<?xml version="1.0"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
	<channel>
		<title>PiRho Knowledgebase  - Recent changes [en-gb]</title>
		<link>https://knowledgebase.pirho.net/wiki/Special:RecentChanges</link>
		<description>Track the most recent changes to the wiki in this feed.</description>
		<language>en-GB</language>
		<generator>MediaWiki 1.43.0</generator>
		<lastBuildDate>Sat, 11 Jul 2026 13:00:31 GMT</lastBuildDate>
		<item>
			<title>Don&#039;t Use Windows Server 2016 for Android Development</title>
			<link>https://knowledgebase.pirho.net/index.php?title=Don%27t_Use_Windows_Server_2016_for_Android_Development&amp;diff=437&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=Don%27t_Use_Windows_Server_2016_for_Android_Development&amp;diff=437&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;Windows Server 2016 remains a capable platform for infrastructure services, Active Directory, IIS, SQL Server, SharePoint, and laboratory environments. However, it is increasingly unsuitable as a primary platform for modern Android development.  As Android Studio, Gradle, Java, and associated tooling evolve, they increasingly depend upon operating system functionality that was not available when Windows Server 2016 was released. This can result in obscure compatibility i...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;Windows Server 2016 remains a capable platform for infrastructure services, Active Directory, IIS, SQL Server, SharePoint, and laboratory environments. However, it is increasingly unsuitable as a primary platform for modern Android development.&lt;br /&gt;
&lt;br /&gt;
As Android Studio, Gradle, Java, and associated tooling evolve, they increasingly depend upon operating system functionality that was not available when Windows Server 2016 was released. This can result in obscure compatibility issues, misleading error messages, and significant time spent troubleshooting before a single line of application code is executed.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
Many IT professionals maintain development environments on server operating systems for convenience, familiarity, or because a virtual machine already exists within their laboratory infrastructure.&lt;br /&gt;
&lt;br /&gt;
This approach often works well for:&lt;br /&gt;
&lt;br /&gt;
* Infrastructure automation&lt;br /&gt;
* Web development&lt;br /&gt;
* Database development&lt;br /&gt;
* PowerShell scripting&lt;br /&gt;
* Legacy application support&lt;br /&gt;
* Systems administration&lt;br /&gt;
&lt;br /&gt;
Android development is different.&lt;br /&gt;
&lt;br /&gt;
Modern Android development relies upon a large collection of interconnected tooling:&lt;br /&gt;
&lt;br /&gt;
* Android Studio&lt;br /&gt;
* Android SDK&lt;br /&gt;
* Android Emulator&lt;br /&gt;
* Java Development Kits&lt;br /&gt;
* Gradle&lt;br /&gt;
* Android Gradle Plugin (AGP)&lt;br /&gt;
* Native helper libraries&lt;br /&gt;
&lt;br /&gt;
Each component evolves independently and may introduce dependencies on newer operating system features.&lt;br /&gt;
&lt;br /&gt;
== The Assumption ==&lt;br /&gt;
&lt;br /&gt;
A reasonable assumption is:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
If Android Studio installs successfully,&lt;br /&gt;
Android development should work.&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Unfortunately, this assumption is no longer always true.&lt;br /&gt;
&lt;br /&gt;
In many cases:&lt;br /&gt;
&lt;br /&gt;
* Android Studio installs correctly.&lt;br /&gt;
* The Android SDK downloads successfully.&lt;br /&gt;
* The Android Emulator installs correctly.&lt;br /&gt;
* Gradle downloads successfully.&lt;br /&gt;
