioning
service. What will this cost? The trust framework will be expensive,
so the costs of such an identity will be higher than the costs of the
first model, let's say $50 per identity. That is an investment with a positive
return on investment, even more so if the service results in
frequent customer contact as well, for instance because of periodic
renewal of the identity.</div>
<div lang="en-GB">
<br />
Commercial providers of free identities like
Facebook, Twitter and LinkedIn implement this model in some way. The
reuse potential of this model is moderate to low, because of the lack
of a Trust Framework. Only service providers within the trust
framework of the identity provider (think of Blogspot, which enables
you to use your Gmail account to log on) offer the reuse potential.
Other SP's, who don't require trust, but who just rely on the
identification and authentication of a customer, may allow the use of
a free account.
</div>
<div lang="en-GB">
What is the business case for identity provisioning
for these commercial IdP's? They offer a free digital ID, but who is
paying for it? Because when using it, by logging in using open
protocols like OAuth, there is no transaction fee for authentication.
This is an interesting question. These IdP's seem to gain a lot of
money by managing your digital ID in a different way. Managing and
securing identities is costly, but their business model has an
enormous ROI because of the services they offer by analysing the
value of your identity, your profile. <a href="http://id-use.blogspot.nl/2008/12/behavior-centric-identity-management.html">Your behavior is valuable…</a> </div>
<div lang="en-GB">
Is such an identity a good match for all purposes?
Obviously not. There is no trust in your digital ID, because, no
matter what 'real name' policy, the IdP doesn't really know you, it
only knows your profile. And the provider knows every service
provider you use, based on your logon.</div>
<div lang="en-GB">
You could upgrade the value of an untrusted digital
ID by using a third party verification scheme. For instance, upgrade
your Twitter account by having it validated by another trust
framework. This of course creates a larger reuse potential (in the
other trust framework) with your simple logon feature. But of course,
someone will have to pay for the added trust by verification in a
third party trust framework. There's no free lunch...</div>
<div lang="en-GB">
<br /></div>
<div lang="en-GB">
<b>3)</b> The third instance of this model is that an identity
provider gives out free identities, but makes service providers, who
trust the identity, pay the fee. That could be based on a per-use
fee, or on a subscription kind of fee. This creates a high reuse
potential within this trust framework. In this way the service
provider doesn't have to pay all costs for identity provisioning,
thereby saving a lot of money and limiting compliance risks – if
you don't manage identity data, you can't lose them… How much
should this cost? Hard to say, but I think that $0.10 per reliable
authentication could well be feasible. Or a subscription fee of,
let's say, $10 per customer per year?</div>
<div lang="en-GB">
For IdP's there is a real incentive to create as much
reuse potential as possible. The more often an identity is used, the
higher the profit. But reuse potential is a result of reliability and
reputation, and identity provisioning is an expensive business. And
if a digital identity is not used often enough, this will result in a
financial loss.</div>
<div lang="en-GB">
<br /></div>
<h3 class="western" lang="en-GB">
Last model...</h3>
<div lang="en-GB">
Let's just create a trust framework and have anyone
use it. Both identity providers and service providers pay a license
fee and can start using it. The trust framework guarantees reuse and
every party can decide their own business model
(<a href="http://id-use.blogspot.nl/2008/06/trust-model-for-identity-providers.html">I wrote about this long ago...</a>).
But the trust framework has to be developed, managed and monitored,
according to open standards and governed by legal standards. And
someone has to pay for this model too. There is an example: <a href="http://openidentityexchange.org/">OIX by the Open Identity Foundation</a>.</div>
<div lang="en-GB">
<h3 class="western" lang="en-GB">
Lingering business case problems...</h3>
</div>
<div lang="en-GB">
There are some other problems for identity providers
and service providers. From the business case the main driver for
profit is the reuse potential of digital identities. Only if there is
any reuse capability, operating an IdP can be affordable. When not,
there is no business case. If an identity cannot be reused, it may
well be too expensive for the customer, the IdP or the SP.</div>
<div lang="en-GB">
<br /></div>
<div lang="en-GB">
But there is a strange paradox… The better the
reuse potential, the less I am inclined to use other identities; the
one with the best reuse potential will be my preferred ID. This means
that I don't need another IdP. And the same is true for other consumers as well. This means that there is limited room for other IdP's. (I know, you may want to use more than one identity, but that's out of scope for this post :) )</div>
<div lang="en-GB">
<br />
<br />
<h3>
Is there a business case for IdP's?</h3>
</div>
<div lang="en-GB">
No trust framework, no reuse. No reuse, no business
case. No business case, no digital identities. No digital identities, no
trust framework. No trust framework, no reuse, no business case.<br />
<br />
I may want to be an Identity Provider, but I don't believe that there is a business case, unless you manage to be in the same league as Facebook and friends...<br />
<br />
<br />
<br />
(based on my Dutch language post https://www.cqure.nl/kennisplatform/digidem-4-het-opbrengstenmodel) </div>
André Koothttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-43674373198503190672015-07-27T22:14:00.000+02:002015-07-27T22:14:44.977+02:00The business case for Identity providers (part 2)<a href="http://id-use.blogspot.it/2015/07/the-business-case-for-identity.html">In my previous post</a> I wrote about the costs of identity provisioning. Yes, a digital identity doesn't come for free, although you may experience otherwise. Lots of digital identities you get are free. For you, as a consumer or citizen. But the costs connected with your identity can be quite high. As I showed in my previous posts, the costs of compliance and governance are high. And depending on the trust model that comes with the identity, the value of an identity can be high too. An identity is valuable if you can use it often and reuse it as well. The better the reuse potential, the higher the value of the digital identity that you may experience. And the higher the value that you experience, the more you will be inclined to use it.<br />
But not every identity is equally valuable for us as citizens or consumers. In my opinion there are two major factors that impact the value: Trustworthiness and Reusability. Let me expand on this:<br />
<br />
Trustworthiness is an interesting concept. In my country, The Netherlands, a few digital identities are trusted by almost everyone. A good example is a banking account. I can use my banking account at almost every webshop to perform transactions, limited only by the balance of my bank account. The banks in our country created a strong trust framework. They have to, of course, as they have to comply with lots of (international) rules and regulations. They made agreements with several trust brokers, so that even small shops could be part of the trust framework. Yet, the reuse potential of my bank ID is very low. I cannot use my bank ID to log in to other sites, or webshops, or to log in to a governmental site. Banks don't want you to reuse the identity. In fact, it is just an authorization ID; it only lets you perform a financial transaction... Don't ask me why...<br />
Interestingly: the bank ID may look free, but we have to pay a subscription fee every year in order to be able to use it.<br />
<br />
The Dutch digital government identity is less trustworthy. Mostly because the provisioning takes place without a visual verification of the identity of the citizen. But although the trust level is quite low, the reuse potential is better than the bank ID, because the government wants the citizens to use the citizen ID to perform transactions with all kinds of governmental sites, and even some external parties can be accessed with 'DigiD'.<br />
The best part of this ID is that it's free... Until you remember that it is free because you, as a citizen, perform several tasks that, until a few years ago, were performed by civil servants. The cost savings for the government must be enormous. That more than pays for the costs of ID compliance and ID governance.<br />
<br />
There are other free digital identities. Just look at this account, a Google account, or Facebook or Twitter. These accounts can be reused. But reuse is limited to parties within the trust framework of the identity providers. I can use my Gmail account to create posts on Blogger, but not to post a Twitter status update. Although OAuth kind of obfuscates the reuse boundaries, thank you OAuth ;)<br />
<br />
Strangely I cannot recall a paid trustworthy digital identity that can be reused. Could that be a feasible option? I feel that there could well be a paid model. Of course there should be a trust model and of course that will be expensive. But perhaps there could be a business case for such a proposition.<br />
<br />
To sum it up:<br />
<ul>
<li>We do have free digital ID's that we can reuse, but with little trust</li>
<li>We do have paid trustworthy digital ID's that we cannot reuse</li>
</ul>
<br />
So, there may be room for<br />
<ul>
<li>Free trustworthy ID's that we can reuse</li>
<li>Paid ID's that we can reuse</li>
</ul>
<br />
But... do we need all that?<br />
I will try to answer this question in my next post.<br />
(this post is a translated version of <a href="https://www.cqure.nl/kennisplatform/digidem-3-wie-betaalt-de-identiteit">my earlier Dutch language post</a>)André Koothttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-52912742677106930682015-07-06T22:28:00.002+02:002015-07-06T23:04:40.556+02:00The business case for Identity providers (part 1)<style type="text/css">p { margin-bottom: 0.25cm; line-height: 120%; }</style>
<br />
<div style="line-height: 100%; margin-bottom: 0cm;">
In the Netherlands
the government provides a reusable digital identity, DigiD, to its
citizens. DigiD can be used for different G-C transactions: for
tax-return forms, getting certain licenses from local government,
communicating with health insurance companies and pension funds. The
uses are strictly defined by law; you can't use DigiD for commercial
transactions, like webshops, or for other transactions. And DigiD can
only be used in the Netherlands, not abroad. There is another 'minor'
problem with DigiD: any Dutch citizen can request a DigiD and the
DigiD Identity Provider (IdP) sends an activation code by
snail-mail. Not the most secure way of identity provisioning, and
there have been some incidents of criminals fishing the activation
letters from the mailbox. And if a criminal first requested a DigiD
on behalf of a victim, of course he knows when to look out for the
mail to capture it…</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
Anyway the Dutch
government is in the process of building a new identity framework,
thereby making it possible for third parties to act as an identity
provider within the Dutch eID framework.</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
In a series of
blogposts (Dutch: <a href="https://www.cqure.nl/kennisplatform/digidem">First post</a> and
<a href="https://www.cqure.nl/kennisplatform/de-case-voor-de-idp-business-case">second one</a>)
I asked myself the question: is there a business case to become an
IdP? Is there any commercial driver to become an IdP? Or are there
other drivers?</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
I found out that it
is very hard to answer these questions positively…</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
A few years ago I
was at the European Identity conference in Munich and on one of the
panels Kim Cameron remarked that everyone wants to be an IdP. If
consumers use your identity, the single fact that people use one of your
identities creates brand value. You grow a valuable reputation.</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
But if everyone
becomes an IdP, what does that mean? Can you use and reuse every one of those
identities? That makes for an interesting problem: at this moment
no one wants to accept just any third party digital identity. The
reuse capability is very small, too small to make people use a third
party identity. We have a deadlock situation. Why is that?
</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
Of course some
identities can be reused. Think about Facebook, Twitter and LinkedIn identities. These can be reused, but just to a certain
extent. These (free) identities are only trusted by service providers if there's something in it for them... For a
service provider these identities make it possible to have an
authenticated account, without the need to store and protect identity
information, like passwords. You can't lose what you don't have. So accepting third party identities is not only useful for consumers, but even more for SP's, as some kind of preventive privacy control against data leakage. But
no service provider will let you make financial transactions using a
Facebook account. Facebook (as a service provider) may do so, but
independent third parties will be very reluctant.</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
Why is the reuse
capability of third party identities limited?</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
Well, in my opinion
it's the lack of a transparent, and trusted, Trust Framework.</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
A few years ago we
tried to create a Trust Framework based on the OpenID standard; we
called it OpenID+, the + being the Trust Framework. The group that
worked to create OpenID+ consisted of a government body, a few
financial corporations, some e-business companies and media corporations,
all prominently present in the Dutch internet space. Interestingly,
both IdP's and SP's took part in the development of the trust
framework. The main principle being that any OpenID+ SP would have to
accept any identity that was provided by any OpenID+ IdP!</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
We started building
the policies and procedures in our spare time (I know, I was one of
the authors) and when we deemed the framework sufficiently mature, we decided to go
ahead and start a few OpenID+ proofs of concept. In order to build
the trust framework, we defined the technical extensions for OpenID,
the policies for the identity provisioning processes, for
deprovisioning, for auditing and for legal issues. These were some of
the questions that had to be answered in order to create the trust
framework:</div>
<ul>
<li>Should we create a (secure and trusted) white list of
trustworthy OpenID+ IdP's?</li>
<li>How should an OpenID provider
apply for the white list?</li>
<li>Should there be an audit
guideline for audit or self-assessment?</li>
<li>Can any service provider access
the white list, or should we allow only connected OpenID+ service
providers?</li>
<li>How could we guarantee that all
providers would interpret claims and attributes in the correct
manner?</li>
<li>What should happen if an
incident occurs? For instance in case of misuse or theft of an
OpenID+ identity, or wrong interpretation of an attribute of an
OpenID+ identity by a service provider?
</li>
<li>How about liability in case of
an incident?</li>
<li>How long should a white list
entry be valid?</li>
<li>Would we need an arbitration committee?
</li>
</ul>
<div style="line-height: 100%; margin-bottom: 0cm;">
Quite a lot of questions, and these were only a few of them. And that was when
the trouble started. Defining the standards was okay, but implementing
the standards proved very difficult. We found out that building such
a trust framework was very expensive. Especially the documenting and
auditing of the processes and techniques proved so costly that the
parties became afraid of what would come next. Who should pay the
costs of such a trust framework?</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
As a result the
OpenID+ framework was never implemented. There was no positive
business case for any of the participants.
</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
That's not the end
of it. Yet. There are several financial models for IdP's. In my next post
I will introduce different models and expand on the business case for
Identity Providers. And I will try to explain why the reuse
capability of digital identities is critical for the success of IdP's.</div>
<br />
André Koothttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-41451312925967490022015-06-28T20:39:00.000+02:002015-06-29T12:24:57.142+02:00Fighting Android insecurity FUD<style type="text/css">p { margin-bottom: 0.25cm; line-height: 120%; }a:link { }</style>
This week Dutch newspaper <a href="http://www.volkskrant.nl/tech/groot-lek-in-android-telefoons~a4089416/">Volkskrant warns</a> against a severe leak
in Android that enables attackers to install software on an Android
device without consent of the user and without even touching the
device. The journalist of the Volkskrant wrote an article about some
Dutch scientists who claim to have discovered a leak in Android
security. They posted their findings with a demo of the leak in a
video (that to this day can be downloaded here:
<a href="https://drive.google.com/file/d/0B73YUDeOq3OWTG93enVYVWN3TXc/view?pli=1">https://drive.google.com/file/d/0B73YUDeOq3OWTG93enVYVWN3TXc/view?pli=1</a>).<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhztBWasxtdepIAYpHxtubnhxUf0GkqZy1aaFlFnsmLQzjfhzwurZBBSSONFHgw2q0qDppRibfzVks3K1JJB5Jvu6bK_3NoFqcbleHtP522S2ymP_oQkJaudwGhY-i8Ckb2lETUQJ4sa40/s1600/G2FA-hacker.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="149" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhztBWasxtdepIAYpHxtubnhxUf0GkqZy1aaFlFnsmLQzjfhzwurZBBSSONFHgw2q0qDppRibfzVks3K1JJB5Jvu6bK_3NoFqcbleHtP522S2ymP_oQkJaudwGhY-i8Ckb2lETUQJ4sa40/s320/G2FA-hacker.png" width="320" /></a></div>
<br />
The video shows some convincing and exciting insights into the hack.
From an infected web browser the scientists install malicious software
on a cell phone using the browser version of the Google Play Store,
thereby enabling all sorts of abuse on the phone. In the video you
see some very alarming demonstrations and scenarios: abuse of
PayPal accounts, the option of reading SMS messages, e-mails, etc.<br />
<br />
<br />
The issue exists because of the tight integration between all
Google services, from Gmail to Play Store, and that extends to
Android devices. This integration is based on the fact that all
Google services are bound to one Google account. The scientists show
that using a stolen Gmail account, an attacker could upload malicious
software to an Android device using only the Play Store web front
end, without touching the device itself. The user takes action on
behalf of the attacker, by activating the malware, thereby opening up
the device for the attacker.<br />
<br />
<br />
The scientists end their performance with the statement that you
should build security into a product, instead of building security on. This statement stems from their claim that they reported the issue to Google, but that they never got a reply. Anyway, all major Dutch media posted the item as well: Android is a big
risk.<br />
<br />
If I were a scientist or a journalist, I would check the facts
before posting these statements and ask some questions first. My Questions would look like this:
<br />
How does a Google account get hacked?<br />
<blockquote>
The scientists claim that a Man in the Browser attack
could be used, but they never say how, when and why. I believe it
could be done, but the first conclusion must be: this Hole, or
whatever it is they found, can only be done if a google account is
stolen, by whatever means. This clearly is not an Android problem. If
a Google account is stolen, there are more problems than just
uploading malware. <br />
But when you think further, the first and
foremost issue is the fact that if a browser gets infected with evil
code, an attacker controls that browser (and sometimes more) which
means that people who use online banking, Paypal, read their e-mail
through a browser or shop online can expect an attacker to harvest
all data. And yes ... obviously use all sorts of logins for evil
purposes: Twitter, Facebook, Microsoft and of course Google. This
isn't new. Investigative journalist Brenno de Winter (@brenno)
demonstrated this a year ago and he explained how you can abuse such
a weakness. In his case he used a KLM-domain that the company had
forgotten
[<a href="http://www.nu.nl/internet/3733033/vergeten-klm-domein-opende-weg-phishing.html">http://www.nu.nl/internet/3733033/vergeten-klm-domein-opende-weg-phishing.html</a>]
(Dutch). The server the domain name pointed to was vulnerable to
all sorts of attacks. This way an attacker could install webpages
filled with malware, make look-alike (phishing) websites, etc. Using
freely available tools the journalist created a fake Google login page
to harvest credentials or use the credentials that the malware
harvests. Then he installed Cerberus App
[<a href="http://www.cerbereusapp.com/">http://www.cerbereusapp.com/</a>]
on the Android device. With this software you can control the phone,
read SMS-messages, record audio, record video, take pictures and even
worse: you can hide the app from the drawer. So the user won't notice
he is being spied on. This looks remarkably like the new leak by the
scientists. New? No way. Science? No way. Is this an Android, or
Google issue? No way.</blockquote>
How does the malware get installed on an Android device?<br />
<blockquote>
The scientists claim that you can install malware on an
Android device using Google Play services. This clearly is not the
case. There is (almost) no malware on the Play Store. Google's security
controls on the Play Store are so strong that malicious software
can hardly be published. Repackaging regular software with a
malicious payload and uploading it to the Google Play Store is not feasible.</blockquote>
<blockquote>
So, no Android issue here either.
</blockquote>
Will Android users activate software on their device?<br />
<blockquote>
Who knows. People are curious and not always security
aware; they might just install malware. But for an attacker to build a
business case on this scenario is not realistic.</blockquote>
<blockquote>
But again, this is not an Android issue, as all phishing
tests prove.</blockquote>
How is the tight integration on other platforms?<br />
<blockquote>
Microsoft and Apple use the same kind of integration on
Windows Phone and iOS. I have no experience with those platforms. The
differentiator is that these platforms don't have remote push of
apps. The vulnerability may be different from Android.</blockquote>
<blockquote>
This Android feature could be a risk.</blockquote>
Is there no workaround? What should end users do to prevent being compromised through these
leaks?<br />
<blockquote>
No idea, science gives no answer... And the journalist
doesn't show any hints either.</blockquote>
<br />
<br />
Did you examine this exploit on your own systems? Because criticising scientists and journalists without evidence is only too easy... <br />
<blockquote>
Here I go: I installed a new browser on my Windows PC (in order to be able to act as an attacker).</blockquote>
<blockquote>
Next I browsed to play.google.com and behold, all apps are
visible.</blockquote>
<blockquote>
Next I logged into Play service using my single Google
account.</blockquote>
<blockquote>
Yes, logged in, almost... the Google two factor authenticator function popped
up, reporting it sent a text message to my mobile device...
</blockquote>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2aRFlTWuAJ0tMtaTEhP9A_Q81Bg9S_rLUm3m5qyvFoIQ46VwsWAxf6pxph4gMXlMHpnj5fxZNSqWlB3uzYNLQfllwbrOL16NY2pR24zqV7Hw5-w4eb0Z4Oo-Xx8oSabJKojOTmOlt4BI/s1600/G2FA.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2aRFlTWuAJ0tMtaTEhP9A_Q81Bg9S_rLUm3m5qyvFoIQ46VwsWAxf6pxph4gMXlMHpnj5fxZNSqWlB3uzYNLQfllwbrOL16NY2pR24zqV7Hw5-w4eb0Z4Oo-Xx8oSabJKojOTmOlt4BI/s320/G2FA.png" width="233" /></a></div>
<br />
<br />
My bad, I'm not a hacker, I failed miserably. I could not log in to
Google Play services without entering the text message code on my mobile
phone. I could not even push regular software from the Play Store to my
device. Oh no, I am not a scientist or journalist, I couldn't
replicate the findings, I can't exploit the Android leak as an attacker. Or... is activating two-factor authentication enough to mitigate the risk? <br />
<br />
<br />
So, dear scientists and journalists, before posting FUD, please
investigate the problem, not the symptom. If you claim that there is
a vulnerability (not even a leak), do so from different perspectives. First check the facts. Then check if the issue is new. Then doubt your own findings. That's science. That's investigative journalism. If you don't,
you just create FUD.<br />
<br />
<br />
Disclaimer: I'm not an Android user.André Koothttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-69561791089473305882015-05-23T08:16:00.001+02:002015-05-23T08:23:08.825+02:00Using Passbook for Attribute ManagementBy now we know all there is to know about managing digital identities &lt;sigh&gt; so the next level of access control is to further investigate managing (defining, granting and revoking) authorizations. And the ideas about granting access to resources, based on certain (user-owned) attributes, are gaining ground. In the future I will get access to documents, files, databases and locations based on attributes, more than because of who I am (one of my many identities).<br />
<br />
A while back I wrote some posts ("<a href="http://id-use.blogspot.com/2014/05/i-need-pal-or-pass.html">I need a PAL or a PASS</a>" and "<a href="http://id-use.blogspot.com/2014/05/attribute-management.html">Attribute management</a>") about managing attributes and about the lack of information on this issue. And I found one interesting entity providing attributes: ISACA issues attributes in the form of OpenBadges, an open standard for managing arbitrary attributes in a digital wallet, like Mozilla Persona.<br />
<br />
Only recently did I come across another digital wallet system, Passbook by Apple. According to Wikipedia "Passbook is an application in iOS that allows users to store coupons, boarding passes, event tickets, store cards, credit cards as well as debit cards via Apple Pay." That's interesting. I didn't know about Passbook, because I don't own or use any iThings, but someone crafted <a href="https://openrepos.net/content/p2501/pass-viewer">an app for the Sailfish OS</a> on my Jolla smartphone. So, thank you :)<br />
<br />
A little about the purpose of Passbook: it is there to manage coupons, tickets and all. And those items are valuable items, they have to be protected. So inherently passes are secured to a certain level and Passbook must facilitate that. These items give access to certain features that were defined by the coupon or ticket provider, these permissions were defined by the owner of the resource that the ticket holder wants to have access to.<br />
<br />
This looks a lot like the owner's responsibilities that we see in regular IAM environments. Someone, the owner of a resource, a file, a database, a room, defines access rules and decides which identities can have access. Yes, not unlike any theater ticket. And yes, I did write that I need a Personal
Attribute Storage System, a PASS. It could well be a Passbook...<br />
<br />
Can we use some app like Passbook for attribute management? Yes of course, by all means. But I am curious to know whether Apple created an open standard to make it feasible to use the platform elsewhere too.André Koothttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-6773591251539138342015-03-24T22:37:00.003+01:002015-03-24T22:37:54.218+01:00Beat Cryptolocker - ditch documentsA few years ago, a company I worked for had to upgrade their MS Office version to a more recent version. They had to, because they wanted to move to a new Sharepoint version, so they could use Sharepoint as the new document management system. Of course, using Sharepoint as a central document management system only works if all employees learn how to use Office and Sharepoint in the manner that Microsoft designed it. Until today I never saw any company where Sharepoint was implemented in the right way. In many cases documents are stored just like documents are stored on a file server, in a hierarchical way, resulting in the same mess that you find in any organisation that uses documents: lots of copies, versioning problems, corrupted files and, not least, compatibility problems, because MS Office is not capable of storing files in a transparent way. Update and you're doomed...<br />
<br />
A long time ago I wrote a report for a company advising them to do away
with documents and move to a content management system based solution: write and store your documents in a CMS or (enterprise) wiki. I love wikis. There is only one current version of any document, old versions are always available, with change tracking, and there are no compatibility problems, since all text is stored in the simplest way, using a simple markup language. And, not least, there are great full-text search features. Try that on a file server or in Sharepoint...<br />
<br />
Anyway, the company never followed my advice. They really wanted the Office lock-in, so that you could check the presence of people involved in the document creation process...<br />
<br />
<br />
But now there's a new incentive to ditch documents. Cryptolocker.<br />
<br />
Cryptolocker is malware intended to extort people by encrypting documents on a computer. Or on a server. On Skydrive and perhaps on a Sharepoint server (<a href="http://community.office365.com/en-us/f/154/t/206622.aspx">MS claims that Office365 is not vulnerable</a>). The criminals claim to decrypt the documents after payment of a large amount of money. There have been some reports of cryptolocker software malfunctioning, whose crypto functions can be bypassed, but in most cases an infection with cryptolocker is very bad news for a victim.<br />
<br />
<br />
The only way not to fall prey to these criminals is by not having any documents on a PC or server, or on Sharepoint. If you don't have documents, they cannot be locked. In order to do so, move to CMS based text creation and storage: use a CMS, use a wiki, use Prezi-like presentation solutions, use EtherCalc instead of desktop software. And don't misuse Excel for data manipulation or statistical analysis; use databases and BI tools. Output: why print it? Use a live data viewer, or PDF generators if you need a hard copy.<br />
<br />
<br />And if you really want to use documents, move to platforms that are not vulnerable. Much cheaper than paying for ransomware.André Koothttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com1tag:blogger.com,1999:blog-8714108732005385671.post-82486570166756976792015-03-20T21:30:00.000+01:002015-03-20T21:34:11.560+01:00AD is EOLRecently I had this discussion, about managing identities in a
company and what strategy to follow towards future developments like
Attribute Based Access Control. A very interesting discussion,
because this company was quite big and employs several tens of
thousands of personnel. And only a few thousand of those have a
Windows account. These people need an account because they have an
email address and need access to folders and shares. The others don't
have a Windows account, because they don't use any information
systems.<br />
<br />
<blockquote>
AD is a silly tool: it's a user directory, a domain
controller, an authentication service, an authorization server, a
federation server. Too big to fail, but no focus.</blockquote>
<br />
During the discussion the IT manager of the company stated that he
wants every employee to get an Active Directory account, because he
feels that in the near future everyone needs to access some
information resources on a Windows server or Sharepoint. Everyone
needs an AD account (no, licensing cost is not yet a problem, as
long as they don't use the account actively).<br />
<br />
In my opinion this is not the right strategy. In the near future
we won't access data on Windows or Sharepoint servers anymore. We
will use web services on web servers that we access with a digital
identity that can come from any (trusted) source. Active Directory
will become Passive Directory.<br />
<br />
It already happened: my company doesn't even have an AD anymore. I
think it will be end-of-life before it's end-of-support...<br />
<br />
<br />
<br />
Yes, I know, I must be wrong, everyone is expanding AD and so growing their legacy base. And we all move to Azure AD. But just think about this thought experiment... <br />
<br />
<br />
<br />André Koothttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-61972718888628473742015-02-25T21:49:00.000+01:002015-02-25T21:49:05.807+01:00OpenBadge Based Access ControlA while ago I posted a few entries about using attributes instead of roles to grant access to resources. At the same time I wrote that the current way of providing attributes is limited. So far attributes are provided by identity providers, hence only parties that trust an identity provider know what attributes can be used and may decide to trust the attributes provided by the identity provider. But as I stated, there are many cases that you do not want to get an attribute from your identity provider. You may have passed an exam, received a compliment or endorsement, or you may be part of another community than the one you work for and the one who provides your (digital) identity. Your digital identity provider may not even know all these attributes. And rightly so, an identity provider needs to provide trustworthy (within the trust framework) identities.<br />
<br />
So I came up with the idea to <a href="http://id-use.blogspot.nl/2014/05/i-need-pal-or-pass.html">make it possible to receive and collect attributes</a>, much in the same way that we are used to receiving and collecting badges for gaming, or scouting...<br />
<br />
And <a href="http://id-use.blogspot.nl/2014/05/attribute-management.html">I showed</a> that such a mechanism is in use at this very moment, although not yet in the way that I want: ISACA provides digital badges to certified members. And you can collect these badges in a digital wallet, which you can also use to present your badges.<br />
<br />
It's a pity that there is no other use for these ISACA attributes yet. I would like to use my CISA and CISM badges to be eligible as a candidate for a security consultancy project with prospective customers. How easy it would be to just show my ISACA badge, instead of writing a resume or pointing to my LinkedIn profile. If you need an IT auditor, here's my ISACA CISA badge... Or if you need a CISM, just search LinkedIn for CISM badges...<br />
<br />
<br />
<a href="http://standardsandfreedom.net/index.php/2015/02/25/badges-for-libreoffice/">Today I learned</a> that there is another organisation contemplating providing badges. LibreOffice volunteers may get badges in the OpenBadge format, the same format that ISACA is using. This will most certainly mean that we will see OpenBadge become the default open standard.<br />
<br />
We probably have to come up with use cases for access control based on OpenBadges. Currently these badges are just that: they just show that you are a member of a community, but there are no permissions connected to badges. Yet...<br />
<br />
André Koothttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-76729513485099490322014-06-26T09:18:00.003+02:002014-06-26T09:18:56.424+02:00"Authentication versus authorization" - Axiomatics blogIf you're interested in modern access management techniques, using SAML, OAuth and XACML based access, you should really read the three-part blog by <span class="blog-author"> <a href="https://developers.axiomatics.com/blog/bloggers/blogger/listings/ahindle.html" itemprop="author">Andrew Hindle</a> on the Axiomatics website:</span><br />
<a href="https://developers.axiomatics.com/blog/index/entry/authentication-vs-authorization-part-1-federated-authentication.html"><span class="blog-author"><br /></span></a>
<a href="https://developers.axiomatics.com/blog/index/entry/authentication-vs-authorization-part-1-federated-authentication.html"><span class="blog-author">Part 1: Federated Authentication</span></a><br />
<span class="blog-author"><br /></span>
<a href="https://developers.axiomatics.com/blog/index/entry/authentication-vs-authorization-part-2-saml-and-oauth.html"><span class="blog-author">Part 2: SAML and OAuth</span></a><br />
<a href="https://developers.axiomatics.com/blog/index/entry/authentication-vs-authorization-part-3-bringing-it-all-together.html"><span class="blog-author"><br /></span></a>
<span class="blog-author"><a href="https://developers.axiomatics.com/blog/index/entry/authentication-vs-authorization-part-3-bringing-it-all-together.html">Part 3: Bringing it all together</a></span><br />
<span class="blog-author"><br /></span>
<span class="blog-author">Enjoy!</span>André Koothttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-83526741507687575592014-05-28T00:11:00.003+02:002014-05-28T00:11:35.457+02:00All your passwords are belong to criminalsAgain a few issues with passwords being copied by criminals. This week alone saw mentions of ebay, avast (forums) and spotify. In all cases the managed passwords were said to be hashed, so criminals have to brute force the passwords. But that is just a matter of time. And since Moore's law extends to password crackers, chances are that the copied passwords will be guessed shortly.<br />
<br />
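How much of that time the criminals need depends on what "hashed" meant at the breached site. The following is an added example, not code from this post, that stores the same constructed sample passwords two ways: as a single unsalted SHA-1 digest, and as salted PBKDF2-HMAC-SHA256 from Python's standard library. The user names, passwords and wordlist are constructed for the demo, and the iteration count is an assumption to be tuned per deployment.

```python
"""Added example, not from the post: what "hashed" can mean.

A breached site saying its passwords were "hashed" may mean a single
unsalted SHA-1, or a salted, deliberately slow key derivation function.
This compares the two using PBKDF2-HMAC-SHA256 from the standard library.
User names, passwords and the wordlist below are constructed for the demo.
"""
import hashlib
import hmac
import os
import time

# Constructed sample: three users, two of whom chose the same password.
SAMPLE_USERS = {
    "alice": "Summer2014",
    "bob": "Summer2014",
    "carol": "correct horse battery staple",
}
# Constructed wordlist standing in for the lists crackers start from.
WORDLIST = ["password", "123456", "Summer2014", "letmein", "qwerty"]

PBKDF2_ITERATIONS = 200_000  # assumed work factor: raise it as hardware gets faster


def fast_unsalted_hash(password: str) -> str:
    """Single SHA-1, no salt: equal passwords give equal digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def slow_salted_hash(password: str, salt: bytes = b"",
                     iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as
    iterations$salt_hex$digest_hex so the parameters travel with the hash."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_slow_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicate_digests(stored: dict) -> bool:
    """True if two users share a stored value, i.e. the table itself reveals
    who picked the same password (unsalted hashes do, salted ones don't)."""
    return len(set(stored.values())) < len(stored)


def wordlist_exposure(stored: dict, wordlist: list) -> dict:
    """Audit an unsalted table: one digest per word is enough to match
    every user with that password, however many users there are."""
    table = {fast_unsalted_hash(w): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def cost_ratio(guesses: int = 10) -> float:
    """Rough wall-clock ratio of one PBKDF2 guess to one SHA-1 guess."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for i in range(guesses):
        fast_unsalted_hash(f"guess{i}")
    fast = time.perf_counter() - t0
    t0 = time.perf_counter()
    for i in range(guesses):
        slow_salted_hash(f"guess{i}", salt)
    slow = time.perf_counter() - t0
    return slow / max(fast, 1e-9)


if __name__ == "__main__":
    unsalted = {u: fast_unsalted_hash(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: slow_salted_hash(p) for u, p in SAMPLE_USERS.items()}
    print("duplicates visible, unsalted:", duplicate_digests(unsalted))  # True
    print("duplicates visible, salted:  ", duplicate_digests(salted))    # False
    print("matched from wordlist:", wordlist_exposure(unsalted, WORDLIST))
    print("PBKDF2 / SHA-1 cost ratio: about", round(cost_ratio()))
    print("verify works:", verify_slow_salted("Summer2014", salted["alice"]))
```

The salt removes the shared-digest leak between users and defeats precomputed tables; the iteration count is what turns Moore's law from a deadline into a tunable, since it can be raised whenever hardware catches up.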
What does this mean? The Avast case does not look very critical. <a href="http://id-use.blogspot.nl/2013/11/adobe-lesson-learned-do-not-use-complex.html">As I wrote earlier</a>, many people create accounts with little security, just for the purpose of connecting to services that are not very critical. But the ebay case is a severe incident.<br />
ebay is not just any website, it's a site that allows you to make transactions and it keeps lots of files and records about you. It's like a digital identity and <a href="http://id-use.blogspot.nl/2008/12/behavior-centric-identity-management.html">they know your behavior</a>. And the criminals not only stole the password and userid, but other sensitive data as well.<br />
<br />
Of course you should change your ebay password. But: since your ebay account is important for you, you may well use the same account information for other sites too. <br />
<br />
If by any chance you use the same ebay password with any account that is connected to the same email address that you registered at ebay, you should change the password for those accounts too!André Koothttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-26539729210904267482014-05-12T12:14:00.001+02:002014-05-12T13:44:14.957+02:00Still running XP? Bad for you...Last month <a href="http://id-use.blogspot.nl/2014/04/dont-stop-using-xp-until.html">I wrote that</a>, despite all warnings about the imminent death of Windows XP, until May 13th Windows XP could still be used in a relatively secure way. In fact, the recent off-schedule security patch by Microsoft proved my point. But I also said that from that day on XP is doomed. If you still use an XP system, chances are that the system will be a victim of an attack.<br />
<br />
On May 13th, Microsoft publishes some security patches that will not be published publicly for Windows XP systems. Only a few organizations, who pay dearly for extended extended support, will enjoy the benefit of keeping their XP systems alive. But for the rest of us, XP will be at risk.<br />
<br />
What happens every month: if Microsoft publishes a security patch, criminal minds reverse engineer a vulnerability based on the changes in the patch. They try to figure out ways to penetrate systems that are not (yet) patched. And in many cases within a few days the first exploits are around. Since all Windows generations from NT onwards are very alike, chances are that a vulnerability in a recent Windows version exists in Windows XP too. And if a system is not patched, such an exploit will be a zero-day exploit forever.<br />
<br />
Can you protect XP systems that are not enjoying extended extended support? No, not unless you never connect it to the outside world directly or indirectly. Even anti-malware software may not guard an XP system against exploits.<br />
<br />
What should you do? Migrate, migrate, migrate, to whatever more recent operating system that you can think of. If you're in a company: get your management fired asap. They are the next vulnerability that will not be patched.André Koothttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-13338064653482285992014-05-10T23:32:00.003+02:002014-05-10T23:32:58.117+02:00Attribute managementIn my previous post I said that I need a facility to manage attributes issued by third parties. I have plenty of digital identities, but most of them can only be used for a specific purpose. A limited number can be used in a multi-purpose fashion.<br />
There's DigiD, the Dutch digital identity that was provided to me by the Dutch government and that can be used in my relation with a number of national and local government transactions and for a few transactions beyond that, like for my health insurance business. But these services can use only one specific attribute of my DigiD identity, the 'BSN', a unique identifier, like the American SSN.<br />
Another multi-purpose identity is my Twitter account. It too has only some predefined attributes; if a service provider needs extra attributes, it needs to capture those through other channels. But there are no attribute providers beside the identity providers we know and love...<br />
<br />
But, a few weeks ago I received an invitation from ISACA to download digital Badges that can be used to indicate that I am a Certified Information Systems Auditor (CISA) and a Certified Information Security Manager (CISM). These badges can then be imported in an 'Acclaim' account, that I can use to present my badges to others. And ISACA mentioned that presenting these badges in my LinkedIn profile is a preferred way to show my certifications.<br />
<br />
How about that? ISACA issues a badge that proves my qualification. It is an attribute of my profile, it belongs to me. Not to one of my identities, but it is an attribute of me as a professional. And ISACA is qualified to issue these attributes, ISACA created these attributes, ISACA is the owner of the CISA and CISM titles.<br />
<br />
ISACA issues badges in the form of an <a href="http://openbadges.org/">Open Badge, an open standard, created by Mozilla</a>. And Mozilla created its own backpack facility in the Mozilla Persona digital identity. The backpack can be seen as a wallet that contains the badges. Acclaim is another form of a digital badge wallet. <a href="https://www.youracclaim.com/users/76245502-75ea-49e8-b6ee-c87a1fe7dff5">Here is the acclaim page with my ISACA badges</a>.<br />
<br />
I really liked this idea, so I created my own badge issuing process. As you may recall I started the <a href="http://id-use.blogspot.nl/2013/08/ditch-cyber-campaign.html">#ditchcyber campaign</a> and this campaign is supported by the @CyberXpert account. I decided to offer CyberXpert badges to followers of this Twitter account. Any follower who uses the RCX or CCX title can get a digital badge and import that badge in a Persona Backpack. <a href="https://backpack.openbadges.org/share/d88761a65f5d8e6ca1f4f29461c92657/">Here's my backpack, showing a CyberXpert badge</a>.<br />
<br />
Next thing we need to find out is whether an Open Badge attribute can be collected by a digital identity and combined into a SAML message.André Koothttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-88598996259819061782014-05-08T21:42:00.000+02:002014-05-08T21:42:26.202+02:00I need a PAL or a PASS<div class="western" lang="en-GB" style="line-height: 100%; margin-bottom: 0cm;">
</div>
<div class="western" lang="en-GB" style="line-height: 100%; margin-bottom: 0cm;">
There are two IAM concepts that I really like:
</div>
<div class="western" lang="en-GB" style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<ul>
<li>Identity 2.0, where I can log in to a service provider using an
identity that was provided to me by an identity provider, who proves
that it is really me.</li>
<li><a href="http://csrc.nist.gov/projects/abac/">Attribute Based Access Control</a> (link to the NIST ABAC standard):
you get authorizations not based on your identity, but on your
capabilities that some
authority feels you have.</li>
</ul>
<div class="western" lang="en-GB" style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div class="western" lang="en-GB" style="line-height: 100%; margin-bottom: 0cm;">
The first development makes it possible to separate responsibilities
for objects on the internet. A service provider only needs to take
care of services and data, an Identity Provider (IdP) only has to
take care of digital identities and authenticating its users. A
service provider only needs to trust the digital identities provided
by an Identity Provider, and that creates an enormous scalability of
web services.</div>
<div class="western" lang="en-GB" style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div class="western" lang="en-GB" style="line-height: 100%; margin-bottom: 0cm;">
Attribute Based Access Control enables the authorizing of persons as
requested by a process owner or data owner. This owner has to define
the quality requirements for executing tasks within a process or
towards a data element.
The process owner or data owner doesn't need to have any knowledge
about the identities or roles or groups that are defined within an
organization. But this is a new concept and a very tough
responsibility: these owners never before had to think about these
requirements. Nevertheless, this is an exciting concept: someone
doesn't get permissions because of his function or role within an
organization, but because of his capabilities. And these capabilities
are called 'attributes' of the identity.</div>
<div class="western" lang="en-GB" style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div class="western" lang="en-GB" style="line-height: 100%; margin-bottom: 0cm;">
The interesting thought is that an identity provider also provides
some attributes. Such as address, phone number, gender, date of
birth, expiration date and a lot of other variables. The IdP concept
of ABAC is implemented in the SAML message format, where the term
Claim component is used as the attribute component.</div>
<div class="western" lang="en-GB" style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<blockquote class="tr_bq">
<div class="western" lang="en-GB" style="line-height: 100%; margin-bottom: 0cm;">
One of these attributes could well be the Role of an identity. An
internal identity provider in an organization may well know the
function type or role of an employee, who gets a business identity.
In such a case an attribute can be used to allow Role Based Access
Control capabilities to the access control mechanism.</div>
<div class="western" lang="en-GB" style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
</blockquote>
<div class="western" lang="en-GB" style="line-height: 100%; margin-bottom: 0cm;">
But... what if a process owner requires an attribute outside of the
scope of the identity provider? Where does the extra attribute come
from? In the ABAC concepts attributes are bound to identities, that
means that in order for an employee to prove that he has the extra
required attribute, he in fact needs to provide another identity that
does contain the required attribute. But... in all reality, that's
just not feasible. What might be possible is that the identity
provider forwards the attributes provided to an identity on behalf of
another identity provider. For instance: an internal IdP could add
attributes, like results from a course that the user attended. But
that creates new trust issues (did the user follow the course
successfully, is the attribute really provided by the school, in what
context can the attribute be used and some more).</div>
<div class="western" lang="en-GB" style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div class="western" lang="en-GB" style="line-height: 100%; margin-bottom: 0cm;">
I am not aware of any implementation. And perhaps we should not want
such an implementation and we should think of another way.</div>
<div class="western" lang="en-GB" style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div class="western" lang="en-GB" style="line-height: 100%; margin-bottom: 0cm;">
As a user I would not like this hassle of using different identities
or of 'IdP-in-the-Middle' constructs. I want a convenient place to
store my attributes, some kind of a wallet. Not a wallet with
different identities (although I really loved the <a href="http://www.identityblog.com/?p=994">Information Card metaphor promoted by Kim Cameron</a>), but a wallet with different attributes. And
the attributes within this store could be used with any of my
identities that I want to use for a specific purpose.</div>
<div class="western" lang="en-GB" style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div class="western" lang="en-GB" style="line-height: 100%; margin-bottom: 0cm;">
</div>
<div class="western" lang="en-GB" style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div class="western" lang="en-GB" style="line-height: 100%; margin-bottom: 0cm;">
I need a PAL, a Personal Attribute Locker, or a PASS, a Personal
Attribute Storage System (I'm great with acronyms :) ). Identity
Providers could post digital identities and/or attributes to my
locker and I could mix and match whatever combinations of identities
and attributes I would want to use. Provided that the context and
scope of identity and attribute is a valid combination, but we'll
have to think about this in another post. What would the implication
be? Suppose I am an employee who needs access to the CRM system. But
in order to execute some CRM task, I would have to provide an
attribute that I am an experienced blog poster. This attribute cannot
be provided by the company I work for, but it can be provided by
Google because of this blog. Google could post this
attribute to my PAL and I could use this 'external' attribute with my
company Identity to execute the CRM task.</div>
<div class="western" lang="en-GB" style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div class="western" lang="en-GB" style="line-height: 100%; margin-bottom: 0cm;">
What do you think? Is this a feasible idea?</div>
<div class="western" lang="en-GB" style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div class="western" lang="en-GB" style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div class="western" lang="en-GB" style="line-height: 100%; margin-bottom: 0cm;">
In a future post I will expand on this idea, because recently I found
out about an interesting standard that could perhaps be used as the
mechanism that I want...</div>
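As an added example, not code from this blog, here is what the PAL idea looks like when a policy decision point consumes attributes from two issuers: the company IdP (a SAML assertion reduced to issuer, subject and attribute statement) and an Open Badge such as the ISACA badges described in the Attribute management post. Open Badges 1.x hosted assertions carry the recipient as sha256(email + salt), so a verifier can check that the badge was issued to the e-mail the IdP asserted before treating it as an attribute of that session. The issuer host names, badge URL, e-mail addresses and the CRM task are constructed for the demo.

```python
"""Added example, not from the blog: attributes from two issuers feeding
one access decision.

Each attribute is an (issuer, name, value) triple.  The policy states
which issuer is trusted for which attribute, so a claim is only honoured
when it comes from the source the resource owner named.  The 'external'
attribute is an Open Badges 1.x hosted assertion, whose recipient field
carries sha256(email + salt); the verifier checks that the badge was
issued to the e-mail the IdP asserted for the session.

Issuer host names, badge URL, e-mail addresses and the CRM task are
constructed for this demo.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# ---- constructed inputs ---------------------------------------------------
IDP_ISSUER = "idp.example.com"
BADGE_HOST = "badges.example.org"
CISM_BADGE = f"https://{BADGE_HOST}/cism.json"

# What the company IdP asserts about the session: a SAML assertion
# reduced to issuer, subject and attribute statement (constructed).
IDP_ASSERTION = {
    "issuer": IDP_ISSUER,
    "subject": "andre@example.org",
    "attributes": {"employee": True, "department": "consulting"},
}


def badge_identity_hash(email: str, salt: str) -> str:
    """Open Badges 1.x hashed recipient: 'sha256$' + hex(sha256(email + salt))."""
    return "sha256$" + hashlib.sha256((email + salt).encode()).hexdigest()


def make_badge_assertion(email: str, badge_url: str, host: str,
                         salt: str = "constructed-salt") -> dict:
    """Build a hosted Open Badge assertion for `email` (constructed data)."""
    return {
        "uid": "demo-0001",
        "recipient": {"type": "email", "hashed": True, "salt": salt,
                      "identity": badge_identity_hash(email, salt)},
        "badge": badge_url,
        "verify": {"type": "hosted",
                   "url": f"https://{host}/assertions/demo-0001.json"},
        "issuedOn": 1_400_000_000,
        "expires": 1_900_000_000,
    }


def idp_attributes(assertion: dict) -> set:
    """IdP attribute statement -> set of (issuer, name, value) triples."""
    return {(assertion["issuer"], k, v) for k, v in assertion["attributes"].items()}


def badge_attribute(assertion: dict, asserted_email: str, now: int):
    """Open Badge assertion -> (issuer, 'badge', badge_url), or None if it
    was not issued to asserted_email or has expired.  For a hosted badge the
    issuer is the host serving verify.url (a real verifier fetches it)."""
    rec = assertion["recipient"]
    if rec.get("type") != "email":
        return None
    if rec.get("hashed"):
        expected = badge_identity_hash(asserted_email, rec.get("salt", ""))
        if not hmac.compare_digest(expected, rec["identity"]):
            return None
    elif rec["identity"] != asserted_email:
        return None
    if assertion.get("expires", now + 1) <= now:
        return None
    issuer = urlparse(assertion["verify"]["url"]).hostname
    return (issuer, "badge", assertion["badge"])


# Policy written by the resource owner: (resource, action) -> required
# attributes, each bound to the issuer trusted for it.  Anything not
# listed is denied.
POLICY = {
    ("crm", "close_deal"): [
        (IDP_ISSUER, "employee", True),
        (BADGE_HOST, "badge", CISM_BADGE),
    ],
    ("crm", "read"): [(IDP_ISSUER, "employee", True)],
}


def is_permitted(resource: str, action: str, attributes: set) -> bool:
    """Deny by default; permit only when every required triple is present."""
    required = POLICY.get((resource, action))
    return required is not None and all(req in attributes for req in required)


def decide(resource: str, action: str, idp_assertion: dict,
           badge_assertions: list, now: int) -> bool:
    """Collect attributes from the IdP and every presented badge, then evaluate."""
    attrs = idp_attributes(idp_assertion)
    for b in badge_assertions:
        a = badge_attribute(b, idp_assertion["subject"], now)
        if a is not None:
            attrs.add(a)
    return is_permitted(resource, action, attrs)


if __name__ == "__main__":
    now = 1_500_000_000
    genuine = make_badge_assertion("andre@example.org", CISM_BADGE, BADGE_HOST)
    someone_elses = make_badge_assertion("other@example.org", CISM_BADGE, BADGE_HOST)
    self_hosted = make_badge_assertion("andre@example.org", CISM_BADGE, "evil.example.net")
    print(decide("crm", "read", IDP_ASSERTION, [], now))                      # True
    print(decide("crm", "close_deal", IDP_ASSERTION, [], now))                # False: badge missing
    print(decide("crm", "close_deal", IDP_ASSERTION, [genuine], now))         # True
    print(decide("crm", "close_deal", IDP_ASSERTION, [someone_elses], now))   # False: wrong recipient
    print(decide("crm", "close_deal", IDP_ASSERTION, [self_hosted], now))     # False: untrusted issuer
```

The policy binds each required attribute to the issuer trusted for it, which is the trust question the post raises: a badge served from a host the resource owner did not name, or issued to a different e-mail, is simply not added to the attribute set, so the decision falls back to deny.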
André Koothttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com2tag:blogger.com,1999:blog-8714108732005385671.post-63695291801003520652014-05-03T08:41:00.001+02:002014-05-03T22:36:48.300+02:00Why worry about Facebook Whatsapp - part 2<a href="http://id-use.blogspot.de/2014/02/facebook-and-whatsapp-why-worry.html">A few weeks back I commented on Facebook taking over Whatsapp</a>. As you can see my concern was that only if Facebook knows your phone number, it can datamine on the combined databases. As long as Facebook doesn't know your Whatsapp ID, your phone number, it cannot correlate the events in both social networks.<br />
<br />
But I was naive. Chances are that Facebook knows your phone number. Just recently I had to use a Facebook account. I don't have one. A few years ago I had a Facebook account, but I had Facebook delete my account. <br />
<br />
But I needed a Facebook account in order to get access to a free wifi spot: I had to log on using a Facebook account. So, I created an account. And at that moment I found out that I had to enter a phone number in order to receive an SMS authentication token. Without a phone number I could only register by sending a copy of an ID card to Facebook. No way, I was in a hurry.<br />
All I could do was enter my own phone number, because I had no time to get a prepaid SIM.<br />
<br />
So Facebook now knows my phone number. But I created a fake Facebook account, with lots of strange likes.<br />
<br />
And behold: Facebook suggested I become friends with a lot of people I know in real life... What other information in my account, other than my phone number, related to these people? My phone number must already be there, hidden deep within Facebook's treasure chest. I can hardly imagine my friends posting my phone number on their accounts.<br />
<br />
Facebook never deleted my phone number or my friends network. So, am I worried about that Facebook - Whatsapp deal? No. I'll just kill my Facebook account again. I don't want it. And if I need another Facebook account, I will make sure to have a prepaid SIM to use.<br />
<br />André Koothttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-91577462473722142442014-04-08T08:26:00.001+02:002014-04-08T09:01:37.089+02:00Don't stop using XP until...There is a lot of misconception about the security of Windows XP. Microsoft extended support ends today, <b>after </b>publishing the final set of security patches for XP that were developed to tackle security issues that occurred in the last few months. Microsoft has a 1 month patch cyclus, every 2nd tuesday of a month patches are published.<br />
What does ending extended support for us mean:<br />
<br />
If Microsoft would still support XP, the next set of security patches would only be published on the 13th of may 2014. Any zero day vulnerability that was discovered today, could, in an ideal world, only be fixed on the 13th of may, thereby leaving your pc vulnerable until the 13th of may. But that is the case for all supported Microsoft operating systems. Your 7, Vista, or 8 system would also be vulnerable until the patches of may 13t. Only in a few instances has Microsoft been pushed to fix earlier, but they keep with their regular scheme.<br />
<br />
What does this mean for poor XP?<br />
<br />
A fully patched XP system will be no less secure than a fully patched Windows 7, Vista or Windows 8 PC! Only on 13 May 2014 will its security be affected negatively, because no new patches will be published. From then on your system will be vulnerable forever...<br />
<br />
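The window described above can be computed rather than counted on a calendar. The following is an added example written for this page, not code from the post: it finds the next regular patch day (the second Tuesday of a month) strictly after a given date, and returns the exposure window in days for a bug discovered on that date, or no window at all when the earliest fix would fall after the product's end of support. The XP end-of-support date is the date of this post; the Windows 7 end date used for comparison is 14 January 2020.

```python
from datetime import date, timedelta
from typing import Optional

TUESDAY = 1  # date.weekday(): Monday is 0


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month: Microsoft's regular patch day."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(TUESDAY - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)


def next_patch_tuesday(after_iso: str) -> str:
    """First regular patch day strictly after the given ISO date.
    A bug found on Patch Tuesday itself waits for the following month."""
    after = date.fromisoformat(after_iso)
    candidate = patch_tuesday(after.year, after.month)
    if candidate <= after:
        year, month = (after.year + 1, 1) if after.month == 12 else (after.year, after.month + 1)
        candidate = patch_tuesday(year, month)
    return candidate.isoformat()


def exposure_window(discovered_iso: str, support_ends_iso: str) -> Optional[int]:
    """Days from discovery to the earliest scheduled fix, or None when that fix
    would fall after the product's end of support, i.e. it never ships."""
    discovered = date.fromisoformat(discovered_iso)
    fix = date.fromisoformat(next_patch_tuesday(discovered_iso))
    if fix > date.fromisoformat(support_ends_iso):
        return None
    return (fix - discovered).days


if __name__ == "__main__":
    today = "2014-04-08"                                                   # date of this post
    print("next patch day:", next_patch_tuesday(today))                    # 2014-05-13
    print("Windows 7 (supported until 2020-01-14):", exposure_window(today, "2020-01-14"))  # 35
    print("Windows XP (support ends today):", exposure_window(today, today))               # None
```

For a bug found on 8 April 2014 the supported systems wait 35 days for a scheduled fix; for XP the function returns None, which is the "vulnerable forever" case in the text.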
Should you migrate?<br />
Yes, by all means. You may not be an interesting target for a criminal (you are, but I can probably not convince you of that today), but your PC is. It will be used as a spambot platform, for bitcoin mining for others, for running porn hubs for criminals, whatever. So migrate: YES<br />
<br />
<br />
Should we panic?<br />
<br />
Yes, of course. But not because of today. We should panic because there are still too many XP systems.<br />
Most consumer systems will be fully patched, but I bet that most companies who still run XP have graver problems: many systems will not even be fully patched. So, consumers, you have one month left to migrate to 7, 8, Apple or Linux. Should you? Yes, by all means! <br />
And companies? You are in big trouble. You should fire the management responsible for not preventing this.<br />
<br />
<br />
===Update===<br />
Hans Bos from Microsoft Netherlands mentioned that a fully patched XP system is less secure than a fully patched 7/Vista/8 system. He is right, of course. Just have a look at Internet Explorer.<br />
But then again, this has always been the case: XP has always been in a lower security league than more current systems. The class difference stays the same...
André Koot http://www.blogger.com/profile/16204828200814835798 noreply@blogger.com 0