From 2acc02c70999c8e86eee5fbec2c41c390f3e95fa Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Mon, 28 Oct 2024 19:49:02 -0400 Subject: [PATCH 01/24] First draft Signed-off-by: Mariusz Sabath --- .../v1/cloud-native-zero-trust-whitepaper.md | 883 ++++++++++++++++++ .../v1/images/image1.png | Bin 0 -> 26557 bytes .../v1/images/image2.png | Bin 0 -> 62258 bytes .../v1/images/image3.png | Bin 0 -> 41455 bytes .../v1/images/image4.png | Bin 0 -> 31317 bytes 5 files changed, 883 insertions(+) create mode 100644 community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md create mode 100644 community/resources/zero-trust-whitepaper/v1/images/image1.png create mode 100644 community/resources/zero-trust-whitepaper/v1/images/image2.png create mode 100644 community/resources/zero-trust-whitepaper/v1/images/image3.png create mode 100644 community/resources/zero-trust-whitepaper/v1/images/image4.png diff --git a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md new file mode 100644 index 000000000..fb20419fa --- /dev/null +++ b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md 
@@ -0,0 +1,883 @@ +CNCF - TAG Security: Designing Zero Trust Using Cloud Native Platforms + +[https://github.com/cncf/tag-security/issues/950](https://github.com/cncf/tag-security/issues/950) + +STAG Representative - Eddie Knight + +Project Lead: Mariusz Sabath, David Hadas + + +Table of Contents + +[TOC] + +**Note**: All tools, projects, libraries mentioned in the paper are mentioned as examples when describing a relevant section. Hence, such mention **should not be** taken as an official recommendation by TAG Security or CNCF. Readers should evaluate adoption of such tools, projects or libraries based on their own understanding and threat model of the system under review. + +# Abstract + +Contrary to what the name might suggest, the real world application of “Zero Trust” is far more nuanced than simply *trusting nothing*. The Zero Trust defense strategy assumes that the internal network is not to be trusted. This contrasts with a perimeter-based defense, which is designed to construct a trustworthy internal network. Instead, we can introduce measures to evaluate trustworthiness, then use such evaluations to control the network communications and its connected devices. + +While many of the well-worn concepts behind Zero Trust apply to *any* system, there remains a gap with regards to discussing Zero Trust from a Cloud Native perspective. This document seeks to codify the philosophy alongside an ideal design for implementing it in a Cloud Native system. + +The authors have compiled their experience and research findings into a set of principles and approaches. While many of the concepts herein are a distillation of past publications, extending those findings has led to a new proposal to standardize the generation and utilization of “Confidence Levels” as a data type. Confidence Levels quantify the trustworthiness of entities within a system, allowing for more dynamic and responsive security measures. 
+ +Confidence Levels can be produced by “Active Observers,” a previously unnamed category of tools. Active Observers continuously monitor and analyze the security-related attributes and behaviors of entities in the system to quantify trustworthiness. + +By applying the philosophies of Zero Trust to an entire Cloud Native system with consideration paid to the unique context, this paper crafts a Cloud Native Zero Trust Architecture design. Using the latest technologies, it is becoming possible to build a system in such a way that Active Observers assign Confidence Levels to every entity in the system. This enables the architecture to adapt in real-time to emerging threats and anomalies, reinforcing the Zero Trust stance. + +By incorporating the concepts of Confidence Levels and Active Observers, a cloud architect may come closer to true *Zero Trust* than previously imagined. + +# 1. The Philosophy of Zero Trust + +The concept of Zero Trust has undergone significant evolution, transitioning from a philosophical notion to a foundational cybersecurity model. The term "Zero Trust" was first coined by [Stephen Paul Marsh in his 1994 doctoral thesis at the University of Stirling](https://www.cs.stir.ac.uk/~kjt/techreps/pdf/TR133.pdf). In this work, titled "Formalizing Trust as a Computational Concept," Marsh introduced the idea that trust could be mathematically quantified, separate from human moral and ethical considerations. This theoretical framework established the groundwork for what would later become known as the Zero Trust philosophy. + +The practical application of Zero Trust coalesced in 2010 when John Kindervag, an analyst at Forrester Research, introduced a model that operationalized these principles. 
In his paper, ["No More Chewy Centers: Introducing the Zero Trust Model of Information Security,"](https://media.paloaltonetworks.com/documents/Forrester-No-More-Chewy-Centers.pdf) Kindervag proposed a security architecture where trust is never assumed and must be continually verified. This model, which segmented networks into zones with varying levels of trust, aimed to eliminate the vulnerabilities of traditional perimeter-based security systems, where internal networks were often overly trusted. + +The implementation of Zero Trust principles was notably advanced by [Google's BeyondCorp initiative in 2009](https://www.beyondcorp.com/#:~:text=The%20BeyondCorp%20Story,and%20devices%20access%20internal%20applications.). BeyondCorp shifted security focus from the perimeter to individual users and devices, emphasizing continuous verification and least-privilege access. This approach was driven by the need to address sophisticated threats, as demonstrated by incidents like [Operation Aurora](https://en.wikipedia.org/wiki/Operation_Aurora) and the [MUSCULAR joint surveillance program](https://en.wikipedia.org/wiki/MUSCULAR) operated by the NSA and GCHQ against the internal networks of Google and Yahoo. + +The proliferation of open-source projects such as Istio, Knative, SPIFFE, and OpenFGA has also played a crucial role in advancing Zero Trust. These projects provide robust frameworks for identity management, policy enforcement, Security Behavior Analytics, and secure communication within cloud native environments. + +The National Institute of Standards and Technology (NIST) has been pivotal in formalizing the Zero Trust model. [NIST's guidelines on Zero Trust Architecture](https://csrc.nist.gov/pubs/sp/800/207/final) outline key tenets such as continuous verification, least-privilege access, and micro-segmentation. These principles ensure that security measures are consistently applied across all network layers and endpoints, reinforcing the Zero Trust approach. 
+ +The history of Zero Trust started as a theoretical concept and evolved into a practical, essential cybersecurity framework. The contributions of early theorists, pioneering implementations by industry leaders, and the formalization by standardization bodies like NIST have collectively shaped the Zero Trust model, making it a cornerstone of modern cybersecurity strategies in cloud native environments. + +We advise that the tenets of Zero Trust are considered during the design of any networked system. There are many opinions and recommendations regarding what may suffice to construct a Zero Trust Architecture, and the reader is always advised to consider their organizational needs when tailoring a solution suitable for the protected system. + +In this paper, we wish to emphasize critical elements that we consider as important to construct a Zero Trust Architecture, collate commonly accepted concepts related to Zero Trust and, in isolated cases, propose novel approaches to improve Zero Trust implementations. + +## Cloud Native Principles of Zero Trust + +Building on the extensive discourse surrounding Zero Trust principles over the years, two foundational tenets have been established: *Assume a Breach* and *Always Verify*. When applying these tenets to cloud native environments, we have delineated eleven governing principles. + +To follow the tenet of *Assume a Breach*, organizations must operate as if their systems are already hacked. This mindset encourages the development and implementation of security strategies that are inherently resilient and capable of detecting, containing, and mitigating threats in real time. + +The tenet of Always Verify emphasizes the necessity of continuous authentication, authorization, and monitoring for every interaction within the system, regardless of its origin. This tenet rejects the notion of implicit trust, instead insisting on rigorous verification of all entities — users and services, internal and external. 
In practice, this involves the actions of eliminating implicit trust, minimizing explicit trust, and monitoring behavior to verify trustworthiness. + +The following table summarizes the Cloud Native principles of Zero Trust as detailed in the remainder of this chapter. The evidence for the principles below is discussed in **[NIST SP 800-207](https://csrc.nist.gov/pubs/sp/800/207/final)** chapter 2 *“Zero trust Basics”* with further details in chapter 3 “*Logical Components of Zero Trust Architecture*”*.* While the NIST paper discusses all kinds of systems, in generic terms such as assets and resources, here we focus solely on Cloud Native systems with a higher level of nuance. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ Tenet + Cloud Native Principle +
1 + Assume a Breach + Every Image Includes Vulnerabilities +
2 + Assume a Breach + Every Service is Vulnerable +
3 + Assume a Breach + Every Service will be Exploited +
4 + Assume a Breach + The Cluster Network is Hostile +
5 + Assume a Breach + Clients will Send Malicious Requests +
6 + Always Verify - Eliminate Implicit Trust + Authenticate the Service +
7 + Always Verify - Eliminate Implicit Trust + Authenticate Service Request Senders +
8 + Always Verify - Monitor Behavior + Verify the Service Instance Behavior +
9 + Always Verify - Monitor Behavior + Verify Service Request Behavior +
10 + Always Verify - Monitor Behavior + Verify the Client Behavior +
11 + Always Verify - Minimize Explicit Trust + Enforce Least Privilege Universally +
+ +### 1. Every Image Includes Vulnerabilities + +Organizations must recognize that all cloud native images inherently contain vulnerabilities. It is imperative to understand that no image is free from potential security flaws. Dependencies, base images, development tools, repositories, and continuous integration/continuous deployment (CI/CD) tools are all susceptible to exploitation, leading to vulnerable images. The extensive amount of code that constitutes these systems presents numerous opportunities for malicious actors over a large period. + +### 2. Every Service is Vulnerable + +Organizations must acknowledge that all deployed services are inherently vulnerable. This assumption should guide the planning and implementation of security measures. Any service deployed within a cloud native environment should be presumed to operate based on a vulnerable image and/or vulnerable configuration and to expose vulnerabilities through its service API. + +It is common for organizations to become aware of vulnerabilities when Common Vulnerabilities and Exposures (CVEs) related to their services are published. However, this awareness often comes after a period during which the services were susceptible to attack. The absence of a known vulnerability does not equate to security; vulnerabilities may exist that have yet to be discovered or disclosed. CVEs are typically published following the detection and reporting by white hat security researchers, but malicious actors may exploit these vulnerabilities long before they are publicly known. + +### 3. Every Service Will be Exploited + +Organizations must adopt the perspective that any cloud native deployed service is susceptible to exploitation at some point. When deploying a service, it is essential to assume that it may be exploited through various vectors, including internal malware infiltration, insider misuse, or unauthorized access to credentials or control systems. 
+ +This assumption necessitates a comprehensive and proactive approach to security, wherein continuous monitoring and rapid response mechanisms are integral components. By acknowledging the inevitability of exploitation attempts, organizations can better prepare to detect and mitigate threats promptly, minimizing potential damage. + +### 4. The Cluster Network is Hostile + +Organizations should treat the internal cluster network as inherently hostile and untrusted. This assumption is critical for developing a robust security posture. It is essential to recognize that the cluster network can be compromised, and malicious entities may have the capability to inject and extract traffic within it. + +Treating the cluster network with the same level of suspicion as external networks necessitates the implementation of stringent security measures. These measures include robust network segmentation, continuous monitoring, and the application of advanced security protocols to detect and mitigate potential threats. + +### 5. Clients Will Send Malicious Requests + +Organizations should operate under the assumption that clients may send malicious requests — even those presenting valid credentials and exhibiting consistent behavior over time. + +Credentials can be stolen, and users may intentionally or unintentionally abuse their access rights. Legitimate user accounts, or seemingly benign machines, can be appropriated by malicious actors to send hostile service requests. Therefore, it is imperative to monitor and scrutinize each request thoroughly to identify and mitigate potential exploitation attempts. + +### 6. Authenticate the Service + +Organizations must ensure that clients verify the identity of any service before initiating a service request. This authentication process is crucial for both internal and external clients interacting with services within the cloud native environment. 
+ +This action necessitates the implementation of robust identity verification mechanisms to confirm that the service being approached is legitimate and not a fraudulent entity. Such measures are essential to prevent impersonation attacks and to maintain the integrity of service interactions. + +### 7. Authenticate Service Request Senders + +Organizations must ensure the identity verification of all service request senders before processing their requests. This verification process applies to both internal and external senders, including users and machines interacting with cloud native services. + +Implementing robust identity verification mechanisms is essential to confirm the legitimacy of each request sender. This includes verifying credentials and continuously monitoring the behavior of request senders to detect any anomalies that might indicate a compromised identity or malicious intent. + +### 8. Verify the Service Instance Behavior + +Organizations must continuously monitor and verify the behavior of service instances to ensure they are not being exploited. This necessitates the implementation of dynamic, per-instance evaluation processes that assess whether service instances are operating as expected. + +Organizations should promptly identify and mitigate misused service instances — restoring expected behavior and removing malicious actors — while maintaining overall service stability. The faster a compromised service instance is terminated, the lower the gain obtained by the attacker, resulting in a reduced overall value to attackers. + +### 9. Verify Service Request Behavior + +Organizations must operate under the assumption that even clients providing credible credentials may exhibit malicious behavior, such as when an offender has stolen client credentials. Furthermore, organizations should consider that a client with a history of good behavior might attempt to compromise the system in future requests. 
An attacker might leverage a legitimate user’s credentials or embed malicious code within a legitimate machine to send service requests. + +Therefore, it is crucial to always assume that any request made to a service API could potentially contain an exploit. Requests should be regarded as potential vectors for exploiting vulnerabilities within the service API. Relying on the implied trustworthiness of requests from authenticated senders is insufficient. Instead, a dynamic, per-request evaluation process must be employed. Each request should be meticulously assessed and assigned an appropriate Confidence Level, based on its potential to be an exploit. This continuous scrutiny ensures that organizations can effectively mitigate risks associated with seemingly legitimate but potentially harmful requests. + +This principle is discussed in NIST 800-207 Section 3.3: “Trust Algorithms.” + +### 10. Verify the Client Behavior + +Organizations must not assume that a duly authenticated service client is not a potential attacker. Trustworthiness should not be inferred based on authentication alone, as credentials can be stolen, insiders may become malicious, and attackers might be present within the sender’s system. Consequently, a dynamic, per-client evaluation process is necessary. + +This evaluation should consider the client's past behavior, including both its normal activities and the historical activities. Additionally, any external information about the client’s identity should be considered. For instance, if the identity is another service, this information may encompass the service's behavior, as outlined in the principle of monitoring service behavior. + +### 11. Enforce Least Privilege Universally + +Despite being discussed for twice as long as the concept of Zero Trust, the enforcement of least privilege remains an area of significant vulnerability in many systems. 
Organizations must implement dynamic and fine-grained access control to ensure that verified identities are only permitted to perform operations that align with their role and trustworthiness. + +Access to services should be evaluated and granted on a per-request basis, taking into account various parameters to make informed access decisions. These parameters include assessing whether the requested operation is appropriate for the identity in question, evaluating the Confidence Level of the sender's true identity, determining the likelihood that the request is not an exploit, and considering the overall context of the request. This context might include factors such as whether the sender is expected to make requests at that particular time of day, from a specific IP range, or in a certain sequence. + +# 2. Modeling a Cloud Native Zero Trust Architecture + +Having established the foundational philosophy of Zero Trust, we now turn our attention to the concepts and approaches necessary for building Cloud Native systems that adhere to these principles. First we will outline a three-step Zero Trust process where entities are identified, verified, and controlled. We will then define what we consider as key elements for constructing a Zero Trust Architecture (ZTA) within a cloud native environment, in-line with the principles as described above. + +We remind readers that the architectural elements outlined here are the result of one way to adhere to the principles as a whole— and there are cases where not all architectural elements may be required. + +## Foundational Terms + +Before we go deeper, we must first establish some key terms: Confidence Levels, Active Observers, and Security Behavior Analytics. + +As discussed in [NIST SP 800-207 Chapter 2: “Zero Trust Basics”](https://csrc.nist.gov/pubs/sp/800/207/final), a **Confidence Level** refers to the dynamically calculated level of trust, based on the assessment of a subject and its context. 
At the end of this chapter, we will discuss an opportunity to enhance the use of Confidence Levels across the cybersecurity ecosystem. + +**Security Behavior Analytics (SBA)** refers to the field of Machine Learning and associated data analytics technologies that analyze entity behavior to inform security and confidence decisions. SBA compares an entity's security-related behavior to its norm or other predefined known criteria. The entity’s standard behavior is first examined through security glasses, and the behavior exposed is recorded. Once standard behavior is recorded, *Confidence Levels* can be deducted by evaluating the changes in the security-related behavior of the entity. SBA is a superset of traditional data analytics such as User-Entity Behavior Analytics (UEBA). + +According to [NIST SP 800-207](https://csrc.nist.gov/pubs/sp/800/207/final), the policy decision/enforcement point “passes proper judgment to allow the subject to access the resource.” In this paper we name this essential functionality “Active Observer” while discussing its use and implementation. An **Active Observer** is a process that continuously monitors factors which influence an entity's Confidence Level within the system by collecting comprehensive Security Behavior Analytics. + +## The Zero Trust Process + +In ZTA, authentication and authorization are managed on a per-request basis rather than per session. Every action is either authorized or restricted, and every behavior is monitored. This rigorous approach ensures that even if credentials are compromised, malicious actions can be blocked. + +The Zero Trust process can be distilled into three fundamental steps. + +![drawing](images/image1.png) + +*Image 1. Three steps of the Zero Trust process* + +### Step 1: Identify + +Regardless of the client’s location, whenever a client tries to access a resource, their identity must be validated. 
Clients should never be trusted based on other attributes, such as their location within the network. It is also essential to maintain an auditable record of all clients based on their individual identities, and to periodically revalidate their credentials (*see [NIST SP 800-63](https://pages.nist.gov/800-63-3/)*). + +### Step 2: Analyze + +Successful client identification should not lead us to fully trust a client’s requests. All internal or external traffic should be evaluated to ensure it is not malicious. Bad actors may gain access to secure areas or valid credentials, and legitimate clients may be compromised to act maliciously. + +Continuous analysis of clients, client requests, and services should compare actual behavior to an expected criteria. Organizations must regularly analyze all network and system activity to evaluate the actions and reassess the Confidence Level for each entity. + +### Step 3: Control + +Restricting access to resources based on client identity, client behavior, request behavior, device posture, and other contextual factors is essential for maintaining security. Specific controls and checks should be applied in front of every service, governing each action of every client. This includes avoiding long sessions based on previous credential validations to limit the impact of potential compromises. + +The principle of least privilege must be strictly enforced, ensuring that clients have access only to the minimal resources necessary for their tasks. Unnecessary access should be eliminated, even if the associated risk is perceived as low. + +Zero Trust advocates for network segmentation into smaller, isolated segments or microsegments. Each service should be treated as a microsegment, with dedicated access controls to contain breaches and limit lateral movement within the network. 
By dividing the network into small segments, each containing a single microservice, more granular access controls can be applied, thereby reducing the attack surface. This approach prevents lateral movement between microservices, as each microservice operates with its own access control and is safeguarded from neighboring services. + +## Cloud Native Zero Trust Architectural Elements + +To build a robust ZTA for cloud native environments, we draw inspiration from established frameworks, such as the [US Department of Defence Reference Architecture](https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf), which identifies seven core pillars essential for securing modern systems. + +In alignment with these pillars, we identify seven key elements of a Cloud Native ZTA. + +**Service Instances** are the individual services offered using containers on cloud native clusters. Securing these includes implementing DevSecOps practices to secure applications from inception through production. Adopting secure-by-design practices, robust image build methodologies, comprehensive image scanning, and secure storage are critical. Service runtime protection methods, such as behavioral monitoring, help establish Confidence Levels for services. + +**Client Identities** refer to the unique identifiers of clients sending service requests, whether external or internal. Ensuring the security of these identities involves verifying and monitoring their behavior to form Confidence Levels. Continuous monitoring helps detect and mitigate potential threats from compromised or malicious clients. + +**Service Requests** are the interactions initiated by clients to access services. Securing these requests involves monitoring the risks they pose and forming Confidence Levels to assess their trustworthiness. Each request must be scrutinized to prevent exploits and ensure safe interactions. + +**Data** encompasses all the information that services handle and store. 
Effective data security requires categorizing data to apply appropriate security measures based on data types. This ensures that sensitive information is adequately protected. Data classification helps in enforcing policies tailored to the sensitivity and importance of the data. + +The **Network** comprises the communication channels between clients and services. Securing the network involves protecting service requests and responses through encryption and other measures to prevent unauthorized access and data breaches. Network security encompasses measures to protect data in transit and to monitor for any suspicious activities. + +**Access Control** refers to the policies and mechanisms that govern who can access what resources. Implementing comprehensive access control policies is essential for securing services. This includes enforcing micro-segmentation within clusters and applying granular access controls using gates in front of services. Access control decisions should consider the Confidence Levels of identities and requests, as well as the data types of both requests and responses. + +**Automation** involves using tools and processes to manage the deployment, configuration, and auditing of cloud native components. Ensuring that zero trust principles are followed throughout these automated processes is essential. Automated removal of suspected service instances based on their Confidence Levels further enhances security. + +![image2](images/image2.png) + +*Image 2. Note that the service request sender (aka client) may be malicious. \ +The Network and Data may also be compromised.* + +In cloud native environments, client identities may be malicious, service requests may include exploits, service instances may be compromised, data may contain vulnerabilities, and the network may be hostile. Given these potential threats, it is imperative to deploy an "Active Observer" to continuously assess the Confidence Levels of these entities. 
+ +Cloud Native Zero Trust extends access control to include the assessment of Confidence Levels for client identities and service requests. Additionally, Zero Trust extends automation processes to consider the Confidence Levels of service instances. This comprehensive approach ensures that security measures are dynamically adjusted based on real-time assessments, maintaining the integrity and security of the cloud native environment. + +## New Proposal for Confidence Levels + +Confidence Levels have been an integral component of the discussion in this chapter, and their proper implementation is crucial to the success of modern ZTAs. However, as previously mentioned, there is a notable deficiency in the technical ecosystem regarding the generation and utilization of Confidence Levels as a data type. + +While many types of services can function as an Active Observer or Security Behavior Analytics platform, the ability to rapidly interpret and respond to Confidence Levels depends on a system designer's ability to effectively integrate disparate tools. + +This presents a significant opportunity: if the community were to rally around a centralized standard for communicating Confidence Levels, it would enable tools to speak a shared language, facilitating easier integration and more precise responses across the board. + +Adopting a centralized standard for Confidence Levels would not only enhance integration and precision across security tools but also pave the way for developing advanced tooling solutions that can fully leverage these improvements. + +However, this level of maturity is not required to make early strides incorporating Confidence Levels, and is simply proposed here as the logical next step for gaining the highest value from the technologies in a ZTA. + +# 3. 
Cloud Native Zero Trust Architecture Design + +With the key elements of Cloud Native Zero Trust Architecture (ZTA) now established, we turn to the process of translating these concepts into a cohesive, practical design. The strength of any Zero Trust system lies in its ability to continuously verify and control every entity interacting within the environment. This chapter focuses on how to build such a Cloud Native system and cope with the different potential breaches as shown in Image 3. + +![image3](images/image3.png) + +*Image 3. All potential breaches in a Cloud Native system should be addressed as part of a \ +Zero Trust Architecture design* + +To deal with a breached cloud network, we introduce Peer Identities and Secure Communication. Then, to handle breached clients, we introduce Behavior Verification enhanced Access Control. Last, to mitigate the impact of breached cloud service instances, we introduce Behavior Verification enhanced Instance Confidence Automation. Together, this creates a robust system that aims to cope with the different potential breaches. + +At the heart of Cloud Native ZTA is the concept of identity—every ZTA entity must have a unique, verifiable identity. Traffic from unknown entities, lacking an identity which cannot be traced to its source, leaves us unable to track and control the entity in question. In this chapter, we will explain how to establish these identities, secure their communications, and ensure that the behavior of all entities is constantly scrutinized and verified. + +## Peer Identities + +In a Cloud Native Zero Trust Architecture (ZTA), every entity—whether acting as a client, a service, or peer in a peer to peer network—must be uniquely identifiable. This identity forms the foundation of all security mechanisms, enabling the system to trace actions, control access, and verify trustworthiness in real-time. 
+ +Cloud Native applications typically consist of multiple **microservices**, each composed of **Pods** that handle specific requests from internal or external clients. These Pods may also serve as clients themselves, sending requests to other microservices or external cloud services. When designing a cloud native ZTA, each microservice must be assigned a unique and verifiable identity, allowing us to track their behavior and enforce security policies. + +Assigning a single identity to all Pods within a microservice could limit visibility and control. When pods of a microservice send requests to other services, it is recommended to enable tracing the requests back to a specific Pod. This can allow identifying misbehaving, potentially rogue Pods. Depending on policy, such Pods may be restarted without affecting other pods of the microservice. + +**Hierarchical identities** for Pods within microservices therefore may offer us the ability both to associate all behaviors of a microservice to the microservice identity; And, at the same time, the ability to associate all behaviors of a specific Pod in a microservice, to the Pod identity, allowing us to perform an appropriate policy based action. + +Note that **containerized environments** such as Kubernetes may group multiple containers within a Pod. Under Kubernetes, all containers in the same Pod are managed as one unit and therefore may share the same identity. The Pod's identity can be used to represent both the service it provides and its interactions as a client to other services. + +External client entities— whether human users or external systems— must also be uniquely identified to ensure traceability and control over their actions. + +After identities are assigned to all clients and services, the next step is to ensure that communication between these entities is secure. + +## Secure Communication +Zero Trust operates under the assumption that offenders may already have control over the cloud network. 
Therefore, a Zero Trust Architecture (ZTA) must ensure data confidentiality for communication between microservices, or between microservices and external entities. As discussed below, to achieve data confidentiality, we must verify the identity of every service and encrypt all communications. However, a ZTA requires not only data confidentiality, but also fine grained access control as well as behavior monitoring. To achieve either, we are also required to verify the identity of every client. + +### Data Confidentiality + +Every Cloud Native request, whether initiated by an internal microservice or an external client, must be performed using Transport Layer Security (TLS) to encrypt the channel. This guarantees that even if an offender intercepts the data between the client and server from the internal network, it will not gain access to the request and response data. However, to encrypt the data, the client and server must first agree on encryption keys. An offender may redirect the client traffic to a fake server and gain access to the pre-agreed upon encryption keys. + +Such an attack can be part of a full fledged man-in-the-middle attack or may be used to obtain the Request data without involving the true server. To protect against offenders introducing fake servers, the client must first verify the identity of the service before sending the Request. Therefore, the microservice or external service must present a **certificate** signed by an entity that the client trusts apriori. Clients should only send requests to a service after verifying the authenticity of the certificate and verifying that the certificate was indeed provided to the identity of the service being approached. + +Combining service certificate verification with encryption suffice for achieving data confidentiality, protecting against data leakage in a cloud native environment under the control of potential offenders. However, a Zero Trust Architecture requires more than data confidentiality. 
It requires fine grained access controls, allowing each client to access only the subset of services as may be needed. It also requires monitoring the behavior of each client. We are therefore required to also verify the identity of every internal or external client. + +### Client Credentials + +Clients, whether embedded in a microservice or any external systems, must present credentials that are verified by the receiving service. This can be done through tokens—such as JWT (JSON Web Tokens)—or by presenting client certificates that are verified by service instances using mutual Transport Layer Security (mTLS). Note that verifying the identity of clients or servers only ensures that the peer has the necessary client credentials and is not indicative of whether the peer is offensive or benign. + +As will be discussed further in the following sections, once a client identity is verified, active observers should evaluate the confidence level of the specific client request behavior and the confidence level of the overall accumulative client behavior. The client identity and the respective confidence levels then need to be considered as part of Access Control to check whether the identity in question with the confidence levels in question, should be allowed. + +Identity management in a cloud native environment is further detailed in the [Identity and Access Management section of tag-security whitepaper](https://github.com/cncf/tag-security/blob/main/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper.md#access). + +Now that all communications are peer authenticated and offer data confidentiality, the next step is to verify the behavior of all entities such that we may identify compromised authenticated clients, malicious client requests, and compromised service instances. + +## Behavior Verification + +In a Zero Trust Architecture (ZTA), identity verification alone is not enough to ensure security. 
Even if credentials are verified, they can be stolen or compromised. Further, an offender may be co-residing as part of a true client, using a communication channel established by the benign client to send malicious requests. To truly establish trust, continuous behavior verification is required. This is where *Active Observers* play a central role. + +An **Active Observer** continuously monitors the behavior of clients, services, and interactions within the system, providing insights into potential anomalies that may indicate malicious activity. By analyzing the behavior of these entities, the Active Observer helps determine their **Confidence Level**, a dynamic metric that quantifies the trustworthiness of a given entity based on observed behavior. + +![image4](images/image4.png) + +*Image 4. Active Observers in a Cloud Native system* + +In a Cloud Native environment, behavior verification focuses on three key entities: + +1. **Service Requests**: Requests made by clients to services must be monitored to detect irregularities. \ +See Security Behavior Analytics for Service Requests (SBA-SR) in image 6. \ + +2. **Service Instances**: The behavior of individual service instances should be tracked for signs of compromise. \ +See Security Behavior Analytics for Service Instances (SBA-SI) in image 6. \ + +3. **Client Identities**: Both internal and external client behaviors are evaluated based on the requests they generate. The behavior of external clients is evaluated through their stream of **Service Requests**. For internal clients, their behavior is derived by combining the Confidence Level of the associated **Service Instance** with the behavior exposed by their respective **Service Requests**. + +### Input from Continuous Monitoring and Logging + +To enable effective behavior verification, **continuous monitoring and logging** are essential. 
By collecting and analyzing logs in real-time, organizations can detect unusual activities and trigger alerts for potential security incidents. These logs provide valuable input to Active Observers, enabling them to detect compromised clients or service instances. It also allows them to observe deviations from normal patterns that may indicate exploitation. + +### Security Behavior Analytics for Service Requests (SBA-SR) + +A common attack vector on services involves manipulating requests sent to service APIs. Such an attack may include reconnaissance - surveying the service to identify potential weaknesses, or it may include an actual attempt to exploit the service either through known or unknown vulnerabilities. Security Behavior Analytics for Service Requests (SBA-SR) is designed to detect irregularities in the communications between clients and services. SBA-SR distinguishes between benign requests and those that are potentially malicious. It analyzes request patterns to identify deviations from expected behavior which may signal dubious intentions by the sender. It consequently assigns a Confidence Level to each request. + +Requests flagged as suspicious should be handled by **Access Control** mechanisms (discussed later), ensuring that any potential threats are mitigated before they can exploit vulnerabilities or offer the offender more information to further the attack. + +### Security Behavior Analytics for Service Instances (SBA-SI) + +Cloud Native often uses horizontal scaling such that every microservice is offered from a set of interchangeable Pods, each offering the service and each sharing the overall service load. Each pod is therefore an instance of the same service. A service instance may be compromised in advance and include malware that is triggered by some event or by the passage of time after the deployment. 
A service instance may also include a backdoor or may be ill configured or otherwise vulnerable allowing an offender to run malware as part of the service instance following some sequence of events. An exploited service may therefore include one or more exploited instances, while others instances may continue to behave as expected. Monitoring the behavior of instances is key to identify occurrences where an instance is being exploited. + +SBA-SI monitors service instance behavior to detect irregularities indicating that a given instance is compromised, by discerning normal service behavior from malicious activity. When suspicious irregular behavior is detected, the Confidence Level of the service instance is adjusted. As discussed below, an **Instance Confidence Automation** should monitor service instance Confidence Levels to facilitate automated response, when a service instance is suspected as being exploited. + +## Access Control {#access-control} + +Given the harsh assumption that all systems including all clients and services may be breached, Zero Trust introduces new and more stringent requirements for Access Control compared to traditional models. It mandates continuous per request verification, fine-grained authorization, and dynamic responses to emerging threats based on real-time behavior analysis. + +### Fine-Grained Authorization + +Access Control policies under a ZTA must ensure **least privilege access**. This means clients are granted only the minimum permissions necessary to perform their specific role or task—nothing more. Fine-grained authorization applies to individual entities, whether they are human users, machines, or services. For instance, rather than granting access to a broad group of clients or services, Access Control policies should consider the unique identity of each client and the specific resource being requested. 
+ +Each client must be authorized not just for the resource they are requesting, but for the specific action they wish to take. For example, an access control policy should define the specific APIs a client is allowed to access, or if the client is merely allowed to read a specific resource type or also to modify resources of this type. This prevents over-permissioning and enforces least-privilege principles. + +### Microsegmentation and Service-Level Access Control + +Every service in the architecture must be protected by an Access Control layer. This layer regulates the flow of incoming requests and determines whether a request should be processed or rejected. Note that each service maintains its own access control policy. Access decisions depend on the permission granted to a specific client identity to perform specific actions against a specific service. + +This approach of dividing the service network into small segments, is also known as **microsegmentation.** Microsegmentation is a key ZTA strategy for limiting the impact of potential breaches and controlling traffic between services. We first divide the network into smaller, isolated segments. Then, we introduce access control in front of every segment which allows for more granular security controls and reduces the risk of lateral movement during an attack. + +While implementing a ZTA under Cloud Native, we introduce a segment per microservice. All instances (pods) of the same microservice use the same segment, while being separated from other pods of other microservices. As a result, any microservice to microservice communication is controlled using Access Control and a set of policy rules dedicated for that service. 
+ +### Per-Request Access Control + +Unlike traditional perimeter-based models, where trust is typically established once, followed by a stream of service-requests sent by the client, Zero Trust requires that every single request is evaluated independently **in real-time**, regardless of whether the client was previously verified. This allows access control decisions to factor the updated Confidence Levels calculated by **Active Observers**, as well as other per request attributes. + +The access control decision, taken per request, considers not only the updated accumulated client confidence level, but also the request specific confidence level. As indicated earlier, the access control decision is also based on the specific action being made by the client, as part of the request. Additionally, the decision takes into account other contextual attributes of the request such as the time of day, day of week, source IP, etc.. + +For example, even if a client’s credentials are valid, its access may be restricted if recent behavior suggests a potential compromise, or if its current request is suspected as being an exploitation or reconnaissance attempt, or if it is made from a peculiar source or at a peculiar time, or if the service being approached is considered potentially compromised, or any combination of the above raised to the level justifying to block the request from this specific client to this specific service, given the action requested. All as defined by the service access control policy for this client identity. + +Secure Communication as described earlier, protects the Cloud Native system against offenders controlling the internal system network. The addition of Access Control utilizing Behavior Verification, further protects the system from offenders controlling legitimate clients or using legitimate client credentials to send traffic on behalf of some client identity. 
The next step is to utilize Behavior Verification to also consider the case of offenders controlling the service instances. + +## Instance Confidence Automation + +A foundational tenet of Zero Trust is that all services may be breached. Offenders may have different incentives to breach a service. For example to gather information about requests made to the service or the responses provided; Or to use the service to access data sources that the service has access to; Or to perform lateral movement and breach other target services; Or to use the service as a jumping stone in a covert, potentially distributed attack on other systems; Or even to mine cryptocurrency. In all such cases, a quick and immediate response of shutting down or limiting the breached service, can help curb the attack and prevent further damage. + +We therefore need to introduce Instance Confidence Automation as part of the ZTA. Instance Confidence Automation leverages the continuously updated Confidence Levels provided by Service Instance Active Observers. When the Confidence Level of a Service Instance falls below a certain threshold—indicating potential compromise—automated systems can immediately take corrective actions, for example by shutting down compromised service instances. Under Cloud Native, if an instance is deemed compromised, automation can trigger the deletion of the compromised instance, replacing it with a clean, well-behaving instance. Note that when replacing compromised instances, automation tools must also consider the overall availability of the service. + +The combined introduction of Peer Identities, Secure Communication, Behavior Verification, Access Control and Instance Confidence Automation, allows us to construct a cohesive, practical design for a Cloud Native ZTA and concludes the primary contribution of this paper. Next we collected techniques of best practices that can be helpful for implementing the Cloud Native ZTA design discussed above. + +# 4. 
Techniques and Best Practices + +The Cloud Native Zero Trust Architecture (ZTA) design described in the previous section gives an overview for how organizations deploying Cloud Native systems can effectively follow Zero Trust principles. This chapter increases the level of detail to discuss techniques, best practices, and specific CNCF solutions that can help construct a Cloud Native ZTA. + +## Protect Data Confidentiality and Integrity + +Ensuring the security of Service Requests****is paramount in Zero Trust. Any request from one entity to another must be encrypted, as the network cannot be trusted. + +Additionally, requests must be monitored by an Active Observer utilizing Security Behavior Analytics for Service Requests (SBA-SR) to assess the risk associated with servicing the request through a service instance and to identify compromised client identities from which the request originated. + +Service instances must also be continuously monitored by an Active Observer utilizing Security Behavior Analytics for Service Instances (SBA-SI) to assess the risk from allowing the service instance to continue running within the system. This monitoring enables the identification and replacement of compromised instances, prevents the spread of breaches when affected instances act as clients to other services, and facilitates forensic analysis of ongoing attacks. + +We assume all services may have vulnerabilities and classify them based on their known status: + +1. **Not Known to be Compromised Service:** The service is intact, with no foothold for an offender. An attacker must exploit a vulnerability in the service API to compromise the service. +2. **Compromised Service:** The attacker has a foothold in the service or infrastructure through an exploitable vulnerability or dormant malware that activates at some stage of the service lifecycle. +3. 
**Exploited Service**: At least one service instance is under an attacker's control, with active malware running as part of the deployment. + +Organizations should identify and immediately stop exploited service instances that are being misused. Depending on the use case, organizations may or may not shutdown an entire service when an exploited service instance is detected. Offenders should not be allowed to maintain a presence in clusters after detection. + +### Verify Service Requests + +Ensuring the security of service requests is a critical aspect of ZTA. An essential component of this is the use of Security Behavior Analytics for Service Requests (SBA-SR). For instance, the Knative project from CNCF has a [Security-Guard](https://knative.dev/docs/serving/app-security/security-guard-about/#security-guard-profile-and-criteria) extension (Guard), which serves as an SBA-SR tool. + +Guard can be deployed independently from Knative in various cloud native orchestration systems, including vanilla Kubernetes, where it will use machine-learning-based criteria synthesis to identify standard patterns used by service clients. Additionally, Guard supports the setting of manual criteria to enhance its flexibility. + +Guard’s SBA-SR identifies changes in service requests made by clients, calculates a Confidence Level for these requests, and integrates with Access Control to remove any requests suspected of being exploits. It also allows for the detection of unknown exploits targeting unknown vulnerabilities without relying on signatures, thus providing a layer of protection that preempts the usual race between the identification of CVEs, exploits, and the release of patches. + +SBA-SR functionalities can also be integrated into Web Application Firewalls (WAFs) that maintain per-service state, capable of analyzing incoming and outgoing traffic to detect threats and ongoing attacks. 
+ +Solutions like [Coraza](https://coraza.io) or [Curiefense](https://www.curiefense.io/) offer anomaly scoring for requests, making decisions to block them based on predefined thresholds. These anomaly scores can be developed further to incorporate SBA-SR features, enhancing their effectiveness. + +To ensure all communications in-transit are encrypted, all services should use TLS v1.2 or higher, and all clients must verify the certificates presented by the server. CNCF projects [Istio](https://istio.io/), [Linkerd](https://linkerd.io/), [Dapr](https://dapr.io/), and [Knative](https://knative.dev/) provide robust TLS and certificate management solutions to secure inter-service communication. + +### Verify Service Instances + +Profiling the behavior of service instances****and evaluating Confidence Levels can leverage [eBPF](https://ebpf.io/) technology. Several CNCF projects use eBPF-based technology in observability, networking, and security ([Falco](https://falco.org/), [Cilium](https://cilium.io/), [Pixie](https://docs.px.dev/), and [KubeArmor](https://kubearmor.io/)). eBPF can be used to synthesize criteria describing standard service instance patterns, which can then evaluate the Confidence Level of running service instances. + +An Active Observer can also identify changes in the external communication performed by service instances using a network tap, as exemplified by the Knative [Security-Guard](https://knative.dev/docs/serving/app-security/security-guard-about/#security-guard-profile-and-criteria). Regardless of how the Active Observer calculates the Confidence Level of service instances, it should be****integrated with automation to delete suspected compromised service instances. + +Another source for determining the Confidence Level of service instances is intelligence information about CVEs included in the service image, obtainable through image scanning before or during service orchestration. 
+ +## Prevent Unauthorized System Use + +In ZTA, preventing unauthorized system use is crucial for maintaining the security and integrity of the network. This objective is achieved through techniques such as micro-segmentation and fine-grained access control, which are essential for limiting the reach and impact of potential attackers. By applying these methods, organizations can reduce the likelihood of a breach, and ensure that even if one segment is compromised, the attacker’s movement within the network is restricted, thus protecting the overall system. + +### Fine-grained Access Control + +Service mesh based solutions such as [Istio](https://istio.io/) and [Linkerd](https://linkerd.io/) offer opportunities to implement a gate in front of every service instance and support fine-grained access policies. Some tools, such as [Dapr](https://dapr.io/), have built-in access control. + +### Dynamic Access Control + +This type of Access Control can be configured to block service requests based on the request Confidence Level. Tools like [Security-Guard](https://knative.dev/docs/serving/app-security/security-guard-about/) implement dynamic access control by introducing a gate in front of every Service Instance. + +### Micro-Segmentation + +Micro-segmentation allows for the division of a network into smaller, isolated segments. Access control gates must be implemented within the cloud cluster network, ideally in front of every service or service instance. Such gates should support fine-grained access control ensuring access is given to specific client identities approaching specific services. Such gates should also support dynamic access control ensuring that access is granted based on Confidence Levels of the client, the client request, and the service. + +Using this approach, the attack surface is significantly reduced by implementing strict access controls and separating resources into smaller compartments. 
Even if an attacker manages to compromise one microsegment, their lateral movement is limited, preventing them from accessing other parts of the network. + +## Establish Limited Trust + +Identity verification can be based on either client-sent tokens, mTLS client certificates, or both. Typically, the identity of the workload or service is represented by an Identity Token or Access Token, which is included with every request. This token can be inspected by Policy Enforcement Points to control access. Certificates, on the other hand, are designed to encrypt the connection between two points and can guarantee the identity of one or both access points (via TLS or mTLS). + +Identity verification is the first step in confirming the client’s identity. Verified identities must also be monitored by an Active Observer to ensure credentials are not misused for malicious activity. + +### Token-Based Identity + +With tokens such as [JSON Web Tokens (JWT)](https://jwt.io), the client obtains a token from a trusted third party, included in service requests to verify identity. As the request with the Identity Token travels across the endpoints, the identity attributes can be easily read by Policy Enforcement Points, allowing them to control access along the way. + +CNCF projects related to token-based identity include [Dex](https://dexidp.io/) (an OIDC identity and OAuth 2.0 provider), [Keycloak](https://www.keycloak.org/) (Identity and Access Management), and [SPIFFE and SPIRE](https://spiffe.io/) (a universal identity control plane suitable for managing identities in a multi-cloud environment). + +Best practices for JWT Tokens include verifying the signature, expiration, issuer, audience, and scope claims. + +### Certificate-Based Identity + +Identity may alternatively be established by the client presenting a client certificate using mutual TLS (mTLS). mTLS allows bi-directional, certificate-based verification between server and client. 
mTLS uses certificates for hop-by-hop identity verification, which allows a service to verify the identity of a directly connected client co-located on the cloud cluster network. + +CNCF projects for managing certificates include [cert-manager](https://cert-manager.io/) (cloud native certificate management). + +Making mTLS standard for all communications in a cloud cluster is often achieved by deploying a service mesh. CNCF Service mesh projects [Istio](https://istio.io/), [SPIFFE](https://spiffe.io/), and [Linkerd](https://linkerd.io/) offer service-to-service identity verification mTLS. [Dapr](https://dapr.io/) also offers mTLS. + +### Active Observer for Client Identities + +The Confidence Level of local clients within cloud clusters can be aggregated from the Confidence Levels of their respective service instances. However, inputs about external clients may or may not be obtainable. + +Additional Confidence Level data can be aggregated from all service requests emitted by the client identity, available for both local and external clients. + +# Conclusion + +While the philosophy behind Zero Trust has been around for decades, its application in cloud native environments introduces unique challenges and opportunities. Protecting data confidentiality and integrity is a paramount in these dynamic and distributed systems. Every service request and instance must be continuously verified to ensure that only authorized entities gain access to sensitive data. Such verification includes both identity verification and behavioral verification using Security Behaviour Analytics. This approach helps cloud systems cope with threats while assuming cyber breaches are unavoidable. + +Defining fine-grain access controls becomes critical in this context, allowing for more precise adjustments to who or what can access specific resources. 
To further enhance security, dynamic access controls based on the Confidence Level of requests should be introduced, adjusting access privileges in real-time according to the trustworthiness of each interaction. + +Promoting micro-segmentation is another essential strategy, effectively reducing the attack surface by isolating workloads and limiting the potential impact of a breach. In line with the principle of least privilege, resources should only be granted the minimal access necessary for their function, reducing the risk of lateral movement within the network. + +Moreover, establishing limited trust through mTLS and the use of certificate-based short-lived identities ensures that trust is not static but continuously verified. This is vital in cloud native environments where services and workloads are highly dynamic. Active observability is also crucial, with real-time monitoring to detect, respond to, and mitigate potential threats as they arise. + +The next volume of this paper will delve deeper into specific concepts that comprise the ideal state presented in this document, offering comprehensive insights and practical applications. + +The lessons outlined in this document, while particularly relevant to cloud native environments, underscore the importance of these principles across any Zero Trust Architecture. The cloud native context may present new challenges, but it also offers innovative tools and strategies to strengthen security and trust. + +If this article introduced new or challenging concepts, please refer to the Appendix, which contains a glossary of *technologies* related to Cloud Native Zero Trust and a glossary of *terms* used in this paper. + +Together, let’s build a future where trust is earned, verified, and continually reassessed, ensuring the highest standards of security in our cloud native environments. 
+ +# Appendix + +## Glossary + +### Technologies + +#### **[Cert-manager](https://cert-manager.io/)** + +A cloud-native certificate management controller for Kubernetes, which automates the creation, renewal, and management of SSL/TLS certificates within Kubernetes clusters, ensuring secure communication between services. + +#### **[Cilium](https://cilium.io/)** + +An open-source software that provides networking, security, and observability for cloud-native environments using the Linux kernel's extended Berkeley Packet Filter (eBPF) technology. Cilium enables fine-grained security policies and high-performance networking for Kubernetes clusters. + +#### **[CNCF Knative’s Security-Guard](https://knative.dev/docs/serving/app-security/security-guard-about/)** + +A security extension developed as part of Knative. Security-Guard provides capabilities for protecting microservices by monitoring, detecting, and mitigating security threats in real-time. Security-Guard may protect both Kubernetes microservice applications and Knative Serverless applications. + +#### **[Curiefense](https://www.curiefense.io/)** + +An open-source, cloud-native application security platform that integrates a Web Application Firewall (WAF), API security, and bot management. Curiefense provides comprehensive protection for web applications and APIs against a wide range of threats, including injection attacks, cross-site scripting (XSS), and denial-of-service (DoS) attacks. + +#### **[Dapr](https://dapr.io/)** + +Distributed Application Runtime, an open-source project that provides APIs and runtime support for building resilient, stateless, and stateful microservices. Dapr simplifies the development of microservices by providing building blocks for common capabilities such as service invocation, state management, and pub/sub messaging. 
+ +#### **[Dex](https://dexidp.io/)** + +An OpenID Connect (OIDC) identity provider and OAuth 2.0 provider that provides federated authentication for various systems, enabling single sign-on (SSO) and multi-factor authentication (MFA) across multiple platforms. Dex is used for managing user identities and access control in cloud-native environments. + +#### **[Falco](https://falco.org/)** + +An open-source runtime security tool for Kubernetes that uses eBPF and system call monitoring to detect anomalous behavior, threats, and security events in real-time. Falco helps in enforcing security policies and responding to incidents by integrating with various alerting and incident response systems. + +#### **[Istio](https://istio.io/)** + +An open-source service mesh that provides traffic management, security, and observability for microservices. Istio enables secure service-to-service communication, fine-grained access control, and detailed monitoring and tracing of application traffic within Kubernetes clusters. + +#### **[JSON Web Tokens (JWT)](https://datatracker.ietf.org/doc/rfc7519/)** + +A compact, URL-safe means of representing claims to be transferred between two parties. JWTs are commonly used for authentication and authorization in web applications, enabling secure transmission of user identity and access rights information. + +#### **[Keycloak](https://www.keycloak.org/)** + +An open-source Identity and Access Management (IAM) solution that provides single sign-on (SSO), user federation, and fine-grained access control. Keycloak supports various authentication protocols and integrates with numerous applications and services to manage user identities and permissions. + +#### **[KubeArmor](https://kubearmor.io/)** + +A runtime security enforcement system for Kubernetes that provides fine-grained control over the behavior of containerized workloads. 
KubeArmor uses security policies to restrict system calls, network access, and file operations, helping to prevent security breaches and unauthorized access. + +#### **[Kubernetes Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/)** + +A set of rules that define how groups of pods can communicate with each other and with other network endpoints. Network policies provide fine-grained control over network traffic within Kubernetes clusters, enhancing security by restricting access to sensitive resources. + +#### **[Knative](https://knative.dev/)** + +An open-source platform built on Kubernetes that provides components for deploying, managing, and running serverless workloads. Knative abstracts the complexity of Kubernetes, enabling developers to focus on writing code without worrying about infrastructure management. + +#### **[Linkerd](https://linkerd.io/)** + +An open-source service mesh that provides observability, security, and reliability for Kubernetes applications. Linkerd offers features such as automatic mTLS, traffic splitting, and detailed metrics to help manage and secure microservices. + +#### **[Pixie](https://docs.px.dev/)** + +An open-source observability platform for Kubernetes that uses eBPF to collect and analyze performance, debugging, and security data from running applications. Pixie provides real-time insights into the health and performance of cloud-native applications, enabling developers to troubleshoot issues quickly. + +#### **[SPIFFE and SPIRE](https://spiffe.io/)** + +The Secure Production Identity Framework for Everyone (SPIFFE) is a set of open-source standards for securely identifying and authenticating services in dynamic and heterogeneous environments. SPIRE (SPIFFE Runtime Environment) is the reference implementation of SPIFFE, providing tools to manage and distribute service identities across cloud-native platforms. 
+ +### Terms + +#### **Access Control** + +Policies and mechanisms that govern who can access what resources. This includes Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Relationship-Based Access Control (ReBAC), with decisions made in real-time based on Confidence Levels. + +#### **Active Observer** + +An observer function used in a Zero Trust Architecture to continuously evaluate the Confidence Level of a specific entity, monitoring behavior to verify trustworthiness. + +#### **Attribute-Based Access Control (ABAC)** + +An access control method that evaluates attributes (such as user attributes, resource attributes, and environmental attributes) to determine access permissions. + +#### **Behavioral Monitoring** + +The process of continuously observing and analyzing the behavior of systems, services, and users to detect anomalies and potential security incidents. + +#### **Certificate** + +A digital document used to verify the ownership of a public key in cryptographic communications. Certificates contain the public key and identity information about the entity associated with the key. They are issued and digitally signed by a trusted authority known as a Certificate Authority (CA). Certificates enable secure, encrypted communication and are fundamental in protocols like TLS and mTLS, ensuring that entities can authenticate each other over untrusted networks. + +#### **Certificate-Based Identity** + +Identity verification method where the client presents a client certificate using mutual TLS (mTLS), allowing bi-directional certificate-based verification between server and client. + +#### **Cloud Native** + +Applications and services designed to leverage cloud environments, focusing on scalability, resilience, and dynamic management. 
+ +#### **Common Vulnerabilities and Exposures (CVEs)** + +A publicly disclosed list of security vulnerabilities and exposures that provides common identifiers for publicly known cybersecurity vulnerabilities. + +#### **Compute Resources** + +The computing power, memory, storage, and other hardware resources used by cloud services and applications. + +#### **Confidence Automation** + +Automated processes to manage the deployment, configuration, and auditing of cloud native components, ensuring security measures are dynamically adjusted based on real-time assessments. + +#### **Confidence Levels** + +Quantitative measures of the trustworthiness of an entity within a Zero Trust Architecture, determined by evaluating various factors such as behavior, identity, and service request patterns. + +#### **Continuous Integration/Continuous Deployment (CI/CD)** + +A set of practices and tools used in software development to automate the processes of building, testing, and deploying code changes. + +#### **Continuous Monitoring and Logging** + +The process of collecting and analyzing logs to detect unusual activities and set up alerts for potential security incidents, providing valuable input to Active Observers. + +#### **Containerized Environments** + +Computing environments that utilize container technology to package applications and their dependencies into lightweight, standalone units called containers. These environments enable consistent and efficient deployment across different infrastructures, supporting scalability and agility in cloud native applications. + +#### **Containers** + +Smallest unit associated with a workload or a service in cloud environments. Ensuring container security involves secure configuration, vulnerability scanning, and runtime security. + +#### **Data Classification** + +The process of organizing data into categories that make it easier to manage and protect, typically based on the sensitivity and criticality of the data. 
+ +#### **DevSecOps** + +A practice that integrates security measures within the DevOps process, ensuring that security is incorporated at every stage of application development and deployment. + +#### **Entity** + +An object within a Zero Trust Architecture that can be authenticated, authorized, and monitored. Entities can include users, devices, services, applications, and any other component that interacts within the system. In the context of Zero Trust, each entity is continually verified and assigned a Confidence Level to determine its trustworthiness at any given time. + +#### **Hierarchical Identities** + +An identity management approach where identities are organized in a hierarchical structure, often mirroring organizational charts or relationships between entities. In this model, permissions and attributes can be inherited from parent identities to child identities, simplifying the management of access controls and policies. + +#### **Identity Management** + +Verification of every client's identity attempting to access resources, using tokens or certificates to ensure the legitimacy of each request sender. + +#### **Identity Token** + +A token used to verify the identity of a client or service, often included in service requests to ensure that the requesting entity is authenticated. + +#### **IP-Based Identity** + +A method of identifying and verifying entities based on their IP addresses, which is becoming obsolete in dynamic, cloud native environments. + +#### **JSON Web Tokens (JWT)** + +A token format used for identity verification, where the client obtains a token from a trusted third party included in service requests to verify identity. + +#### **Kubernetes Ingress Isolation** + +A network policy in Kubernetes that controls the traffic allowed to enter the Kubernetes cluster, helping to secure communication between services. 
+ +#### **Micro-segmentation** + +A security technique that divides a network into smaller isolated segments to limit the spread of breaches and enhance access control. + +#### **Mutual TLS (mTLS)** + +A security protocol that uses certificates for hop-by-hop identity verification, ensuring both the server and client authenticate each other. + +#### **Perimeter Security** + +Traditional security approach focusing on protecting the boundary of a network, which is less effective in dynamic and cloud native environments. + +#### **Policy Enforcement Points (PEPs)** + +Components in a Zero Trust Architecture that enforce security policies and make access control decisions based on identity, context, and Confidence Levels. + +#### **Principle of Least Privilege** + +A security principle ensuring that clients have only the minimal necessary access to perform their tasks, reducing the risk of unauthorized access. + +#### **Role-Based Access Control (RBAC)** + +An access control method where permissions are assigned to roles, and users are granted roles based on their job responsibilities. + +#### **Relationship-Based Access Control (ReBAC)** + +An access control model that evaluates relationships between entities to determine access permissions, often used in complex environments where relationships play a significant role in defining access. + +#### **Runtime Security** + +The practice of monitoring and protecting applications and services while they are running, to detect and respond to potential security threats. + +#### **Secure-By-Design** + +A development approach that incorporates security considerations from the beginning of the software development lifecycle, ensuring that security is an integral part of the design and implementation. + +#### **Secure Configuration** + +The practice of setting up systems and applications in a secure manner by following best practices and guidelines to minimize vulnerabilities. 
+ +#### **Security Behavior Analytics (SBA)** + +Technology that analyzes entity behavior to inform security decisions, evaluating Confidence Levels based on deviations from normal behavior. Includes behavior analytics for service requests (SBA-SR) and for Service Instances (SBA-SI). + +#### **Service API** + +An interface provided by a service that allows other services or clients to interact with it, often targeted by attackers to exploit vulnerabilities. + +#### **Service Instance** + +An individual instance of a service running in a cloud environment, which can be scaled up or down based on demand. + +#### **Service Mesh** + +A dedicated infrastructure layer for managing service-to-service communication, ensuring secure and reliable interactions between microservices. + +#### **Service Requests** + +Interactions initiated by clients to access services, which must be monitored and verified to ensure they are not malicious. + +#### **Transport Layer Security (TLS)** + +A cryptographic protocol designed to provide secure communication over a network. It ensures that data transmitted between two parties, such as a client and a server, is encrypted, preventing eavesdropping, tampering, or message forgery. + +#### **Token-Based Identity** + +Identity verification method using tokens such as JWT, which are obtained from a trusted third party and included in service requests to verify identity. + +#### **Vulnerability Scanning** + +Automated process to identify security weaknesses in containers, images, and dependencies to prevent introducing known issues. + +#### **Zero Trust Architecture (ZTA)** + +A security model that follows the Principles of Zero Trust, eliminating implicit trust and ensuring continuous verification and least-privilege access. + +#### **Zero Trust Principles** + +Fundamental ideas and concepts that underpin the Zero Trust security model, including the assumptions of breach and continuous verification. 
+ +#### **Zero Trust Process** + +A structured approach to implementing Zero Trust principles, involving the continuous identification, analysis, and control of entities and interactions within the environment. + +## References & Citations + +## Contributors + +(in alphabetical order): + + Aradhna Chetal + + + Asad Faizi + + + David Hadas + + + Eddie Knight + + + Kishore Nadendla + + + Mariusz Sabath + + + Philip Griffiths + + + Victor Lu + +## Reviewers + +The successful completion of this technical white paper would not have been possible without the invaluable contributions and insights of our esteemed reviewers. We extend our sincere appreciation to: + + Pushkar Joglekar + + + Nate Waddington + + + Andrés Vega + + + Valerie Silverthorne + + + Yoshiyuki Tabata + +## Acknowledgments + +We want to thank several contributors from whom we had excellent input and feedback and, as leading practitioners in the field, did much of the work that we write about in this document: + + José Carlos Chávez + + + Matt Flannery + + + Sundar Nadathur + + + Andrew Martin + + + Matteo Bisi + + + Fabian Kammel + + + Yaron Schneider + +For anyone involved in creating this paper, we express our heartfelt gratitude for your time, dedication, and professionalism. Your contributions have undoubtedly elevated the standard of our research, and we are immensely grateful for your collaboration. + +Thank you for being an integral part of this endeavor! 
+ +## Helpful Links + +* Internet Crime Complaint Center (IC3) Annual report: [https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf](https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf) +* President Biden’s Zero Trust Mandate: [https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf) +* NIST SP 800-190, Application Container Security Guide: [https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-190.pdf](https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-190.pdf) +* NIST SP 800-63, Digital Identity Guidelines, [https://pages.nist.gov/800-63-3/](https://pages.nist.gov/800-63-3/) +* NIST SP 800-207, Zero Trust Architecture: [https://csrc.nist.gov/publications/detail/sp/800-207/final](https://csrc.nist.gov/publications/detail/sp/800-207/final) +* CISA Zero Trust Maturity Model: [https://www.cisa.gov/zero-trust-maturity-model](https://www.cisa.gov/zero-trust-maturity-model) +* Department of Defense (DoD) Zero Trust Reference Architecture: [https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf](https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf) +* DoD Zero Trust Strategy (defense.gov): [https://dodcio.defense.gov/Portals/0/Documents/Library/DoD-ZTStrategy.pdf](https://dodcio.defense.gov/Portals/0/Documents/Library/DoD-ZTStrategy.pdf) +* DoD Enterprise DevSecOps Reference Design: [https://dodcio.defense.gov/Portals/0/Documents/DoD%20Enterprise%20DevSecOps%20Reference%20Design%20v1.0_Public%20Release.pdf](https://dodcio.defense.gov/Portals/0/Documents/DoD%20Enterprise%20DevSecOps%20Reference%20Design%20v1.0_Public%20Release.pdf) +* Dorothy Denning- A New Paradigm for Trusted Systems, 1993: [https://dl.acm.org/doi/pdf/10.1145/283751.283772](https://dl.acm.org/doi/pdf/10.1145/283751.283772) +* *A Zero Trust Architecture Model for Access Control in Cloud Native Applications in Multi-Location 
Environments*: [https://csrc.nist.gov/publications/detail/sp/800-207a/draft](https://csrc.nist.gov/publications/detail/sp/800-207a/draft) +* Identity and Access Management section of tag-security whitepaper: [https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md#access](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md#access) +* Help implementing zero trust architecture (UK): [https://www.ncsc.gov.uk/collection/zero-trust-architecture/implementing-zta](https://www.ncsc.gov.uk/collection/zero-trust-architecture/implementing-zta) +* Zero Trust Thought Paper (Canada): [https://www2.gov.bc.ca/assets/gov/british-columbians-our-governments/services-policies-for-government/information-management-technology/information-security/information-security-awareness/zero_trust_thought_paper.pdf](https://www2.gov.bc.ca/assets/gov/british-columbians-our-governments/services-policies-for-government/information-management-technology/information-security/information-security-awareness/zero_trust_thought_paper.pdf) +* Essential Eight Maturity Model (Australia): [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model) +* Cybersecurity Policies (Europe): [https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-policies](https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-policies) +* Success Story: Israel National Cyber Directorate Version 2.0 | NIST: [https://www.nist.gov/cyberframework/success-stories/israel-national-cyber-directorate-version-20](https://www.nist.gov/cyberframework/success-stories/israel-national-cyber-directorate-version-20) +* Government Zero Trust Architecture (GovZTA) | Singapore Government Developer Portal (tech.gov.sg): 
[https://www.developer.tech.gov.sg/guidelines/standards-and-best-practices/government-zero-trust-architecture](https://www.developer.tech.gov.sg/guidelines/standards-and-best-practices/government-zero-trust-architecture) +* 2022-2023 Best Undergraduate Cybersecurity Programs - US News Rankings: [https://www.usnews.com/best-colleges/rankings/computer-science/cybersecurity](https://www.usnews.com/best-colleges/rankings/computer-science/cybersecurity) 
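Review bot: The glossary entry "Kubernetes Ingress Isolation" in the Terms list is incorrect and should be fixed before this lands. It currently reads "A network policy in Kubernetes that controls the traffic allowed to enter the Kubernetes cluster", but the ingress rules of a NetworkPolicy govern traffic entering the pods the policy selects, not traffic crossing the cluster boundary; cluster-edge traffic is the job of an Ingress controller or gateway, which is a different object. Suggested wording: "A NetworkPolicy whose ingress rules restrict which sources may connect to the selected pods; a pod selected by such a policy accepts only inbound traffic matched by one of its ingress rules." Related accuracy points in the same section: "JSON Web Tokens (JWT)" is defined twice (under Technologies with the RFC 7519 link and again under Terms), so keep one entry and let "Token-Based Identity" refer to it; "Mutual TLS (mTLS)" is described as "A security protocol" but it is TLS with client certificate authentication, so phrase it as a TLS mode, and the "hop-by-hop" qualifier only holds when a sidecar or proxy terminates each connection, which the entry should state; "Cert-manager" issues X.509 certificates for TLS, so "SSL/TLS certificates" should drop the SSL reference; "Containers" calls the container the "Smallest unit associated with a workload", whereas in Kubernetes the pod is the smallest deployable unit, so the sentence should say which platform it means; and "Continuous Monitoring and Logging" largely duplicates "Behavioral Monitoring". On structure: both lists read as alphabetical, yet "Knative" follows "Kubernetes Network Policies", "Relationship-Based Access Control (ReBAC)" follows "Role-Based Access Control (RBAC)", and "Token-Based Identity" follows "Transport Layer Security (TLS)"; the "## References & Citations" heading has no content, so either populate it or drop the heading; and the final Helpful Link (US News undergraduate cybersecurity program rankings) is unrelated to Zero Trust and should be removed.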
diff --git a/community/resources/zero-trust-whitepaper/v1/images/image1.png b/community/resources/zero-trust-whitepaper/v1/images/image1.png
new file mode 100644
index 0000000000000000000000000000000000000000..7e517754a0a2569ef236104c0c849c9870461f85
GIT binary patch
literal 26557
z8rFSpIM-MM?L@u)uMKU&r^parW_vt?l4hM6nU~muj7(yny28NmH~cRzc4cv329m;Q zB5uq;FqeCP`iJ*bmF`CXMSkp*BRO}*bi61LsH#+8Xmc(>gywMc2d{Q@ETag}o2A;} z{qs^R)uJagyfY~!<~sjmDp6O`qdUZlCVsA&X*^C`q^}H+LOBwpk8xQwbDt649e;+( zB<;P;J(ZIrnEG`2^h-NA2UdRnkYPUoz z5<+S_6>~RZKenl1HmJ9vqNjhmW&f!Wd-+MAdVzMnw@6Z;7~7k9MA-oKL~hO4S83^l zd{k)`tm?rsoAN41&{>4p1-ds6=hGI@Yy_|hzogE22Io7+(69Hmi zd_MlMkBX4g_t# zs41__shGL3tc{6^;GSp@O5W`z@j)7>kpWfKP@ z%-%8S2fg~L^AXo-p_cErH=23@HFh3NOD&Fe|3i~21G`>XDm}A4A?qM08WeCZ@Z(KZ z1jzpy<$7qRTQ@dK;RIXykp1D~?!&N(*{b&^%RcLl4xbdwTo*#;uQW2Z*i@PYiqXRn z^0(#4vdQi9HP#bt0RaGLm>htW#xNnOUY`6?gb>7Fg7=}@h2@9Z zU^v8nEO&Bxi_IY;A5bR86&5_n@X$DG_yI;v} zbhcSe>Yzn_PRAbQikayNnoRyePWNL@J{MzV$0T%w*`U<%=#rVG{tei9?0N|f7r)#R zY2p_uQW%=5ZMxa9=xLJI;zYO85a3ITD%=3gMy8Arp}o^QaH{yE7(+;&#KlskW>jU? z?7ZQQzP-%4HabJ&pb}=R_i<9IW3Y~icrnVB+j!!9#Fo?0+RDdLfr|}|01?f-PP*mY zEP>d^BW$PEI{t=}t3WF!8awxM=!S)7MKkQySq})OgS0JZ7~oDK1=0C+6cZmeAIO=Wb@}E<;;v$q=KFm$dHQ zSM5f-8nY+qTr57UT3a(LKdeOCiU>;n3K=ndc)^T}dz=#p4eq@`GuYr#ptyUXxVuBK0Sc7TqJy-!7T3WGlmUtqcXycL zkMG|9z4v?X&01%joSp1!NhaC(C5hM4P{PBe!bUmVVam?0q{PXREVDc3t> zG|wM~j&gEZ%5ri*Ee}^aM`v3kB(_vhA`9%!f*snVJGG;cn4=5yj1(_J>W%)gV z^$S(ADJat1Z<(W-9Fk%j-r)>70C0_Nktc~?$p2cHCT{t-I6kAoC3fmTYqsnu`m#ps zh5G1Rm~&NG?2f(Zy8~+OI{|%8QHmlZZ5$)u3!^l^N=LnuZ(2s{S6*Me_u~`Gie`&# zTe`2hy4?PXtY~+{+sI}-(w~3-Y=)L#EZSf?t+q@=JH5rWhMGR5F2(nHc{4%Lj``(_ zPO{^-A{kMqMK$8f+ogX*b6$Nj7x^@cVD_AhYf%zZ3j=7UCg^RS^7UUz`-d{pF{LO{ ze&vEY>wFvz6Q!a|>rL3yI$I^XUL(C3lYV+MALR(N*v6_D<>K+dEzRP6@y@?Ug8~fl z)_mi&wNsw?xf1gEQfS^V`k1lLFDX3usyC8Jwf!+1L8E z2FiBo>PYO*X#f&(tRoWIa|-$Sp?ZFhkWkZNkT9R$#Ltg>KFa^(qL}5Q{!bct>YswL zZ{(DfpWkn+J#1~?dpfv!E#b-kd9LcWqppFMfx4QQwW|xarH!kVEw`VG+dnKw5`JRO zNf%o$OQ4^N^LtM*KS_rFDk1iq{)f!N0Q|2aUhgCs4AixNa;_e>Kw)lPZe9i{Y#+e?yx;U7W&`}=P_ZT%eoPttqO|Cse` zAkRNJJbc`|JpWtwGpocuR52|_KU-%*c}JIL_dLsx5)>AZ_^cG| zq_BEYN@x7p&D#wj8kR-JeBp^kYNBBJ_U+Sq zA98QgjVgCTUvKZ(icj^0`Q>3BfGU}yFiJa&Pu;NN+~eFmt&^v_<^4aVrlvEddZtUJ zdMAq$m%1~7h$Y{Xladw5okhb(K6#+&ym`b345zmMP@u$w{pY3B 
z9hW79_J75A(Mqt88O^598af94hxMNt7|niT{J*MWK}+;gC;4?v^>1D(JQTTnV!#*o z0m|b{buwfATaXM5u*UDq>PPV1wHTYSZGr`?yv~nBtWom`QMyEFpPTA{TXFgy zt;UZQTc%7shM6%GXrHBQA@_4<#C8)Y(XMHTA2poQHkJNIlYNZvO5-2D)eYHA3G2_k z3l?VP{@XfqLf&;fB#JiYe;F)OO!Q22l;@KCx8B&mXMK=(edhmVa<~fPGZ7wV6!5>! zdanG1On2N{WQ)VPe+$Y`d?pqXHD3PPLu_GTMAazWbGH8$#Gdp_RAF@5qx`=npw~ir zb}xEZ?dZP+=~6utGZd%c0{?2pd?Xa@3a!=UsH}}~=~l1VG4A8mzSqnozRL&FtUjmNIxJ&xfA*|Pa3HuC_tL)TVb0<@4*c0qBZ5_A96d(1bM5MR*2$`> zQA$M@w?N=K8BuRK-2hYYjMn_K#%wQe9I7)1$V)bk8dco6^=)h3IZK=R_8YVCw=K8P zeGs|O_^^fGL9^4C)6o{k@(Daq`m2+8;K^jra`g$pN4@0ma9KoY8=YtA*Y@ufI~~uF%UkZ3R-`|y?iCEUP8rYM^lVYxRqE4CA;%T$ihW~ z({# zK)4VJ`?fYCw0AH9Oq{k>TBjp+$iD71+gGZ(KC}Y%?2^Wm09ji`yFahwf9%SCm#|v= zVG2D*a37P*lWBa5d>SauY_A*fG)0}KKJ<#rd3q~Dpx*>9 zV9e-qqpj4adiz2y_2Dmu=Wc~}o-2R!H+m!xI`r4Pyg9nq9NYr`6MASe5lQ(f7AmU& z6I5x$&LdlcP6PnL95lglrIQ{EX|RXeG&Jg~QXo=WrZHeuyIH}x*g_&m#_ z^CwkMJIeIyCv1}exxPTrmTS{59#p+zYx}Ys zE9gec;OO&E23I6)ilZwdH$CZNAbD0kx-Poh9-fhaNy4^|%O$&!izz>JX$+GP0otaB zyOK*yOmDi$KBQGGMyRe+I!3r9F<31j4vzDoW~)MCFiD-24}J=sx%*W35HisBSs0qG zSYT@K|a|5?=eA&wC}X(1&eX>-P?LV|x^ zn0??fUHTX7tn8hrRxrCVlmkeQlK0s&CV}iL&v5=BQ*lUx78*(!1+&X@U*O6zy5fmv zFh!*hZqoxox?w=JJAF$f{Y!84DC1qCRLJ{fMf3O(VNlyX}&(;5Ys<;;Vh*axp(&~Q3+ z%`-d6+HXhq9l&A)QRIlL2WiUnS@~X2W~z!d2(ki%v`-! 
z1})dLfb4?|lBUj{**8Z5HU^J_0J=!w zY%^8KE2YsA=}PCI_8l?2fYHWoDG!6oMr}QVj;_s!0$Gg`Ly%nk%_qL~M(aWRAE8fiMr+r9TzyXh zSMFk}D^1&eUtKx~iA2+X)o6PRsU*9I8l(;U+41yn;`^s*_(=AqlzmHiz9p76V948N z1k&8QXV+CxUOxIT@pPYZSKf8Yfk@B0hn=-)A;pG1Awqpc7TqHM{FuPF28rtZxk^sP z{}G6IKRf&O2HAQvlk5F~{!KIG^!H|blr5yvZ-<`VNa>_K&*4uAa=0V2ncC^o!^+dq z?+U|>aY=*;qM=lB?4eKkKJrhSZ*`@ZA%7_w?j^U$)*T0(sFSf^y|ExSV{pmFQUZYIN#8M-DzeZ5?L&Vy*`$VMc zW~{T~qxfRA;PCyiZ`VQR&6w+Ld^#59p_~P%W3MDf;%0+t^TJ;GF1zhuye%f)HSS&B zOl)@~fzqGavzcALtLFq^LAC`SFD$L^6d%XBH zWr2ID=KCS{*8W}3efBvF?#5-{t%N1?ysY!QKO1aQ<>{C<^_o<`S0>-YP{xr*ORIkl zS`h;xos(ZZMqX7F$gXej_chL%9Z3D{A!zMDhf3lOf%9%L2dI4I6d@|4X>p`E#VhyQ zBF8I_M=Oizn)`7$(dam2&8plju=MfYzx92WTtg3}E(-|!_dvCdWF#la;>T{PS=?7A zVo&oEKK1q~b40R=(zlZ-t?D_#H_+~vhk*#kz%wSW9p6ozXu8s>_{vRkQ3y}-DhguU zw{r?ns`A@7Ft9D~*fa0I>@t%3=skf~b zLBkD?V)!L$x~16ow`C%D{OdpAdfww+-eR5YsKmTgnDnU(4cg13!^|k>CEu0cg7`m-^1F$0LSsRm529;Lh_EGhx4qiOSI#821=gLo6(Mi zM6CUB@e{A73ek4NOm#@(yLZ&{t$E^xvS}f=Q+ch(M747GuVJAWL0Wr3TO8)@h~>a) z<7T&lz_E8`8@cBnOPh7sx7;36Hj(vc()iESX@MEw+{epO=^Ih-U+!s}c-Zty#? zQ{S(5RnQ={LPA)n^uwN+cSF#P2O=%29X6IDGEpw3P1(6lTJ1JSs= z4;Bj*5*GW(%?~w1*U)&r$rVOJ4@S)&>+bHlo&rT&Lk7g}lSGzxFTDP^{AfuD+GLbk z;R#y93Fb?UD)4|-X-GeK`G$|wXzfKz@r0b=V5TbY`)+63w`Q@2F4psQ0Dvuv&F)2! z4SB)W^T!QS8W%WGhV^zgiNJ!^{gLv;CB)*AE{^lQg?b!ld=<&LUX^a7wX}2WNyltdn=mA>>YPyPoc(&85gx z6Zt0m1_bUYy!uJs{uL9w{3R!e55?i`x}B*G%Ck#ErgJNty-%_m6;hV)isd`;KJpkf4x|e;P`>HPFUtgvEFMWJ7#&hwkZ&?m_0Kco$n? 
zEG(fr@NwJqalkbAYUVgU693#u+qrazZWH7DVm9<)HiVaj0Nf0eYOk)XolF;CQ90); zQ%*#tQl|DF?U;x{+)RXq7@#OF<~`l-ND)BV3H=^jpRQdW*lE9^HA7HIf|lqerBq@Si9j6N~a$ZXyIqgn_t%WR^i^DJtkZj}21ie+^fNq65J zd|jV+<&t7j5B$4E5V|{z)xbe_on`g;Azh&I10f z#Xi82p!O0d^4>M@0g9I>m(PReWH}~e@r&PjyqQ9*O)Tl(o1MH9J)4QZ<%`9YhozMp zui8LM3z#DAFs}Ui^E@;mIUniu0vo~#AcKoCY23^50-&*i3Cc$m_2VAzepk3x2QD47 zn~o(k5-Y0vF8lA?NXXb32no0oVJcIj3J}*>>s{Mzh5vQtl&R|u)?eF1yt++dIvwGt z_VV5J2e6YM=T!{UyIT`4HNMNbd+q~oHO;aGwI=xe3wv$zS=+B0tFK7Bfp06C`ovQU z>E{_H(3m_RuXQ^%F&*jCB%Du%P@$B=RK$W%Rxo+?C6^in=6;^P^4zF|=q} z^2jTa40XbP+_N2)5#76$Wqurw>5>$U=Ka+4qhpMOh{pDY;);)^Vic`x$94zdQ zNz4c!dr0*Kj&0E%A;EhQ7Gz;IWP8MWviRln5IX40$DAe&Lx)*TDg!96R_^xd`bXDN zRz^Se0}*HH3x3)#oUhTyq@GFlfIYlorxsh1pK;GChBh_Y~CSU`=oH z&-9#@)ZIW-eNC@72Uu|~8EJ28jVZ;Jy z@!Sd6!{2`aeYb%=L`2+Jlq@zvLNF~_v5bWaQ{x5KQHTzsijPpVr&>tVV z<=X{0453E8j>4WXX$n>zvc3+UrsUACIE9z=HK^FH%M@asjo`0Fe8*%+c#(XW8pQW2 zUFnhH^i?2GUt&Vsu<}B~xf^I`$;t>L^JtbiVc>F$SuFT$6@d*G)IVw`f61vPjZ)T= z+Fd7$9*>Q&G5yK~UzsfduWD*`7iXH0DIprui4TB&rAZyDmTx5w!te)<$t*no573z8 z8h94`nw3IjdSjNRZ?6u5+hYBGUHh90p)Cl(Id0LSUcBPHQB+8Y5l|x_-cEHs$<=fN0(F@zIDdnwJq8#sFOUK3F#L@WGQlPTEbyOFdWafY zNs=E;W&CG7Mh2$ zbMPuE-KkHSMPv(7ljY^SZ^wb@e0BZFGgbxRMN?FSzv31}C0!43W_9!ImWgZK=XqS` zxks1~6V~;qq{%|`UUO*aFM*AKZ1W_tad{8QFQGaqQnzL1OUX)MpJWWM1c2!x`VE#_ zVzxSoe4bEjkD7{!mP~9QPF26od4n$Cp32OuHxr_%K3XZi^XpT>bJ(9pVdBZr*Z z@i#qB&RXVk#Fm=q#BdKFgCi{)ukz95xu9Ze7%3Ml#qsC&L_EQ-7HtuDx^E~fs z08GF{DVV^q&>6yWD`1V1gSFfB2~Wm(uWc?hT=D_^uFjjG@sbYrh`!k5zoOA$MT-R{ zGh8Ezb^gDW9MP%l;j)k!E8$u|I$9pC)zit-gS6}FSpJaA@CdCQwi7=nZUS-WWpE`h zXSoqAN%5ZgQyd8RJ}w12Y#1{G$=|ld2Ey!e{x|bSd%tRd!I(#q7hm__b$oXtgaD4a zQY%mtR2BoFs(p}#?T|1;UIN-)9l}mUV0WL8LLUyy1NRiFKBw-~Y=Ev1=1*7VW*x`{ zeZMhtI9VbO?+K;FzcA>LkO=J?JNwM($^iWFS8mh|=fGi_tci%!OgEZ9p2OdMSmp+TyI}mm<)Wbq+_db{gwL&y_X)@U{aNdPq{KwqYWHls!#`n-YcXMhGQ1Gao zD%;Gisxf7DXlnkhF#&!`p2|}x$$@Ao3)!m{ZTsAMk~u=g66;9X+nzp0 zSMA-?e9-HJB$CpX%Q!1jbOT?4J)b9?*4p|APHn?E)fy|M43LTb$BNVJzqRV1x<20_ zVmKX`Vxl$&B50T-0N@AmQ_9+TEb;Nq1G!djcnj!htosv|UQEa)QpgOW`m++?>fjbu 
z1kgMF?JvaLOb7&z4T+Gvu(k6}f`!TE>G2~{@d@)JV(wx`%CeO|A~tL?{JEU z7KS+33xQ`cc%XU8zlJ>*KiMf?rw<->TO?q|C=1NRr(%x0%pF9cOdAneCY{z+bC{;~ zBNi#EtefK5y6dLdX`cSB>OFLlpz2@2y^deeF;u)=en0y3efRuVu7m0{W*Yedi?^Dj z&cr1b7&UKN`n%Es`cazwF6*=-09+n1ohTeHn0{NrbFQ4j9OcWfB#WYG5{Dfex0Z!x&atgZ@vi0@v@&g$kPYX7@+SbI zGC)W6238#Ok=10!@K$6FXj-x&%Leo=(^HOZ&7Y99>ZS++@=v2T3lI?zNQ^Rz?u|Wd zz@H(zq`?r87yZRQf_^_kemhhtcgv@ZR-IZYiC-ahr}>?bk=krvpu3TpQS>^H4`wOs zQ_i_u!U*+!%2Ta=g1nR18rbtQRqtXvHr>H^AKLUTV4#SU15@}T0M+0p-y<45Mg$5O z_Xhec;DXW`8>e>Obli4P{Ipw)2E3MxoLEVMn*s@%p18MXY?|n2y;0~` z;wS`Qi3n^o0O#f8J`j)Rg#oU`ho}bHt}j#6C0TyzIp6un<@FO<=mSARkF@LRm$+vh zc^kf+JD|@kXZ4uN&-SPDR4)46gxE`qOa?<$p2Ng5Ze$kX$#i{TA}-x3H_4#$MR|X0 z_dZsVH`fAdt-%`7C>t{h-&`1eNa}nJn%$+Ie_;Ihx&8F5%d=%e*2mr<BCr)_)N zKnm?4ay(?Qo#hl)N`;UB{bz^zhw-7-R%`zZm z=%>FmqY5qw*i@k|qF)tMQWEggxPTgH;1^MN;$p)75GfK)G<^G6y0>Cw?@|+2F{1IP zMc>)M`!h+EUp6&2AJu5J0b~ZW%^4-5IoGC$3pG2eB2^^iZc_#2MtEJqqiX#uYa?3l zLK}K4Ch&%zo^g-0Kjuda>BBdP%I!`x&EI~8*6`(w_!=zyGyR*OMHu6P$*XwgDtb2K zF2ldVA)G_xKCaGGVL;h@ElfTs^gJ6vwnMFKt=g*%0_8a><-=?ldM{|dw@<9q4o0n2 z1T)v+N)7sks0ft0o%$($cKFe`bvk|61%2v`2Xp|!qefgKY0F5MqxNe%|AUPPA9cUO z8*oca7tELWy1YS1V+?Tpt3fs{q!N?StkEnoGxWbU+f?L{_E5gd3LEjJ($83B3ESaQ zH_#&?B-KJ7tkY@EWS|IzRdJG?f(3B+^nsvyCbUNx3(Tv9CA->8jzY`>mwgz*U<7G7 z@@F$B$kh?WQJry3W1jK0$TqT!-f{?!=;xAPcxHXltJE?=tk=9IE>zX$dJ>`d`eb{SA^~mVJc< z>Lb)y`8n*zMxWNEU8>{62p0>WcczinDb0^Qm&qcX5F^H@ zI?n0m)7!3Fy^~}lxmgt#zUl#w-#WRyNd5A5mR4v6d;+J|<*+EJDP*CSQE1Y^qSar& zg`G(_N$N&`Dd)n6xwC(*n)ry>!gu-LG%Z($pWO$nz?{-pwHueqhl; zH1Hi_xX*+BbeBL@z*;S_c=WUHB&V6q0tUsG*W!^d@^-@yglZT8wbDBW(WKj6nHhbp z*+9Q8qUt^Qki#}!wc-xzcXBc);eDpg)>=2Zs@)W1SIFNZ;(azXY;%V(_XV1Y)9G-3 zxI1B+m5GmFRlu?dwGvha8wEi4%>2SfZ+~Wr6TwdI}cL$#JlLz*_TijZW%ks7I zOA(6?vXD=D!BmzLWOZ$>4wNyK`>sW2U5{yKRT0ofy}U|;CtxnOeReXCtiR6x%m9bu+|e`-!@Z+WO*)c)Vuj%<7YMitjSBk$|EXc zcNRt@Vv{)G5l>!4JQuG-1tHY+D#n1i5{gLK^RIrS-0){IowF*CG+Wi zWJ>o@`V%24Tj6#U#<+iY2Cy1f+xNS$FYNc{3`eJi;lWj@2zhjKrU}wH&-_>i2Q2TR z+pt(H0B^z8EPQpoS;*K=+UM-6XkG8g6()YwH5r>x) 
zX-c}8KqFGo%H4JEAw8)*|B_Yyb@RAPbS@uqsVRRmkP3~c%m9b- z>y#KC`q>psTGSANCNF`>Uv95aqI(kKsjpCI!n}sX9qZDgkV&wpBUycD1p{>P>3_|o z(mn&oU1$C_pukk0QZ0>fJSKuQFJ%4NRfWNNElM+~h(<_H#ADy; z1O;lrYPtu1NVtd-{t#I(P6g0|kmnX1vFB=`XwE>hAWee(@R=`3O5J1~B4usXh&F(= zpB13k4_=CX95Il|oxh2zm9Q2GMO(lNrGL*xK*3lEj0$X!gcEd8ww0xu*f&BtYThO7 z3@1b{$cOo$v~2U3=W}VTSYDue(rp+yFgo}^stP~gdkO`otP~_sosGm+RIRNh&Hy6` z#mRT)aIFa0#b_hxFpsRt(Z7Weu9_r`k6IwzSZGDXJv;+?^{nX5d?g!jM@j=qQMZAZ zQe)Uwd%}z~gBpMc8hxM!m}9L0MSrTz$QZ##b{8L?2P$r6Ba_k@sl9~uAz`O>uTgJC z*S{p{7s${5Vdv3vN^lM`q?f3;re`9gl;5qmbZ}NfQM1`3y~B{W0sZ_0>kdb_!*Dp9 z^!GNiq`^%7_(|#Qa#d2#DD*AXCwnbr{#q^lIPP?s6PPrP}T`+l*;6I>ID*Vvm_95UdYTBxmwMB&ev z3Zajrs(<&mP&BL`R5`X!k!?Ao!_Xdt9c!wLS9vZVty!(2uxLJTIY ztnGZY0DYm)2fqb25%P+mZdrot>&j!t ziE64!G|4!@I%U?-3b3Cc6Ob>4&5a2YvHP|`Z$Bcy7JbC>f{yhw>-5G7NyOa3wI@WqAQ+ zB@zD9|BBV0)f^_L6HOH#sJ7moe)o|s4U>{F_*~wUf!P{PpPz};w_3z1UVYu+0nqZD zlg)=0nUx8|38ZQ0o|P?rvxnAA)4|^iNl&21ek^CoE?7}}QDz-SPE0q1x%X?wL4@%A z0y{LfA9PL zSah#POM%SoW#w;n(`Anc#w`*)QVDTApkavx$6vN2e@^2Yj(ht)Y0gy+=nqiCIs@HC z*c6JHwA^1bD|p3L=jBh~36>hzV)1QPrWaq1RC# zV-!YSj5XoCk=dMkO|%?)%hk@)9;>-LdWQua_GNM@GXjNa)vU+zMiavEy8Q7Oh=)v@ zM!2A(-znr~2)ohhZvH_LH9yaluSsKq6!Kr*Z()o?pb;tqCoI?!7BUbrQihfF3oKy* zk<#ByJJVg=u=D0`@J_H1eo|lnecYig776}UUmE}-vFu{$L}Wn}*${mzs}o5to`AGK z3)k_9dv?QvT(?7PL2|qjH6Z+Ck-#OxkDeQ`i~4SwoL&zNz8&0P_!G(POT0X0hQH4f z-Vs~7eXG>4zy_K;R&QLAp$}kAYdH)x`13)**Qw;5EF`nVQEq~j`cM*)GDXlWvK)Lh z(C60Vzx%X;g$-I2AqK@c!&0wbvL0_5v3@pK?h_hNs%#I4g6oCre1pQF%4AY;sC<%9 z9kg}2O14fCn_>HmW%b8<3S;Oo@%9KuBlyB)@Ov$&;X@BLTO%?b#MW$r?d{2KY?xE% zB_^yHK`k|*vL1vOhAfQw^JkJ@b5PZg?#O2F6!1gYKA8F& z3LlGus4rH(s@5^P$ruV9_C0V z-iqba(VrGk>n$_QcIcCr%jHy)M46^^Nezg#03I;`y=Bu-DN9@?$sAoFOmY03MZi69 z732fDGBX0=Q^+7Mr2H_o3@B$JEu@*Of*{fNgrBBkGBuZdGMxL>l)4B%c8~+diVST- zCQfPdRs|nonG$?dq!olln~`3_xKl&WgfHo!T3|Fj7;D~T_!)}r20=UIUT1qzW`WS` z*qQ?qAB;gCF=Jzrm*aZp@;snS#me+6ypUud1iL~8@|Qt01Dh!@0H1`DAd54L7YpFn zo+RuUU1W?w7LSzt{sX9OS+|p-j2vm;tPiw91JIUF`gUG?eH3eYMTl8tS^uJ`G6r#a 
ze26Hr>U*CM{#iLrCZv{9ZXryaG!27=m!-`ai^3mT0g;~m*z-HSJ&n6b@36r}W}C_# zXpj3C1nLADfpM~RdoZprh~_Abhx#=xQo-G$j%qF_SZ-U2tjIvg`czdJ!njW#vRa%E^8LtJ5G zbRE<9^~fkjbePaTC@z%eSIQparSiBibOj=Xz`B$@{A19-E38e>p7ZWf8*B!ilD2qy zKEEonP8cT-9@wuv@BS4!2AcJH#9yK`2M+*$ez?WLb9SL}gM0+8S=LzUC5@r^FwAMY z5rATtqV-;(GDZdh2#GM*nS{Zvy^?Y0s4T)16|LDXDZrGMhHLd6%yboEwdFvXI9xbT zzZdr-Jy4x-33#?9b|Y&P^CCVFx1^$wQf64XJXjy0#x_?VdrJYMS8h+YAEtwgP6uw% z?7bv01CvVtMbvUPQ)sLgS!qAjM5cY0&47t(@1=&0fPvf-K=n<^^9d;6b@Y%6As-|D zW^zy(i?G<-2Cx8F4d$Q2CP;>W&qsn;JoJyjbKMDE!#LMcV6Mmx9LKs=C9yad(qT{8 zM_#wV*W8W!I$1`4*L7&i6Pi)q@pyc@VShUB`dlM1P3nTP-k<_a5Pr#2a9?7ob<#k( zk8&>GVU-|nT)d>+HGQ|m4`IbmAX#`ZLB9p9Oqa@QFx}7X?3R?mf@0ouU#H$fgo#BL z=q76B3h^fC9DO&#g$>jwOnhId4GO)yKIxmpob5slZhI$sU$^$IKd7KG68$LSQGw2~ zy`V$Kr=}=H3x7fEA>k4HI#M_B0DJ_-TkDl-=(0-{9go8){>JIrAOCiU6BVB+OjbgiH{3HN!$KH& zJ-|R{dtk@+T5^5c%$j%0wB;mH0?pgdhe`_hA&aNdEk)2DgE)i6F9td1pyK(+8s@r! z#BnOYNLIB8z3C~IKZu_c{u5|>F<%C=d zYy^v}3(<;Y2P(F+46wm?*GVC(o&oW1`}L9v*y6S>&@sw@jl-RJuB+=Iod-8nvYY4V zEK!Hb^dcIa4WKU|$8)vjSW`0gp3@xrdd%~nJ^Mkt6DzBsSi|c!(Bi4#F6HrsNx^0B z1-;qv$=T^htbHfHU8&;=N2H9@7tiXga=K-W_FvrE@r*O_Y1AN}uRA5#56*EDtVcZN z#w;N|0rL}T2;Xx9w!~PyYk?L&h@DSs3!<;Szl3i6dAHL7z=Rt9iqUL1Y{EZ~T({t6 z$VP{^#^W~`%G_)EZ=hhie|Daqkt~aV=fm?t%I&I+Q=c{u4&CJ}-~bDA$N$N-BV^-@ zofw;VNg3$7lomJ>Lj62QWCP^6_TNMYYQAhl#bJY@r`V4%fXSv)?fGUO|HgB;U=bHMKe{ zPbrai6ewH=>X<+g&j%g5%^?@f2l(V%LHa1F<{GJuXX@5k5_8()ecqRe!l*8f6$zOs zK1~uC=$yHJW3M%S{!RY&GokpaAlkL7_TcPV|2Mda)-;Zqb~(Nq?XRf$*qlt8*q?$*E+)LsxG$3U)vwaxW}&{OM{iB49N#mH6s|ujgV4$x7wNpF<|c0PR%daekFF z!II%!>z#w9i|+LjW^~!z@GNZ`<@BQ0tgX!gj4s@a(PIAc#MNBVWMoCfM{f+93*+B9 zt=;TjVsb?0>4m5*iDqP^MKyGMu2qh8;|XfgKPnj$7n=V; ze6>_gDgNGT^4`9A`pXoF-gO-ghq|2LlOa{;PRnIeb;egU7wNdqXP*1UrB2-6L3%~$ zU~%u$V(y1cJ;hF^w&F3rV|vp)C7!7$_a>H^H!vAR@v^UHxEgOUsO;JthSANUKQ7-k z%BS&wXID#}bf_V&75zM^3!HHudmmo_TDltdD(LWaN9{G`#rY}dcI zCEYhS=h-e0`+&N4YcA6KNK&=-i$K+bv++SNx{%pyGj_(_X*gkNwN=y4S};9G{SDX5 zkoTOkdJgFv_snHhtmnMXnWCDlZ4&+O9JnV2co+nu|9rdFcnEfnF!KKm& 
zu_#sbU1ATcUTOB5pfla?ew&cGSC)#pQpm=9*1X1ar24=R_8ErfqpWucVfiT?Uw*)r z9lhfi9a6|bOxeStw~%4F6&V;kf%=)ZdiJ|%EZdJtxP@QT&>mGVZ4OO+Ntb}Km`hn4 zLb{+SKS_+A0&#>iT&inl4KZ{c0NBpKO`sR{P`i< zHt1_}YDsQ=$LEB(&*LGv&P2~e(I6naZTRgEJTRoxH2FbiNlNZoLuvO7abEz|oV?XZ zNz=w3$jG4)L5A+7f7T8kzRexnP4$IoghQlL%!3C%ZUYU7WdkHiM%dI?i& z-fkJV-$LJTNh8Cm_qbMmF-;nWFer!A8D1MZ`@0(Lo8(}Cm0Jq0Nr-v&MrN7rSAX0Y zNuRcO<^4Et5B?Kdq$aK`z2e?Ct8$Ze+-&A@!!hnHtutbsk-$;6xtYo0^rd>( zqZlyts&4RgWrJ)=G#wi0dgk(uo?8{-Y)!%nGsEaiUs+0CcLcEKlBL>+DCW0Xq7B(Zd#|G6_ zQ2ZuRNqg8rt>umRck7c&ELfVATBaYK)VUcR)eqIm{EW}A?HNKsOYzj$Y2r$x=~K>4 zrB$AlbIs#1*MOw)N(o2ZC_o_2J?`0jgO+)*lE|xBw!~h7Y9EtJ9rCHivm<6K07oDw zpf41=&!=*q0DDsPG11rL)jfIhZjEo&y|V&s_b2i$lR0-Gu91dllbot}v#14ac#>Zg zASW)GdX5=ulKV+FU{vG*^y^1$Jbc(w`ndBA6e0Uf($+1p=hiD0Y=d&n+{QIq*2$1K zkm0d4ns;mHv@BpMaqz0Qbo5Df7t1|XkW`YOjBhU>yT_XA2j27TlHZ{H8vZxgFzd1b zH`zW4{>0P)GMscJB-OMd3)g==8^( z=H=gPxtV=_Hn}_>TW_}Cz+B2TAkIdg7^CZ{B8x?WC+F+vfvI|v`!{OS5|jg zT08$#z3=+z1pZlTWBKZ{h33mvqXDHU3G(4>e4*;-067^9#NQ9p=j7ySG!p(RLH;+< z(J=32w!O_Mr#9D&lQ zA;v@V!H&lC@sGA)z$;mQSmizW?5}kG^r z?Fm@W!g~^L>wZRCcZBQe!8o>3a3;rJ@}%i1=&7D26@SnFPG-YNHx(|klFsmW&Y#rU z^mFwq(}=cm23Nzrn3@%5`VztBbe^d8EQR43 zdqOwUf{Cqw4(T^Naw@YO_8z~k%h4(^sF^!L3=gJs6JO2l^pihT6s`R$eUr4a78@gO zIb~z|wB?*xN{?&E}}@WX1HMy?(?%zQRUfdVoXCvnGaua`$358SU?4^1hi4_FMBf7}R-!Efr(4BBqXL@upBHlcUw(hm*XWi~3)TKJ;*r~A z??f5ifJTqHFmGPIXwP?RH=gttiF3Z{R;Y56SJo*MDBdYZP6Nk*#daoo2nDXD zuo&a`2Dl$WXN&kRZQDo^$$tB>8i!zXYV~X z^+DewDSbHB9&U#mi!&#^R|qS@X5wWQZ!k}~%1vCaGzQD_LlWG|3@2oji2U`e-%x&6 zoNm!6P^eUz7637lRj%2PrmB=FiT%kMjA{i5HD%@{U&OY6y;n&jk7 z%(GRqmf!X3OxFC1ws>{o_tXnY^_fpg4u^Mw^fl(`7AvHUds_Sa573OuUZZ3QsMDoA^KXyWoF`KsWSpy*23AcQ zVF`MA?Hd@bfqX2pK0SnBBoy~NXZISumtrE79~lNa#H>G}*4opsp6i!Tf6y@#opPU_ z0kh4BO3`1NQo3Ds;RAe9#s_6r&VKq_ zkK>&pv-ptDGJO8Bbf7JSE9g|!)@k63O6Aa{Z!@NlkG_qv_M+E|q0;nAF-E9{b*%1e zi4!MjD{KH!#k5IW+VNO?Ts-YQL(DVF_J^#gdurZ(_iujlUHDI!t*}{f!>a^iWHgoy z(V23}GoO`q`R_k&=}w<7Pf;<*=Z=V$@+}9Z_#RS>DaQrR+9=+yc~Xr^3pAjZ_NA3E zqqTFyOE)__?lpcqcr|fg)4Dco|9+msJLney^V#QujmSBagA^R6FXwd&IJn`?Xo@dO 
zGmmNMk4-t+xLY8fJe~Nb6C)4dBxmerUld(e{vVpoGAyd@YvTf=gfx-@(%l^*-Q5k6 z(hWm*r!*oVCEeZ9AzedvGk^oq^&X%1`d{;X=FC2OuejIRzcugIos(*xu>`i@6@G9) z(m;YUkhKyIZ%rZy`{IsMy|okKrZ9jC3J~#FQC$u;%()yT9IorEGs656ul|0IPqQo! zJ4BnaiF8-(GRJ5;896525C1#;`yMXX4&C~ z|7oT$Nl`A6s9{TtMQYn9aRR${m_N?_?4$yuz+{7k{*_Djm$2CmuZObN=ow^HVdn^NnHVEgzYFx%k`g zUv3neB*jf~)Eb#Pb8bUu=&VrH-zaEqZ+~(Qao<$6=aiNKmdzw#o1@p%NTb?K2#&z7;d*J=j!^4_AQI>rN-V$ky3aR5wNy8WXSgd9 zDL)THTS8GP;He^^InzV+T8aI0G4$7ZlH6&6^7|D1z@|Pq?+FT80yr*>eK`t8gc7vv z#$8;2Plq?yo{9y+)ec@O+3qDxm){wqI+%x8l#tfD1=@c12E`Qu2ct8l_t=VuTVGKm_eT|p~2|VUi7kc)yDPYXz6zwrtEd(>cnX7WXs%ore zQ)V{PEOQv}A!=}vE?IiP4Kckw+-9?4vQBPvO<~Shk%+r^d7|I(^^(Ey7F6%6OR(No z4-E}ijVTHiJEKy006U9QY zhvw-dJj2xQV^xc)3Ae)#np*UYS}iaINyuGAu5C&w#s+N#{xpHjF@HHT%n(3yf=6o{ zZC&PL`wqD99CbdNZ%~c2LR0zB$ASTcN`n+`={vgH`Y8{TZe6MI;#T5m&1RaP(#p zb)xpqNON@XeevqwVa%FYqBc_Fk+XBVr;(b<6 zF$iI!5EPpj&r(pS1wP;jb1k(@?&LIrY@Kg}lE^BCD^M7}=1`j;DTIm)I+ryar*HGQ z>x}F4q7O%LsM+51{8)4)QmyoQU^&%l`d5-xj}*~+AK_z&U+kqz5F&DlRZWe5d`lKD z{Y^ly+VgWUsw}luGeX@E7ePClBoeAkv0+rax;<~faj&4pLRnj$UvG5O?87^0=a>e> z?`%CpahTj=kSQL09-{<2&EPTqI5qhu5_lqP~NC&d@d~ercN3=KxpOni;`HG#lDbuz)Z#-qa zxDNhC0~UsQA7eBvKy28b-Q+e)$~8w1)c{X=@YZg43K<#if>On&Uw%)9IUrG#{ejJh&OaI9aWS zr|omq{3r7tM2s3=*ToXTbH@kXXMlyLb2hX4a5PL5u~~<-{;UsaaIv4zBW3OFYsLxu z`4vpgHjfm`r^MWIUGhLK>!r2mFlfq%*qBKrG@X?k?bo~g8stP%*+0KuHmhvU;fljAcFG%gW+9A>K!X`ZU*i z!loPUdiGq=rDH|SFl^)j?Y!6GKYEci&PBXw zm2U2v!yK8^jR_=Q4Xv%1J3k_M4wWh{TQ8{X>UyeiQq)H3p-&|11+$oJgav8aEcAz+ zL6j`KHsdpCXsmH)(|!F1bW(PXr;&TE__rbO0(S`Tlevfoc{B(tqHvaN|uGxAsD zjs`!JnWC`SI8SH!TZ9D9RvvJYcAihg3h(wnddqRmmvOYQS2U(1-SQQ3rVH}E0L)p(|1$VPzq9B{^ zp5wy$4%DR89sRZ<@voQe%n;4-?f5(jIR33WW+?@_eY_7O+HE9E;$h^cCDZHYPxifu zdQAke^0G~qJ8uxn>iWL1E%L|Vh?!&6VIoygWpV}R(M5{H;Z$EX*t;jM%B`w;U1(x* zw3{Glpa-=$e!ul|j#u9?gfLV=+ZDz$N?)BfeoE`{HIYqgK2KVcwORk>62aE)g8PLY zsEhv6`4?_q?aP@maTHX|0lb>J%L{=$l-5)NelmS&8y(=1J!X*G&=mz*jQgAQ{%bv> zaXMMMIse#FLh)==bXmJW{^Dt9JG{=G-yi}B2mKs>T&0JSnHLhxNog!2vc08=LA?rQ zP$rF03Pa=L6-(zOKCUYxyNig&xVU=F%&Al=SG3fM*5y;$tm6uiZLH%OA 
zF@_LilWS;25e+sd?s3nZFC|w|N9y;hQw~+Y-8!dPcaP&OyD8?G)1WVAt6xt@pZOpi zMsU7SQfoq1uWN}?ujVSt+YtRrzAQn)wqrBl?eRPRh&cS;XN2&_U!Eoe89eA^FVYDp zcF0sNfr5|lx@2X{o|ahnP^uH7sDORB!Mi26rJaWN?V50)?K4EGBnUbu;aCDb9|hg| zO@WXFHxzCk2&|)6w6-KX0p_TYfzCI+~W+!J_oW?j>GXLr7)Y z$Cl0{uJj-J-wq{Xe;*>@Q=j)TO-3ytDv;_wMoU&0A>{=DS?YLN3_Gg!L-sGMGH}>0 zlscWs>oDW*6@n$x9Sydo@7v7b%!;@{KVQL78FdO2I6oh$fA#dE*1hbHIhJAeD~*Jl z;*uL(X?AL5+DMX}E$CWeKBhTClfyYafY+Jmq2v>Dv6PKRMY_cJa|Vm_HmmJDkq{*F z>v7BsJ&+q!`o>}S(+?nkD|x%Umw+*omqic+1pGGea30aJ*(61S;H*qlPKP8QG>}o} zjMu2V5v7jW@)RT*@3I9|XE~~dOuR|8&r0vuUw!|~@2g~%_$3lu*vc3?>eYn$%{Rs< z)8npBk?C{X#2?<>tQO;*?Z#t7yT5YgI{6d3WzCMHM=bsW6|_C^y`%O~LP==HPuUz* zlePwdk@9Whlgx|Oo-uYc&@%YV4+5HhpH+g6$5Zv;-=5u}5t()H0dd{b5%!^;(Ar_R zi+0di*xa1}(jo7zmg#WwWT+%7W>Eb|M@fUj4|)}q_K!d%!cU+2G?RO70p)<|48>*; z2Sr+LGn?RpQC*^I-0Q4-o4wQ1cD=^PIu%m*f9IfOenoxV<75k&gm-A&tBeP(@q@M_ zl19hJt3H-Lj&mVB7rRtOxYCQ*Tp$-r0_QA&PxK<=hkx?8^glTRr#EE#R=D;&cs2gO z#`N*s@gqyj@1LzZxsc&_sqA@zrT8fUM^qeKjFn0uq7c0J57R52?q7IN<34c0z$f9J zTUufiAmolSth-~@cGI0Rv4=&D~k{-jQE5=aF)RD4_Y6M`uX^D?AgrbVNRpq z$%pf3Jp--4-m#cAnYZwCp%Hf~-P-fv zE3>5|qIr7E4F_)^zmR};o)l}2QS zLWI1faC-QpkyEp*us?kD(}vo2jM@5Omvp8cS7+ONAeCE2kqQMJ zR94Caf7>EwwTS?hSwqhy7e+Vv0wl|31*2Vzq`-?T z&z|MOBW~wFfjgJmrg5caM@fMN%#pzITT1uRTmDuVM}bqD+ns%fp;hE6H1N0Qa*gt3 zdW!+tZI^ffiw~a8qrN^*A9;Z1UIdT$kMK~xQ(Z%=>_wq1cCM&Z$FVVb-XN4LA&ERyR?hhQ{)96~?0{?Vc`h0*y*JA2Q^CW1sF{u206O=xo}wQY_bZ5M*>mim z^l^!Zx^YSyl@aj_VIxzLJ~H9&bkl=*T0|!!BGvR71wY$5-q;vG?hCX_!1FduWzE;- zlv2cA%Kf(;Unx4-FJ6~hSHwgilQyojBGoVwe=zzlONs?*tg?sw=_Q5-)cSNNL2c#) z>-r3J{3D(JGniA2LK;gD~T;xe@--LvC7&L#qfn=Kh(3PZ^C-4r{8~H z6xj5gfJ%eGv13$byj@iPCx8F0XvHh;ZTcD)XjGgmjRI%+aavHZi{aMtc9e z*a*^QH{%R?rxmd_2{mozE~5F4#Q_&hE8II>kBLiY%Tg|Z`YsNhBGMc)EZ?J3KdN#g zsjYU1VFfco6|jr?k9V<9oiVf$@9j>Gj&ysqIn(xG7ud)XNmgOJKymH4th?u`41x3b zKzYRm0%4T)oXr7OT9~mZX;QUQozzkwco2+_@hYrFF(DW@1(;`(-qX zDk>V0QHS(skwN-0bbANG(rfO8nw*e&!xI-0S69>ZhoY|Pvz-ILX$rz|KUB?>ksjI3 z664tKxUTLNk*zDsETu%LBAZyM?8^czg zO_pG^NhJ4#>$~@yY~*lBGn-%NJ>VsZ55tOlXufmZ9_uP+lkz&>6ycsR?k>~^{EiFe 
zuR(d*55NnZ`Bmojf5Dm1gtX$?}UiRlK0Z4m|KGqc*nfaix{I zUJkH8Wa)YrVk95j8a>k`4t7Gv;Fhq<-@}LysoOQt;nx!#0So5LY9p1%q0WhicnXB6 zx`ISLyfTJ^s-l#TX!$YIJ#n&l&hRTEgs-f@hMXXHc(rq%gHoemESBX138Xope@W8J zfM7KQoy5x&$o3UD;c@tt;=r=wd?!}vnUs!Kc%x!u>o-=G(mPqnqu%SJ451O-VvA=7@V_3W;pDg~z~ z3@FE22z8ugz!fK!G0;VcON<<6USbEryc8j%0A&*WIZJBEZwYE*2bNdSQz?&zQ6}BA+rSYn)c7#|CG^57oVu1!-|DDf#G?Iu`jRzR6mo_#|)T|HZ zfD#&3EmiPm3m(u<;6EQOeY21Ftc|*7j#>Ts;8-VQoTc;T3^t-Y@VPM*H3$_5NXETL zid`gBR&8wtlUAaHi?Mp#_Ok|Cd@Aq%2FC1X>A0v}|6|N5#EL+v_1hbhJx30Q*Hc3W z*_KN5=+J`9FSW=D zETJM4k@#WC%mI}#;1|6Rx1hDSr);7?;J3uk2CCBIfmC z46UL>y`rWdyj;|VQ+^pI3rSbI7~tb#3nM5*D|$xU&E*#D$?-+>xfrZB-+^6NpV023`Q={3k{|Cn#LG4 z@x5~>FqDF=)RZ>D(FWNez}3%Wjum12G302A+pSSb_1?~#$|A9ZCDZQ!L}I&J3y=)L@(>hd|~ z+f{-^`y;^f*R9a)Jd}{b(0X5$pu#&h$11TKED**m^~}XCS*2XB3CizbWzQmY9S<*W z`x{tC=|EMHB+xFopd&3^j_UjOo22&Gr!(Q0l=TIHbszYV7E9mo2d4bxRQ=EYIOp<+ zUZsMPBzZt`Qm+IF&-vUJN~D1x7A1bh-;=ul+HMZPy>XnbCwkPE!daQYZdf!TD)%_P z-(wN!`A~`XJIH3o0AUD|E;i7hg)L38KAwSi=mFrF&mbtwCwbr#ZiZ(wt0YtV7p&Ov%g$^tJ~lrKe?L_t5ImYdHI}haPXfLm(P`G8>?^(M1j{8i zz)~d0jPuo%R6x{}HCwTzJMyp1I?Nf*S_2x|oXaqq+;AcSoBcNboEY?Z&n2{xHj-rW zDKO}5c8xhm2^w_dm*|;>i#Y!)xHS)__FE4OH0zjQ%8Ox$&t)Ac;VGOG76tVm zC|zmUe}*lFC1C+=g!_ASw8Tq<`}46Eaqk+12j*g_DFyxpf^$Z}r9yyfGkAB(Fa9|R zQ0T;l&Vj_X&RKyN2489gyW|)`B-f(#44~qxSD+#$g@34aLF!+-iE(2lve-yHdn{-$ zR};>hox2E+~swvP_g{YnN(5KX}Hz9y49+_QUM&D3ZnHl1Nt`z6-e z4S>}7Jg#gwlYrOv1kT%5UIwh$kF1eOi>lp@vU#nhS9dn>Zmjg}R&3Zg?92c8B6v8* zp|CCM_#F-9L31ldn?c#Ya_OBQ!({?Wcp76P%MEURCa=s(f`UP&9dE$cQPuOeJJY_< z$mca-4O8d?=H_2a9fe|_)nA|N?bi3=zi`^}d{gBGw{ps9*JeR)<+FlWlv^ZK8JQ&^zS2>!Wi)ReBPkhpB|3fD6!_P3RuL?_YIDGd9|J$uUu5$;!eg*0`JFJ!1y6Qcw z`mnB_X`#9E8^}UeJ(GP_gdLMBwj(|{$hlr&Nyo06tj^9BIJ3I^W0Xl1L4MplW|*1V zR!%K09>xo@cqx7T66_NZ^`@j8eS^=NoRbQ5kK*K!9YASmu0gnLX~QCMA~b{<}*HDF|4AQ{rh9 zay^(ieChGYi7STC->*BDiPEI7^B|2%pz?92TlF1*(=s<)*6ler1M%Udy8?`~FD<*mQ9h@Q z5cGia!>^m-a7iA8`;L)Is@N@{;K2jf(C^pEBw>V>e!$5DViumB%Nny=J(3{2>z~bKjL;rsD zKtZG<=WLs{s}OvJQDpTY{MRlPpvY%aHK=WcVuDXI-+}ru0 
zynqV-aD95&kCN|Rt>F4qLbQ&@ZgDf}-Arj!6-%@Cl?^Z0VXzW~>h*RgmGua=wd=dv zF1J#ROYtDSrS3lWPfT zm0z!BaNy*5d|-u|!CoDqktA+s+k!Vnob1eRRq}F@n5Sa0gz!6c5&xP85U-l7>!3cb zmwYNBFV}sVe+2Ihlvc!Ksjn1X61AV#0c{xYH5?eC4QH(fq%Yu?r&J;4LV;r&i>;I?n&84g`&=QPD|oj(CRmCd z<~{~>{q8Dvzw%62?u^3R%#w;dhJ`E$=;3lq7kC7~gMa{uhv+8H9jN)zij?O!lj}FH zy2P|!j54nMRQyiNAR@D{JrE=GE%3AGPcrSThZO8`WO-ihDk>FDOPpqdI=o0-G7FjU zV8x{>!}itO=fAY9><`lk{<}s1P|=%v51?~?G_kg1=#9m!u4=TUu1rcfc_rH#t`Yj` zPd`AEYyKzlbCXD@IQx?nb9nI1=Wk@q+|YNvn)t0Yj|})oLh*&-5S`m>lDG04L_G!eItSKeTHHY+| zSAs-O{Ba)d6bKJ-uaMpxZrl#?c7&e%>B9gYTb&hy>{zn_`eB5KLW`O6R>}S-FdV6i4TQ*2NDWI%YRUkx9 zsZ<{OND-wgt^*Ieoa?ZqM>V z^>gM%n)wW?tT%j!3*G6YHSrQblA8>JuD=WfxbjB=e!7CR*G~xi?mX74F5}<%v$*29 zc9KsitSf89kcKA#{fA~f`j3IT|K0H#1O<4uRoz<5Gu4FTMo<|$VF?Dp)2d-~f`x=H z2Hh8|>xTsoBwxiDhQgUln|9hx3V$lJFI~`LbH^(QJ_v2K3+t{uoM-Ymc+&Wa0b8T~ zxA`7<#O+XX!q8V8gE&ci^a8rU!3^nr~Mj^M2^8Gqu9MT zt3=M!*5nvdgyh=q+ib_f+PR0a-?6%_crW)GbYvbX+_><DMv@$1;%wh4@e$ z#SV`R?{-^36@9JxLc^jt?M1k64`W^S$~F;ZP&}baVu%VAax|XMP^(`N2A>_w!pG6k zu^Pgf>w7WMx>UP?EJk+LCLJ;@Cfm-TUwcJp?%XX?nv|2k0ca?bCps-4tn zqvQU@K^`*6_>e@TfYyxq;bC!zA??z^TADQA(Ye`XzHFJoa6K&a@t~1}McDgfx3;TE zV;Yk!lmbbvjCw4xzuY-`-X$l)g77o}k!J`IK<^on%H$3zPa|Zq65L`v5ND`Gx)AYgSKDdfm*{mfK0B9Wt4%6(n(Lp=988q8t^1*z!A^pl&eR(?a7&Q#K*SjtHZfuzc0C`6Md3>cax;e z29OcEux>fTePmw;lau*8$%l`v2_=N^G(!Vb%ILBDmer#Op(j=CXD%)2zeG=34{`+e z=?cFw0oI%qWwjH=uG}EDb>q0cP1*$&UhS#A;{;FTc6z6%`bFY=V$UB!J_)*jB%boX ztsAMqtR$D^QFn+M>PSNs2?WK3uc?b*>24`#c~9QH&RzSH;{hHqrG%lLj1JwdswRye(YH*%7zJ)LP+=#u#Mu+ydG9I&gPB4!#D5V zf>%jDo^)K=#D;1b18gS!EX62guDP~bwMT`wC#UV2V# z9%PaIo9Qw2xF4PqUjBCRlYL$iBtrQ7J>aidGwjk>9Bo1EqReSY3s7dW0kW_uBs40IQ4W3VB-nb(`+OlVg4*ZcDug%=i=Ukf=+{rwC zrgO?+d_RY?d-1u!oaPMbCX^JsTHVs!0h4N0wa9X~5?G(-Pr$rEQ%=|sy>EwIa6u&c7bbng7H!(hSs4e8A$;`6-FMbwMSO4WVq_e$K~ z#M$G!4dRL74ebp{M{SOkw$rNOh#h~a3knSrB5RmGUX=cK4T~}D2CrKEOrtO#)(??+*U6@B7`#h|f;^*Rf{g(~~ zAUZ)8RnHcmiX2DbyC=0OcNwm)~$c^b@0cxOBA3Dqi5;VCtjd+ zOR+=%vVIV=;P-;i=ikysn$*qAKK-QpiQl&}s_*0Lg^E=9wFP6N6TMHj)n_F)-IK{B 
zcks{>jE>3EM1%%r;r7w15_Pw=ayMD=aA()XX#QPAN4HC5{w3xqp6Si_?X3j=vD4NY za`0;RQ;bHO+Rg4)1{v(Zq#7fS)Xj>jjKGwbZ003Uv@Nj$%95CIH~8ErV6Lw>?5$sc zh?^a`E>P25hV76Pvq1PQ1KuIe1~rU-TZy^{5N80@8?vy*mWg{e(Cq*cP z_thpIiwypQU7Z(S;CJ7K<%VRWV^aO`YT2h3tKX*r!H+4X(tfFfmHl8u9)10dLZl)? zA4`X<6$L`-e`^w8L~Z_d$8#8OFW7u*>qBy`x)T3D!1igkmY8h+Ne_naRPqlN*<2(u zBwPq+f{7cxI}8Wo0%cqtubm&eTCAlbm&Fg;NJY_PTdP z2zkb|i^MlsAEAw^$(xY9+gS9rzZ=1I=)>=VqIca|IDGSn+I6K28crmMv^x;GUNjp@ z^~hrg6&2p2SB43a^WD(1SsBSiY}(O95-X|mlaSQXSYLh*{|u}x&~TONrwy@p8TA2T zq2zgxO?ShQU*=PT)$T7S5sJ0q*xLY@Jorpn*x=m}ieyX!T-j4ry%{8dMinY9yai)9FHv4vsMs}|b;m%Ve!uuc`t|~^s;`<(EdTa74 z=|IqzfCHjk1_S+i%eY+QKF49avVJ`Z-7Yr%msE+4oQ``U$kQQB^J8$jC-%VfN7rzP zoTbpR`G-Tf)&*Pv7V1$`+eE6h)Avnl>H>>`(2mrhu8 zsN3tPg?Nxi&Rf|G3RGUSF>1~68Gos%ENOKiKV9~{WOg_;DPO&e{_3`e$EMdbh9)O| zu?y+iivPL>QIP9&xlDT!Opguo8T%3x3zH38{CvDE-0bjHb&riqe5N8dUX;gc9axY891+YRL0;Tl-H zUm5mi{s?_EX3eF>Vntcw^GVZxikE+_w?DlQGJ0O~wNca2ue>nb@GR&iU{&ZZ?01Jf zq%OTf=eSpj_r~hz*!AO-W9N491P+UA#(vJ9cg?q}+zvr*drL`d7g5zIzyq}Ah^T(^ zM43R(I`|J~-+7T*O)S}^A`bA-x?x?ydKS=xoQyZG9=erQVrp^4iNd?G1IrRUK^Y&* z(WvYqy_x5P|FxFJCN7O1+IKbxGL?z$?A}+?Gn$Bk)a;2ICA)~Y;^#5pR#v9B793ZO z@7dKLz24=6mV@^m%#rx=PborM5p_e$(;5B}4iQK$+=(;rZOyHvWrarH#uOigLz##P zI&Eacv<~Sb36knCZ%KyrTGE~fk%%FB>MrD1wtZ8Z4$XfzaUMG|N${C5%o%vu9P!$W zszVv@L&Un}X^apqJ}=U6U_;AYa0bt8t72c~j-}VU4>vyTT1Hh=v>a-h$D93Wu`03F}f1Pro3*Y*2 z2{L~ToNh_<$V>R5Z`-8mFSGIK#l&gxlO7XMIX`kHewmB^Rh6X^q92h~*`Ck=tZ;t~~_`{YONCx)}Q!mfIX z;TE3cVFZjdGNo#7eoP)Dcl3&h-Enl!7O>fgm-j!?dYN6}+_f8~v0dmvZ0X8wUky%H zc1FX7i+BYWQqfpi4|=F{I)AALlR72g&OZwaS-WPAd!?iO>V>C(vc&v?XB_#1h?PPm zqmhKnP8R&<-I%h*UpNLjRS<|Ye^Nv#c(;Wgk>`AO?k1p%Tfe?jXpIy2%r>`AE-5=I zZ>TgMYrB{GyHAv=*KSy~l4;jw(jX-p2O-J!GPP(RZ>nUII}7>imLkR9N%U9@zPb~e zN^*YTnV%B3fiyaqWH2HZ^@N0dn9OMC`rzlgiFRz)gG388; z18)8%zrFCX#$rtnnO`|C5r3$CF0NTipf&Wd;*0Ep#^4s5ZugSce`%e>a}QrFYr1tI zF)*z@;`YtZ=x&zbZFR7gPZ!SOu}h~E48Y8NTTl8)n-@5vE4<7e^)?M^c9%itxI}bS zefy|zG2r`^Z#ECzPFm*Q5yv9ebKef#kF=%WQ-qJOYfV*%E~GK*?{hg;_;SJH#i*D( 
zDvq&O7#weKs|pr<(HoCli@hHw4TLg>6WqD5Ed~e$iWHg_O1yyrP5zJ54cFSPTTYFE zObhHqlaG`|63keRLiZ)mA~W^#pf(#-d@uXCPNH&JrKD5=bX4KvKJ*bHZb25$BVn~- zi3%fTyp!@W^E#z6MFEk(VffIbnl(OwSM*ov)>zeW$9*8(<;Puh3gc(B_s(SmTsq;T z_vHBK`PkUl(ru>oJIFdv_UAKR3*M!_73h3|V$%J&%6}h#SqjNnfO;?y)TNb8vorFJ z5tE%HKQWkZi*AxPKBPh}c0PWf7^C!l4@f1oM6h}H{xLLT8n>hH8ENj`7e9FdH))MS zvqa2--h|92gGM+na1&hoU(k=!tSa7Rv-4JrMShzufGZ8qK*ZE~mB-ILo-RGuRUal& zcz&kFp~fxUIcRZ$MX21IptLSO6q|PN;?$nyG_h32>OguUOxAbas=cmJK9bgWVtz>e zRHT~QQPn1w`Et*zo6oqVeJtT!^XA|=kOj)HRHORF7CJIbgutXN7F#7;HW2AdY1qTO z6^f(ew6b03!wRW)$%UO(w>4XE5Y81#Rn04!;#EeDq8(%(u$XPZKaUsZ`ror`r6m<% z`DERi->kYOoa~q;6yNji@CZ(^RqdA-N_N~IR{Yp-pybwqNUa^o-Ob0V)z>-SL%Q~R zrQIaj1mH`>(yv`u^C;ewThiC{ftIF)psB;?7j~^8i-?i9@qcf@ces&O-;wAdK70I~ zxByw3z1|-Bbj>bZwVms_p!=ouSIJkdvDo$g!)hNuZeHb-eE}x@bnlIEPOe%6_8-K= z@gp}x@5i|*pu7$G;oOL>VFT}2HS%wf`|>fzwi=WL_-1{*%%Os|NGWLQ_S!dNySl&i zlR}r0n}N&KSniiPm!stz;v{>#*0;gYdyM84@rY(_joV}-Z{L*gJ7dHR5vRIV9+#@;%)+PidxAOo?Jb`knZL%TubE&9wc8TNrGty`_fMq%FAn;w@_j*}qE1 zjD7?L@~+^}RT4Fk9L2T3JLDFqfya`CwS8y5&aET&xkpilc@q0NqS3haMJgUFf2uPa zBQ?`Ppf6!oVIU&4MD21%FWV2q9)I%Wk;{Vc1xk%@vmlidsxyCLxdgMmT$ONHwk~c( zF@L>{t8Fm-Q`NMTAxK#_DDv`A_!)-L+?yC4Oo(ZpZX6V8$(XnwW7Xn|={sQBsE1)) zxSM(`7^oGTz8~OrLWyKhVHuoGl*`8D0G+f@^F(TRqa>uV1MVcB0cT1*Eo^oXV$xvQ z35T)aaF1)h5ox4C!4BGztFR<>PpMEn0od?QDud;&LL7Wm4LI%`IIQC~`Aj~$s)Vj1 zlCWZz>+b`4w{O5y{pY>fUSXN4(>hqw&-W+Q;O0X4u0#Dlnl#y4ZOfOKYijgHZ*D4Q z#V6&fgK$zl$GMJzC`LK2h4MtFkV)gi5Kq+eF-c)Z1J9NQ7B4#*px$t;uLDjJl(+w; ztU3IazDVVvJS;B1=MjF}ju@Q^1SRjg0KdKqDrTMm+DjXMs96KQ%Z=T{Hu3+HJZ-$0AZMW%wd% z2!w3=NzPd3v1ajs!Kgs;zE(`UAV@U7#Er`!0}B|(k~=DTJQbykU)zH@_O(_u*lf18 z`z=DykHit_de9YPgGi774cL*}>?6Z1mG?#1{@c4054+SdWKMPvYLFJlyS&J}Y|zi3 z%eR$jMl-fO;Hr+tD)^WvibcOHIloJd2&Xao?V|s_MWY^Z+0LvJ+Ahf(QJ=8adzrRX zM{I((%=O2l+hK0$zKL%}5mR1k8~bq!gA-@cxYgQ3ceMRC$y$AL)j^VoD5x?N{b;B2 z?hwO+VF(~*tsLnbYQTQxf^x+^shQ-Ch#S%5^peWvuU6yk1?yGQeuLxO*_u6YYYAc&U1B4O} zS8g*34Km|fN3tB>Z-g-{)K$|?OyJn?uzEu*J3d$s%OA@gIb2tmH4?whI(k2{D( 
diff --git a/community/resources/zero-trust-whitepaper/v1/images/image3.png b/community/resources/zero-trust-whitepaper/v1/images/image3.png new file mode 100644 index 0000000000000000000000000000000000000000..5ae9f2500efc10f31956b5bffe02a030e42b1683 GIT binary patch literal 41455
zReJvCnzm4;NvBbdM?HM!$JhG-t%{yccOR}Q1m#dJZ-EqY$!4jaATtCEEmOpO@$T*- zqgYU?pqTTajdCmsGtqkkja_=Q`o!mvHLs4rHlL2+X^SIjQje?jx`{vKXSOb}8IA+g z$gMy3z#%3+07<@M#fb69uiix3o^nw7U4qrk3hiXHm30!4%gTdw(aKeYM!6kQ5FQPljHDgQ{ah*>CtC~q+uui|wXg{CYd zg(Q5Nz(49f;+H=8`i0CKw|G;TzC3OnudCoGnHG~*u^)&uCA$k3lJt|ht35%A)R)S6 zD*Fekc>_cxMi^inwCe1ra0(Bef*)o4{Tei6S99sVEi^b;gzUELrYh0-7oZ6f3 zd=p1=Im1tmGaOIxd+36NIHN=tb+uNA`Q$E+@9#IcPNp^D`Y-YhLaaU1cFciW*Hz@- zpT3B7ELY1Gw5#pU$*>d06|ZPV*e9lXS8GyDPJ8yhsTspWK!LztFM$ebtR zOR+++P0)|>=G~`}-6|p&sEV{kZe_K2wb3p@u&;|Qf~}~t*~D7)MdI@p*%x_+kwocd z{gmuiBP~PgA@{gpPPQjH9N(qYfzCqq)$7H)Nz;yRlyWZ|iH!jF>%%E5jb9;4UjwkO zWqg%UzIGQ+hF3L2Svf`RKr%^)wTV;hLm>GY?UHwmV%v!@zB@pn(@P4H;`UcXxw!g0 z;hko^>o-_7v6F1`6}Yj{OrWd-KA<42*Xmc3-rfZw4*T-oOFc4nF9kceyXo6c`XUVBAbmDHyl3hPGsZTLGilfj5LWmRU?_p(Xn$GawJv>M0l21rj^Vpc8p zBn-zhho5zMze%j=C}{DwWZW}C8~|553J7555Cnfy-x>pvQrVj~wx*9se8aQ-y(p+# ztkn@fn5XxHSBE$>#qA_Zkq4?Byp2Qc@J;Y0F5&Ckc%N(vb3>Fe!;6hT@%f#7o7}Qv z2cErNLQtbVwgBmAtu6e`PF#qal_A{m~2a{!`lx^&9}@mR>;~A8|G0W8Knr`x7rq%*c!SyBz|;PUaKx7ls^(`BT(dRa3JGOnd(}x3PC4WyPU3hG z_{>IA41B5&;^$yYrMz72q=qty8SC})vgnvgi`qxO_^={`78G75HxRCP@e{*qd(grCLhd* zpsqZrVnc)SF+Ti&*z&gJ&j#%r{Cwik*)!{5GH8G(8#6k79QyJ2;Nmc^_W`>?Rj1-_ z-QU}QpCQky6wXri)7JdWN==o`k1407H6cI6#2c(pn{Sh?I_OKHuKsC!zbkSf&lwlX zy!J3v$58S4`%uPVtB(4s(UW%nv%~7Q8{S{e7k=!Wr7$6sfjQ3hB1MX5Rfgq8k5RJUG|yfmUf$uM^Wv1I6?v8bfA@t>T>A|vUzw$#Le17>q~_e zC`VI^co#4(YVQ_Sq$ye9Ue7XrpK4$vu7WPgZUE&ZAZ~x%%;)61blTyr4t3F84f=>7 ze~B2Gx8hSGlgy%Dw^seWRo7I19K~^`=;Mor0?H^Pe;h)zdQd)NEc#-hiBqP_Jwpv; zSLoXf&|d#qGk=R>a!Cez@SDy->?18J?_Y+Kl$vP-=+7yvGXqBoW#bZ@kRT3hP>=P= zK*K*E8ingis!aF~d>)dmDC1s~^xUT>u?^|`D3+?534tWo5a#w}+ymxa6Vq}gTUAHT zZPJI#@6*a!sJ0smd{-jL>7dNhaIvLC+oI;c-`;)1#bfRJ%ZZKD8rut}`omBS`$3%g zzf;`i5gn&qKr}B)7PXQGp^qivSb+8CV2y6@DC&$(K;~!;;)NM|BXmIO4R=7w{yk%} zR=uN(*@?+h27n4Zsr#r+=QNBR#}9{=#9`#lZ;&Kh>2@E1PKuM+>d7SDkmuj*8tM(F~jNm@;9w zYCSQZdObeBCb#dpqZQY;%-_N%;xPM+wqd6aDqqKGGm<9e%~qxV^PRj1Y>4`3<90R8 zZV6Hu-UMFF+x5CWQ5_jL>a@OR$^Hz$_ 
z4WtU!h-^zCfrdh++3!3%Qn;R&_*}D{kBb74qM(%G)7jmMlr?3@b}L+6U6?U}DdH!o zo8sllKlAa+U=l^ogv*>(!DQGJ*7zH{uV`;K~|S)JIdp3z{NZFZ62T?_q{Vx zMFhVsN095N-3wA|V60CN-m?C5xD-uao6bOw(;lG5dGt?c06{f zJMU9zH9bd1_d}iMsSW5n-G~Smww&bG=Rds9ZJ-tz`Q5(Y=mpVpHu2-yGlB=RtcTDn zc{*SEnu>8=g!Fx=!128xQ9CP2J!NCY_~?( zCtKzIDqJ3SNJZ1*QNUq-)$UTyf+k(dwZ`SP(h_#-7(%9T(zF;mo)lSuX&;gR1iZWm za>zqo_skm!Y8L6~m)`KLge2R^97RaF&gGYJiwwzAPR)8VkIN!ogbv=DVAOt^GlG4vCt6 z?Gg8cxJuQJIrYMg(VJ-HH>Az+4qy2#QGgh?6n)iw>g~-xMxV>X)e#wzIF?2cn@;4- z%w6u)bFPr=xC&hsfb}Q8-Fp4g_WY(G_X1O9rqMV|7$)03E5u~5k8-XQ8=c~I(RObA zE?>rW3i-FtNdi0UQDiXF>o_JI*HCi8m!}c<)vz#D*%V^eV#g!%rvp-U!<)QAr|z|8-&Jy}{8y3%y+Pj%=nmGr91&#t zUZKZgZ}dUCZOS1|Li71oI4O%iQWR@s=+nF>!}mA6%b6MQ&MzlDT#ijuJ-n9T#gA(Ib*Ki4FjdePJulH#M#D09vm{-HHiGP_8%$c_NMT>a9*B`J! zSC?st`3H?FkDlF{RnKWA_WO*dF^+cJea=5WWBM))n|&^)+*{4yyh%AbzL9OG2(YuF z4uu^PA{xS{BL`o0Wg#D)(fl=vsGR$z`js7vnAvJob2^owsW1QJr_?91O+>Vq7RwgW zsg%wX%oP(n99n6xSUSY>|9LdjE;+tQGB)Op=`X(yCXF8p7A~9qRIGr-tKEJ#XUR%12l5lh@Tw$A)^B)40`= z4gAjqMgGHvjHCIug&-7OiNW{CLr6HEjep9Cd?r3qcYMb7kP;Yp&V*3`g z2|mmWXy{Sr_Dg4aG%sX&JXfGk6Hr+=Y7V<>hCA(@Uig4TcLWN#3eoq2tYVRee79Gu zKQ*b~_`yS<)e#e(3UPMLZ~4phJct+M_EKSq-GYC|vgl@dDUE0y$QwA@+PA@QJmHJn6ZWG* z;85=pu&(;(0;VMq^2dXzhGTCsXA@7U_`Lz5W>3wscoBKy|76q$u7m9IUNv4rHKYU% zS3|#U+?E&&o{HamcOuO0IUMSnKJE>Pwg_F< zikW;VPEV*a1G*GS@lrf}0!%=f&FWB{(lKm@;UFwgcp%B6sUypjgCZu#bb{Emdk0gEZ(z1vB32wfS3!a*NYXy$kH6tM@_ve1O7vnN5;z>BH(LWuNS(dftUm(2yR*aP2NPUHwpgO1S! z&JQ_^qVlBr07yDGSkyzR1~K{d8_z~|JvZH18Tod)0%6ti06~hYJVgb;8%#reOL!Kg zDkg%Om6cS5_S*!L3{MMJvbW)>Jqg$ry_@9VjgV0SC~>^CHXvio;yZ z(c0zt{XDOEHy`EiY?EXII+T&I!R~^>i1mBvAR|LDMSh1d?sGkeMYV!zlzPRN8EA

g+QLui9sjcmtHV2? zuP;E|XMF?NtnD!XrJhQ^Ngb-qlu+MttZzE=+$iI6O$2j2@yShMh-OriMNJ-D?ReB$ zIH_|BI)nE#OFVZF1^Xgo-2ICxIS+j@>h13Y0?aOSG-JWYn5I+I6Hc zk=%td5ekdPdtZbzWqguD5;?DQppC_01D3#Z&_$`50i-e(l(;>2P4RvIo=t2O=70hw zM=K{+oEX{MKVBZO8u&d1{ZjT|CFWL?&T!7ZgdJ&>E6(f$mzWy^>PK+H;2fQ!%?Ky2-GW7jFDPlzO@-0=0OqKBkK@)l3-v(UZaZ(ZHdfj`-@TV~<9Fy?h<{e_0@feuyad z*N{Jv!Zei1d;?6eOUlA^6XHySTiqmJPQjFj~a@q4kh2}D3DgXD<6MZH5LSd^nvcy)vBd)Yqwn#FG$YWt( z;v!oi7r@W+bSAq;t78Jl66|QC%SEO*6|*AEJazh|%Nsb4W|AN==-ga~hH$LmBKtq{ zvWlE5)5#R~Hjh2Vo;D-?<5=7P6)(XsI`CMx1?&m{sC=M*BeH=Khllt6pJd2R$Js)$ z)v!imU%ZU!k&WA7pt$BcoWkN6Pi4hrZ4 z5!!{!qLHgc22@Kv?>x;#CyzZ#ak&_}=~%*)h*ooH%<$iH1%$aDP)tQ;zC& zK6frA!EojKuu$BI&t zj4m!mGdk5}5^dt-XG-pcX)w=UV1$gaY$fe7pVM)tfQG;?j*(d3Srb;Hh_ZBczAwG+ z^s3B)E)QlaFsB#7{$B^(SS%*p;iS$@k+-C_Vlvgy^;`|TPMzHBFg8^B+9S+$S*sp) zi#2dCmZeYq1YE=20;mWxuQ#@wwv#NN087rG?3QHizpX?+4npbU_Gr-=#cDx0&tC^1 zBO1fde)<=HTxA7A0d_khaLv(>va}9&{=Yv06zdqCZPOI1M&H(73K;xibTAIc(9x!8 z!rs0Hr`FN#{I^{Js@Oy?GtTYTNfYa(c7JKKE>*yffzT5XfcW7A zyk7rSf{F1Ukx=u0j!87amv`-ec!5~Ha+;5SkBKF6~4FS zyW7ne47j<2G9 zZjp@;eI=at)++Id4YGB&**5>=hk@ zEW;+JJSLNN!(Fl}QTCu=A2M&M6~8ARFKt6ZCV)axrz0gLg>!OH(GicvJ=cl5jo1l) zUY7^25pH9i`x+P#O0)WrVD)12qFh~^dPD(Nr^zr*TYzG zVuyII_NNDN)<0(*W~OAJ6Y;9XvlubJV6cgHA1``3x^E`gyq|#>|Nk8ioTiA0f4WyS zXE$-6&C;A*m#16v)+J>_;(Q+GU*`c#i(Qo>SokuL?Texu)! 
z^r2)fg?y!yc+KI@?thKSX*N+nN~$HMMEu2o(uJt*r-16dzAucV!YniL>1@_`>|bT2 z4PZn7$=eBF9wY@t@7Z`$7}QyV@(#vxg5iL40Oa9%arEPW>Q`vxtg+X;%11fq`pDi( z;tu}*GSDm%09wVsjN8JeyYry+k?i|g2=Qn2ve=95VJtYK+dL?Nz<&(|6#ltHk1D@# z#bbw9pbW{R?^auw&P|v0ETHw7=J+fEP{Nr5w8$v}FKjFT+Xk*uvr}_Q@*dSrZvH@J zshs|;Xp>W0ttHwY@H0@n>#e2dFmP3kNeKhQ1C#B=d&PW=wmhWU1cyB^# z1i&;j0g?qAP&-mDwSwIcA-fK`(aRvN3E{%kt-wD+b1 zn|x>P!7JUQkEd@qz`(6`oYu$x0tF{#m_;Wyki4u`b%RzZtnnq5ll^V;zFhk3~Z}{-jN9MVm>p8 zYnTIcOCj>5x6<=poxvaFac)w9JCD=VG5Ps>9mM}5u#|a5_T9gTzb2=M3uukRj@Ex9 z;jvG(!%=3xT@TE`o-cm`iWDggri<34({l_*7?8J#<*z?CWH1T}&0|F(rL#cd| z*-aC)pxEPwp%a6A5mE{5sYR762}bgk6^D6frE zX0~dTzp6_W1aq6TWmb95JB6_0RZ8^?2ALWu*AQ)}ff%f2oTlpy!$}gRvE46*dA7oN zmZNqu{FeXOC(F0(SCiZ(*4)Lt^s~cdo&q%qGRtI^V~RTb$&4M5=X-`*?d2uddX`R{5!VGl^OkdEog1lsqYVSw#@l5}pIzKg$jbhpG%h$6h zFfkd#V_;>!L3H?!n@`CPZTB6*CC5j6Ekdczz7`p#8TakwKG(vdHR)HSJNKn)Eywr9 zHz+Hzvn_r27OCSzZvPyI0XmotW8f1w3X1n*s+UEeHU}CTgUkd*5qWuQTQU5H~ zG$zmqkH1EcHWr<<7vP53qfA=N%vhNKq?zep^;S8?>gax+)-|+YX+pcH!={~daGaYZ zmxTsm;3aS>7L)&CYRn3$wP=jns_@=oOaW92n)m=>N(um;FRA-cNTvA?)3yJQ3U_A+ z3D#;}MP4aQu6Tg!x4Pnc-fABH1hc3aNO4FlEUP;U^_McT$q7$kRu*YXf9f!SIXPbq zM%r>S)LetLg`8Ho6s{1+`bugTPhrcnrT>ueL3AR-4j6QPsZ*``*d0VKQ80O7|jAIY}$S4c(<_8h<4UIF8I^UA~V>{x7l&u7e!;-tuMOv-dEu2oSAI{wKSU=>CrD{z%FtcA^P9yI0! 
zKa=aa?a=J$mDAM#ns`N|7gaB!42A#&k@0Cwnxc1s=K`3ri1`7cAE0}goMD{eu-1#T zlhW?@a*`NUh*qc)wq1>Ym&*Ap+d;JNOX<oJSGN6lB!c-ek{2o(9_z z7q5L^e||6zGBi+Ye|Ee#B^le6gAK(N}3rd z&Y;H=1r-7AIy>@rVEIduVd8~~TGIvp<+z84!{#6YfdegNT#^{k{ebRR%5a3hvF;bq zbbuEHCRZ{9mS-7_%r`IZo0t*V*~k31S8Ej^boFw!0!DCYVdj5TXq3)yKt0M><*Z@z zCMgD4kpO`w2CBmORClnELQ3i)3hW_!!$OULuX^)F1Dk<&iV>a(rjPbE49rt{7HME< zqvRdnp*|;3Mg=;NFo-5X{^DY?)!z27@S91dYv7=KVjag2KC)6di0=oBi9bXfw7k_9 zd55SS%8|1;GahQ6v4?^s6i$!T8nV&Og)t*VKkY;Wx3&^T z0P3V^A5o1T@eO@Jsyc3$HvsA?MFn?9wjMVhH0RrRyhGjE@bq$DymPE)tXa~~3nZ$x zq@~78{E9f!%BZf#8K>eY?rfy@%eA38*(>1T5u}y4X+e5rYo|WoL+i}|(Tosh8Kp%S z#Pz?-N)2{XX>lJkSgy7vy#XQ)`8ms%LFZLR^MJssg_pf=m^V+ceq06sQ^|`< z$F6lQ+Qxnxge!$-lu0#SJ%90&<=AMV2Tr_q1maTlZ71VVSsF7x%w4mAB&>}pe)n$z zcG^hf$OR^VnJ5W7;(<|$7tTSaki7RC6+~m@TND)FQq^B8t!piR>q67O+VTSyZWQvr zKww{a6r;fLkFqI`H(rsPem~xqqd5*3v{n~qq?6tRP-{!2hE3IX%x86i7egF2x9Ql7 z+MKLj^Mm#{1L@|`p9~;Cj8&Q3!Hi^$%F*(9U-m09sY1zk8YP^&>@ZhKNe(go6@tx@ z-Q>2Ph}F&3X(5NNbnZm=$D&$2i5MupL?SK~!XT1ARqVxWaTjT|&)^%8+do{jQD54! 
zyc3%MEa|#ApvhL2JP0^PEl9$Vb8*p;)2p>%zoA35Bd7=c<0SyCtt z-o{->C#?4EMxmFSfAVTPA5oZ!G z8o;k!07vak7Kx$X!xdL-W#iaz>z*n(Xx=9j`N^XUN-xIIVK|n$RK983ZbeGz?C#YG*LWoP?2fzioI)}j~sts z0b#x<8`*;>^B2JeRD35=9eeR>j=wQCj(ec8KlbvpJAy+Yvn-g1-Sk^;Y+lA=!|6jh zc`++XW)%1F)nPZ)q@IZ#5*kUlPN@#`7s`k@BLA^O5w>NPV&PiT{Q9PTENzz)+fAcB z_Gq{t8=lRVmW1Q8U*K4n%pa{v06l70Y5#fd_-G+=ujf4bVVeqcj`^v75vhjfa&l9| zLwL=b@)IGmdkhrjtKiWg`T2}8s-(5=G6F;X{Ym|2D(%k(Am&aF1L5=NNX`?_*_MUi zeHQEpJs+jg)p}>NmFC#3fbU`gA|Zbo4?1lPG*dLs*Yb;ogstl>x4|Ku6EeUcCoYpy zSXmHC#^?q;#8r6b=>gh#`%hVwSpu`+HY!>RWgiN6KzHQq0sEGx(V*P*Se ziuglwL6ck-)LUsZrW3=Xf{63ZpVK4q?H%$~7kWgIeyg1MkO`m}sd0>FD&VPeDPK}k ze}HDUrC@v>v#s6GJRNIukpawwEFunpKX;LL52Nuo8vT@jhw-k{_QUfb+=@(|Jd86os ziT!7Pt)!y8c^&{l9f)(WVJuQC0ihHC8%Tq|l7Xcs4TCc3&V%KW>mdHDW3s3Y~bU@DOy0CyYKU=1!QU{nEh4WW|xd zuX)EqLH1Y}<+}M2-Mw?T{;G{_+Wj&4-2;$Ca(JfcZri)HEV|pX2RH4%I{aJ@z-w1* zC-{RK^d|JEvxqhhYX05>X~c?>S~O`++8bcwBo_!BSq)Q?!ur{koBU?@JzK8nATN`* zMJeY2&AsG4p<~Bktn|}B^EB|xo}VL0nk-^e9;?ru!Y}|pTp-q67n^?l=Q6tTlQX5& z{$EY*Z6UPbU3KwZ)>ZhF z#bgOApG6FJ0nYHY?@fz|);I6Riwp->Af=+u-_ZapXAj0bRO8bh+mjiOF5z|Xq)~74 z!u$td_N_|S?36Sb4N=|*& zOkMi(iTx1(AuqQAucS6~5Lr=$Uy@|$ZMl;^hCA*U z8ncZvT*z4t6lr3AJvw@v!@YXl?jL;zYuYBm#CC=qe4Q_VrQJpo*8u;KSYP3gu#!2> zlJiocg%{8#Edl*U0de8&f*uUkNOK-ueeXKNM`0vrQ!8Y(zU+Imya@h;c2s!rjf%6p zoczea>VfnmlSa2wcXoQ1a? 
zijT?W@ct+p4BBLAaI{r2&1-T(YUm`+y@JRN->4PI-B@rvx|^R2>=}}-Gkgf1HPWGV z15`mDZ1B-sYx!$aBt18iT_p)-lXyKzKvYPANBs?j?|wlJHrG66fc(|A7`msb+nZcK zWVQ4z*gBvTaUrL@^Qy8DFxNKtjim1A-2AKQqB&E(#vN;}rsI+!FX=0Q#9Fn2rOg`7 zZlvdihbLE@97Er|_|&V7sCv0e7^8M+p`DQd7mliBp#>_nTJT1T3Ewl2bX&>6Q$wf@ zfVk`M5S5dZGPLg~G!~QB|NEg`rmuDH4{N?rZ&vvLlen|$L9A@Rnt$St%4}}CpcAE?!G|>2wdl8ls;sI<~dsqWrcgzzzIWX9k5sb1ED>eNvqOf)8ORy>K?d($$daJ>+uUmZB>M@!n_{~PHh4Xp z{xC4jx~&p0_w35av%5^u=-o8-2^Hht0XXfVqdz_&PQzc-`tnok^*7ol=*HA3zO}v5 zjx}jfeY`$q0f5Pl(^DzPPD&wSVbXt}pyhUWo0d!%@`N~_sQK+NWU_0$JZw&o>_-O) z{BtLeyp-+Am8Q0?l4o1?^ZW`nnc#;Y360O7niT=lW7qu9v05II7QFw zarOmdxBMP={AO-QOF95Y{UqG|NsOjRrwuU6<$*E1B8KVz+Kiq&6*fFcu?W9T1*+a7 zkJ~o}7KSN~VbUh`D72`pOiyEYSTWwE%LwhOY3zT?-Fx7cqbSb`3>irAws%fhoN_*s z5y|s;SbZZ>7>|P`@*wt0j#!74EemFET>;>*m5vU|oA-;&0Y%T!CmFx9XKyt=fyPOT zJlfE&R_&-tsoT`jX}3ua0hSHbF~R$*5*NvHfPhNo{2*z~i;73@9M~Bwd`a%wa!3EC zKX}`-8&hV=1tg|eU}^m`-zW|892W`%jm>x+H6N6xu~(uGmA~^$o8X(O1yvF!vZ(yV z^|uh*z)uqw=MN%sfl`5(GQ_$0_bsPp0lj5dnz*mMYlV0&zZBLiJwZfrJ>uNS$Ld)= zAl=Xm&a)il2W3yt6Wj50WJm9RG+Ur27_xt06ni{i8`Yvw=d!~O`$Ul9z2U zZQm%5f0_~etcjGWO#bi6Z!eUl<|46AFyEj(yXP?0zhYZQ)`lmo7WCpM_Vv3o07hMF zFta{8PfxJqshs?re$l8cAU?4(1Y6X@JazVs$m7%4dEKCy#u?7SPlX%H4&;Iw_6LnO z0Gch7U7&!~2t}Q9IZYgHy)=H4kT!#a)1uqo3@+6zwr)04+HE}zVm*wNQ@TlQ)}l#D zGxI#&*7}Fryn|YGNW$uyc;!xRT4yBSxE@05S__8V7WRQY0OQf)mu9wbY`pTAMdUaP zq(O}q{qDVg`u4`YctLh3Cn=^0pFvuDhy(L?LtkSd zB6dKs^Ic0BjN`)IrVUA`ZeE~+riG`7l=Ez8a2;)8E(j?AN3zXkbTfEME=Br_%#<38 zEyRX)l3r(12_jRnL$H-AXM0a1U-0k5=fvy4!<ZqB6s@Ahz!Fv(~SVZDpTx_#Xhloxc)jy=gl!s!O*Ul)g{Cc1Zq%k^Cr* zbTB80h4=TWJ6qsr=7Pizex~&Wdg!q9z5X8#d4DYjfm8X5+C0g-FxK|Q$9Rz&Z1J3a zGc3E2DtBX_pN|q=7luKZ+6}S0sJe21r{ktc1WaScHc;2ANY(<4?F3Rwr$fkqU~!k3 z-7Y9(tw_bkTIWH8&TISSHZR4JP0%s|DGnp@}+wAdNKCBqfmZhZ>LAiF!uq=h~xVK zkg~JNG2%jFyCqxb&S^TV{+v+;L4BL#<&iQmtsz@JM-fE($>GCg`%T+u2U-KVZ~%>{ z;`TyRGiYsFvAbK$BQ_xAw<|@YF$CNp7^YSBoC}x|%2RS=+&FNkmR5xS*6{{h{91C4 z{_Hz*Y7c|hE=et8Wb%X;vmfkfx&uF*>*!1`xjrE?B63!ap;P3@77EMYx4yyBQ7=^n zJCau0)bWnH7DyD^tW%!@&JIxt;~spT&#rx(x<{?UrxI 
ziE5ORVu={U?U1vMm_1IPg%5#H3c_s42pg9vG4Gm(&x8FCBiTHrj`}Y6}i27I1*p<;WYtnJ9w6;(zsH(lRlRH z4i6%op$m>wM4D-Xu}(ihR7b{BCQnOWP@7BTbZ26qO)`u)hP;eXbffv2FT?w;?_%l| z%pw~@RMaI`?8Q-Y_T;4hem5pjS{nZX3GbA_PPDMNM#v_a1Ha3w578Bz6K~YS*MAWG zzEO}5~8yTmkxCh%H?5DrO`&+wnB-YK* znyyzNUwkRk6)ed|O~*JgF}H0SKP-@p;x!JaG;QwiC6!~ch?hui;!^mCWL_AwSJv_fu3a#t#U7dqEnu$N zRl1+K7SA^M_4LMPFmm3=08k*taR%@iOWm8QgshJ})319P?vsdcOb+Swx@eFauoi0I zA-*Ae`is=2*o9A*aDS~!r3ai!C)it-&i(I*l*NXh>FgDSb4CvaJO>^Hu7+9X`*d%A z*btejYwzV`qcJ3fmP|m_6$R<$tx0iZ)5h8ZPX;p;!GhkEzqA_o^MQl?1)n%wlLf}Y z6*8eD;paGRb?hvuADR?=vKF@>HWPB>*^dxb=b50M-x3&wyNx+DTpSk4H2|$@p6vYV z2=zY0iVQ)!&-J{8c8&X%(CumfBU^dW@?~G!yNG=r(*>ixLOP@y(Lto)+v7R!x!(8h zH-F~3_BHIi*1ewR*=w!)UfgRZAFh{h^`fGdaNAr=UtQRj>V4NRQk!7gG+X+gwK8`-NNFsMA8S~n=Z;C#Q+ci0>^X*87 zQ=#hKwPkr%{?-wWhJsk{3qhA+oQg+i4>Q~CYF^19K?{-@6f<@D26bH56}Ia# zhG$eRh2n+RRitLx7yQ%OE_8qsh|mCyE|8B;y!a;d1i=?RdxWpWhrManyJoyI#pFL+ zN!|zjG8`CP;(_~4K??WWQ$J>>#y%GvdXMf9o@rwJF6gY9WjvjD6*kGGk*+_qG<$1j zL>`{HmMf$#n);5oGVq*-^YDs$(Edh zN%6>CD`tyRkaGF6xzEb#v5{ZztBs%b#uq@derxC7th#Q1pm?PvWpt&*`<=~?+Q6}6 zBwnjL&((Ke<6b$_Zt@AHqq`~tr&FE(|&{%^lpYA2ygT$C(dRF(SqRO*Cg2mD#?W! z=zFs-cXyTep1lk(8lqRf_A+O&OztNPStw~m&#p*q|I|>-5ZI)sk@AM1 z@(L%5m}kn6uR6niACu;Aqq?%^=quFgl-fVAWoRGfwA3G8jS#adZbxK$IZ!5`tC%Pf z^j5w2L@qzvIi;(%>bYfO>tQZOVNr@6`+W%ytWRJxNR0cLB}&9W+vDmyqUw4%1ng9Y z=oUu(brvZ#A-VK)2JSUUpL>RCo|iuxt&ScrU^laLXM6FR%uhgNggmZ1ev>E5y)+@! 
z<3mRVw%n)zDXCaQN}oTfuM_S@kH=JZQZ_MpYV$isg^K zl5+a1GPu9pAI!AGP)5D5@zqdo&$|8%LYEuT3ay7Ssgx7ceUAx(M!S(o3g5YZDdGhh zP@5_OT^JCao2vnnL1c2HAz_BD5Okd4w&D+@Zj0gaaKJMgTe4h3(X4z$u={bc@Ra|v z8vXKtckc6iOkw56Q~{XBBV_v=SHdS-$m2vYBXyxee`4qk60g`$-KD%Tarf4;dFPzE z1z}5wB?H2Z681W^G{oygIB`@C)y;B>cHNPXufr^**J=(;Ph<+uHMy)i@%yxT3zy?; zQlw1?%fRo{ObZp0cSLRpPeF4Aby1H3o=u=5=xnNVQONOO4Z&wvw|$kd8ECXOzYW8= zluD@C!Cj$yJ3>x8(ZTg|SiT&Tu9?OxRACV?H&*PBc1qJLr}(JL;J*`|Kv-^QjG1i7 z=cVq;so4l<)mOvDB>5uo-Ws02-xjjdAr7uN=?X2__d4b&kElpJ0^_?cfQM5VKe~-} z5(bAIXYs2xU$hCmycj9akbbC-KtNZ$HD`o{HZN-y`f^=3R8|&b=}zdXf@O`xXArlb*tFwx8Y^K88Dt7~OkDYSll|)RrELCN z1@}jB*bZP}_7{Ij>yyqrkM17QZs&y8i5Zt-pE*@r91+f-55clir-p=4;Ifa;J`8sV z`k)?k!=JA=s2^?hO#EYgA(d)Xm6R1J&X>tkw%B)K2VZsHltY{uj)*z-zQ0s){M6^ z`%tirMz6NkrVd-jG_+f_v2&)Pi}xu4J{@AbfYnL9ug~5yaq8gV?_+OAyWIT5?Ta+X z?9l5mhHT1%BT|va!*aE!2cOYE4M>=V-`j` zxfK@fU*I8pYh%S?L3zPZzaUv_Rv_Bp;=7dyIDOK8NbO{;=KSJ2wd;%%IP<7z!`+6< zMtHL=8k@cKvtgs5olXSxYqvjMAN}ovPcJ)_qoA>8PjHuExUj2hLZI!ZXi=eP@|==a z&7U6jO(N2>9U01t2i4j}***yAl4;Uyt;}YxF<8=(Y%g1$F}fyem}_4yxA=xkC{P=2 z$-Eba2Fc0f?F6+(MDX4W!Z#5J X0>Mj-eFq7QK|cEd?;uW({o(+E#nVo|HV}jQq7O%dOWl-j62LWOOy& zIQPfM@eLM*l1nWJ_}zv02(;Z;6B=7d`zFyo>o{71g!{fG%US7iW;-bBa;cf|%mStd zTnko+w4ESWGTZ&u1g#MM>uKn$hkroGjS-?f>Z*wV*W2r~^f;0VBh)G;Vn<^rZwSApdkGJQn}X4JJayEqD)O*^Zo&sS8aYD| zIoeFefZ*1UZd=fhBVT>}ZHzM^R2jd=4Nk%NAo%vZP{yy>A^q7`T=)QgO99$UXb{|e zK)WcY0YQ;E0#XT67{J!#bq49II3Lo=-Tr3W_dBO0O`WMabJE^&gcQr>n#=ZT$jW`9 zbF!2Lm1u9+&yjf^iqKqq$>8&&#Ez#ZX;p-?tsv7kY&u&=ai9fZsSmllgDKUHhKKlA zMf`c}FeKxg{3Kz^&;Uns2D1Uwy4bgS8JYZf2$Ld>)u~z9d=I{+7nvomZ()04Q8V`7 z(8s=l>$@1Jxwp$uvuJGGJh#Gmm;@vtyytc|Ubcf6i#CbpTrf#@{+Br3lz}bP(O1>mX<6B}7}&pW1lQ30l>RlW#2A_xbN3b*=ao8V zqF3>_Wi3xKQ7&!9>uGzixpwU)f#f0dh4OYSHx<>?1ZVfp1ut{Vuzgeao7o3WX*ZuR z*k=}xI~#BRbWou0jQqU)fZ!I&NT60gl01QTy>r)7Olr>wbIvL+T_tdRtFW+n-Re09 z{%PW7I~;qi0NH!$d5`MjrlE)=HGzl+yPz2k{?BL1=-s<+DYmPr$YXr`mV(b{n=3hbXR}6&W`N?7nOs#Ml13KLAsYjfY8tgdCK0tH zJ5B*NnSbLvrD!I&Yx~#zp`K1m&W0+7e5dwU6>ONfoD+XVQNHkFN={@@4UNN;Y_#@_ 
zl?Lk(XGZ5R2FC!)+e+-1G1CuhLR}9uQ`bG~B4%JeU+<%S87rtWN))!OOnOcw7c|(>v{DUP;Z>}^3R|UJUmh5k3 zC;;ZA^XOq{>C~wPi20+@hN6RWW`K0>>u;bt_8$=f`fhTRzviCDciG=2aZjC7uuwhh zcNi9eo4}BDxxK49)<;cErs}WQ*EAW(@fQw@j${j@;nn>#co%f_xm%j)eOv6ATU1eN zu^mbG1F`_e#qD_1D@qCWU&){oKLyAcO}BMXpy=W(X9VZi2b#HoJ!4M`mz4(7tWN=~ z=?aSL<`x|{kdYe)g;(e1MxnK%ab-Ae6su6A1JUsv8)yw%2#2|{3o;QHC`mFQJvF11 zr>)~zLu+5Hm5uqG-eKna#FM-R7*FjrnOhY3K_Dan$ZL(912Z^Yxx0&9wWZ_ibo@c5fijV zP@q-_o`CB5O0GZAfN)*qAHmq_LGIW21`?U(LdFJuM+UP1CZdA?Z?+A7;fOw24IoJY zq(sgqHwit$#Q}p2>ljh2Ro(s8&*H{j9R8qnOeSyn!yXC23`tm&(T&=Il}eFjoXA2M z#G1h;BAP+Fo&RV#KH-(W8S+F?KC%WF)i_eYEMI`RdyvHw{H*7;-S2fQGivgj6{sE& z-UWcy2YT-@$NCzMK|3N)gFnrvEqyt@s7O2L|MaAi1W5-0M&X@2FbZZ`d;?k<1o(Ju z=X93d3J=_-9xIVLTpoVX7fLv)zT5C?RBI==xo4VR7hLAg7>($~aeS`K#~n9}?YEe* z=L<(|CX>YaC2=9_GS+bixAa8C5PdRp(GDwe@S-Ad}Oj3w!l{R_MX2%6e&cvLn=qgGM#wv%PJ^wz7>5}6gL@)Ka;$6jnnU|{z~i(ncy5K+ z#GyZ)`d$`QREnLT4dkkkFLFH-h~1Zz@(|bL>_)(zwSqI_C7Z=_=o8Bk!c+Q}i4VHj z!JYLjYy4tuP(}4-k2!gHSBNWnnhYkDx4NNNYf+h8aA=ykAZGZ3C_-`a=j=v1G;o`U zD^I_khqhm`x0t>U-^@8myeAhcTpezj>j~xJWRjC-GxAR+j9_Pb z^)~a`h!~?ym`^sPHLL*h7Le2P^#{q$$LcBqS)(Zx>YFQs!mBc^wI?*Wsi*l_;O$$% z+qELk8ju5^WsU8xlAY2J{~HRMqI^yxtYLhM3W9r0D-I6|^cDTaLAx6s#x4r!4>td# z6Hw?;d6h?!HhK@6mV%O{ouNt48Z5|M$xRT-VAC`%6qdSf)9m>;-9_CYOPE+b>LKVl~IPISyLJT zzK2KV0*EvsoOxpCoecCHIMb~`c}ME!a?M}vPYsNl&hY<2TmW@7n$B(AvHx=;64#i0#dv4h94DVm17`U!faMUQ77^7x)JLK-W@FN*qIi3y7apg&u0_LS}PZIKGu_@un+LAtzZu6Rbn;}OU5Su2r;n^c9K=& z1p{rTnub2}zRNN2131ax6+~%ZDTg_%v~C%=;(TG*LF|3HRX%CE1inFY4p;>njUPNg zeo;-m&%(R5yXiOQ(=$#O_tq^euz~2H<01BoJ8m)}Oer|+xL!8j2rvq{j=sV+2U7)a z_V7Qf=eP&%cZwx`;V=;ZD}mK~GQ+v0k2TRfCFs#;UxI0e01nYu%IfNT0nc@Me5f2t zPOrFG68-2cCA+Nz_wXw~-&Ju1=0(k}Fvq<+=YC`m!y#C|a~1oI_Y0arKiDHQMjN(F znewWZ6IJf41+g%j#CQ?*mOBDxl`6|qwa$Ei*ECRshgDf=7g;kbyjla&`@|(qLc0Nw zoh%2!`)B@wuRN$Q9`CHQItS0L>Y5f)OvpQqX7}<9BHFGl&w92PB5T?&PY=NY@PQv} z=UlFLP*X&Mul6$MQ;aj#)8Su>^N>q8rB3pfsi7Ra*OgL!H``Z0TDIde71oDuz!3`3 zM1{|5WsTr@K*nkj%uHgfJy)1dQANJCkRnL|paDv{ z1k6F2(JhRP=-59|>)5n=U?4Ca7gnht0{nrDPt9>6P(@`;_F;0oG6zi}D)TP1WaEW& 
z7-P7IG|sBDDnZG${bU`x#RU-zTwS1F*Ki!)${mma4QP<|L?WOF3s!cgT5|GwDn z!>R=@KT>wA{bVW2g)`{9lRm-A+QRpgcFR;>8PWHS{`py~?*ZipUs)#!{4FKP+l9fB zv!025;Yz`3ow++LBJH?W*9>S_UwEz75kMoF!W2+%<#^Q3qrY!>rjfm2xa=cv8uzmajT zUUa1#OT>VLA%Di)h^)D9{mA*pmW+r1fzdU}j2y;85t+kO*vu}tEV z^}Xk~42WlEy-i#wlvA?CDry13w}E}ESGui6kFZvP&nS+q<>-ZP8x8`@`wZ+uWyDKj zka2VM@FklM1mf}H^TRV$saU>KP~^rKZ!Zf~EFXGsvAWh?hR*}DSfIeXHntyefnhvS z)=x@`D<4*AWp6j_dKn%U)HwHmj?!$k-p|tx^RKH- zbKzJsF6tW(f%9Fthljzy|HJ|M^yj|7JC8y=H0UHa_IrH6RP+ee$#C*o!hi+tf8b-Id|SGJ6KAXgGMDgZ<(R4Flf`Iq z<{b#NPtCb50fYwlgN#%7LE}G|m$Aw#NpcJ91BA5fQ%BuK!7JQ?EDcmbzNQ{0tnhbF zJ2*Lh0QZyaTjgwD3_}Oww5Kf{dH4QkUV#kT1)1iJ@dh&XUzcuuwR#obF-QquI4IP| z@efx0q*1_3sb)}x&gv`9px&?`FY=EYG-sxveqSV2R4!0ju5~9o z!(b?`Z!W-D?!bKx(Fu1QOb2#8O9z1A#H?vWkQLPyGG;#egex-KlHW|9hx8 z@jZYLK#%l(`}Zmf!GyVc6-@0wAGiF;9xAT0M822VR)jhI(=I*=ifF7}nrPYfbp79drC&EG&I(d=V8S%ntF$Mimrw{MHYr!3W5;E989A0V!bFY9@X%W@k5t*> z15UEaxR$nZ=h;)K@^#sgrmx8yMuY3cn59316r#hFw@w&;UGTa2kPwnaiejhHjae$j z^?hc?!H($&+mJt9!Ms|a6T+m5Q$#HYL zFd?NlD&>M@Rz2{Dq|^1QuNU6lb127;A>EBNkSgBYDLnx6ozRgBamjAdjX zsDWz`1mqVp2pHfB68PW%9|#EOm>>u^;2RbA2!DtA?^CGa@6i9fhG>6jD4--HApv|V z8Q2>cSv#28IO6x#TL42%nSE4qRFjeBG_bLv|72*RZ$$5EW&6?vg4>l7xU@2I`~-Hj zvb1*Kbmbxb(}EMYe!0y+4F1!^(SnCqO-3FpWMgjxW~F~m|DKo^0SpFn+Z!5lDhiAK zr#tW$53#AEqb(-`gNus`y~_uB8+#K5Mh*@RhWAViOiXk@3pxikYsXKnbk+_ee+}~A zafFQ=4D8Kp9nEa4!7t-}(zkJPEAQ_ zJvPvl`{gdDyqT+!rMj@06+j+f4nRCUaQ|ul|MTR3GybEe+W&g8va|fN=RcnO-=4}2 zM)pEBR=|{wy#M3Oe>(s3;eR@EGra8lAC&lu%zy3zbmm3iX84s=12Pa0{16ht z0v}x=57OXVKTb{ssiF!VH>2^l`MshAvs%t@UD=OXbS}vs%rv_f&(P?2*tF`yc?i71 z5JAbo+D!|HyPa;d>xu1?W|A-_j~&$b{UNz8|K4-^TXk#m+%PCVID|+K^bRWM^MAjh zIzWa$ZRd;3{&(xI210G(g*>2t-=&KD96c4+Dl)|{)Q0>X1_|;%UnIp>NdFvE50uRf zC90wHgsBew`oE3-v<EO{Y4ojl=ovP(p86A z|0YAcV4Ju_j$UQj-<Fe%w|zW%>={^CD%;Aa_2?U&}ruG?uYhD%LuW{BNesW$ZU z){RzkI<4AuMDl3JNt{jvo>#LbESdT6X6q6ZX>n2Oa{{k@_xORGIDOZV8g}b^&DP60 zZ%OhMhoyi_75(051VuK5xli2UAZj)th`${%1w;U)Cy#=wd;TpWFKm<&&`10? 
z0~B8aE6jHmE8_Y0692Ff0af$=Xr=j!R#tQAA2R++E-3?n4Jk&=K>d3^9|0w_C|E?X zi2U~wsbKcvH2$-ayj4(M21B7%RPx{dhKkZLX`^ZMb2b4oAmoFR9t3L zaIvG?`PPt>mYuhE%U~MUwAFN_iCn&Bt#!!d>T?-Sk9M7HrsiacHrMV%ek`EZy;Wx8 z+1`(LW7QVZCyNI@FO)QZ*&0kH@p-&VM9098NM*IkHt30vo&GM?MBmrnA7ea}BJt%7 z{x@FujzI5J4hQ4YmUgFT?^3OLMdQJw)eDVSa+z$8>mymX3eTs9TUiqp>jn0)5~|8U zaf|*11dCu`n_bY5=qFi`ywuOvKF<^uQ$=?89e|CXaapkYBAw2yZryTgtX^drJ%Vj$ zVj{KN;vFP0sP6gc-YAT&hEfOX$>8zslF9i%&21xE%&;$p zOi^AQjJz1e(4q#AicD3@E^uRGqnECB0kx&@(FTw{v(UC4LLXX}MW;kuJZQ-5%M^=} z=%>f~0im}%8y8sq<^jH!0&w`GJ@_tK@N1#NZg;!6MlW)WYtuCPI%4q+$`h?-jkM@j z95OU=>8OqlLAE5m(=IflnX*r3Lu|{vi!RG_iQ3M|NOWq|fWu2Do>X^9# zfY~OXV9w6YHiB@iqjY^9CsCAPe@98cw)JL9#C}TzDTZJq2;2aseGfzi{mJlhZ_=8B z^EImbL3vOAl%~z$l*pZb`ntneAB9w__v1qSs6y{pj?^pd;7!)aUx3&y6Io;clY9jE z?vCdorgcOS32pR}L^?|P?2KeaB;7$DRt(Tr0G#5I+H+alEW6qr z?{Pw6Xu0{J1=tYpX~pHbYjBAeo?QSJVJ1YON^uOQ(_Wo(+*~{6%i*Fy@>vX)r~0%T zmrII556^YQS5^!~F`&wFc5D}25PF0HsQ??vV~o@L!F79#?|kqBzT4x)xZD6~aS_EJ z`~YM_RrGa3XgXQ8 z4eEEm-CuDjxDLwv@w{(Vt$7mWOa-}Vj~bsJkA2R5Vd>Tl1!J9;G@IVf+P`Ry9Lxxt zOe$;qTfPT*0*?bmIH+edA42*lwO;CFT&pUD(>*L5R{tJxkW`YsQmx;^nNznL@N3w^rw&7i=`D4{oY zMDS|nv%_64M$gw41_W1kIi(q9uS^b&;|w$nWtqJHX5{ECcvx95cZ31+7lg+vrYK(7A?pVshrHE-1J_v*=! 
zWoy0z+I+CMA_xcI9W6+&9Q+g(5CrU7CEb0Gs-2~~77I1!#&NU&O4s`~C(2S}8)Eg> zSvzA{LQGMh@<#LZl0ymmRZoXNH+=`^u+zh7kJRx}bD9%YM<`-M7f9b+=8ugAiRslY zI>!RCrApws0(m{Ol9Da6rWPIa8nU!kFDI5nTHBXbb`4CCGD=yQa);cuc<`N;bq3KE#{zCYB4dZ&zFyV-oZl}biS@w9Md^>QLYfaLA>?)FPvR8$3% zbli7y^xwWFI|rBV#4;Lm*S(tt7_k(s)Fe=MM^v7h;oZRfaMC%{I|7eGk<;bqpa`WM{#Ds$&&x?w!5m0^ zZLbHK9{0oQX}mr%(F9rF2#7V$2?a5ZwL#XumhKAE`_Q^qQ232L6P7t7eFqD+OQ-gG zA>|_6F6jn{2|+=`raWRfN@xewT zN-B%A8QJ)(`+TRGk6mV)ADtE!2t9^_UPP*CU7zD{Sk4Ep?#SDf_sQxP85ZxlimlK6 zi-hb3LcDqy6+?2xMmB&KIbPW_DGSFy*A{s+q0R5ALiG>L-R66~jSOow!Ie`Jh&&;M z9ooqkw_kGG=13D)L+@EIPPNk7fy|WIDZ-@Fs5=(F|2bBH#3J$>tC%WDS6Kr@9$bf2 zvGSd$s8QA(l<}h#zp3SF_vN-OW1{#IyhUIt#M>>io%W~5;yl!Q+K1$3ll4qiYQIG3 zH}m(2p|0ulO$3s9B;wDn!jguA=e(mM0F&ZzRNvttnx-DxPh@-CeBHp#x2N?p_2fWl zsh6}I#1E6oYDR66=A{xSE4)B;{Uye2r(O+aF-VzZA*R2D*OF?CbE=X7UNh<=?6}Tv zJMO8>+y|zbND=l#J{#J3RVUoaDisWY`DMVQDZYUeCpp!}z=(5W4*4j=SVuQCA&xnz zmn2~8@fZERLZlN=Cw&wiv1%8vvt2edoV4lmjt-Yb%A@&^chw`a4PbUwog%$SD{idqs-2b=3WopipXZ!)|&S!Gg_N@C<1eODYGLLel^_yMIdM`3}7 z8#Zb#vFk3waZExG^0p$tRW!8mLmEYirZKx9mO{{1=@T&mx30s8bi*}7YDM|QjxJA8^;vAEg8jl(ZNv57W0W+G73wZG3 zhY_lsm->utf&zVS_6#EMxu%97Vq#<0HT(ltcd{a#XKyA3vvs!o-}0y}D5CQj#)BQU z+;Y)_OKa7e6jtEW*QFiAs7N>=g5Rh0Vy4>YG+`(?+n31k-U?GjGrOH_=4;SMQ-Cv{iJyx2VhZpv6^RQ|?S;^7O;)73*&0j(Rlc71NR_hi0UV~C?g1)=K~K(P`df^hs4ixL>HXC(%=ad%*)}8n>S*)v@V0_Etl_uLgawU4^mnJ=o zUj_jLLMDu^SF4anHR=(nxmNQv^qFyW$_r1VDX2=vm*}k_$Am2Aard<96~fkatFRmw zBSPA}pZN%vU*eb4S0N6SJnkcZG#Oyaewy5w(}xd;2#Lb5MLAvJfG6b61@o+T9w(|n>u&P{Vpp`j2O%-21d57{S7#AYm} z^a>_3Dhb~G@u5wzo!POj@5X1dKRzO9O@H0LkZ@Dh#21+lk!VRPwhV*Wm7;2@Q4s&NT_zz4X5)oqJyJkIv~Ie0k6K>h+~pX#rv}MX}EfoEupH) z!PB7THKpt0n9|ni$Ym~zM&Rvs#0B5?+^@gV7Mp|sF=S)Xl!XvQm4MXJrW~8kC7P_! 
znG<9ej7d?Wh9WoPG`{eznh$^Dpf8C(P}|GC_43aMwM^U6D;`D$(e#k7b-O~*?=kT2Z}7f_c& zF^GNgzGPR65foQD@r|x?Av~Jor-_fhQV>FZg*iOAZNCHrn*eO!;BJuNbxk#;1P%&} zn^D$!Kd|j3-s2|6;)iqh+P?g#i{G`5p-*V8EtVp*L^$8_+IKD# zkg_><6Q!Moq+dpWgvDU*9f>KdGj;a&AE?&t?;YI(38{3os!6x2$P)X7F%L|5Z}2OZv1(jVWx8Vk}9!7zIE z^aSD52RInNr3=cvZ}UDMVhdZmRnsRbCbfwn4gCVUC@O6!KUZb8uCGCqX^9mFgeL4f zfjXqJ@rtV7&tffX0#0Etuzts;eTf$1IIbyq-c_j8t{5B{ zN+C1}a1*Z<*pmkzCQZy0Zml+}Nx4qgT=TzYf)31x5|Zm}0OG#*U?}-2k)$_QFT?7q zXqbKK2Fe&-eGibGs|XtGxu-OM;fl1OmXBQy&pQFE`5Ri6_kY1L{jC#NCSM}T|De?` zjm0e*mfRYx|LHB6BLf!KVq~b|C*a-xJp`aF09ZE7Wi$OJ1p3c?{?{+C-RlPRDF7Y& z-_ZX(91k1*iHzq7ya2lbYy&9(@b>r6{0%Q)s`hb{b}gXif8S>T0p}~rj!*-T0s}6!l7>#Bb`_C)EVAoU;I`4&+gNkO*!8igj*gBxJc=p*cV=HPsOE=( zoff?Eo!0S?2@MU6aXtcIAt@k`Rax_#ot-`F#cz-R|oqvD_tUz7@ z28gqgvRiYpv}}E)lbLda!^Fbh5j7sxXoeVtJi+0|OEdnBaLa#!2|~hFT=gob=nTjH zAbFUcoJ<7-H7@y^HGe4W`|TUvYOFLii}}a=aVr3EtJaZIm$t~CxBmYIC>mas;Mes6 z2>mTWfEC99L`&%~Le1m9GWeG$O1|(9o%FAb{hdnz1HwA?{{{{{K~?>-5)A&8%W2(2 z02fu(i<~RptzGukAfz z1Q3x5*V8q9FsJhYr9a%;gg5w{=nPWbk+E{T9N4+#4)35Oguu5vUSsq_vT>#`L2n7u zca-8dy-CO1$7R?g0IW#T%Hl7kzGJujejS*FlzU+G5xW*Ne z5`CnNCKjPZw=bKtnpMNubd2s!wWOWJ!NnfioE=J)8mFs?`k8tie|I=%^SL(SC^sfL zdX+aOo(%hr@eha&P6vHA*qbWWT#EuQN}AKw$3Hm)ekWpnajm-a{=uTh`b!C-Vj{BQ zLT2Qa^-Lkdu=}Ivh5GYs+d~{GwMJQ$$A`+s<3bizCZAnJDySCllHv)g#W}Bs3f9KsEuVxt9X5}ejZ!VD zLZ90l*F{~M7BUB2LK;mTTisKp`%f?Cg}({ebSyjMo5L{2Dd#u*KdA}dI+FK}J0o?3 zmE?Husj{mnTlo=GisIZgt<{O7aU6Gvv!|ICEi2a^&oJp?jL;}TvVF0eZhjno`KQG) zi{Mujx5z8w*M8V1Z8RI#uX}FVw@!YX7^nBH{?!IK=AN6DU9F)lq@im4D*I#3s3?z= znvuFnnP;FOn{|<0aW$W_|31sV(;3JT2xfF+NmC20n3A0YJfV!o&U5(@WhF`M3I?jv z5|1U?TKdWg-Yv8fF+@r>jjBvcA9|Z&9#tQdo0d~vvJQ#EbM{gl)Udz2|EbOL11REe z%q9bXR4nvgJ>N({_ZoW`ML^A!v6Q2)sdM&w)0GT*z zgMQl!AlzgCN}o0{?VR-Ypcn!xk!C)9zg0tDa7dNCEfB7&(}xI@YnTM zx5yk_A3AJv?BekPq8v=bP7az#Tx3?4`FXaAcRW*M- z6HOx44+OWw+KtY1<@cqnPt**p4;9RoGxF}c6P16#YJcx&@(cf32Xts?Ko=FSy5vKJ zCW}i>(GB6Q+f#kTLyxXe#|X(LLoud&9tKR(QT%Lag4g3$PnU`Ev+W&^9R3ix3g>R5 
z{nR0do^E|b8aap(U-;*W$-@ikQ?x;2Bt&ziK&Xe3@jlt4_W}`|dz7`>ry&O~8azP_^X?>OQ~P^$CN7XQ z0FvZ0^2ww@g``!WH2C^ z9Yk`Y(Bvvkmq)H+@%Db@H~TD-N632xC8=C;2&%;i?uYaJbLtM+I)y6M+Rg)*G0Ls! z%!=3US?N4RlMG6RS7^_%4RjjfJ(*u5nrp0bu9a0K=e@4u7t|}W`EA}*Yo%J%2Qu%M zlB!ITgmr&Sq*B$%5_WlO<})H-o%}qmu&zl(#w0_7SoP@P(Mo^w7$38gJ{LsD-1S|j z*`3LB1YDbR}I$jnOM;2YpjG*%vyy8qPt0R&EWElp~Kgt#c{H=2GL`*pg zfRGioerFuBO8{Ym(Mp@|nC`8DL7E{|%Ag`Ii%usag5i0bJ~dV^X3U~PZ)5d1DsNBOV?*#{cs!Fzer%;M+Qrh981S7p6K{7@tW}n( z{S`;0v;lYli9i}{pvmogfvG4*O~&r}7?5ROl8^-;O8W!j`pp3k*PIrbWU8w$+2X%^ zZ`80$_GqdO0*_?UO`E^^Lo+Vqr2O(TAPH6Wu>Aa(fxDyM&R-UTN&sWWV>k1jW387& zN}YL!T{M#5up{~%>Ae^B460%kkc$`qFd4;?+FWO_nJUU_-(OOgT%BUJJSrua=0(6c ztS_+gm2D~N3xT^h;3beEV$nM;fv?UvSUvJ{?}{pisg-v@Z%3pUnn?kmKZ&GhhZgkS zk1g*D&a3NL6GD!|s__Mz+8;rWeItl-wj!I%o=+B~h1KWgvll`8*_*>$^_=-m7a~P@ z8+00^%Y-g|w2#I=CTyl9=Z0H~PDT(sh1Hs_+W>(=fz zrY838vRdi1Vp2u3FJ4tg9l=%03$RiRB*g-2?)QhaT>Buyi|`M_wrOZ=7fT+;PH8f( z#F*Qw-RHJ=&NH93?#|m(&s|8dXs1d);&bTN%b5uHCSX;>N_&=tpDnG6tf~_Ww;^IG zKJ|F`Z?Zh7cM1+bBzyUrkK6RH-6w3Go^DG9+JNe=*>eOv%%yPYn@$8XTjBd#pC4^r zveJHGifh*nzj-KXm)tERt8zGT+C99F>bLui617$Eb0gh{Mfzj6hSM~QOgb)Ke}dXc zIq{A>OajC6Y+few!9Q1~dtrYU`mCf5^1lHpKO|WgjioG%7cHsOS`-B(5%yte<8vZz zuKixwG?P^lxC_^~AB^hnQx*nm4oy8Gs%%I!e)5o55^UyRXrXosdrB4{ZB&Qe^_-BO z)xXg8yJS_;z7!zZas(I$qzO4lf6zoI9IDA25$`WgYi+h0Vv}FXu+DbjN8pMPV{Tjk zD{!XgO^}(e*AfasiuPwl|1@t^OE>BEYF@wfwQmKoUR<~;7(cL`fHbNRX3eh=p7rc)3SOxncd& zmIJYEv3%|(9y#vQfJ#3thanb;as2votlqs0pD89kO|!B6pp&9CSkW81VUF!2EGj7a z-J0O*vk{@UPF-}1C29LWrAp~}%Td$$ur>MMUKa$9Jx~b4&SQVG`i08?n-heJ69@f< zonMxH6{db8M#`{x3)SmlRBTMGIL~FtDRBYdoBfysMg8Sthh!)dn2_7GtS||N&<`E( zkSk?fUPWdEFVj#w)9zOnQO4vG940`+#d)NtC|sxwW>*X34oiZ$Br`Q|<4UmPvNXQ; zft2W51-DvH6OfV_i(TE6$bzh{2#D8f7Bo2Voue#04_Pz{%>9jOHY2!tn-Z7fWvm;@ zg>Tx%7+Rtde0oxXbWuK!n;~0-!s8|4RV$arp^o^aPWB4kZH5euH0}1`t;V-fY?;)@GJ#R7(@?kI$izO~eY=KB1-W(=YFuOp{i-zWk zQh6Rf()rbTdm*krP-^h;>ET?i{$flj?b>i6Pa%gM#miT=Zp9BV;5}49%u5bFq6?M8 zdD-i_zHag*B{|X3)lKqJ#W6S{NfAIea*A9K2cjB#_n>V4)lDemj5)2Zw9&A)e>g3B 
z$)Z$(XVQp{by4_gVz|(EPgJm`;}^w`AcorK!U%}pJSA!jyy0EX8RpB}h?9@rDs1HW zpCP;J*p@xVPf=WlT)#?Ox|0RJB_Lc=EUjBZ-~f1$ru=-f9*HH004&L+e&^lyE%%S)7`MHY^ifUuqRXeaLH zEK(0Z)WaAWHHTJH8bFJo3jRXo2GxEST0umT6cK6@z`qmkp61A_W<^Ke*RE*glUHb= z5BiAi3#1pvf4QTS@UNjCb8&(xk<_pk^o??$XMux4`wS|9k~$9AAc(8PXduD5OiC>j zi<=qAGyhil44MdKDQmqpWSWggrM2n0WpLu=ksi7xcK!0(Dw8(+)%Er_3OYG<*@k@8 zg6LmLK|*n5&n~k@Skt<8P$wUZ=#8{4|s11qPaK5&|k4O!1g zPZj2Kek{wJG9SJ3>>Jx`7LAB4z!p;ndRU z240`$_dkesJF>S(+Vaq(JPLZQCOoqXpAlH6l5QI(ysm)4BvqgqQgoX`fY6oZ-7)tu z-@a{6n(JD~@DObDrVuwVk+36qSHSA&X*K}NF5z;b6oKoOWceN)U7CcoZaZpw`kM&J z`#vklMZYO1C6hD^$$WDHw8eZasNlD1JX%Q9x2ws?xctq}<*>NHzVV zpr`s#2@SFX2cWMxR-t4t3QW8J^If18K1}lmAs!9@;l&|>;tDRrQI*DEKI~2P(@uonAS+N&u2f* zN*gH53)B#l2(=mg{`$(+n%u|&To^82$EYSy?k6t*p{mDTPuhr82+xK)ATD1v_XMOr ztrhAJal-mq?hp5A8|vQ5n8QICbcfrK$ikA7SK~s8lQHV32?AA7gTYvctE6wz>y(2j z3?~u$A74P=BX&--Wt5vsr1Vi`pq?dnAIT3x@`3gAMkiaPao4>KjQS@F6mfxmwJ%A#`)?;`%3%C>+THS=L^v=A5a=5+&HCr-M7qoO>x6nT1e z?-%*(+qCsS7WlA%y00qiIEnypI47q zEL_xRZptk_iM>7!7tyb&vM;;aBSu8Tt{ zaOmZ>`Qbc*_s$f%sJ-(e!bz5DFBJpx##ql!d+0n9(VniahV~GgiQiB7ky}GO^Ea!S zke%DUoT*HhlV!!surY+|xPr^dk|qdXf;Bg=*Xs4&8z?rSw580cqj8o0ASg-@15#wr zVC(R9hRqUi!RV4hg_DFm7!sZ49oh9vVmtHc$qq;#+CM$Tl^AENeUi5LL$l@nQ;O{* z!%v~w{bf19(k9w4X5H_z%LFA!&Q)Iv@FCYwuazv&Pe6m<@I!<>>u*?>P7L*!@L5NmaQ=68~APe-FX1#zT=df5Si#2SYClnvBs)_1Off;em zXf{kko#qo;W@ufui?npVG#Yyx{J`u)s|2p?YSn*DDVLXlFrucii(KbhcXOLDL(~Cb zyDcEPEBr1ET<1L-f$V3R1`5#(cm$*isyQ=E6@40RH-zb|vL@-sBU|WLQ<=%Y z34^fK@|#tFm?&LOPo1!a*+B; zoa!_#u$&^n-qTpnfje1e#?~jP?RuIZg(*wH&r-R3DJFxj44)+B9?L1V#q7YpMLtqf z__Q*V%XF`Dq1Ar4-F*6!cGgnKEbp|+4QKsW_ss}5*065priRP0mES=NSUm{OJAQB$!cL4%MnF`0zHvt)UCizcO~ z-cwxRxT~0Wif^4+dWvO+B~OD)DgSnwn=E^v+VycJD-y+ttncB?p^?R;T%(p<4zuN? 
From 9c65448459b7619fd826cb6591280ce701fd4443 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Tue, 29 Oct 2024 10:08:01 -0400 Subject: [PATCH 02/24] Add TOC Signed-off-by: Mariusz Sabath --- .../v1/cloud-native-zero-trust-whitepaper.md | 124 +++++++++--------- 1 file changed, 65 insertions(+), 59 deletions(-)
diff --git a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md index fb20419fa..93b1e8194 100644 --- a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md +++ b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md 
@@ -1,15 +1,54 @@ -CNCF - TAG Security: Designing Zero Trust Using Cloud Native Platforms +# Cloud Native Zero Trust Whitepaper -[https://github.com/cncf/tag-security/issues/950](https://github.com/cncf/tag-security/issues/950) +## **CNCF - TAG Security: Designing Zero Trust Using Cloud Native Platforms** + + + +TAG Security issue: [https://github.com/cncf/tag-security/issues/950](https://github.com/cncf/tag-security/issues/950) STAG Representative - Eddie Knight Project Lead: Mariusz Sabath, David Hadas - -Table of Contents - -[TOC] +**Version**: 1.0 **Created**: 30 Nov 2024 + +**Status**: WIP | **In Review** | Approved + +**Last Reviewed**: DD MMM 2024, **PDF Published**: DD MMM 2024 **Release Version**: 1.0 + +**Final PDF Approvers** [] @name1 [] @name1 + +## Table of Contents + +- [Abstract](#abstract) +1. [The Philosophy of Zero Trust](#1-the-philosophy-of-zero-trust) + - [Cloud Native Principles of Zero Trust](#) +2. [Approaching Cloud Native Zero Trust Architecture](#) + - [Foundational Terms](#) + - [The Zero Trust Process](#) + - [Cloud Native Zero Trust Architectural Elements](#) + - [New Proposal for Confidence Levels](#) +3. [Cloud Native Zero Trust Architecture Design](#) + - [Peer Identities](#) + - [Secure Communication](#) + - [Behavior Verification](#) + - [Access Control](#) + - [Instance Confidence Automation](#) +4. [Techniques and Best Practices](#) + - [Protect Data Confidentiality and Integrity](#) + - [Prevent Unauthorized System Use](#) + - [Establish Limited Trust](#establish-limited-trust) +* [Conclusion](#conclustion) +* [Appendix](#appendix) + - [Glossary](#glossary) + - [References & Citations](#) + - [Contributors](#contributors) + - [Reviewers](#reviewers) + - [Acknowledgments](#acknowledgments) + - [Helpful Links](#helpful-links) **Note**: All tools, projects, libraries mentioned in the paper are mentioned as examples when describing a relevant section. 
Hence, such mention **should not be** taken as an official recommendation by TAG Security or CNCF. Readers should evaluate adoption of such tools, projects or libraries based on their own understanding and threat model of the system under review. @@ -335,6 +374,7 @@ External client entities— whether human users or external systems— must also After identities are assigned to all clients and services, the next step is to ensure that communication between these entities is secure. ## Secure Communication + Zero Trust operates under the assumption that offenders may already have control over the cloud network. Therefore, a Zero Trust Architecture (ZTA) must ensure data confidentiality for communication between microservices, or between microservices and external entities. As discussed below, to achieve data confidentiality, we must verify the identity of every service and encrypt all communications. However, a ZTA requires not only data confidentiality, but also fine grained access control as well as behavior monitoring. To achieve either, we are also required to verify the identity of every client. ### Data Confidentiality @@ -792,26 +832,12 @@ A structured approach to implementing Zero Trust principles, involving the conti (in alphabetical order): Aradhna Chetal - - Asad Faizi - - David Hadas - - Eddie Knight - - Kishore Nadendla - - Mariusz Sabath - - Philip Griffiths - - Victor Lu ## Reviewers @@ -819,17 +845,9 @@ A structured approach to implementing Zero Trust principles, involving the conti The successful completion of this technical white paper would not have been possible without the invaluable contributions and insights of our esteemed reviewers. We extend our sincere appreciation to: Pushkar Joglekar - - Nate Waddington - - Andrés Vega - - Valerie Silverthorne - - Yoshiyuki Tabata ## Acknowledgments 
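Review bot: in the @@ -1,15 +1,54 @@ hunk most table-of-contents entries link to a bare `#` (only Abstract, The Philosophy of Zero Trust, Establish Limited Trust, Conclusion and the appendix items carry a real anchor), and the Conclusion entry links to `#conclustion`, which will never resolve to a "Conclusion" heading; fill in the anchors from the actual heading text the way GitHub derives them, or leave the entries unlinked until the headings are final, and fix the typo. The same hunk mixes `-`, `1.` and `*` as list markers in one TOC, and adds template text that should not merge as-is: "**Status**: WIP | **In Review** | Approved" with no option selected, "**Final PDF Approvers** [] @name1 [] @name1", and "**Created**: 30 Nov 2024" on a commit dated 29 Oct 2024.

Review bot: in the @@ -792,26 +832,12 @@ hunk, deleting every blank line between the contributor names leaves "Aradhna Chetal" through "Victor Lu" as consecutive lines of a single Markdown paragraph, so they will render run together on one line; keep one blank line between names, or make each a `- ` list item, which also matches the `-` bullets this patch introduces in Helpful Links. The @@ -819,17 +845,9 @@ Reviewers hunk has the same effect on "Pushkar Joglekar" through "Yoshiyuki Tabata".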
@@ -837,23 +855,11 @@ The successful completion of this technical white paper would not have been poss We want to thank several contributors from whom we had excellent input and feedback and, as leading practitioners in the field, did much of the work that we write about in this document: José Carlos Chávez - - Matt Flannery - - Sundar Nadathur - - Andrew Martin - - Matteo Bisi - - Fabian Kammel - - Yaron Schneider For anyone involved in creating this paper, we express our heartfelt gratitude for your time, dedication, and professionalism. Your contributions have undoubtedly elevated the standard of our research, and we are immensely grateful for your collaboration. 
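Review bot: deleting every blank line in the @@ -837,23 +855,11 @@ hunk makes "José Carlos Chávez" through "Yaron Schneider" consecutive lines of one Markdown paragraph, so the names render run together on a single line (the Contributors and Reviewers hunks earlier in this patch do the same); keep one blank line between names, or turn the block into a `- ` list.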
@@ -862,22 +868,22 @@ Thank you for being an integral part of this endeavor! ## Helpful Links -* Internet Crime Complaint Center (IC3) Annual report: [https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf](https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf) -* President Biden’s Zero Trust Mandate: [https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf) -* NIST SP 800-190, Application Container Security Guide: [https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-190.pdf](https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-190.pdf) -* NIST SP 800-63, Digital Identity Guidelines, [https://pages.nist.gov/800-63-3/](https://pages.nist.gov/800-63-3/) -* NIST SP 800-207, Zero Trust Architecture: [https://csrc.nist.gov/publications/detail/sp/800-207/final](https://csrc.nist.gov/publications/detail/sp/800-207/final) -* CISA Zero Trust Maturity Model: [https://www.cisa.gov/zero-trust-maturity-model](https://www.cisa.gov/zero-trust-maturity-model) -* Department of Defense (DoD) Zero Trust Reference Architecture: [https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf](https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf) -* DoD Zero Trust Strategy (defense.gov): [https://dodcio.defense.gov/Portals/0/Documents/Library/DoD-ZTStrategy.pdf](https://dodcio.defense.gov/Portals/0/Documents/Library/DoD-ZTStrategy.pdf) -* DoD Enterprise DevSecOps Reference Design: [https://dodcio.defense.gov/Portals/0/Documents/DoD%20Enterprise%20DevSecOps%20Reference%20Design%20v1.0_Public%20Release.pdf](https://dodcio.defense.gov/Portals/0/Documents/DoD%20Enterprise%20DevSecOps%20Reference%20Design%20v1.0_Public%20Release.pdf) -* Dorothy Denning- A New Paradigm for Trusted Systems, 1993: [https://dl.acm.org/doi/pdf/10.1145/283751.283772](https://dl.acm.org/doi/pdf/10.1145/283751.283772) -* *A Zero Trust Architecture 
Model for Access Control in Cloud Native Applications in Multi-Location Environments*: [https://csrc.nist.gov/publications/detail/sp/800-207a/draft](https://csrc.nist.gov/publications/detail/sp/800-207a/draft) -* Identity and Access Management section of tag-security whitepaper: [https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md#access](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md#access) -* Help implementing zero trust architecture (UK): [https://www.ncsc.gov.uk/collection/zero-trust-architecture/implementing-zta](https://www.ncsc.gov.uk/collection/zero-trust-architecture/implementing-zta) -* Zero Trust Thought Paper (Canada): [https://www2.gov.bc.ca/assets/gov/british-columbians-our-governments/services-policies-for-government/information-management-technology/information-security/information-security-awareness/zero_trust_thought_paper.pdf](https://www2.gov.bc.ca/assets/gov/british-columbians-our-governments/services-policies-for-government/information-management-technology/information-security/information-security-awareness/zero_trust_thought_paper.pdf) -* Essential Eight Maturity Model (Australia): [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model) -* Cybersecurity Policies (Europe): [https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-policies](https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-policies) -* Success Story: Israel National Cyber Directorate Version 2.0 | NIST: [https://www.nist.gov/cyberframework/success-stories/israel-national-cyber-directorate-version-20](https://www.nist.gov/cyberframework/success-stories/israel-national-cyber-directorate-version-20) -* Government Zero Trust Architecture 
(GovZTA) | Singapore Government Developer Portal (tech.gov.sg): [https://www.developer.tech.gov.sg/guidelines/standards-and-best-practices/government-zero-trust-architecture](https://www.developer.tech.gov.sg/guidelines/standards-and-best-practices/government-zero-trust-architecture) -* 2022-2023 Best Undergraduate Cybersecurity Programs - US News Rankings: [https://www.usnews.com/best-colleges/rankings/computer-science/cybersecurity](https://www.usnews.com/best-colleges/rankings/computer-science/cybersecurity) +- Internet Crime Complaint Center (IC3) Annual report: [https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf](https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf) +- President Biden’s Zero Trust Mandate: [https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf) +- NIST SP 800-190, Application Container Security Guide: [https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-190.pdf](https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-190.pdf) +- NIST SP 800-63, Digital Identity Guidelines, [https://pages.nist.gov/800-63-3/](https://pages.nist.gov/800-63-3/) +- NIST SP 800-207, Zero Trust Architecture: [https://csrc.nist.gov/publications/detail/sp/800-207/final](https://csrc.nist.gov/publications/detail/sp/800-207/final) +- CISA Zero Trust Maturity Model: [https://www.cisa.gov/zero-trust-maturity-model](https://www.cisa.gov/zero-trust-maturity-model) +- Department of Defense (DoD) Zero Trust Reference Architecture: [https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf](https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf) +- DoD Zero Trust Strategy (defense.gov): [https://dodcio.defense.gov/Portals/0/Documents/Library/DoD-ZTStrategy.pdf](https://dodcio.defense.gov/Portals/0/Documents/Library/DoD-ZTStrategy.pdf) +- DoD Enterprise DevSecOps Reference Design: 
[https://dodcio.defense.gov/Portals/0/Documents/DoD%20Enterprise%20DevSecOps%20Reference%20Design%20v1.0_Public%20Release.pdf](https://dodcio.defense.gov/Portals/0/Documents/DoD%20Enterprise%20DevSecOps%20Reference%20Design%20v1.0_Public%20Release.pdf) +- Dorothy Denning- A New Paradigm for Trusted Systems, 1993: [https://dl.acm.org/doi/pdf/10.1145/283751.283772](https://dl.acm.org/doi/pdf/10.1145/283751.283772) +- *A Zero Trust Architecture Model for Access Control in Cloud Native Applications in Multi-Location Environments*: [https://csrc.nist.gov/publications/detail/sp/800-207a/draft](https://csrc.nist.gov/publications/detail/sp/800-207a/draft) +- Identity and Access Management section of tag-security whitepaper: [https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md#access](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md#access) +- Help implementing zero trust architecture (UK): [https://www.ncsc.gov.uk/collection/zero-trust-architecture/implementing-zta](https://www.ncsc.gov.uk/collection/zero-trust-architecture/implementing-zta) +- Zero Trust Thought Paper (Canada): [https://www2.gov.bc.ca/assets/gov/british-columbians-our-governments/services-policies-for-government/information-management-technology/information-security/information-security-awareness/zero_trust_thought_paper.pdf](https://www2.gov.bc.ca/assets/gov/british-columbians-our-governments/services-policies-for-government/information-management-technology/information-security/information-security-awareness/zero_trust_thought_paper.pdf) +- Essential Eight Maturity Model (Australia): [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model) +- Cybersecurity Policies (Europe): 
[https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-policies](https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-policies) +- Success Story: Israel National Cyber Directorate Version 2.0 | NIST: [https://www.nist.gov/cyberframework/success-stories/israel-national-cyber-directorate-version-20](https://www.nist.gov/cyberframework/success-stories/israel-national-cyber-directorate-version-20) +- Government Zero Trust Architecture (GovZTA) | Singapore Government Developer Portal (tech.gov.sg): [https://www.developer.tech.gov.sg/guidelines/standards-and-best-practices/government-zero-trust-architecture](https://www.developer.tech.gov.sg/guidelines/standards-and-best-practices/government-zero-trust-architecture) +- 2022-2023 Best Undergraduate Cybersecurity Programs - US News Rankings: [https://www.usnews.com/best-colleges/rankings/computer-science/cybersecurity](https://www.usnews.com/best-colleges/rankings/computer-science/cybersecurity) From 8a813b2a3e349a7cb781a25e00122cca48a89bb8 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Tue, 29 Oct 2024 12:21:39 -0400 Subject: [PATCH 03/24] Fix cspell errors Signed-off-by: Mariusz Sabath --- .../v1/cloud-native-zero-trust-whitepaper.md | 37 ++++++++++--------- 1 file changed, 20 insertions(+), 17 deletions(-) diff --git a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md index 93b1e8194..2d6f4e8c3 100644 --- a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md +++ b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md @@ -3,10 +3,9 @@ ## **CNCF - TAG Security: Designing Zero Trust Using Cloud Native Platforms** - + + + TAG Security issue: [https://github.com/cncf/tag-security/issues/950](https://github.com/cncf/tag-security/issues/950) STAG Representative - Eddie Knight 
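Review bot: the Helpful Links hunk of PATCH 02/24 (@@ -862,22 +868,22 @@) only swaps `*` bullets for `-`, and in doing so re-emits two entries worth fixing while the list is being touched: the NIST SP 800-207A link points at `/sp/800-207a/draft` although 800-207A has since been published as final (`/sp/800-207a/final`), and the "2022-2023 Best Undergraduate Cybersecurity Programs - US News Rankings" entry has no bearing on Zero Trust and should be dropped or given a reason to stay. The bullet restyle and the blank-line removals in the name lists are also outside what the subject "Add TOC" describes; a separate formatting commit would keep the history reviewable.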
@@ -20,6 +19,7 @@ Project Lead: Mariusz Sabath, David Hadas **Last Reviewed**: DD MMM 2024, **PDF Published**: DD MMM 2024 **Release Version**: 1.0 **Final PDF Approvers** [] @name1 [] @name1 + ## Table of Contents @@ -305,7 +305,7 @@ Zero Trust advocates for network segmentation into smaller, isolated segments or ## Cloud Native Zero Trust Architectural Elements -To build a robust ZTA for cloud native environments, we draw inspiration from established frameworks, such as the [US Department of Defence Reference Architecture](https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf), which identifies seven core pillars essential for securing modern systems. +To build a robust ZTA for cloud native environments, we draw inspiration from established frameworks, such as the [US Department of Defense Reference Architecture](https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf), which identifies seven core pillars essential for securing modern systems. In alignment with these pillars, we identify seven key elements of a Cloud Native ZTA. 
@@ -439,7 +439,7 @@ Given the harsh assumption that all systems including all clients and services m Access Control policies under a ZTA must ensure **least privilege access**. This means clients are granted only the minimum permissions necessary to perform their specific role or task—nothing more. Fine-grained authorization applies to individual entities, whether they are human users, machines, or services. For instance, rather than granting access to a broad group of clients or services, Access Control policies should consider the unique identity of each client and the specific resource being requested. -Each client must be authorized not just for the resource they are requesting, but for the specific action they wish to take. For example, an access control policy should define the specific APIs a client is allowed to access, or if the client is merely allowed to read a specific resource type or also to modify resources of this type. This prevents over-permissioning and enforces least-privilege principles. +Each client must be authorized not just for the resource they are requesting, but for the specific action they wish to take. For example, an access control policy should define the specific APIs a client is allowed to access, or if the client is merely allowed to read a specific resource type or also to modify resources of this type. This prevents "over-permissioning" and enforces least-privilege principles. ### Microsegmentation and Service-Level Access Control 
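Review bot: putting quotation marks around over-permissioning in the @@ -439,7 +439,7 @@ hunk changes the prose to dodge the spell checker instead of fixing the cause; add the term to the `words` list of the repository's cspell configuration, or reword to "granting excess permissions", which reads better and needs no dictionary entry. Quoting the term also signals that it is being used loosely, which is not the intent in a sentence about least privilege.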
@@ -497,15 +497,15 @@ Guard’s SBA-SR identifies changes in service requests made by clients, calcula SBA-SR functionalities can also be integrated into Web Application Firewalls (WAFs) that maintain per-service state, capable of analyzing incoming and outgoing traffic to detect threats and ongoing attacks. -Solutions like [Coraza](https://coraza.io) or [Curiefense](https://www.curiefense.io/) offer anomaly scoring for requests, making decisions to block them based on predefined thresholds. These anomaly scores can be developed further to incorporate SBA-SR features, enhancing their effectiveness. +Solutions like [Coraza](https://coraza.io) or [Curiefense](https://www.curiefense.io/) offer anomaly scoring for requests, making decisions to block them based on predefined thresholds. These anomaly scores can be developed further to incorporate SBA-SR features, enhancing their effectiveness. -To ensure all communications in-transit are encrypted, all services should use TLS v1.2 or higher, and all clients must verify the certificates presented by the server. CNCF projects [Istio](https://istio.io/), [Linkerd](https://linkerd.io/), [Dapr](https://dapr.io/), and [Knative](https://knative.dev/) provide robust TLS and certificate management solutions to secure inter-service communication. +To ensure all communications in-transit are encrypted, all services should use TLS v1.2 or higher, and all clients must verify the certificates presented by the server. CNCF projects [Istio](https://istio.io/), [Linkerd](https://linkerd.io/), [Dapr](https://dapr.io/), and [Knative](https://knative.dev/) provide robust TLS and certificate management solutions to secure inter-service communication. ### Verify Service Instances -Profiling the behavior of service instances****and evaluating Confidence Levels can leverage [eBPF](https://ebpf.io/) technology. 
Several CNCF projects use eBPF-based technology in observability, networking, and security ([Falco](https://falco.org/), [Cilium](https://cilium.io/), [Pixie](https://docs.px.dev/), and [KubeArmor](https://kubearmor.io/)). eBPF can be used to synthesize criteria describing standard service instance patterns, which can then evaluate the Confidence Level of running service instances. +Profiling the behavior of service instances****and evaluating Confidence Levels can leverage [eBPF](https://ebpf.io/) technology. Several CNCF projects use eBPF-based technology in observability, networking, and security ([Falco](https://falco.org/), [Cilium](https://cilium.io/), [Pixie](https://docs.px.dev/), and [KubeArmor](https://kubearmor.io/)). eBPF can be used to synthesize criteria describing standard service instance patterns, which can then evaluate the Confidence Level of running service instances. -An Active Observer can also identify changes in the external communication performed by service instances using a network tap, as exemplified by the Knative [Security-Guard](https://knative.dev/docs/serving/app-security/security-guard-about/#security-guard-profile-and-criteria). Regardless of how the Active Observer calculates the Confidence Level of service instances, it should be****integrated with automation to delete suspected compromised service instances. +An Active Observer can also identify changes in the external communication performed by service instances using a network tap, as exemplified by the Knative [Security-Guard](https://knative.dev/docs/serving/app-security/security-guard-about/#security-guard-profile-and-criteria). Regardless of how the Active Observer calculates the Confidence Level of service instances, it should be integrated with automation to delete suspected compromised service instances. 
Another source for determining the Confidence Level of service instances is intelligence information about CVEs included in the service image, obtainable through image scanning before or during service orchestration. @@ -515,7 +515,7 @@ In ZTA, preventing unauthorized system use is crucial for maintaining the securi ### Fine-grained Access Control -Service mesh based solutions such as [Istio](https://istio.io/) and [Linkerd](https://linkerd.io/) offer opportunities to implement a gate in front of every service instance and support fine-grained access policies. Some tools, such as [Dapr](https://dapr.io/), have built-in access control. +Service mesh based solutions such as [Istio](https://istio.io/) and [Linkerd](https://linkerd.io/) offer opportunities to implement a gate in front of every service instance and support fine-grained access policies. Some tools, such as [Dapr](https://dapr.io/), have built-in access control. ### Dynamic Access Control 
@@ -537,7 +537,7 @@ Identity verification is the first step in confirming the client’s identity. V With tokens such as [JSON Web Tokens (JWT)](https://jwt.io), the client obtains a token from a trusted third party, included in service requests to verify identity. As the request with the Identity Token travels across the endpoints, the identity attributes can be easily read by Policy Enforcement Points, allowing them to control access along the way. -CNCF projects related to token-based identity include [Dex](https://dexidp.io/) (an OIDC identity and OAuth 2.0 provider), [Keycloak](https://www.keycloak.org/) (Identity and Access Management), and [SPIFFE and SPIRE](https://spiffe.io/) (a universal identity control plane suitable for managing identities in a multi-cloud environment). +CNCF projects related to token-based identity include [Dex](https://dexidp.io/) (an OIDC identity and OAuth 2.0 provider), [Keycloak](https://www.keycloak.org/) (Identity and Access Management), and [SPIFFE and SPIRE](https://spiffe.io/) (a universal identity control plane suitable for managing identities in a multi-cloud environment). Best practices for JWT Tokens include verifying the signature, expiration, issuer, audience, and scope claims. 
@@ -547,7 +547,7 @@ Identity may alternatively be established by the client presenting a client cert CNCF projects for managing certificates include [cert-manager](https://cert-manager.io/) (cloud native certificate management). -Making mTLS standard for all communications in a cloud cluster is often achieved by deploying a service mesh. CNCF Service mesh projects [Istio](https://istio.io/), [SPIFFE](https://spiffe.io/), and [Linkerd](https://linkerd.io/) offer service-to-service identity verification mTLS. [Dapr](https://dapr.io/) also offers mTLS. +Making mTLS standard for all communications in a cloud cluster is often achieved by deploying a service mesh. CNCF Service mesh projects [Istio](https://istio.io/), [SPIFFE](https://spiffe.io/), and [Linkerd](https://linkerd.io/) offer service-to-service identity verification mTLS. [Dapr](https://dapr.io/) also offers mTLS. ### Active Observer for Client Identities 
@@ -557,7 +557,7 @@ Additional Confidence Level data can be aggregated from all service requests emi # Conclusion -While the philosophy behind Zero Trust has been around for decades, its application in cloud native environments introduces unique challenges and opportunities. Protecting data confidentiality and integrity is a paramount in these dynamic and distributed systems. Every service request and instance must be continuously verified to ensure that only authorized entities gain access to sensitive data. Such verification includes both identity verification and behavioral verification using Security Behaviour Analytics. This approach helps cloud systems cope with threats while assuming cyber breaches are unavoidable. +While the philosophy behind Zero Trust has been around for decades, its application in cloud native environments introduces unique challenges and opportunities. Protecting data confidentiality and integrity is a paramount in these dynamic and distributed systems. Every service request and instance must be continuously verified to ensure that only authorized entities gain access to sensitive data. Such verification includes both identity verification and behavioral verification using Security Behavior Analytics. This approach helps cloud systems cope with threats while assuming cyber breaches are unavoidable. Defining fine-grain access controls becomes critical in this context, allowing for more precise adjustments to who or what can access specific resources. To further enhance security, dynamic access controls based on the Confidence Level of requests should be introduced, adjusting access privileges in real-time according to the trustworthiness of each interaction. @@ -830,7 +830,7 @@ A structured approach to implementing Zero Trust principles, involving the conti ## Contributors (in alphabetical order): - + Aradhna Chetal Asad Faizi David Hadas 
@@ -839,21 +839,23 @@ A structured approach to implementing Zero Trust principles, involving the conti Mariusz Sabath Philip Griffiths Victor Lu + ## Reviewers The successful completion of this technical white paper would not have been possible without the invaluable contributions and insights of our esteemed reviewers. We extend our sincere appreciation to: - + Pushkar Joglekar Nate Waddington Andrés Vega Valerie Silverthorne Yoshiyuki Tabata + ## Acknowledgments We want to thank several contributors from whom we had excellent input and feedback and, as leading practitioners in the field, did much of the work that we write about in this document: - + José Carlos Chávez Matt Flannery Sundar Nadathur @@ -861,6 +863,7 @@ We want to thank several contributors from whom we had excellent input and feedb Matteo Bisi Fabian Kammel Yaron Schneider + For anyone involved in creating this paper, we express our heartfelt gratitude for your time, dedication, and professionalism. Your contributions have undoubtedly elevated the standard of our research, and we are immensely grateful for your collaboration. From 3cb570e1bbd3c57a6b300a2997bd4438ddc55f46 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Tue, 29 Oct 2024 13:19:51 -0400 Subject: [PATCH 04/24] Fix lint and links errors Signed-off-by: Mariusz Sabath --- .../v1/cloud-native-zero-trust-whitepaper.md | 63 ++++++++++--------- 1 file changed, 32 insertions(+), 31 deletions(-) diff --git a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md index 2d6f4e8c3..1a9268fd2 100644 --- a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md +++ b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md @@ -2,7 +2,7 @@ ## **CNCF - TAG Security: Designing Zero Trust Using Cloud Native Platforms** - + 
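Review bot: In the `@@ -497` hunk the new line `+Profiling the behavior of service instances****and evaluating Confidence Levels` still carries the `****` extraction artifact that this same hunk removes further down (`it should be integrated`); drop it here too so the sentence reads "service instances and evaluating". The Coraza and TLS paragraph pairs in this hunk show no visible difference between the `-` and `+` lines, so if they are trailing-whitespace changes only, that is fine, but worth confirming nothing else slipped in.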
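Review bot: The `@@ -537` hunk has no visible change either (likely whitespace), but while touching this line the sentence "Best practices for JWT Tokens include verifying the signature, expiration, issuer, audience, and scope claims" should also mention restricting the accepted signing algorithm to the one the issuer is expected to use and honoring the not-before claim; verifying a signature without pinning the algorithm is a common gap in token validation.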
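Review bot: The `@@ -547` hunk lists SPIFFE among "CNCF Service mesh projects" (`[Istio]`, `[SPIFFE]`, and `[Linkerd]`), but the `@@ -537` hunk in this same patch describes SPIFFE and SPIRE as "a universal identity control plane". SPIFFE is an identity framework rather than a mesh; suggest moving it out of the service mesh list, e.g. "Service mesh projects Istio and Linkerd offer service-to-service mTLS, typically backed by workload identities such as those issued by SPIFFE/SPIRE."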
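Review bot: In the `@@ -557` hunk the `+` line keeps the grammar error "Protecting data confidentiality and integrity is a paramount"; since the line is being rewritten anyway for Behaviour/Behavior, change it to "is paramount".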
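Review bot: In the `@@ -839` hunk (and the Contributors block in `@@ -830`) the names are bare consecutive lines such as `Mariusz Sabath`, `Philip Griffiths`, `Victor Lu`; Markdown joins consecutive lines into one paragraph, so these render as a single run-on line of names. Prefix each name with `- ` so Contributors, Reviewers and Acknowledgments render as lists; the added blank lines before the `##` headings are correct and should stay.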
@@ -24,31 +24,33 @@ Project Lead: Mariusz Sabath, David Hadas ## Table of Contents - [Abstract](#abstract) + 1. [The Philosophy of Zero Trust](#1-the-philosophy-of-zero-trust) - - [Cloud Native Principles of Zero Trust](#) -2. [Approaching Cloud Native Zero Trust Architecture](#) - - [Foundational Terms](#) - - [The Zero Trust Process](#) - - [Cloud Native Zero Trust Architectural Elements](#) - - [New Proposal for Confidence Levels](#) -3. [Cloud Native Zero Trust Architecture Design](#) - - [Peer Identities](#) - - [Secure Communication](#) - - [Behavior Verification](#) - - [Access Control](#) - - [Instance Confidence Automation](#) -4. [Techniques and Best Practices](#) - - [Protect Data Confidentiality and Integrity](#) - - [Prevent Unauthorized System Use](#) + - [Cloud Native Principles of Zero Trust](#cloud-native-principles-of-zero-trust) +2. [Modeling a Cloud Native Zero Trust Architecture](#2-modeling-a-cloud-native-zero-trust-architecture) + - [Foundational Terms](#foundational-terms) + - [The Zero Trust Process](#the-zero-trust-process) + - [Cloud Native Zero Trust Architectural Elements](#cloud-native-zero-trust-architectural-elements) + - [New Proposal for Confidence Levels](#cloud-native-zero-trust-architectural-elements) +3. [Cloud Native Zero Trust Architecture Design](#3-cloud-native-zero-trust-architecture-design) + - [Peer Identities](#peer-identities) + - [Secure Communication](#secure-communication) + - [Behavior Verification](#behavior-verification) + - [Access Control](#access-control) + - [Instance Confidence Automation](#instance-confidence-automation) +4. 
[Techniques and Best Practices](#4-techniques-and-best-practices) + - [Protect Data Confidentiality and Integrity](#protect-data-confidentiality-and-integrity) + - [Prevent Unauthorized System Use](#prevent-unauthorized-system-use) - [Establish Limited Trust](#establish-limited-trust) -* [Conclusion](#conclustion) -* [Appendix](#appendix) - - [Glossary](#glossary) - - [References & Citations](#) - - [Contributors](#contributors) - - [Reviewers](#reviewers) - - [Acknowledgments](#acknowledgments) - - [Helpful Links](#helpful-links) + +- [Conclusion](#conclusion) +- [Appendix](#appendix) + - [Glossary](#glossary) + - [References & Citations](#references--citations) + - [Contributors](#contributors) + - [Reviewers](#reviewers) + - [Acknowledgments](#acknowledgments) + - [Helpful Links](#helpful-links) **Note**: All tools, projects, libraries mentioned in the paper are mentioned as examples when describing a relevant section. Hence, such mention **should not be** taken as an official recommendation by TAG Security or CNCF. Readers should evaluate adoption of such tools, projects or libraries based on their own understanding and threat model of the system under review. @@ -473,7 +475,7 @@ The Cloud Native Zero Trust Architecture (ZTA) design described in the previous ## Protect Data Confidentiality and Integrity -Ensuring the security of Service Requests****is paramount in Zero Trust. Any request from one entity to another must be encrypted, as the network cannot be trusted. +Ensuring the security of Service Requests is paramount in Zero Trust. Any request from one entity to another must be encrypted, as the network cannot be trusted. Additionally, requests must be monitored by an Active Observer utilizing Security Behavior Analytics for Service Requests (SBA-SR) to assess the risk associated with servicing the request through a service instance and to identify compromised client identities from which the request originated. 
@@ -503,7 +505,7 @@ To ensure all communications in-transit are encrypted, all services should use T ### Verify Service Instances -Profiling the behavior of service instances****and evaluating Confidence Levels can leverage [eBPF](https://ebpf.io/) technology. Several CNCF projects use eBPF-based technology in observability, networking, and security ([Falco](https://falco.org/), [Cilium](https://cilium.io/), [Pixie](https://docs.px.dev/), and [KubeArmor](https://kubearmor.io/)). eBPF can be used to synthesize criteria describing standard service instance patterns, which can then evaluate the Confidence Level of running service instances. +Profiling the behavior of service instances and evaluating Confidence Levels can leverage [eBPF](https://ebpf.io/) technology. Several CNCF projects use eBPF-based technology in observability, networking, and security ([Falco](https://falco.org/), [Cilium](https://cilium.io/), [Pixie](https://docs.px.dev/), and [KubeArmor](https://kubearmor.io/)). eBPF can be used to synthesize criteria describing standard service instance patterns, which can then evaluate the Confidence Level of running service instances. An Active Observer can also identify changes in the external communication performed by service instances using a network tap, as exemplified by the Knative [Security-Guard](https://knative.dev/docs/serving/app-security/security-guard-about/#security-guard-profile-and-criteria). Regardless of how the Active Observer calculates the Confidence Level of service instances, it should be integrated with automation to delete suspected compromised service instances. 
@@ -871,7 +873,7 @@ Thank you for being an integral part of this endeavor! ## Helpful Links -- Internet Crime Complaint Center (IC3) Annual report: [https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf](https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf) +- Internet Crime Complaint Center (IC3) Annual report: [https://www.ic3.gov/AnnualReport/Reports/2022_IC3Report.pdf](https://www.ic3.gov/AnnualReport/Reports/2022_IC3Report.pdf) - President Biden’s Zero Trust Mandate: [https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf) - NIST SP 800-190, Application Container Security Guide: [https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-190.pdf](https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-190.pdf) - NIST SP 800-63, Digital Identity Guidelines, [https://pages.nist.gov/800-63-3/](https://pages.nist.gov/800-63-3/) 
@@ -882,11 +884,10 @@ Thank you for being an integral part of this endeavor! - DoD Enterprise DevSecOps Reference Design: [https://dodcio.defense.gov/Portals/0/Documents/DoD%20Enterprise%20DevSecOps%20Reference%20Design%20v1.0_Public%20Release.pdf](https://dodcio.defense.gov/Portals/0/Documents/DoD%20Enterprise%20DevSecOps%20Reference%20Design%20v1.0_Public%20Release.pdf) - Dorothy Denning- A New Paradigm for Trusted Systems, 1993: [https://dl.acm.org/doi/pdf/10.1145/283751.283772](https://dl.acm.org/doi/pdf/10.1145/283751.283772) - *A Zero Trust Architecture Model for Access Control in Cloud Native Applications in Multi-Location Environments*: [https://csrc.nist.gov/publications/detail/sp/800-207a/draft](https://csrc.nist.gov/publications/detail/sp/800-207a/draft) -- Identity and Access Management section of tag-security whitepaper: [https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md#access](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md#access) +- Identity and Access Management section of tag-security whitepaper: [https://github.com/cncf/tag-security/blob/main/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper.md#access](https://github.com/cncf/tag-security/blob/main/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper.md#access) - Help implementing zero trust architecture (UK): [https://www.ncsc.gov.uk/collection/zero-trust-architecture/implementing-zta](https://www.ncsc.gov.uk/collection/zero-trust-architecture/implementing-zta) -- Zero Trust Thought Paper (Canada): 
[https://www2.gov.bc.ca/assets/gov/british-columbians-our-governments/services-policies-for-government/information-management-technology/information-security/information-security-awareness/zero_trust_thought_paper.pdf](https://www2.gov.bc.ca/assets/gov/british-columbians-our-governments/services-policies-for-government/information-management-technology/information-security/information-security-awareness/zero_trust_thought_paper.pdf) -- Essential Eight Maturity Model (Australia): [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model) +- Zero Trust Security Model (Canada): [https://www.cyber.gc.ca/en/guidance/zero-trust-security-model-itsap10008](https://www.cyber.gc.ca/en/guidance/zero-trust-security-model-itsap10008) +- Essential Eight Maturity Model (Australia): [https://www.cyber.gov.au/sites/default/files/2023-11/PROTECT%20-%20Essential%20Eight%20Maturity%20Model%20%28November%202023%29.pdf](https://www.cyber.gov.au/sites/default/files/2023-11/PROTECT%20-%20Essential%20Eight%20Maturity%20Model%20%28November%202023%29.pdf) - Cybersecurity Policies (Europe): [https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-policies](https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-policies) - Success Story: Israel National Cyber Directorate Version 2.0 | NIST: [https://www.nist.gov/cyberframework/success-stories/israel-national-cyber-directorate-version-20](https://www.nist.gov/cyberframework/success-stories/israel-national-cyber-directorate-version-20) - Government Zero Trust Architecture (GovZTA) | Singapore Government Developer Portal (tech.gov.sg): 
[https://www.developer.tech.gov.sg/guidelines/standards-and-best-practices/government-zero-trust-architecture](https://www.developer.tech.gov.sg/guidelines/standards-and-best-practices/government-zero-trust-architecture) -- 2022-2023 Best Undergraduate Cybersecurity Programs - US News Rankings: [https://www.usnews.com/best-colleges/rankings/computer-science/cybersecurity](https://www.usnews.com/best-colleges/rankings/computer-science/cybersecurity) From b8a31bd4b7e53c5dab770a9bc52ba70b9fd5cd2b Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Tue, 29 Oct 2024 16:12:24 -0400 Subject: [PATCH 05/24] Fix more lint and links errors Signed-off-by: Mariusz Sabath --- .../v1/cloud-native-zero-trust-whitepaper.md | 97 ++++++++++++------- 1 file changed, 63 insertions(+), 34 deletions(-) diff --git a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md index 1a9268fd2..f980c4446 100644 --- a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md +++ b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md @@ -2,8 +2,8 @@ ## **CNCF - TAG Security: Designing Zero Trust Using Cloud Native Platforms** - - + + TAG Security issue: [https://github.com/cncf/tag-security/issues/950](https://github.com/cncf/tag-security/issues/950) @@ -46,7 +46,7 @@ Project Lead: Mariusz Sabath, David Hadas - [Conclusion](#conclusion) - [Appendix](#appendix) - [Glossary](#glossary) - - [References & Citations](#references--citations) + - [References and Citations](#references-and-citations) - [Contributors](#contributors) - [Reviewers](#reviewers) - [Acknowledgments](#acknowledgments) 
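Review bot: In the `@@ -24` hunk the entry `- [New Proposal for Confidence Levels](#cloud-native-zero-trust-architectural-elements)` points at the previous section's anchor (looks like a copy of the line above); it should be `#new-proposal-for-confidence-levels` to match the heading. The `#conclustion` to `#conclusion` fix and the numbered section anchors otherwise look right.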
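Review bot: The `@@ -882` hunk changes references rather than only fixing links: the BC "Zero Trust Thought Paper (Canada)" is replaced by a different document, "Zero Trust Security Model (Canada)" at cyber.gc.ca, and the "2022-2023 Best Undergraduate Cybersecurity Programs" entry is dropped outright. The commit message "Fix lint and links errors" does not mention either substitution or removal; either state these as deliberate reference changes in the message or keep the original BC paper with a corrected URL if one is available.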
@@ -70,11 +70,14 @@ By incorporating the concepts of Confidence Levels and Active Observers, a cloud # 1. The Philosophy of Zero Trust -The concept of Zero Trust has undergone significant evolution, transitioning from a philosophical notion to a foundational cybersecurity model. The term "Zero Trust" was first coined by [Stephen Paul Marsh in his 1994 doctoral thesis at the University of Stirling](https://www.cs.stir.ac.uk/~kjt/techreps/pdf/TR133.pdf). In this work, titled "Formalizing Trust as a Computational Concept," Marsh introduced the idea that trust could be mathematically quantified, separate from human moral and ethical considerations. This theoretical framework established the groundwork for what would later become known as the Zero Trust philosophy. +The concept of Zero Trust has undergone significant evolution, transitioning from a philosophical notion to a foundational cybersecurity model. The term "Zero Trust" was first coined by [Stephen Paul Marsh in his 1994 doctoral thesis at the University of Stirling](https://www.cs.stir.ac.uk/~kjt/techreps/pdf/TR133.pdf). +In this work, titled "Formalizing Trust as a Computational Concept," Marsh introduced the idea that trust could be mathematically quantified, separate from human moral and ethical considerations. This theoretical framework established the groundwork for what would later become known as the Zero Trust philosophy. -The practical application of Zero Trust coalesced in 2010 when John Kindervag, an analyst at Forrester Research, introduced a model that operationalized these principles. In his paper, ["No More Chewy Centers: Introducing the Zero Trust Model of Information Security,"](https://media.paloaltonetworks.com/documents/Forrester-No-More-Chewy-Centers.pdf) Kindervag proposed a security architecture where trust is never assumed and must be continually verified. 
This model, which segmented networks into zones with varying levels of trust, aimed to eliminate the vulnerabilities of traditional perimeter-based security systems, where internal networks were often overly trusted. +The practical application of Zero Trust coalesced in 2010 when John Kindervag, an analyst at Forrester Research, introduced a model that operationalized these principles. In his paper, ["No More Chewy Centers: Introducing the Zero Trust Model of Information Security,"](https://media.paloaltonetworks.com/documents/Forrester-No-More-Chewy-Centers.pdf) Kindervag proposed a security architecture where trust is never assumed and must be continually verified. +This model, which segmented networks into zones with varying levels of trust, aimed to eliminate the vulnerabilities of traditional perimeter-based security systems, where internal networks were often overly trusted. -The implementation of Zero Trust principles was notably advanced by [Google's BeyondCorp initiative in 2009](https://www.beyondcorp.com/#:~:text=The%20BeyondCorp%20Story,and%20devices%20access%20internal%20applications.). BeyondCorp shifted security focus from the perimeter to individual users and devices, emphasizing continuous verification and least-privilege access. This approach was driven by the need to address sophisticated threats, as demonstrated by incidents like [Operation Aurora](https://en.wikipedia.org/wiki/Operation_Aurora) and the [MUSCULAR joint surveillance program](https://en.wikipedia.org/wiki/MUSCULAR) operated by the NSA and GCHQ against the internal networks of Google and Yahoo. +The implementation of Zero Trust principles was notably advanced by [Google's BeyondCorp initiative in 2009](https://www.beyondcorp.com/#:~:text=The%20BeyondCorp%20Story,and%20devices%20access%20internal%20applications.). BeyondCorp shifted security focus from the perimeter to individual users and devices, emphasizing continuous verification and least-privilege access. 
+This approach was driven by the need to address sophisticated threats, as demonstrated by incidents like [Operation Aurora](https://en.wikipedia.org/wiki/Operation_Aurora) and the [MUSCULAR joint surveillance program](https://en.wikipedia.org/wiki/MUSCULAR) operated by the NSA and GCHQ against the internal networks of Google and Yahoo. The proliferation of open-source projects such as Istio, Knative, SPIFFE, and OpenFGA has also played a crucial role in advancing Zero Trust. These projects provide robust frameworks for identity management, policy enforcement, Security Behavior Analytics, and secure communication within cloud native environments. 
@@ -94,7 +97,8 @@ To follow the tenet of *Assume a Breach*, organizations must operate as if their The tenet of Always Verify emphasizes the necessity of continuous authentication, authorization, and monitoring for every interaction within the system, regardless of its origin. This tenet rejects the notion of implicit trust, instead insisting on rigorous verification of all entities — users and services, internal and external. In practice, this involves the actions of eliminating implicit trust, minimizing explicit trust, and monitoring behavior to verify trustworthiness. -The following table summarizes the Cloud Native principles of Zero Trust as detailed in the remainder of this chapter. The evidence for the principles below is discussed in **[NIST SP 800-207](https://csrc.nist.gov/pubs/sp/800/207/final)** chapter 2 *“Zero trust Basics”* with further details in chapter 3 “*Logical Components of Zero Trust Architecture*”*.* While the NIST paper discusses all kinds of systems, in generic terms such as assets and resources, here we focus solely on Cloud Native systems with a higher level of nuance. +The following table summarizes the Cloud Native principles of Zero Trust as detailed in the remainder of this chapter. +The evidence for the principles below is discussed in **[NIST SP 800-207](https://csrc.nist.gov/pubs/sp/800/207/final)** chapter 2 *“Zero trust Basics”* with further details in chapter 3 “*Logical Components of Zero Trust Architecture*”*.* While the NIST paper discusses all kinds of systems, in generic terms such as assets and resources, here we focus solely on Cloud Native systems with a higher level of nuance. 
@@ -203,7 +207,8 @@ Organizations must recognize that all cloud native images inherently contain vul Organizations must acknowledge that all deployed services are inherently vulnerable. This assumption should guide the planning and implementation of security measures. Any service deployed within a cloud native environment should be presumed to operate based on a vulnerable image and/or vulnerable configuration and to expose vulnerabilities through its service API. -It is common for organizations to become aware of vulnerabilities when Common Vulnerabilities and Exposures (CVEs) related to their services are published. However, this awareness often comes after a period during which the services were susceptible to attack. The absence of a known vulnerability does not equate to security; vulnerabilities may exist that have yet to be discovered or disclosed. CVEs are typically published following the detection and reporting by white hat security researchers, but malicious actors may exploit these vulnerabilities long before they are publicly known. +It is common for organizations to become aware of vulnerabilities when Common Vulnerabilities and Exposures (CVEs) related to their services are published. However, this awareness often comes after a period during which the services were susceptible to attack. +The absence of a known vulnerability does not equate to security; vulnerabilities may exist that have yet to be discovered or disclosed. CVEs are typically published following the detection and reporting by white hat security researchers, but malicious actors may exploit these vulnerabilities long before they are publicly known. ### 3. Every Service Will be Exploited 
@@ -245,7 +250,8 @@ Organizations should promptly identify and mitigate misused service instances Organizations must operate under the assumption that even clients providing credible credentials may exhibit malicious behavior, such as when an offender has stolen client credentials. Furthermore, organizations should consider that a client with a history of good behavior might attempt to compromise the system in future requests. An attacker might leverage a legitimate user’s credentials or embed malicious code within a legitimate machine to send service requests. -Therefore, it is crucial to always assume that any request made to a service API could potentially contain an exploit. Requests should be regarded as potential vectors for exploiting vulnerabilities within the service API. Relying on the implied trustworthiness of requests from authenticated senders is insufficient. Instead, a dynamic, per-request evaluation process must be employed. Each request should be meticulously assessed and assigned an appropriate Confidence Level, based on its potential to be an exploit. This continuous scrutiny ensures that organizations can effectively mitigate risks associated with seemingly legitimate but potentially harmful requests. +Therefore, it is crucial to always assume that any request made to a service API could potentially contain an exploit. Requests should be regarded as potential vectors for exploiting vulnerabilities within the service API. Relying on the implied trustworthiness of requests from authenticated senders is insufficient. Instead, a dynamic, per-request evaluation process must be employed. +Each request should be meticulously assessed and assigned an appropriate Confidence Level, based on its potential to be an exploit. This continuous scrutiny ensures that organizations can effectively mitigate risks associated with seemingly legitimate but potentially harmful requests. This principle is discussed in NIST 800-207 Section 3.3: “Trust Algorithms.” 
@@ -259,7 +265,8 @@ This evaluation should consider the client's past behavior, including both its n Despite being discussed for twice as long as the concept of Zero Trust, the enforcement of least privilege remains an area of significant vulnerability in many systems. Organizations must implement dynamic and fine-grained access control to ensure that verified identities are only permitted to perform operations that align with their role and trustworthiness. -Access to services should be evaluated and granted on a per-request basis, taking into account various parameters to make informed access decisions. These parameters include assessing whether the requested operation is appropriate for the identity in question, evaluating the Confidence Level of the sender's true identity, determining the likelihood that the request is not an exploit, and considering the overall context of the request. This context might include factors such as whether the sender is expected to make requests at that particular time of day, from a specific IP range, or in a certain sequence. +Access to services should be evaluated and granted on a per-request basis, taking into account various parameters to make informed access decisions. These parameters include assessing whether the requested operation is appropriate for the identity in question, evaluating the Confidence Level of the sender's true identity, determining the likelihood that the request is not an exploit, and considering the overall context of the request. +This context might include factors such as whether the sender is expected to make requests at that particular time of day, from a specific IP range, or in a certain sequence. # 2. Modeling a Cloud Native Zero Trust Architecture 
@@ -273,7 +280,8 @@ Before we go deeper, we must first establish some key terms: Confidence Levels, As discussed in [NIST SP 800-207 Chapter 2: “Zero Trust Basics”](https://csrc.nist.gov/pubs/sp/800/207/final), a **Confidence Level** refers to the dynamically calculated level of trust, based on the assessment of a subject and its context. At the end of this chapter, we will discuss an opportunity to enhance the use of Confidence Levels across the cybersecurity ecosystem. -**Security Behavior Analytics (SBA)** refers to the field of Machine Learning and associated data analytics technologies that analyze entity behavior to inform security and confidence decisions. SBA compares an entity's security-related behavior to its norm or other predefined known criteria. The entity’s standard behavior is first examined through security glasses, and the behavior exposed is recorded. Once standard behavior is recorded, *Confidence Levels* can be deducted by evaluating the changes in the security-related behavior of the entity. SBA is a superset of traditional data analytics such as User-Entity Behavior Analytics (UEBA). +**Security Behavior Analytics (SBA)** refers to the field of Machine Learning and associated data analytics technologies that analyze entity behavior to inform security and confidence decisions. SBA compares an entity's security-related behavior to its norm or other predefined known criteria. The entity’s standard behavior is first examined through security glasses, and the behavior exposed is recorded. +Once standard behavior is recorded, *Confidence Levels* can be deducted by evaluating the changes in the security-related behavior of the entity. SBA is a superset of traditional data analytics such as User-Entity Behavior Analytics (UEBA). 
According to [NIST SP 800-207](https://csrc.nist.gov/pubs/sp/800/207/final), the policy decision/enforcement point “passes proper judgment to allow the subject to access the resource.” In this paper we name this essential functionality “Active Observer” while discussing its use and implementation. An **Active Observer** is a process that continuously monitors factors which influence an entity's Confidence Level within the system by collecting comprehensive Security Behavior Analytics. 
@@ -299,11 +307,13 @@ Continuous analysis of clients, client requests, and services should compare act ### Step 3: Control -Restricting access to resources based on client identity, client behavior, request behavior, device posture, and other contextual factors is essential for maintaining security. Specific controls and checks should be applied in front of every service, governing each action of every client. This includes avoiding long sessions based on previous credential validations to limit the impact of potential compromises. +Restricting access to resources based on client identity, client behavior, request behavior, device posture, and other contextual factors is essential for maintaining security. Specific controls and checks should be applied in front of every service, governing each action of every client. +This includes avoiding long sessions based on previous credential validations to limit the impact of potential compromises. The principle of least privilege must be strictly enforced, ensuring that clients have access only to the minimal resources necessary for their tasks. Unnecessary access should be eliminated, even if the associated risk is perceived as low. -Zero Trust advocates for network segmentation into smaller, isolated segments or microsegments. Each service should be treated as a microsegment, with dedicated access controls to contain breaches and limit lateral movement within the network. By dividing the network into small segments, each containing a single microservice, more granular access controls can be applied, thereby reducing the attack surface. This approach prevents lateral movement between microservices, as each microservice operates with its own access control and is safeguarded from neighboring services. +Zero Trust advocates for network segmentation into smaller, isolated segments or microsegments. 
Each service should be treated as a microsegment, with dedicated access controls to contain breaches and limit lateral movement within the network. By dividing the network into small segments, each containing a single microservice, more granular access controls can be applied, thereby reducing the attack surface. +This approach prevents lateral movement between microservices, as each microservice operates with its own access control and is safeguarded from neighboring services. ## Cloud Native Zero Trust Architectural Elements 
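Review bot: terminology is inconsistent between this hunk and the later "Prevent Unauthorized System Use" and "Micro-Segmentation" sections: here the text uses "microsegments" and "microsegment", there it uses "micro-segmentation". Pick one spelling (the heading uses the hyphenated form) and apply it in the lines this patch already touches, e.g. "network segmentation into smaller, isolated segments or micro-segments."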
@@ -377,19 +387,24 @@ After identities are assigned to all clients and services, the next step is to e ## Secure Communication -Zero Trust operates under the assumption that offenders may already have control over the cloud network. Therefore, a Zero Trust Architecture (ZTA) must ensure data confidentiality for communication between microservices, or between microservices and external entities. As discussed below, to achieve data confidentiality, we must verify the identity of every service and encrypt all communications. However, a ZTA requires not only data confidentiality, but also fine grained access control as well as behavior monitoring. To achieve either, we are also required to verify the identity of every client. +Zero Trust operates under the assumption that offenders may already have control over the cloud network. Therefore, a Zero Trust Architecture (ZTA) must ensure data confidentiality for communication between microservices, or between microservices and external entities. As discussed below, to achieve data confidentiality, we must verify the identity of every service and encrypt all communications. +However, a ZTA requires not only data confidentiality, but also fine grained access control as well as behavior monitoring. To achieve either, we are also required to verify the identity of every client. ### Data Confidentiality -Every Cloud Native request, whether initiated by an internal microservice or an external client, must be performed using Transport Layer Security (TLS) to encrypt the channel. This guarantees that even if an offender intercepts the data between the client and server from the internal network, it will not gain access to the request and response data. However, to encrypt the data, the client and server must first agree on encryption keys. An offender may redirect the client traffic to a fake server and gain access to the pre-agreed upon encryption keys. 
+Every Cloud Native request, whether initiated by an internal microservice or an external client, must be performed using Transport Layer Security (TLS) to encrypt the channel. This guarantees that even if an offender intercepts the data between the client and server from the internal network, it will not gain access to the request and response data. +However, to encrypt the data, the client and server must first agree on encryption keys. An offender may redirect the client traffic to a fake server and gain access to the pre-agreed upon encryption keys. -Such an attack can be part of a full fledged man-in-the-middle attack or may be used to obtain the Request data without involving the true server. To protect against offenders introducing fake servers, the client must first verify the identity of the service before sending the Request. Therefore, the microservice or external service must present a **certificate** signed by an entity that the client trusts apriori. Clients should only send requests to a service after verifying the authenticity of the certificate and verifying that the certificate was indeed provided to the identity of the service being approached. +Such an attack can be part of a full fledged man-in-the-middle attack or may be used to obtain the Request data without involving the true server. To protect against offenders introducing fake servers, the client must first verify the identity of the service before sending the Request. +Therefore, the microservice or external service must present a **certificate** signed by an entity that the client trusts apriori. Clients should only send requests to a service after verifying the authenticity of the certificate and verifying that the certificate was indeed provided to the identity of the service being approached. 
-Combining service certificate verification with encryption suffice for achieving data confidentiality, protecting against data leakage in a cloud native environment under the control of potential offenders. However, a Zero Trust Architecture requires more than data confidentiality. It requires fine grained access controls, allowing each client to access only the subset of services as may be needed. It also requires monitoring the behavior of each client. We are therefore required to also verify the identity of every internal or external client. +Combining service certificate verification with encryption suffice for achieving data confidentiality, protecting against data leakage in a cloud native environment under the control of potential offenders. However, a Zero Trust Architecture requires more than data confidentiality. +It requires fine grained access controls, allowing each client to access only the subset of services as may be needed. It also requires monitoring the behavior of each client. We are therefore required to also verify the identity of every internal or external client. ### Client Credentials -Clients, whether embedded in a microservice or any external systems, must present credentials that are verified by the receiving service. This can be done through tokens—such as JWT (JSON Web Tokens)—or by presenting client certificates that are verified by service instances using mutual Transport Layer Security (mTLS). Note that verifying the identity of clients or servers only ensures that the peer has the necessary client credentials and is not indicative of whether the peer is offensive or benign. +Clients, whether embedded in a microservice or any external systems, must present credentials that are verified by the receiving service. This can be done through tokens—such as JWT (JSON Web Tokens)—or by presenting client certificates that are verified by service instances using mutual Transport Layer Security (mTLS). 
+Note that verifying the identity of clients or servers only ensures that the peer has the necessary client credentials and is not indicative of whether the peer is offensive or benign. As will be discussed further in the following sections, once a client identity is verified, active observers should evaluate the confidence level of the specific client request behavior and the confidence level of the overall accumulative client behavior. The client identity and the respective confidence levels then need to be considered as part of Access Control to check whether the identity in question with the confidence levels in question, should be allowed. 
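Review bot: two grammar defects survive the reflow in the Data Confidentiality paragraphs and should be fixed in the same touch: "Combining service certificate verification with encryption suffice for achieving" needs "suffices", and "an entity that the client trusts apriori" should read "trusts a priori". The capitalised "Request" in "before sending the Request" is also inconsistent with the lowercase "request" used elsewhere in the section.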
@@ -419,17 +434,20 @@ See Security Behavior Analytics for Service Instances (SBA-SI) in image 6. \ ### Input from Continuous Monitoring and Logging -To enable effective behavior verification, **continuous monitoring and logging** are essential. By collecting and analyzing logs in real-time, organizations can detect unusual activities and trigger alerts for potential security incidents. These logs provide valuable input to Active Observers, enabling them to detect compromised clients or service instances. It also allows them to observe deviations from normal patterns that may indicate exploitation. +To enable effective behavior verification, **continuous monitoring and logging** are essential. By collecting and analyzing logs in real-time, organizations can detect unusual activities and trigger alerts for potential security incidents. +These logs provide valuable input to Active Observers, enabling them to detect compromised clients or service instances. It also allows them to observe deviations from normal patterns that may indicate exploitation. ### Security Behavior Analytics for Service Requests (SBA-SR) -A common attack vector on services involves manipulating requests sent to service APIs. Such an attack may include reconnaissance - surveying the service to identify potential weaknesses, or it may include an actual attempt to exploit the service either through known or unknown vulnerabilities. Security Behavior Analytics for Service Requests (SBA-SR) is designed to detect irregularities in the communications between clients and services. SBA-SR distinguishes between benign requests and those that are potentially malicious. It analyzes request patterns to identify deviations from expected behavior which may signal dubious intentions by the sender. It consequently assigns a Confidence Level to each request. +A common attack vector on services involves manipulating requests sent to service APIs. 
Such an attack may include reconnaissance - surveying the service to identify potential weaknesses, or it may include an actual attempt to exploit the service either through known or unknown vulnerabilities. Security Behavior Analytics for Service Requests (SBA-SR) is designed to detect irregularities in the communications between clients and services. +SBA-SR distinguishes between benign requests and those that are potentially malicious. It analyzes request patterns to identify deviations from expected behavior which may signal dubious intentions by the sender. It consequently assigns a Confidence Level to each request. Requests flagged as suspicious should be handled by **Access Control** mechanisms (discussed later), ensuring that any potential threats are mitigated before they can exploit vulnerabilities or offer the offender more information to further the attack. ### Security Behavior Analytics for Service Instances (SBA-SI) -Cloud Native often uses horizontal scaling such that every microservice is offered from a set of interchangeable Pods, each offering the service and each sharing the overall service load. Each pod is therefore an instance of the same service. A service instance may be compromised in advance and include malware that is triggered by some event or by the passage of time after the deployment. A service instance may also include a backdoor or may be ill configured or otherwise vulnerable allowing an offender to run malware as part of the service instance following some sequence of events. An exploited service may therefore include one or more exploited instances, while others instances may continue to behave as expected. Monitoring the behavior of instances is key to identify occurrences where an instance is being exploited. +Cloud Native often uses horizontal scaling such that every microservice is offered from a set of interchangeable Pods, each offering the service and each sharing the overall service load. 
Each pod is therefore an instance of the same service. A service instance may be compromised in advance and include malware that is triggered by some event or by the passage of time after the deployment. +A service instance may also include a backdoor or may be ill configured or otherwise vulnerable allowing an offender to run malware as part of the service instance following some sequence of events. An exploited service may therefore include one or more exploited instances, while others instances may continue to behave as expected. Monitoring the behavior of instances is key to identify occurrences where an instance is being exploited. SBA-SI monitors service instance behavior to detect irregularities indicating that a given instance is compromised, by discerning normal service behavior from malicious activity. When suspicious irregular behavior is detected, the Confidence Level of the service instance is adjusted. As discussed below, an **Instance Confidence Automation** should monitor service instance Confidence Levels to facilitate automated response, when a service instance is suspected as being exploited. 
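Review bot: agreement errors are carried over unchanged in the reflowed monitoring and SBA-SI paragraphs: "These logs provide valuable input to Active Observers ... It also allows them" should be "They also allow them", "while others instances may continue" should be "other instances", and "key to identify occurrences" reads better as "key to identifying occurrences". Since these lines are already being rewritten for length, fixing them here avoids a follow-up lint-only patch.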
@@ -455,17 +473,22 @@ While implementing a ZTA under Cloud Native, we introduce a segment per microser Unlike traditional perimeter-based models, where trust is typically established once, followed by a stream of service-requests sent by the client, Zero Trust requires that every single request is evaluated independently **in real-time**, regardless of whether the client was previously verified. This allows access control decisions to factor the updated Confidence Levels calculated by **Active Observers**, as well as other per request attributes. -The access control decision, taken per request, considers not only the updated accumulated client confidence level, but also the request specific confidence level. As indicated earlier, the access control decision is also based on the specific action being made by the client, as part of the request. Additionally, the decision takes into account other contextual attributes of the request such as the time of day, day of week, source IP, etc.. +The access control decision, taken per request, considers not only the updated accumulated client confidence level, but also the request specific confidence level. As indicated earlier, the access control decision is also based on the specific action being made by the client, as part of the request. +Additionally, the decision takes into account other contextual attributes of the request such as the time of day, day of week, source IP, etc.. -For example, even if a client’s credentials are valid, its access may be restricted if recent behavior suggests a potential compromise, or if its current request is suspected as being an exploitation or reconnaissance attempt, or if it is made from a peculiar source or at a peculiar time, or if the service being approached is considered potentially compromised, or any combination of the above raised to the level justifying to block the request from this specific client to this specific service, given the action requested. 
All as defined by the service access control policy for this client identity. +For example, even if a client’s credentials are valid, its access may be restricted if recent behavior suggests a potential compromise, or if its current request is suspected as being an exploitation or reconnaissance attempt, or if it is made from a peculiar source or at a peculiar time, or if the service being approached is considered potentially compromised +or any combination of the above raised to the level justifying to block the request from this specific client to this specific service, given the action requested. All as defined by the service access control policy for this client identity. -Secure Communication as described earlier, protects the Cloud Native system against offenders controlling the internal system network. The addition of Access Control utilizing Behavior Verification, further protects the system from offenders controlling legitimate clients or using legitimate client credentials to send traffic on behalf of some client identity. The next step is to utilize Behavior Verification to also consider the case of offenders controlling the service instances. +Secure Communication as described earlier, protects the Cloud Native system against offenders controlling the internal system network. The addition of Access Control utilizing Behavior Verification, further protects the system from offenders controlling legitimate clients or using legitimate client credentials to send traffic on behalf of some client identity. +The next step is to utilize Behavior Verification to also consider the case of offenders controlling the service instances. ## Instance Confidence Automation -A foundational tenet of Zero Trust is that all services may be breached. Offenders may have different incentives to breach a service. 
For example to gather information about requests made to the service or the responses provided; Or to use the service to access data sources that the service has access to; Or to perform lateral movement and breach other target services; Or to use the service as a jumping stone in a covert, potentially distributed attack on other systems; Or even to mine cryptocurrency. In all such cases, a quick and immediate response of shutting down or limiting the breached service, can help curb the attack and prevent further damage. +A foundational tenet of Zero Trust is that all services may be breached. Offenders may have different incentives to breach a service. For example to gather information about requests made to the service or the responses provided; Or to use the service to access data sources that the service has access to; Or to perform lateral movement and breach other target services; +Or to use the service as a jumping stone in a covert, potentially distributed attack on other systems; Or even to mine cryptocurrency. In all such cases, a quick and immediate response of shutting down or limiting the breached service, can help curb the attack and prevent further damage. -We therefore need to introduce Instance Confidence Automation as part of the ZTA. Instance Confidence Automation leverages the continuously updated Confidence Levels provided by Service Instance Active Observers. When the Confidence Level of a Service Instance falls below a certain threshold—indicating potential compromise—automated systems can immediately take corrective actions, for example by shutting down compromised service instances. Under Cloud Native, if an instance is deemed compromised, automation can trigger the deletion of the compromised instance, replacing it with a clean, well-behaving instance. Note that when replacing compromised instances, automation tools must also consider the overall availability of the service. 
+We therefore need to introduce Instance Confidence Automation as part of the ZTA. Instance Confidence Automation leverages the continuously updated Confidence Levels provided by Service Instance Active Observers. When the Confidence Level of a Service Instance falls below a certain threshold—indicating potential compromise—automated systems can immediately take corrective actions, for example by shutting down compromised service instances. +Under Cloud Native, if an instance is deemed compromised, automation can trigger the deletion of the compromised instance, replacing it with a clean, well-behaving instance. Note that when replacing compromised instances, automation tools must also consider the overall availability of the service. The combined introduction of Peer Identities, Secure Communication, Behavior Verification, Access Control and Instance Confidence Automation, allows us to construct a cohesive, practical design for a Cloud Native ZTA and concludes the primary contribution of this paper. Next we collected techniques of best practices that can be helpful for implementing the Cloud Native ZTA design discussed above. 
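Review bot: the reflow of the "For example, even if a client's credentials are valid" sentence drops the comma that closed the list item: the removed line reads "is considered potentially compromised, or any combination of the above" but the added pair reads "is considered potentially compromised" followed by "+or any combination of the above", so the rendered sentence loses its separator. Restore the trailing comma on the first added line; while here, also replace the doubled period in "source IP, etc.." with a single one and consider "stepping stone" for "jumping stone".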
@@ -495,7 +518,8 @@ Ensuring the security of service requests is a critical aspect of ZTA. An essent Guard can be deployed independently from Knative in various cloud native orchestration systems, including vanilla Kubernetes, where it will use machine-learning-based criteria synthesis to identify standard patterns used by service clients. Additionally, Guard supports the setting of manual criteria to enhance its flexibility. -Guard’s SBA-SR identifies changes in service requests made by clients, calculates a Confidence Level for these requests, and integrates with Access Control to remove any requests suspected of being exploits. It also allows for the detection of unknown exploits targeting unknown vulnerabilities without relying on signatures, thus providing a layer of protection that preempts the usual race between the identification of CVEs, exploits, and the release of patches. +Guard’s SBA-SR identifies changes in service requests made by clients, calculates a Confidence Level for these requests, and integrates with Access Control to remove any requests suspected of being exploits. +It also allows for the detection of unknown exploits targeting unknown vulnerabilities without relying on signatures, thus providing a layer of protection that preempts the usual race between the identification of CVEs, exploits, and the release of patches. SBA-SR functionalities can also be integrated into Web Application Firewalls (WAFs) that maintain per-service state, capable of analyzing incoming and outgoing traffic to detect threats and ongoing attacks. 
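Review bot: the claim split onto the second added line, "It also allows for the detection of unknown exploits targeting unknown vulnerabilities without relying on signatures", overstates what anomaly-based criteria can guarantee; a deviation from learned request patterns may indicate an unknown exploit but does not ensure its detection. Suggest "It can also help detect unknown exploits ... without relying on signatures", and replace the dangling "It" with "Guard's SBA-SR" so the subject is unambiguous after the line break.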
@@ -505,7 +529,8 @@ To ensure all communications in-transit are encrypted, all services should use T ### Verify Service Instances -Profiling the behavior of service instances and evaluating Confidence Levels can leverage [eBPF](https://ebpf.io/) technology. Several CNCF projects use eBPF-based technology in observability, networking, and security ([Falco](https://falco.org/), [Cilium](https://cilium.io/), [Pixie](https://docs.px.dev/), and [KubeArmor](https://kubearmor.io/)). eBPF can be used to synthesize criteria describing standard service instance patterns, which can then evaluate the Confidence Level of running service instances. +Profiling the behavior of service instances and evaluating Confidence Levels can leverage [eBPF](https://ebpf.io/) technology. Several CNCF projects use eBPF-based technology in observability, networking, and security ([Falco](https://falco.org/), +[Cilium](https://cilium.io/), [Pixie](https://docs.px.dev/), and [KubeArmor](https://kubearmor.io/)). eBPF can be used to synthesize criteria describing standard service instance patterns, which can then evaluate the Confidence Level of running service instances. An Active Observer can also identify changes in the external communication performed by service instances using a network tap, as exemplified by the Knative [Security-Guard](https://knative.dev/docs/serving/app-security/security-guard-about/#security-guard-profile-and-criteria). Regardless of how the Active Observer calculates the Confidence Level of service instances, it should be integrated with automation to delete suspected compromised service instances. 
@@ -513,7 +538,8 @@ Another source for determining the Confidence Level of service instances is inte ## Prevent Unauthorized System Use -In ZTA, preventing unauthorized system use is crucial for maintaining the security and integrity of the network. This objective is achieved through techniques such as micro-segmentation and fine-grained access control, which are essential for limiting the reach and impact of potential attackers. By applying these methods, organizations can reduce the likelihood of a breach, and ensure that even if one segment is compromised, the attacker’s movement within the network is restricted, thus protecting the overall system. +In ZTA, preventing unauthorized system use is crucial for maintaining the security and integrity of the network. This objective is achieved through techniques such as micro-segmentation and fine-grained access control, which are essential for limiting the reach and impact of potential attackers. +By applying these methods, organizations can reduce the likelihood of a breach, and ensure that even if one segment is compromised, the attacker’s movement within the network is restricted, thus protecting the overall system. ### Fine-grained Access Control 
@@ -525,13 +551,15 @@ This type of Access Control can be configured to block service requests based on ### Micro-Segmentation -Micro-segmentation allows for the division of a network into smaller, isolated segments. Access control gates must be implemented within the cloud cluster network, ideally in front of every service or service instance. Such gates should support fine-grained access control ensuring access is given to specific client identities approaching specific services. Such gates should also support dynamic access control ensuring that access is granted based on Confidence Levels of the client, the client request, and the service. +Micro-segmentation allows for the division of a network into smaller, isolated segments. Access control gates must be implemented within the cloud cluster network, ideally in front of every service or service instance. Such gates should support fine-grained access control ensuring access is given to specific client identities approaching specific services. +Such gates should also support dynamic access control ensuring that access is granted based on Confidence Levels of the client, the client request, and the service. Using this approach, the attack surface is significantly reduced by implementing strict access controls and separating resources into smaller compartments. Even if an attacker manages to compromise one microsegment, their lateral movement is limited, preventing them from accessing other parts of the network. ## Establish Limited Trust -Identity verification can be based on either client-sent tokens, mTLS client certificates, or both. Typically, the identity of the workload or service is represented by an Identity Token or Access Token, which is included with every request. This token can be inspected by Policy Enforcement Points to control access. 
Certificates, on the other hand, are designed to encrypt the connection between two points and can guarantee the identity of one or both access points (via TLS or mTLS). +Identity verification can be based on either client-sent tokens, mTLS client certificates, or both. Typically, the identity of the workload or service is represented by an Identity Token or Access Token, which is included with every request. +This token can be inspected by Policy Enforcement Points to control access. Certificates, on the other hand, are designed to encrypt the connection between two points and can guarantee the identity of one or both access points (via TLS or mTLS). Identity verification is the first step in confirming the client’s identity. Verified identities must also be monitored by an Active Observer to ensure credentials are not misused for malicious activity. 
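Review bot: the second added line keeps an inaccurate statement: "Certificates, on the other hand, are designed to encrypt the connection between two points". Certificates do not encrypt anything; they bind an identity to a public key so TLS can authenticate one or both endpoints, and TLS itself encrypts the channel. Suggest "Certificates, on the other hand, bind an identity to a key and let TLS or mTLS authenticate one or both endpoints of the encrypted connection."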
@@ -559,7 +587,8 @@ Additional Confidence Level data can be aggregated from all service requests emi # Conclusion -While the philosophy behind Zero Trust has been around for decades, its application in cloud native environments introduces unique challenges and opportunities. Protecting data confidentiality and integrity is a paramount in these dynamic and distributed systems. Every service request and instance must be continuously verified to ensure that only authorized entities gain access to sensitive data. Such verification includes both identity verification and behavioral verification using Security Behavior Analytics. This approach helps cloud systems cope with threats while assuming cyber breaches are unavoidable. +While the philosophy behind Zero Trust has been around for decades, its application in cloud native environments introduces unique challenges and opportunities. Protecting data confidentiality and integrity is a paramount in these dynamic and distributed systems. +Every service request and instance must be continuously verified to ensure that only authorized entities gain access to sensitive data. Such verification includes both identity verification and behavioral verification using Security Behavior Analytics. This approach helps cloud systems cope with threats while assuming cyber breaches are unavoidable. Defining fine-grain access controls becomes critical in this context, allowing for more precise adjustments to who or what can access specific resources. To further enhance security, dynamic access controls based on the Confidence Level of requests should be introduced, adjusting access privileges in real-time according to the trustworthiness of each interaction. 
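Review bot: the first added line of the Conclusion preserves "Protecting data confidentiality and integrity is a paramount in these dynamic and distributed systems"; drop the article so it reads "is paramount". The unchanged context line "Defining fine-grain access controls" should also be "fine-grained", matching the "Fine-grained Access Control" heading used earlier in the document.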
@@ -827,7 +856,7 @@ Fundamental ideas and concepts that underpin the Zero Trust security model, incl A structured approach to implementing Zero Trust principles, involving the continuous identification, analysis, and control of entities and interactions within the environment. -## References & Citations +## References and Citations ## Contributors 
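Review bot: renaming the heading from "References & Citations" to "References and Citations" changes the auto-generated anchor for that section, so any in-document link or generated table-of-contents entry that targets the old anchor will break. Grep the whitepaper for links to the old heading slug and update them in this same patch, or note in the commit message that no such links exist.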
@@ -887,7 +916,7 @@ Thank you for being an integral part of this endeavor! - Identity and Access Management section of tag-security whitepaper: [https://github.com/cncf/tag-security/blob/main/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper.md#access](https://github.com/cncf/tag-security/blob/main/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper.md#access) - Help implementing zero trust architecture (UK): [https://www.ncsc.gov.uk/collection/zero-trust-architecture/implementing-zta](https://www.ncsc.gov.uk/collection/zero-trust-architecture/implementing-zta) - Zero Trust Security Model (Canada): [https://www.cyber.gc.ca/en/guidance/zero-trust-security-model-itsap10008](https://www.cyber.gc.ca/en/guidance/zero-trust-security-model-itsap10008) -- Essential Eight Maturity Model (Australia): [https://www.cyber.gov.au/sites/default/files/2023-11/PROTECT%20-%20Essential%20Eight%20Maturity%20Model%20%28November%202023%29.pdf](https://www.cyber.gov.au/sites/default/files/2023-11/PROTECT%20-%20Essential%20Eight%20Maturity%20Model%20%28November%202023%29.pdf) +- Essential Eight Maturity Model (Australia): [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model) - Cybersecurity Policies (Europe): [https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-policies](https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-policies) - Success Story: Israel National Cyber Directorate Version 2.0 | NIST: [https://www.nist.gov/cyberframework/success-stories/israel-national-cyber-directorate-version-20](https://www.nist.gov/cyberframework/success-stories/israel-national-cyber-directorate-version-20) - Government Zero Trust Architecture (GovZTA) | Singapore Government Developer Portal (tech.gov.sg): 
[https://www.developer.tech.gov.sg/guidelines/standards-and-best-practices/government-zero-trust-architecture](https://www.developer.tech.gov.sg/guidelines/standards-and-best-practices/government-zero-trust-architecture) From 293f1af34a3b664bdd1032036fbe4af0e40848b3 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Tue, 29 Oct 2024 16:20:14 -0400 Subject: [PATCH 06/24] README.md Signed-off-by: Mariusz Sabath --- .../resources/zero-trust-whitepaper/README.md | 79 +++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 community/resources/zero-trust-whitepaper/README.md diff --git a/community/resources/zero-trust-whitepaper/README.md b/community/resources/zero-trust-whitepaper/README.md new file mode 100644 index 000000000..aff5fb658 --- /dev/null +++ b/community/resources/zero-trust-whitepaper/README.md 
@@ -0,0 +1,79 @@ +# Cloud Native Zero Trust Whitepaper + + + + +> :sunflower: **Click +> _[here](v1/cloud-native-zero-trust-whitepaper.pdf)_ for +> _version 1_ (PDF) whitepaper** + +## About + +The Cloud Native Zero Trust Whitepaper (CNZTWP) is a TAG-Security effort to ensure +the cloud native community has access to information about building, +distributing, deploying, and running applications in accordance with Zero Trust principles. + +## Updates to the paper + +The Cloud Native Zero Trust Whitepaper (CNZTWP) is intended to be a living document +created and maintained for the community, by its members. + +Updates to the whitepaper, suggestions for updates, or discussion for updates +should initiate with an [issue](https://github.com/cncf/tag-security/issues) +submitted to the repo and labeled with "suggestion" and "whitepaper". + +### Markdown + +The living CNZTWP is maintained in [markdown][whitepaper-v1-md] +and all updates will be made in markdown. + +### Contributing updates + +All members of the community are welcome to contribute updates to this whitepaper. +We ask potential contributors to refer to the original design decisions, listed +below, as guidance when determining the content of their updates. + +It is highly recommended that you seek peer review for your updates beyond that +of the Technical Leads and Co-Chairs of the TAG. + +Once the PR is submitted, please place the link in the CNCF TAG-Security Channel +for the CNZTWP: +[#tag-security-whitepaper](https://cloud-native.slack.com/archives/C017K5AN70T) +to request a review. + +### Versioning and publishing + +It is expected that many minor updates will occur, corrections to grammar, +spelling, clarification in language, translations, etc. When these occur they +are considered minor changes to the overall content and will not warrant the +regeneration of the PDF. 
+ +When significant changes to the intent, content, or numerous minor changes +occur, the CNZTWP working group will assess and determine if a new major version +of the PDF needs published.When this decision is made, the markdown content +will be converted to text document and sent to the CNCF technical writers to +create the PDF. The PDF will then be published back into the repository +annotating the new version, updating the links in the README.md accordingly. + +Minor updates to the markdown shall receive a minor version bump indicated in +the Metadata table of the document and recorded as WIP. When enough significant +changes have been recorded, the markdown will be placed "In Review" (via PR) and +solicited to the CNCF TAG-Security and TOC mailing list for review, at a +minimum. + +Upon completion of review, the TAG-Security TOC Liaison shall provide final +approval on the PR. At which point the markdown state will be changed to +"Approved" and merged. + +## Links + +### Version 1 + +* [Managed version in markdown][whitepaper-v1-md] +* [Posted PDF first version][whitepaper-pdf-v1] +* [Original Issue](https://github.com/cncf/tag-security/issues/950) + +[whitepaper-v1-md]: +./v1/cloud-native-zero-trust-whitepaper.md +[whitepaper-pdf-v1]: +./v1/cloud-native-zero-trust-whitepaper.pdf From 5e3a745cc97ece996fd98731fb5383428398d39a Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Tue, 29 Oct 2024 19:31:12 -0400 Subject: [PATCH 07/24] Fix lint errors Signed-off-by: Mariusz Sabath --- community/resources/zero-trust-whitepaper/README.md | 1 - .../v1/cloud-native-zero-trust-whitepaper.md | 1 - 2 files changed, 2 deletions(-) diff --git a/community/resources/zero-trust-whitepaper/README.md b/community/resources/zero-trust-whitepaper/README.md index aff5fb658..9928c7a65 100644 --- a/community/resources/zero-trust-whitepaper/README.md +++ b/community/resources/zero-trust-whitepaper/README.md 
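Review bot: in the "Versioning and publishing" section of this hunk, `of the PDF needs published.When this decision is made` is missing the space after the period, and `needs published` should read `needs to be published`; `converted to text document` also wants an article (`converted to a text document`). Separately, the banner link text `_[here](v1/cloud-native-zero-trust-whitepaper.pdf)_` is uninformative for screen readers and link lists; `[Version 1 (PDF)](v1/cloud-native-zero-trust-whitepaper.pdf)` says what it points to.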
@@ -2,7 +2,6 @@ - > :sunflower: **Click > _[here](v1/cloud-native-zero-trust-whitepaper.pdf)_ for > _version 1_ (PDF) whitepaper** diff --git a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md index f980c4446..1a27a0b3f 100644 --- a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md +++ b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md 
@@ -916,7 +916,6 @@ Thank you for being an integral part of this endeavor! - Identity and Access Management section of tag-security whitepaper: [https://github.com/cncf/tag-security/blob/main/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper.md#access](https://github.com/cncf/tag-security/blob/main/community/resources/security-whitepaper/v2/cloud-native-security-whitepaper.md#access) - Help implementing zero trust architecture (UK): [https://www.ncsc.gov.uk/collection/zero-trust-architecture/implementing-zta](https://www.ncsc.gov.uk/collection/zero-trust-architecture/implementing-zta) - Zero Trust Security Model (Canada): [https://www.cyber.gc.ca/en/guidance/zero-trust-security-model-itsap10008](https://www.cyber.gc.ca/en/guidance/zero-trust-security-model-itsap10008) -- Essential Eight Maturity Model (Australia): [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model) - Cybersecurity Policies (Europe): [https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-policies](https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-policies) - Success Story: Israel National Cyber Directorate Version 2.0 | NIST: [https://www.nist.gov/cyberframework/success-stories/israel-national-cyber-directorate-version-20](https://www.nist.gov/cyberframework/success-stories/israel-national-cyber-directorate-version-20) - Government Zero Trust Architecture (GovZTA) | Singapore Government Developer Portal (tech.gov.sg): [https://www.developer.tech.gov.sg/guidelines/standards-and-best-practices/government-zero-trust-architecture](https://www.developer.tech.gov.sg/guidelines/standards-and-best-practices/government-zero-trust-architecture) From c1022a316c5b95654f9901a620299f8da92b28e9 Mon Sep 17 00:00:00 2001 
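Review bot: under a commit titled "Fix lint errors", the second hunk (`@@ -916,7 +916,6 @@`) drops the Essential Eight Maturity Model reference entirely instead of fixing what the linter flagged; if the complaint was line length or a link check, the entry can stay with shorter link text, e.g. `- Essential Eight Maturity Model (Australia): [cyber.gov.au](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model)`. If the removal is intentional, the commit message should say so, since the preceding patch had just updated this very line.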
From: Mariusz Sabath Date: Tue, 29 Oct 2024 19:36:03 -0400 Subject: [PATCH 08/24] Add dummy PDF Signed-off-by: Mariusz Sabath --- .../v1/cloud-native-zero-trust-whitepaper.pdf | Bin 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.pdf diff --git a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.pdf b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.pdf new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 From a72d12fac29bb0af928744c79331fa7a0e1e1119 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Tue, 12 Nov 2024 21:59:14 -0700 Subject: [PATCH 09/24] Update community/resources/zero-trust-whitepaper/README.md Co-authored-by: Emily Fox <33327273+TheFoxAtWork@users.noreply.github.com> Signed-off-by: Mariusz Sabath --- community/resources/zero-trust-whitepaper/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/community/resources/zero-trust-whitepaper/README.md b/community/resources/zero-trust-whitepaper/README.md index 9928c7a65..321a3c23d 100644 --- a/community/resources/zero-trust-whitepaper/README.md +++ b/community/resources/zero-trust-whitepaper/README.md @@ -49,7 +49,7 @@ regeneration of the PDF. When significant changes to the intent, content, or numerous minor changes occur, the CNZTWP working group will assess and determine if a new major version -of the PDF needs published.When this decision is made, the markdown content +of the PDF needs published. When this decision is made, the markdown content will be converted to text document and sent to the CNCF technical writers to create the PDF. The PDF will then be published back into the repository annotating the new version, updating the links in the README.md accordingly. From a3b408a9c8b7bd3195b0570afa1750be47974023 Mon Sep 17 00:00:00 2001 
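Review bot: the "Add dummy PDF" change records `index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391` for `v1/cloud-native-zero-trust-whitepaper.pdf`, and `e69de29...` is git's hash of the empty blob, so this is a zero-byte file; yet the README banner and its "Posted PDF first version" link already point at that path, and anyone following them downloads an empty, unopenable PDF. Either add the PDF once the CNCF technical writers have produced it, or mark the README link as pending until then.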
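Review bot: the `@@ -49,7 +49,7 @@` hunk restores the missing space in `needs published.When` but leaves `needs published` itself, which should read `needs to be published`; the unchanged context line directly below (`will be converted to text document`) is also missing an article. Both are in the same paragraph and could be fixed in this commit.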
From: Mariusz Sabath Date: Tue, 12 Nov 2024 22:01:00 -0700 Subject: [PATCH 10/24] Update community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md Co-authored-by: Emily Fox <33327273+TheFoxAtWork@users.noreply.github.com> Signed-off-by: Mariusz Sabath --- .../v1/cloud-native-zero-trust-whitepaper.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md index 1a27a0b3f..cd1894739 100644 --- a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md +++ b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md 
@@ -56,7 +56,7 @@ Project Lead: Mariusz Sabath, David Hadas # Abstract -Contrary to what the name might suggest, the real world application of “Zero Trust” is far more nuanced than simply *trusting nothing*. The Zero Trust defense strategy assumes that the internal network is not to be trusted. This contrasts with a perimeter-based defense, which is designed to construct a trustworthy internal network. Instead, we can introduce measures to evaluate trustworthiness, then use such evaluations to control the network communications and its connected devices. +Contrary to what the name might suggest, the real world application of “Zero Trust” is far more nuanced than simply *trusting nothing*. The Zero Trust defense strategy considers an internal network and its components to potentially be compromised and therefore must have there trustworthiness asserted at every connection. Without this assertion and verification, it cannot be trusted. This contrasts with a perimeter-based defense, which is designed to provide sufficient protections at the boundary such that the internal network is implicitly secure because nothing could possibly get in from the outside that is unauthorized. Zero Trust principles allow organizations and technologists to introduce measures that evaluate and verify trustworthiness, enabling the output of these evaluations to direct and enforce communications and activity within a network by the connected devices. While many of the well-worn concepts behind Zero Trust apply to *any* system, there remains a gap with regards to discussing Zero Trust from a Cloud Native perspective. This document seeks to codify the philosophy alongside an ideal design for implementing it in a Cloud Native system. From a6eced9f27dd54fecc092ecdf03a6719541b9bda Mon Sep 17 00:00:00 2001 
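Review bot: the rewritten Abstract sentence has a typo, `must have there trustworthiness asserted` should be `their trustworthiness`. The same sentence also shifts subject mid-way (`The Zero Trust defense strategy considers ... and therefore must have ... trustworthiness asserted`), which makes the strategy, not the network components, the thing being asserted; suggest `considers an internal network and its components to be potentially compromised, so their trustworthiness must be asserted at every connection`. Carried over from the old line, `real world application` should be hyphenated as `real-world application`.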
From: Mariusz Sabath Date: Tue, 12 Nov 2024 22:07:25 -0700 Subject: [PATCH 11/24] Update community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md Co-authored-by: Emily Fox <33327273+TheFoxAtWork@users.noreply.github.com> Signed-off-by: Mariusz Sabath --- .../v1/cloud-native-zero-trust-whitepaper.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md index cd1894739..823aeb869 100644 --- a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md +++ b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md 
@@ -201,7 +201,7 @@ The evidence for the principles below is discussed in **[NIST SP 800-207](https: ### 1. Every Image Includes Vulnerabilities -Organizations must recognize that all cloud native images inherently contain vulnerabilities. It is imperative to understand that no image is free from potential security flaws. Dependencies, base images, development tools, repositories, and continuous integration/continuous deployment (CI/CD) tools are all susceptible to exploitation, leading to vulnerable images. The extensive amount of code that constitutes these systems presents numerous opportunities for malicious actors over a large period. +Organizations must recognize that all cloud native images inherently contain vulnerabilities. It is imperative to understand that no image is free from potential security flaws. Dependencies, base images, development tools, repositories, and continuous integration/continuous deployment (CI/CD) tools are all susceptible to exploitation, leading to vulnerable images. The extensive amount of code and complexity in how that code is introduced in the build systems or final image built presents numerous opportunities for threat actors to compromise target application and environments throughout their lifecycle. ### 2. Every Service is Vulnerable From 318427242cf5ac8b2e333143b624f961f72148ca Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Tue, 12 Nov 2024 22:09:14 -0700 Subject: [PATCH 12/24] Update community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md Co-authored-by: Emily Fox <33327273+TheFoxAtWork@users.noreply.github.com> Signed-off-by: Mariusz Sabath --- .../v1/cloud-native-zero-trust-whitepaper.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md index 823aeb869..c6a7e96b7 100644 
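Review bot: the new sentence ends with `compromise target application and environments`, which is missing a determiner or plural; `compromise target applications and environments` (or `the target application and its environment`) reads correctly. The rest of the rewrite is an improvement over the vague `over a large period` it replaces.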
--- a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md +++ b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md @@ -205,7 +205,7 @@ Organizations must recognize that all cloud native images inherently contain vul ### 2. Every Service is Vulnerable -Organizations must acknowledge that all deployed services are inherently vulnerable. This assumption should guide the planning and implementation of security measures. Any service deployed within a cloud native environment should be presumed to operate based on a vulnerable image and/or vulnerable configuration and to expose vulnerabilities through its service API. +Organizations must acknowledge that all deployed services are inherently vulnerable. This assumption should guide the planning and implementation of security measures. Any service deployed within a cloud native environment should be presumed to operate based on a vulnerable image and/or vulnerable configuration and that it will expose those vulnerabilities through its service API. It is common for organizations to become aware of vulnerabilities when Common Vulnerabilities and Exposures (CVEs) related to their services are published. However, this awareness often comes after a period during which the services were susceptible to attack. The absence of a known vulnerability does not equate to security; vulnerabilities may exist that have yet to be discovered or disclosed. CVEs are typically published following the detection and reporting by white hat security researchers, but malicious actors may exploit these vulnerabilities long before they are publicly known. From 56e7b7bdde57494e7bfadd91ba439b2fcc0341d5 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Tue, 12 Nov 2024 22:10:52 -0700 Subject: [PATCH 13/24] Update community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md Co-authored-by: Emily Fox <33327273+TheFoxAtWork@users.noreply.github.com> 
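Review bot: the changed sentence in `@@ -205,7 +205,7 @@` now reads `presumed to operate based on a vulnerable image and/or vulnerable configuration and that it will expose those vulnerabilities`, which breaks the parallel structure after `presumed to`; suggest `presumed to run from a vulnerable image and/or configuration and to expose those vulnerabilities through its service API`. `operate based on` is also awkward where `run from` or `be built from` is meant.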
Signed-off-by: Mariusz Sabath --- .../v1/cloud-native-zero-trust-whitepaper.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md index c6a7e96b7..7f3c2ae6c 100644 --- a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md +++ b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md @@ -208,7 +208,7 @@ Organizations must recognize that all cloud native images inherently contain vul Organizations must acknowledge that all deployed services are inherently vulnerable. This assumption should guide the planning and implementation of security measures. Any service deployed within a cloud native environment should be presumed to operate based on a vulnerable image and/or vulnerable configuration and that it will expose those vulnerabilities through its service API. It is common for organizations to become aware of vulnerabilities when Common Vulnerabilities and Exposures (CVEs) related to their services are published. However, this awareness often comes after a period during which the services were susceptible to attack. -The absence of a known vulnerability does not equate to security; vulnerabilities may exist that have yet to be discovered or disclosed. CVEs are typically published following the detection and reporting by white hat security researchers, but malicious actors may exploit these vulnerabilities long before they are publicly known. +The absence of a known vulnerability does not mean a system is secure; vulnerabilities may exist that have yet to be discovered or disclosed. CVEs are typically published following the detection and reporting by white hat security researchers, but malicious actors may exploit these vulnerabilities long before they are publicly known. ### 3. Every Service Will be Exploited 
From d40a1410c4336b840b8cbe88477cd1183d089819 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Tue, 12 Nov 2024 22:39:49 -0700 Subject: [PATCH 14/24] Update cloud-native-zero-trust-whitepaper.md Update the approvals metadata heading Signed-off-by: Mariusz Sabath --- .../v1/cloud-native-zero-trust-whitepaper.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md index 7f3c2ae6c..dccd2d545 100644 --- a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md +++ b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md @@ -8,17 +8,17 @@ TAG Security issue: [https://github.com/cncf/tag-security/issues/950](https://github.com/cncf/tag-security/issues/950) -STAG Representative - Eddie Knight +**Version**: 1.0 **Created**: 30 Nov 2024 **Status**: WIP | **In Review** | Approved -Project Lead: Mariusz Sabath, David Hadas - -**Version**: 1.0 **Created**: 30 Nov 2024 +**Last Reviewed**: DD MMM 2024, **PDF Published**: DD MMM 2024 **Release Version**: 1.0 -**Status**: WIP | **In Review** | Approved +**TAG Sponsor Approver** [X] @eddie-knight +**TOC Liaison Approvers** [] @TheFoxAtWork [] $GITHUBHANDLE -**Last Reviewed**: DD MMM 2024, **PDF Published**: DD MMM 2024 **Release Version**: 1.0 +* **Project Lead**: @mrsabath, @davidhadas +* **Contributors** (in alphabetical order): Aradhna Chetal, Asad Faizi, David Hadas, Eddie Knight, Kishore Nadendla, Mariusz Sabath, Philip Griffiths, Victor Lu +* **Reviewers**: Pushkar Joglekar, Nate Waddington, Andrés Vega, Valerie Silverthorne, Yoshiyuki Tabata -**Final PDF Approvers** [] @name1 [] @name1 ## Table of Contents From 9cc1c70205d8571bc8f57dc31581433fbe2d493f Mon Sep 17 00:00:00 2001 
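Review bot: the new metadata block in `@@ -8,17 +8,17 @@` leaves template placeholders in the document: `[] $GITHUBHANDLE` under **TOC Liaison Approvers** and `DD MMM 2024` for **Last Reviewed** and **PDF Published**; fill them in or use an explicit `TBD` so a shell-style variable does not reach the published PDF. Also check `**Created**: 30 Nov 2024` against the commit date (12 Nov 2024): if 30 Nov is the intended publication date, label it as such. Minor: the `**Status**: WIP | **In Review** | Approved` line relies on bold alone to mark the current state; a single value, or a short legend, would be unambiguous.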
From: Mariusz Sabath Date: Tue, 12 Nov 2024 22:49:42 -0700 Subject: [PATCH 15/24] Update cloud-native-zero-trust-whitepaper.md Replace *open-source* with *open source* Signed-off-by: Mariusz Sabath --- .../v1/cloud-native-zero-trust-whitepaper.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md index dccd2d545..5c990b1cf 100644 --- a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md +++ b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md 
@@ -79,7 +79,7 @@ This model, which segmented networks into zones with varying levels of trust, ai The implementation of Zero Trust principles was notably advanced by [Google's BeyondCorp initiative in 2009](https://www.beyondcorp.com/#:~:text=The%20BeyondCorp%20Story,and%20devices%20access%20internal%20applications.). BeyondCorp shifted security focus from the perimeter to individual users and devices, emphasizing continuous verification and least-privilege access. This approach was driven by the need to address sophisticated threats, as demonstrated by incidents like [Operation Aurora](https://en.wikipedia.org/wiki/Operation_Aurora) and the [MUSCULAR joint surveillance program](https://en.wikipedia.org/wiki/MUSCULAR) operated by the NSA and GCHQ against the internal networks of Google and Yahoo. -The proliferation of open-source projects such as Istio, Knative, SPIFFE, and OpenFGA has also played a crucial role in advancing Zero Trust. These projects provide robust frameworks for identity management, policy enforcement, Security Behavior Analytics, and secure communication within cloud native environments. +The proliferation of open source projects such as Istio, Knative, SPIFFE, and OpenFGA has also played a crucial role in advancing Zero Trust. These projects provide robust frameworks for identity management, policy enforcement, Security Behavior Analytics, and secure communication within cloud native environments. The National Institute of Standards and Technology (NIST) has been pivotal in formalizing the Zero Trust model. [NIST's guidelines on Zero Trust Architecture](https://csrc.nist.gov/pubs/sp/800/207/final) outline key tenets such as continuous verification, least-privilege access, and micro-segmentation. These principles ensure that security measures are consistently applied across all network layers and endpoints, reinforcing the Zero Trust approach. 
@@ -616,7 +616,7 @@ A cloud-native certificate management controller for Kubernetes, which automates #### **[Cilium](https://cilium.io/)** -An open-source software that provides networking, security, and observability for cloud-native environments using the Linux kernel's extended Berkeley Packet Filter (eBPF) technology. Cilium enables fine-grained security policies and high-performance networking for Kubernetes clusters. +An open source software that provides networking, security, and observability for cloud-native environments using the Linux kernel's extended Berkeley Packet Filter (eBPF) technology. Cilium enables fine-grained security policies and high-performance networking for Kubernetes clusters. #### **[CNCF Knative’s Security-Guard](https://knative.dev/docs/serving/app-security/security-guard-about/)** 
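Review bot: while normalizing `open-source` to `open source`, this hunk leaves `cloud-native environments` hyphenated even though the body text writes `cloud native` (for example `cloud native images` in the `@@ -201,7 +201,7 @@` hunk above); the same `cloud-native` spelling recurs in the Curiefense, Pixie and SPIFFE hunks that follow, so it is worth settling on one form in this pass. Also `An open source software that provides` treats `software` as a count noun; `Open source software that provides` or `An open source project that provides` is grammatical.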
@@ -624,11 +624,11 @@ A security extension developed as part of Knative. Security-Guard provides capab #### **[Curiefense](https://www.curiefense.io/)** -An open-source, cloud-native application security platform that integrates a Web Application Firewall (WAF), API security, and bot management. Curiefense provides comprehensive protection for web applications and APIs against a wide range of threats, including injection attacks, cross-site scripting (XSS), and denial-of-service (DoS) attacks. +An open source, cloud-native application security platform that integrates a Web Application Firewall (WAF), API security, and bot management. Curiefense provides comprehensive protection for web applications and APIs against a wide range of threats, including injection attacks, cross-site scripting (XSS), and denial-of-service (DoS) attacks. #### **[Dapr](https://dapr.io/)** -Distributed Application Runtime, an open-source project that provides APIs and runtime support for building resilient, stateless, and stateful microservices. Dapr simplifies the development of microservices by providing building blocks for common capabilities such as service invocation, state management, and pub/sub messaging. +Distributed Application Runtime, an open source project that provides APIs and runtime support for building resilient, stateless, and stateful microservices. Dapr simplifies the development of microservices by providing building blocks for common capabilities such as service invocation, state management, and pub/sub messaging. #### **[Dex](https://dexidp.io/)** 
@@ -636,11 +636,11 @@ An OpenID Connect (OIDC) identity provider and OAuth 2.0 provider that provides #### **[Falco](https://falco.org/)** -An open-source runtime security tool for Kubernetes that uses eBPF and system call monitoring to detect anomalous behavior, threats, and security events in real-time. Falco helps in enforcing security policies and responding to incidents by integrating with various alerting and incident response systems. +An open source runtime security tool for Kubernetes that uses eBPF and system call monitoring to detect anomalous behavior, threats, and security events in real-time. Falco helps in enforcing security policies and responding to incidents by integrating with various alerting and incident response systems. #### **[Istio](https://istio.io/)** -An open-source service mesh that provides traffic management, security, and observability for microservices. Istio enables secure service-to-service communication, fine-grained access control, and detailed monitoring and tracing of application traffic within Kubernetes clusters. +An open source service mesh that provides traffic management, security, and observability for microservices. Istio enables secure service-to-service communication, fine-grained access control, and detailed monitoring and tracing of application traffic within Kubernetes clusters. #### **[JSON Web Tokens (JWT)](https://datatracker.ietf.org/doc/rfc7519/)** 
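Review bot: in the Falco entry of this hunk, `in real-time` is adverbial and should be `in real time`; the hyphenated form belongs only to attributive use such as `real-time detection`.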
@@ -648,7 +648,7 @@ A compact, URL-safe means of representing claims to be transferred between two p #### **[Keycloak](https://www.keycloak.org/)** -An open-source Identity and Access Management (IAM) solution that provides single sign-on (SSO), user federation, and fine-grained access control. Keycloak supports various authentication protocols and integrates with numerous applications and services to manage user identities and permissions. +An open source Identity and Access Management (IAM) solution that provides single sign-on (SSO), user federation, and fine-grained access control. Keycloak supports various authentication protocols and integrates with numerous applications and services to manage user identities and permissions. #### **[KubeArmor](https://kubearmor.io/)** 
@@ -660,19 +660,19 @@ A set of rules that define how groups of pods can communicate with each other an #### **[Knative](https://knative.dev/)** -An open-source platform built on Kubernetes that provides components for deploying, managing, and running serverless workloads. Knative abstracts the complexity of Kubernetes, enabling developers to focus on writing code without worrying about infrastructure management. +An open source platform built on Kubernetes that provides components for deploying, managing, and running serverless workloads. Knative abstracts the complexity of Kubernetes, enabling developers to focus on writing code without worrying about infrastructure management. #### **[Linkerd](https://linkerd.io/)** -An open-source service mesh that provides observability, security, and reliability for Kubernetes applications. Linkerd offers features such as automatic mTLS, traffic splitting, and detailed metrics to help manage and secure microservices. +An open source service mesh that provides observability, security, and reliability for Kubernetes applications. Linkerd offers features such as automatic mTLS, traffic splitting, and detailed metrics to help manage and secure microservices. #### **[Pixie](https://docs.px.dev/)** -An open-source observability platform for Kubernetes that uses eBPF to collect and analyze performance, debugging, and security data from running applications. Pixie provides real-time insights into the health and performance of cloud-native applications, enabling developers to troubleshoot issues quickly. +An open source observability platform for Kubernetes that uses eBPF to collect and analyze performance, debugging, and security data from running applications. Pixie provides real-time insights into the health and performance of cloud-native applications, enabling developers to troubleshoot issues quickly. 
#### **[SPIFFE and SPIRE](https://spiffe.io/)** -The Secure Production Identity Framework for Everyone (SPIFFE) is a set of open-source standards for securely identifying and authenticating services in dynamic and heterogeneous environments. SPIRE (SPIFFE Runtime Environment) is the reference implementation of SPIFFE, providing tools to manage and distribute service identities across cloud-native platforms. +The Secure Production Identity Framework for Everyone (SPIFFE) is a set of open source standards for securely identifying and authenticating services in dynamic and heterogeneous environments. SPIRE (SPIFFE Runtime Environment) is the reference implementation of SPIFFE, providing tools to manage and distribute service identities across cloud-native platforms. ### Terms From 7cc75f679ed814a8aa83582b49dac6b7b22f53e3 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Tue, 12 Nov 2024 22:53:17 -0700 Subject: [PATCH 16/24] Update community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md Co-authored-by: Emily Fox <33327273+TheFoxAtWork@users.noreply.github.com> Signed-off-by: Mariusz Sabath --- .../v1/cloud-native-zero-trust-whitepaper.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md index 5c990b1cf..364f3997c 100644 --- a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md +++ b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md 
@@ -95,7 +95,7 @@ Building on the extensive discourse surrounding Zero Trust principles over the y To follow the tenet of *Assume a Breach*, organizations must operate as if their systems are already hacked. This mindset encourages the development and implementation of security strategies that are inherently resilient and capable of detecting, containing, and mitigating threats in real time. -The tenet of Always Verify emphasizes the necessity of continuous authentication, authorization, and monitoring for every interaction within the system, regardless of its origin. This tenet rejects the notion of implicit trust, instead insisting on rigorous verification of all entities — users and services, internal and external. In practice, this involves the actions of eliminating implicit trust, minimizing explicit trust, and monitoring behavior to verify trustworthiness. +The tenet of *Always Verify* emphasizes the necessity of continuous authentication, authorization, and monitoring for every interaction within the system, regardless of its origin. This tenet rejects the notion of implicit trust, instead insisting on rigorous verification of all entities — users and services, internal and external. In practice, this involves the actions of eliminating implicit trust, minimizing explicit trust, and monitoring behavior to verify trustworthiness. The following table summarizes the Cloud Native principles of Zero Trust as detailed in the remainder of this chapter. The evidence for the principles below is discussed in **[NIST SP 800-207](https://csrc.nist.gov/pubs/sp/800/207/final)** chapter 2 *“Zero trust Basics”* with further details in chapter 3 “*Logical Components of Zero Trust Architecture*”*.* While the NIST paper discusses all kinds of systems, in generic terms such as assets and resources, here we focus solely on Cloud Native systems with a higher level of nuance. From 66f6c1b856cde19aae7baea1b41a3964066b405a Mon Sep 17 00:00:00 2001 
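Review bot: the unchanged context paragraph below the changed line carries markup worth cleaning in the same commit: `*“Zero trust Basics”*` capitalizes `trust` inconsistently with `Zero Trust` elsewhere, and `“*Logical Components of Zero Trust Architecture*”*.*` has stray asterisks wrapping the closing period, which renders as an italic full stop. Italicizing *Always Verify* to match *Assume a Breach* in the preceding paragraph is the right consistency fix.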
From: Mariusz Sabath Date: Wed, 13 Nov 2024 07:35:07 -0700 Subject: [PATCH 17/24] Update community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md Co-authored-by: David Hadas Signed-off-by: Mariusz Sabath --- .../v1/cloud-native-zero-trust-whitepaper.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md index 364f3997c..13710a5bc 100644 --- a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md +++ b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md 
@@ -64,7 +64,7 @@ The authors have compiled their experience and research findings into a set of p Confidence Levels can be produced by “Active Observers,” a previously unnamed category of tools. Active Observers continuously monitor and analyze the security-related attributes and behaviors of entities in the system to quantify trustworthiness. -By applying the philosophies of Zero Trust to an entire Cloud Native system with consideration paid to the unique context, this paper crafts a Cloud Native Zero Trust Architecture design. Using the latest technologies, it is becoming possible to build a system in such a way that Active Observers assign Confidence Levels to every entity in the system. This enables the architecture to adapt in real-time to emerging threats and anomalies, reinforcing the Zero Trust stance. +By applying the philosophy of Zero Trust to an entire Cloud Native system with consideration paid to the unique context, this paper crafts a Cloud Native Zero Trust Architecture design. Using the latest technologies, it is becoming possible to build a system in such a way that Active Observers assign Confidence Levels to every entity in the system. This enables the architecture to adapt in real-time to emerging threats and anomalies, reinforcing the Zero Trust stance. By incorporating the concepts of Confidence Levels and Active Observers, a cloud architect may come closer to true *Zero Trust* than previously imagined. From c6f958ac29aaf17afda65064c56df265cc438a7f Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Wed, 13 Nov 2024 07:41:58 -0700 Subject: [PATCH 18/24] Update community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md Co-authored-by: David Hadas Signed-off-by: Mariusz Sabath --- .../v1/cloud-native-zero-trust-whitepaper.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
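Review bot: "philosophies" to "philosophy" reads better, but the same sentence in both the `-` and `+` lines still says "adapt in real-time"; the hyphenated form is the adjective ("real-time detection"), and as an adverb it should be "adapt in real time". Since the line is already being rewritten, fix it here rather than in a later fix-up commit.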
diff --git a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md index 13710a5bc..455551acd 100644 --- a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md +++ b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md @@ -60,7 +60,7 @@ Contrary to what the name might suggest, the real world application of “Zero T While many of the well-worn concepts behind Zero Trust apply to *any* system, there remains a gap with regards to discussing Zero Trust from a Cloud Native perspective. This document seeks to codify the philosophy alongside an ideal design for implementing it in a Cloud Native system. -The authors have compiled their experience and research findings into a set of principles and approaches. While many of the concepts herein are a distillation of past publications, extending those findings has led to a new proposal to standardize the generation and utilization of “Confidence Levels” as a data type. Confidence Levels quantify the trustworthiness of entities within a system, allowing for more dynamic and responsive security measures. +The authors have compiled their experience and research findings into a set of principles and approaches. Many of the concepts herein such as “Confidence Levels” are a distillation of past publications. Confidence Levels quantify the trustworthiness of entities within a system, allowing for more dynamic and responsive security measures. Extending those findings has led to a new proposal to standardize the generation and utilization of “Confidence Levels” as a data type. Confidence Levels can be produced by “Active Observers,” a previously unnamed category of tools. Active Observers continuously monitor and analyze the security-related attributes and behaviors of entities in the system to quantify trustworthiness. 
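Review bot: the reordered abstract now puts “Confidence Levels” in quotation marks twice within three sentences ("Many of the concepts herein such as “Confidence Levels” are a distillation" and again "standardize the generation and utilization of “Confidence Levels” as a data type"), and "Extending those findings" now has to reach back over the definition sentence to find its antecedent, which the removed line did not. Suggest setting off the parenthetical with commas and dropping the quotes on the second mention, e.g. "Many of the concepts herein, such as Confidence Levels, are a distillation of past publications." and "Extending those findings has led to a new proposal to standardize the generation and use of Confidence Levels as a data type."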
From 580d07a879709d67a7237f87a92d18723c9bbb9f Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Wed, 13 Nov 2024 20:25:25 -0700 Subject: [PATCH 19/24] Update community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md Co-authored-by: David Hadas Signed-off-by: Mariusz Sabath --- .../v1/cloud-native-zero-trust-whitepaper.md | 1 - 1 file changed, 1 deletion(-) diff --git a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md index 455551acd..ea8dc918e 100644 --- a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md +++ b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md 
@@ -77,7 +77,6 @@ The practical application of Zero Trust coalesced in 2010 when John Kindervag, a This model, which segmented networks into zones with varying levels of trust, aimed to eliminate the vulnerabilities of traditional perimeter-based security systems, where internal networks were often overly trusted. The implementation of Zero Trust principles was notably advanced by [Google's BeyondCorp initiative in 2009](https://www.beyondcorp.com/#:~:text=The%20BeyondCorp%20Story,and%20devices%20access%20internal%20applications.). BeyondCorp shifted security focus from the perimeter to individual users and devices, emphasizing continuous verification and least-privilege access. -This approach was driven by the need to address sophisticated threats, as demonstrated by incidents like [Operation Aurora](https://en.wikipedia.org/wiki/Operation_Aurora) and the [MUSCULAR joint surveillance program](https://en.wikipedia.org/wiki/MUSCULAR) operated by the NSA and GCHQ against the internal networks of Google and Yahoo. The proliferation of open source projects such as Istio, Knative, SPIFFE, and OpenFGA has also played a crucial role in advancing Zero Trust. These projects provide robust frameworks for identity management, policy enforcement, Security Behavior Analytics, and secure communication within cloud native environments. From 1a201cce67bd10ad226076a4d5aade470d6ca68b Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Wed, 13 Nov 2024 20:29:43 -0700 Subject: [PATCH 20/24] Update community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md Co-authored-by: David Hadas Signed-off-by: Mariusz Sabath --- .../v1/cloud-native-zero-trust-whitepaper.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md index ea8dc918e..fda4e1643 100644 
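Review bot: dropping the Operation Aurora / MUSCULAR sentence removes the stated motivation for BeyondCorp without the commit message giving a reason, and it leaves a chronology problem untouched in the surrounding context: the hunk header reads "coalesced in 2010 when John Kindervag", while the next sentence says the implementation "was notably advanced by Google's BeyondCorp initiative in 2009", so the initiative that "advanced" the model predates it. Either the dates or the "notably advanced" framing should be reconciled in this commit, and a one-line rationale for the deletion would help anyone reading the log later.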
--- a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md +++ b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md @@ -80,7 +80,7 @@ The implementation of Zero Trust principles was notably advanced by [Google's Be The proliferation of open source projects such as Istio, Knative, SPIFFE, and OpenFGA has also played a crucial role in advancing Zero Trust. These projects provide robust frameworks for identity management, policy enforcement, Security Behavior Analytics, and secure communication within cloud native environments. -The National Institute of Standards and Technology (NIST) has been pivotal in formalizing the Zero Trust model. [NIST's guidelines on Zero Trust Architecture](https://csrc.nist.gov/pubs/sp/800/207/final) outline key tenets such as continuous verification, least-privilege access, and micro-segmentation. These principles ensure that security measures are consistently applied across all network layers and endpoints, reinforcing the Zero Trust approach. +The National Institute of Standards and Technology (NIST) has been pivotal in formalizing the Zero Trust model. [NIST's guidelines on Zero Trust Architecture](https://csrc.nist.gov/pubs/sp/800/207/final) outline key tenets and principles to help build systems that follows the model. The history of Zero Trust started as a theoretical concept and evolved into a practical, essential cybersecurity framework. The contributions of early theorists, pioneering implementations by industry leaders, and the formalization by standardization bodies like NIST have collectively shaped the Zero Trust model, making it a cornerstone of modern cybersecurity strategies in cloud native environments. From bbe30947ac1634a7494c34457920e109d353d18d Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Wed, 13 Nov 2024 20:31:03 -0700 Subject: [PATCH 21/24] Update cloud-native-zero-trust-whitepaper.md 
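Review bot: subject-verb agreement in the `+` line: "systems that follows the model" should be "systems that follow the model" (this is corrected in the very next commit, so the two should be squashed). The rewrite also drops the concrete examples "continuous verification, least-privilege access, and micro-segmentation" together with the sentence "These principles ensure that security measures are consistently applied ...", leaving a rather thin sentence; since the BeyondCorp paragraph two lines up already relies on "continuous verification and least-privilege access", consider keeping at least those two as examples of what the NIST tenets cover.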
Signed-off-by: Mariusz Sabath --- .../v1/cloud-native-zero-trust-whitepaper.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md index fda4e1643..394ce8017 100644 --- a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md +++ b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md @@ -80,7 +80,7 @@ The implementation of Zero Trust principles was notably advanced by [Google's Be The proliferation of open source projects such as Istio, Knative, SPIFFE, and OpenFGA has also played a crucial role in advancing Zero Trust. These projects provide robust frameworks for identity management, policy enforcement, Security Behavior Analytics, and secure communication within cloud native environments. -The National Institute of Standards and Technology (NIST) has been pivotal in formalizing the Zero Trust model. [NIST's guidelines on Zero Trust Architecture](https://csrc.nist.gov/pubs/sp/800/207/final) outline key tenets and principles to help build systems that follows the model. +The National Institute of Standards and Technology (NIST) has been pivotal in formalizing the Zero Trust model. [NIST's guidelines on Zero Trust Architecture](https://csrc.nist.gov/pubs/sp/800/207/final) outline key tenets and principles to help build systems that follow the model. The history of Zero Trust started as a theoretical concept and evolved into a practical, essential cybersecurity framework. The contributions of early theorists, pioneering implementations by industry leaders, and the formalization by standardization bodies like NIST have collectively shaped the Zero Trust model, making it a cornerstone of modern cybersecurity strategies in cloud native environments. From e9899e03e3e212299e7b137a80714c5e61b03731 Mon Sep 17 00:00:00 2001 
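Review bot: this one-word fix-up ("follows" to "follow") only corrects the agreement error introduced by PATCH 20 in this series; it should be squashed into that commit rather than landing separately under a subject line ("Update cloud-native-zero-trust-whitepaper.md") that says nothing about what changed.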
From: Mariusz Sabath Date: Wed, 13 Nov 2024 20:41:24 -0700 Subject: [PATCH 22/24] Update community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md Co-authored-by: David Hadas Signed-off-by: Mariusz Sabath --- .../v1/cloud-native-zero-trust-whitepaper.md | 1 - 1 file changed, 1 deletion(-) diff --git a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md index 394ce8017..ed06a8bbc 100644 --- a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md +++ b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md @@ -84,7 +84,6 @@ The National Institute of Standards and Technology (NIST) has been pivotal in fo The history of Zero Trust started as a theoretical concept and evolved into a practical, essential cybersecurity framework. The contributions of early theorists, pioneering implementations by industry leaders, and the formalization by standardization bodies like NIST have collectively shaped the Zero Trust model, making it a cornerstone of modern cybersecurity strategies in cloud native environments. -We advise that the tenets of Zero Trust are considered during the design of any networked system. There are many opinions and recommendations regarding what may suffice to construct a Zero Trust Architecture, and the reader is always advised to consider their organizational needs when tailoring a solution suitable for the protected system. In this paper, we wish to emphasize critical elements that we consider as important to construct a Zero Trust Architecture, collate commonly accepted concepts related to Zero Trust and, in isolated cases, propose novel approaches to improve Zero Trust implementations. From ec612f7aa4f352c4fde6f25d218bc77d22888c86 Mon Sep 17 00:00:00 2001 
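Review bot: removing "We advise that the tenets of Zero Trust are considered during the design of any networked system ..." leaves the `-84,7 +84,6` hunk with two consecutive blank lines between the history paragraph and the unchanged "In this paper, we wish to emphasize ..." sentence, which is only cleaned up three commits later in PATCH 24, and the remaining sentence itself is deleted in PATCH 23. Squash PATCH 22, 23 and 24 into one commit whose message states why the closing advice and scope statement were dropped from the History section.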
From: Mariusz Sabath Date: Wed, 13 Nov 2024 20:43:12 -0700 Subject: [PATCH 23/24] Update community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md Co-authored-by: David Hadas Signed-off-by: Mariusz Sabath --- .../v1/cloud-native-zero-trust-whitepaper.md | 1 - 1 file changed, 1 deletion(-) diff --git a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md index ed06a8bbc..436c24313 100644 --- a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md +++ b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md @@ -85,7 +85,6 @@ The National Institute of Standards and Technology (NIST) has been pivotal in fo The history of Zero Trust started as a theoretical concept and evolved into a practical, essential cybersecurity framework. The contributions of early theorists, pioneering implementations by industry leaders, and the formalization by standardization bodies like NIST have collectively shaped the Zero Trust model, making it a cornerstone of modern cybersecurity strategies in cloud native environments. -In this paper, we wish to emphasize critical elements that we consider as important to construct a Zero Trust Architecture, collate commonly accepted concepts related to Zero Trust and, in isolated cases, propose novel approaches to improve Zero Trust implementations. ## Cloud Native Principles of Zero Trust From b7a72eec84702be0365d2ed58eeae7c820a5eae6 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Wed, 13 Nov 2024 20:45:30 -0700 Subject: [PATCH 24/24] Update cloud-native-zero-trust-whitepaper.md Signed-off-by: Mariusz Sabath --- .../v1/cloud-native-zero-trust-whitepaper.md | 2 -- 1 file changed, 2 deletions(-) 
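Review bot: with this deletion the History section no longer states the paper's own scope ("collate commonly accepted concepts related to Zero Trust and, in isolated cases, propose novel approaches"), so the reader now moves straight from the NIST history paragraph into "## Cloud Native Principles of Zero Trust" with no transition. The abstract as rewritten in PATCH 18 still carries the "new proposal to standardize ... Confidence Levels as a data type" claim, so nothing is lost factually; if the intent was only to avoid repeating the abstract, a single bridging sentence at the end of the history paragraph would keep the section from ending abruptly.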
diff --git a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md index 436c24313..b74cef2be 100644 --- a/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md +++ b/community/resources/zero-trust-whitepaper/v1/cloud-native-zero-trust-whitepaper.md @@ -84,8 +84,6 @@ The National Institute of Standards and Technology (NIST) has been pivotal in fo The history of Zero Trust started as a theoretical concept and evolved into a practical, essential cybersecurity framework. The contributions of early theorists, pioneering implementations by industry leaders, and the formalization by standardization bodies like NIST have collectively shaped the Zero Trust model, making it a cornerstone of modern cybersecurity strategies in cloud native environments. - - ## Cloud Native Principles of Zero Trust Building on the extensive discourse surrounding Zero Trust principles over the years, two foundational tenets have been established: *Assume a Breach* and *Always Verify*. When applying these tenets to cloud native environments, we have delineated eleven governing principles.
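Review bot: the two removed blank lines are the leftover from the deletions in PATCH 22 and PATCH 23; this is a whitespace-only change and belongs in those commits rather than as a separate "Update cloud-native-zero-trust-whitepaper.md" commit. The trailing context line "we have delineated eleven governing principles" states a count that the summary table introduced later in this series must match, so that number is worth re-checking once the principle edits in this PR settle.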