* A project can be created.&lt;br /&gt;
&lt;br /&gt;
Yet the project still fails before the first build.&lt;br /&gt;
&lt;br /&gt;
== A Real-World Investigation ==&lt;br /&gt;
&lt;br /&gt;
While creating a new Android project on a fully patched Windows Server 2016 system, Android Studio repeatedly failed when attempting to build even the default starter project.&lt;br /&gt;
&lt;br /&gt;
Gradle reported:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Could not initialize native services.&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Further investigation produced:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Unable to start daemon process.&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The error messages suggested a configuration problem involving:&lt;br /&gt;
&lt;br /&gt;
* Java&lt;br /&gt;
* Gradle&lt;br /&gt;
* JVM settings&lt;br /&gt;
* Build configuration&lt;br /&gt;
&lt;br /&gt;
All appeared to be logical areas to investigate.&lt;br /&gt;
&lt;br /&gt;
Unfortunately, none of them were the actual cause.&lt;br /&gt;
&lt;br /&gt;
== The Root Cause ==&lt;br /&gt;
&lt;br /&gt;
The failure originated inside Gradle&amp;#039;s native file monitoring subsystem.&lt;br /&gt;
&lt;br /&gt;
The critical error eventually became:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
gradle-fileevents.dll&lt;br /&gt;
&lt;br /&gt;
The specified procedure could not be found&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
At first glance this appears to indicate a missing DLL.&lt;br /&gt;
&lt;br /&gt;
In reality, the DLL existed and loaded successfully.&lt;br /&gt;
&lt;br /&gt;
The problem was that the DLL depended upon a Windows API function that was unavailable on Windows Server 2016.&lt;br /&gt;
&lt;br /&gt;
Using dependency analysis tools revealed the missing import:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
ReadDirectoryChangesExW&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This API is used for advanced file system monitoring.&lt;br /&gt;
&lt;br /&gt;
Modern Gradle implementations use this functionality to detect changes to project files efficiently.&lt;br /&gt;
&lt;br /&gt;
The dependency chain became:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Android Studio&lt;br /&gt;
    ↓&lt;br /&gt;
Android Gradle Plugin&lt;br /&gt;
    ↓&lt;br /&gt;
Gradle&lt;br /&gt;
    ↓&lt;br /&gt;
gradle-fileevents.dll&lt;br /&gt;
    ↓&lt;br /&gt;
ReadDirectoryChangesExW&lt;br /&gt;
    ↓&lt;br /&gt;
Windows Server 2016&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Because the operating system did not provide the required API, Gradle failed during startup.&lt;br /&gt;
&lt;br /&gt;
== Why This Is So Frustrating ==&lt;br /&gt;
&lt;br /&gt;
The most frustrating aspect of the problem is that the reported error bears little resemblance to the actual cause.&lt;br /&gt;
&lt;br /&gt;
Developers may spend hours investigating:&lt;br /&gt;
&lt;br /&gt;
* JVM versions&lt;br /&gt;
* Gradle versions&lt;br /&gt;
* Build scripts&lt;br /&gt;
* Android SDK installation&lt;br /&gt;
* Environment variables&lt;br /&gt;
* Visual C++ Redistributables&lt;br /&gt;
* IDE configuration&lt;br /&gt;
&lt;br /&gt;
while the real issue exists at the operating system API level.&lt;br /&gt;
&lt;br /&gt;
The visible symptom:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Could not initialize native services.&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The actual cause:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Required Windows API unavailable.&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
These are very different problems.&lt;br /&gt;
&lt;br /&gt;
== Diagnostic Lessons Learned ==&lt;br /&gt;
&lt;br /&gt;
Several useful lessons emerged from the investigation.&lt;br /&gt;
&lt;br /&gt;
=== Startup Errors Matter ===&lt;br /&gt;
&lt;br /&gt;
If a development environment reports unexpected errors during first launch, do not dismiss them too quickly.&lt;br /&gt;
&lt;br /&gt;
Early failures often indicate environmental issues rather than project issues.&lt;br /&gt;
&lt;br /&gt;
=== Installation Success Does Not Equal Compatibility ===&lt;br /&gt;
&lt;br /&gt;
A successful installation proves only that the software installed.&lt;br /&gt;
&lt;br /&gt;
It does not prove that all functionality is supported by the host operating system.&lt;br /&gt;
&lt;br /&gt;
=== Dependency Analysis Tools Are Valuable ===&lt;br /&gt;
&lt;br /&gt;
Tools such as Dependencies can reveal the real source of native library failures.&lt;br /&gt;
&lt;br /&gt;
Without dependency analysis, the actual root cause would have remained hidden behind multiple layers of abstraction.&lt;br /&gt;
&lt;br /&gt;
=== Modern Toolchains Move Quickly ===&lt;br /&gt;
&lt;br /&gt;
Development tooling often adopts new platform capabilities far faster than organisations upgrade operating systems.&lt;br /&gt;
&lt;br /&gt;
This creates situations where systems remain technically supported but are no longer practical development environments.&lt;br /&gt;
&lt;br /&gt;
== Cost of the Problem ==&lt;br /&gt;
&lt;br /&gt;
The largest cost is not technical.&lt;br /&gt;
&lt;br /&gt;
The largest cost is time.&lt;br /&gt;
&lt;br /&gt;
Instead of working on application development, time is spent:&lt;br /&gt;
&lt;br /&gt;
* Investigating build systems&lt;br /&gt;
* Reading logs&lt;br /&gt;
* Testing software versions&lt;br /&gt;
* Reinstalling components&lt;br /&gt;
* Researching compatibility issues&lt;br /&gt;
&lt;br /&gt;
The result is:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
No progress on the actual project.&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Development environments should reduce friction rather than create it.&lt;br /&gt;
&lt;br /&gt;
== Recommended Platforms for Android Development ==&lt;br /&gt;
&lt;br /&gt;
=== Windows 11 ===&lt;br /&gt;
&lt;br /&gt;
Windows 11 is currently the simplest choice for Android development.&lt;br /&gt;
&lt;br /&gt;
Benefits include:&lt;br /&gt;
&lt;br /&gt;
* Modern operating system APIs&lt;br /&gt;
* Strong Android Studio support&lt;br /&gt;
* Full compatibility with current tooling&lt;br /&gt;
* Long-term viability&lt;br /&gt;
&lt;br /&gt;
=== Windows Server 2022 ===&lt;br /&gt;
&lt;br /&gt;
For developers who prefer server operating systems:&lt;br /&gt;
&lt;br /&gt;
* Modern Windows API support&lt;br /&gt;
* Better compatibility with current development tools&lt;br /&gt;
* Familiar administrative experience&lt;br /&gt;
&lt;br /&gt;
=== Linux (Ubuntu / Xubuntu) ===&lt;br /&gt;
&lt;br /&gt;
Linux has become an excellent Android development platform.&lt;br /&gt;
&lt;br /&gt;
Advantages include:&lt;br /&gt;
&lt;br /&gt;
* First-class Android Studio support&lt;br /&gt;
* Strong Java ecosystem&lt;br /&gt;
* Reliable Gradle support&lt;br /&gt;
* Lower system overhead&lt;br /&gt;
* Fewer legacy compatibility concerns&lt;br /&gt;
&lt;br /&gt;
Xubuntu in particular provides a lightweight development environment that performs well even on modest virtual machines.&lt;br /&gt;
&lt;br /&gt;
== What Windows Server 2016 Is Still Good At ==&lt;br /&gt;
&lt;br /&gt;
None of this should be interpreted as criticism of Windows Server 2016 itself.&lt;br /&gt;
&lt;br /&gt;
Windows Server 2016 remains entirely suitable for:&lt;br /&gt;
&lt;br /&gt;
* Active Directory&lt;br /&gt;
* IIS&lt;br /&gt;
* SQL Server&lt;br /&gt;
* SharePoint&lt;br /&gt;
* File services&lt;br /&gt;
* Infrastructure laboratories&lt;br /&gt;
* Legacy application testing&lt;br /&gt;
* Systems administration training&lt;br /&gt;
&lt;br /&gt;
The issue is not that Server 2016 is a bad operating system.&lt;br /&gt;
&lt;br /&gt;
The issue is that modern Android development tooling has moved beyond the platform assumptions available when Server 2016 was released.&lt;br /&gt;
&lt;br /&gt;
== Recommendation ==&lt;br /&gt;
&lt;br /&gt;
If Android development is a primary objective, do not use Windows Server 2016 as the primary development workstation.&lt;br /&gt;
&lt;br /&gt;
Even on a fully patched installation, modern Android toolchains may depend upon operating system functionality that is unavailable.&lt;br /&gt;
&lt;br /&gt;
A modern desktop operating system or Linux distribution will typically provide:&lt;br /&gt;
&lt;br /&gt;
* Better compatibility&lt;br /&gt;
* Faster setup&lt;br /&gt;
* Fewer troubleshooting sessions&lt;br /&gt;
* A smoother development experience&lt;br /&gt;
&lt;br /&gt;
Most importantly, it allows developers to spend time writing software rather than debugging the toolchain.&lt;br /&gt;
&lt;br /&gt;
== Conclusion ==&lt;br /&gt;
&lt;br /&gt;
Windows Server 2016 remains a capable infrastructure platform, but it is no longer an optimal environment for Android development.&lt;br /&gt;
&lt;br /&gt;
Modern Android tooling increasingly assumes operating system capabilities that were introduced after Server 2016&amp;#039;s release.&lt;br /&gt;
&lt;br /&gt;
When development tools fail because of hidden platform dependencies, significant time can be lost before the real cause is identified.&lt;br /&gt;
&lt;br /&gt;
The simplest and most productive solution is usually not to fight the platform, but to choose a development environment that aligns with the expectations of the modern Android ecosystem.&lt;br /&gt;
&lt;br /&gt;
== Related Topics ==&lt;br /&gt;
&lt;br /&gt;
* [[Android Studio]]&lt;br /&gt;
* [[Gradle]]&lt;br /&gt;
* [[Java Development Kit]]&lt;br /&gt;
* [[Development Environment Selection]]&lt;br /&gt;
* [[Linux for Development]]&lt;br /&gt;
* [[Windows Server 2016]]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&lt;br /&gt;
* Android Studio Documentation&lt;br /&gt;
* Gradle Documentation&lt;br /&gt;
* Microsoft Windows API Documentation&lt;br /&gt;
* Dependency Analysis Tools Documentation&lt;/div&gt;</description>
			<pubDate>Mon, 06 Jul 2026 11:16:01 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:Don%27t_Use_Windows_Server_2016_for_Android_Development</comments>
		</item>
		<item>
			<title>Security by Design: Building Trust Through Zero Trust, Cyber Essentials, GDPR and Compliance Frameworks</title>
			<link>https://knowledgebase.pirho.net/index.php?title=Security_by_Design:_Building_Trust_Through_Zero_Trust,_Cyber_Essentials,_GDPR_and_Compliance_Frameworks&amp;diff=436&amp;oldid=420</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=Security_by_Design:_Building_Trust_Through_Zero_Trust,_Cyber_Essentials,_GDPR_and_Compliance_Frameworks&amp;diff=436&amp;oldid=420</guid>
			<description>&lt;p&gt;&lt;/p&gt;
&lt;a href=&quot;https://knowledgebase.pirho.net/index.php?title=Security_by_Design:_Building_Trust_Through_Zero_Trust,_Cyber_Essentials,_GDPR_and_Compliance_Frameworks&amp;amp;diff=436&amp;amp;oldid=420&quot;&gt;Show changes&lt;/a&gt;</description>
			<pubDate>Mon, 06 Jul 2026 08:06:01 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:Security_by_Design:_Building_Trust_Through_Zero_Trust,_Cyber_Essentials,_GDPR_and_Compliance_Frameworks</comments>
		</item>
		<item>
			<title>Cloud Security Architecture</title>
			<link>https://knowledgebase.pirho.net/index.php?title=Cloud_Security_Architecture&amp;diff=432&amp;oldid=429</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=Cloud_Security_Architecture&amp;diff=432&amp;oldid=429</guid>
			<description>&lt;p&gt;&lt;/p&gt;
&lt;a href=&quot;https://knowledgebase.pirho.net/index.php?title=Cloud_Security_Architecture&amp;amp;diff=432&amp;amp;oldid=429&quot;&gt;Show changes&lt;/a&gt;</description>
			<pubDate>Mon, 06 Jul 2026 07:01:18 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:Cloud_Security_Architecture</comments>
		</item>
		<item>
			<title>Business Continuity &amp; Disaster Recovery</title>
			<link>https://knowledgebase.pirho.net/index.php?title=Business_Continuity_%26_Disaster_Recovery&amp;diff=431&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=Business_Continuity_%26_Disaster_Recovery&amp;diff=431&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;  Business Continuity (BC) and Disaster Recovery (DR) are often discussed together, but they solve different problems.  Business Continuity focuses on keeping critical business functions operating during disruption, while Disaster Recovery focuses on restoring systems, applications, and data after a failure has occurred.  A successful organisation does not eliminate risk. Instead, it understands its risks, prepares for likely failure scenarios, and develops...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
Business Continuity (BC) and Disaster Recovery (DR) are often discussed together, but they solve different problems.&lt;br /&gt;
&lt;br /&gt;
Business Continuity focuses on keeping critical business functions operating during disruption, while Disaster Recovery focuses on restoring systems, applications, and data after a failure has occurred.&lt;br /&gt;
&lt;br /&gt;
A successful organisation does not eliminate risk. Instead, it understands its risks, prepares for likely failure scenarios, and develops practical procedures that allow the business to continue operating when incidents occur.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
Every organisation experiences disruption.&lt;br /&gt;
&lt;br /&gt;
The cause may be technical, environmental, operational, or human:&lt;br /&gt;
&lt;br /&gt;
* Hardware failure&lt;br /&gt;
* Software defects&lt;br /&gt;
* Cyber attacks&lt;br /&gt;
* Power outages&lt;br /&gt;
* Internet connectivity failures&lt;br /&gt;
* Flooding&lt;br /&gt;
* Fire&lt;br /&gt;
* Human error&lt;br /&gt;
* Supplier failure&lt;br /&gt;
&lt;br /&gt;
The question is not whether disruption will occur, but whether the organisation can continue operating when it does.&lt;br /&gt;
&lt;br /&gt;
Business Continuity and Disaster Recovery provide the framework for answering that question.&lt;br /&gt;
&lt;br /&gt;
=== Common Misconceptions ===&lt;br /&gt;
&lt;br /&gt;
* Backups are not a Disaster Recovery strategy.&lt;br /&gt;
* Disaster Recovery is not Business Continuity.&lt;br /&gt;
* Cloud services do not automatically eliminate business continuity risks.&lt;br /&gt;
* Redundancy does not replace planning.&lt;br /&gt;
* Technology alone cannot solve continuity challenges.&lt;br /&gt;
&lt;br /&gt;
=== Why It Matters ===&lt;br /&gt;
&lt;br /&gt;
The impact of service disruption extends far beyond IT systems.&lt;br /&gt;
&lt;br /&gt;
Potential consequences include:&lt;br /&gt;
&lt;br /&gt;
* Lost revenue&lt;br /&gt;
* Decreased productivity&lt;br /&gt;
* Regulatory consequences&lt;br /&gt;
* Reputational damage&lt;br /&gt;
* Loss of customer confidence&lt;br /&gt;
* Contractual penalties&lt;br /&gt;
&lt;br /&gt;
The longer an outage continues, the more expensive it becomes.&lt;br /&gt;
&lt;br /&gt;
== Core Concepts ==&lt;br /&gt;
&lt;br /&gt;
=== Business Continuity ===&lt;br /&gt;
&lt;br /&gt;
Business Continuity focuses on maintaining business operations during disruption.&lt;br /&gt;
&lt;br /&gt;
Typical questions include:&lt;br /&gt;
&lt;br /&gt;
* Can staff continue working?&lt;br /&gt;
* Can customers still receive services?&lt;br /&gt;
* Can orders still be processed?&lt;br /&gt;
* Can communication continue?&lt;br /&gt;
&lt;br /&gt;
Business Continuity planning often involves:&lt;br /&gt;
&lt;br /&gt;
* Alternative work locations&lt;br /&gt;
* Manual fallback procedures&lt;br /&gt;
* Communication plans&lt;br /&gt;
* Alternative suppliers&lt;br /&gt;
* Emergency operating procedures&lt;br /&gt;
&lt;br /&gt;
The objective is to ensure the business remains functional.&lt;br /&gt;
&lt;br /&gt;
=== Disaster Recovery ===&lt;br /&gt;
&lt;br /&gt;
Disaster Recovery focuses on restoring technology services.&lt;br /&gt;
&lt;br /&gt;
Typical questions include:&lt;br /&gt;
&lt;br /&gt;
* How quickly can systems be restored?&lt;br /&gt;
* How much data loss is acceptable?&lt;br /&gt;
* Which systems must be recovered first?&lt;br /&gt;
* What dependencies exist?&lt;br /&gt;
&lt;br /&gt;
Disaster Recovery planning commonly includes:&lt;br /&gt;
&lt;br /&gt;
* Backup strategies&lt;br /&gt;
* Replication technologies&lt;br /&gt;
* Recovery procedures&lt;br /&gt;
* Recovery testing&lt;br /&gt;
* Infrastructure replacement plans&lt;br /&gt;
&lt;br /&gt;
The objective is to restore technical services within acceptable timescales.&lt;br /&gt;
&lt;br /&gt;
=== Recovery Time Objective (RTO) ===&lt;br /&gt;
&lt;br /&gt;
RTO defines the maximum acceptable duration of service outage.&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
* Email system: 8 hours&lt;br /&gt;
* Customer portal: 1 hour&lt;br /&gt;
* Public website: 24 hours&lt;br /&gt;
&lt;br /&gt;
The lower the RTO, the greater the complexity and cost of the solution.&lt;br /&gt;
&lt;br /&gt;
=== Recovery Point Objective (RPO) ===&lt;br /&gt;
&lt;br /&gt;
RPO defines the maximum acceptable amount of data loss.&lt;br /&gt;
&lt;br /&gt;
Examples:&lt;br /&gt;
&lt;br /&gt;
* 24-hour RPO = potentially lose one day&amp;#039;s data&lt;br /&gt;
* 1-hour RPO = potentially lose one hour&amp;#039;s data&lt;br /&gt;
* Near-zero RPO = continuous replication&lt;br /&gt;
&lt;br /&gt;
Like RTO, lower RPOs generally increase implementation costs.&lt;br /&gt;
&lt;br /&gt;
== Reference Architectures ==&lt;br /&gt;
&lt;br /&gt;
=== Small Organisation ===&lt;br /&gt;
&lt;br /&gt;
A typical small business recovery model might consist of:&lt;br /&gt;
&lt;br /&gt;
* On-premises servers&lt;br /&gt;
* Local backups&lt;br /&gt;
* Cloud backup repository&lt;br /&gt;
* Basic recovery documentation&lt;br /&gt;
&lt;br /&gt;
Benefits:&lt;br /&gt;
&lt;br /&gt;
* Low cost&lt;br /&gt;
* Simple management&lt;br /&gt;
&lt;br /&gt;
Limitations:&lt;br /&gt;
&lt;br /&gt;
* Longer recovery times&lt;br /&gt;
* Greater operational dependency on individuals&lt;br /&gt;
&lt;br /&gt;
=== Enterprise Organisation ===&lt;br /&gt;
&lt;br /&gt;
Enterprise environments typically introduce:&lt;br /&gt;
&lt;br /&gt;
* Geographic redundancy&lt;br /&gt;
* Multiple data centres&lt;br /&gt;
* Clustered infrastructure&lt;br /&gt;
* Replicated storage&lt;br /&gt;
* Automated failover systems&lt;br /&gt;
&lt;br /&gt;
Benefits:&lt;br /&gt;
&lt;br /&gt;
* Reduced downtime&lt;br /&gt;
* Greater resilience&lt;br /&gt;
&lt;br /&gt;
Limitations:&lt;br /&gt;
&lt;br /&gt;
* Increased complexity&lt;br /&gt;
* Higher implementation and operational costs&lt;br /&gt;
&lt;br /&gt;
=== Hybrid Approach ===&lt;br /&gt;
&lt;br /&gt;
Many organisations operate between these extremes.&lt;br /&gt;
&lt;br /&gt;
Common examples include:&lt;br /&gt;
&lt;br /&gt;
* Microsoft 365 with on-premises line-of-business applications&lt;br /&gt;
* Cloud-hosted infrastructure with local file services&lt;br /&gt;
* Hybrid Active Directory deployments&lt;br /&gt;
&lt;br /&gt;
Hybrid models often provide an effective balance between cost, flexibility, and resilience.&lt;br /&gt;
&lt;br /&gt;
== Operational Lifecycle ==&lt;br /&gt;
&lt;br /&gt;
=== Build ===&lt;br /&gt;
&lt;br /&gt;
During the design phase:&lt;br /&gt;
&lt;br /&gt;
* Identify critical services&lt;br /&gt;
* Determine dependencies&lt;br /&gt;
* Define RTO and RPO requirements&lt;br /&gt;
* Assess risk exposure&lt;br /&gt;
&lt;br /&gt;
=== Run ===&lt;br /&gt;
&lt;br /&gt;
During normal operations:&lt;br /&gt;
&lt;br /&gt;
* Monitor systems&lt;br /&gt;
* Verify backups&lt;br /&gt;
* Review changes&lt;br /&gt;
* Maintain documentation&lt;br /&gt;
&lt;br /&gt;
=== Maintain ===&lt;br /&gt;
&lt;br /&gt;
Continuity plans must evolve alongside the environment.&lt;br /&gt;
&lt;br /&gt;
Review should occur when:&lt;br /&gt;
&lt;br /&gt;
* New systems are introduced&lt;br /&gt;
* Infrastructure changes significantly&lt;br /&gt;
* Business processes change&lt;br /&gt;
* Suppliers change&lt;br /&gt;
&lt;br /&gt;
=== Retire ===&lt;br /&gt;
&lt;br /&gt;
Decommissioning systems should include:&lt;br /&gt;
&lt;br /&gt;
* Data archival requirements&lt;br /&gt;
* Regulatory retention obligations&lt;br /&gt;
* Recovery plan updates&lt;br /&gt;
* Documentation updates&lt;br /&gt;
&lt;br /&gt;
== Practical Application ==&lt;br /&gt;
&lt;br /&gt;
=== Identifying Critical Services ===&lt;br /&gt;
&lt;br /&gt;
Not all systems are equal.&lt;br /&gt;
&lt;br /&gt;
A common mistake is assuming every service is mission critical.&lt;br /&gt;
&lt;br /&gt;
Instead, classify systems according to business impact.&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
! System&lt;br /&gt;
! Priority&lt;br /&gt;
! Business Impact&lt;br /&gt;
|-&lt;br /&gt;
| ERP System&lt;br /&gt;
| Critical&lt;br /&gt;
| Financial operation stops&lt;br /&gt;
|-&lt;br /&gt;
| Email&lt;br /&gt;
| High&lt;br /&gt;
| Significant disruption&lt;br /&gt;
|-&lt;br /&gt;
| Intranet&lt;br /&gt;
| Medium&lt;br /&gt;
| Operational inconvenience&lt;br /&gt;
|-&lt;br /&gt;
| Archive Server&lt;br /&gt;
| Low&lt;br /&gt;
| Minimal immediate impact&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
Recovery efforts should prioritise critical systems first.&lt;br /&gt;
&lt;br /&gt;
=== Mapping Dependencies ===&lt;br /&gt;
&lt;br /&gt;
Many recovery failures occur because dependencies were not identified.&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
Customer Portal&lt;br /&gt;
    |&lt;br /&gt;
    +-- SQL Database&lt;br /&gt;
    |&lt;br /&gt;
    +-- Active Directory&lt;br /&gt;
    |&lt;br /&gt;
    +-- DNS&lt;br /&gt;
    |&lt;br /&gt;
    +-- Internet Connectivity&lt;br /&gt;
    |&lt;br /&gt;
    +-- SSL Certificates&lt;br /&gt;
&lt;br /&gt;
Recovering the portal without restoring its dependencies achieves nothing.&lt;br /&gt;
&lt;br /&gt;
== Common Pitfalls ==&lt;br /&gt;
&lt;br /&gt;
=== Backups Are Never Tested ===&lt;br /&gt;
&lt;br /&gt;
A backup is merely a theory until restoration has been successfully demonstrated.&lt;br /&gt;
&lt;br /&gt;
Regular restore testing should be mandatory.&lt;br /&gt;
&lt;br /&gt;
=== Documentation Exists Only in Production ===&lt;br /&gt;
&lt;br /&gt;
Recovery procedures stored on failed systems are of little value.&lt;br /&gt;
&lt;br /&gt;
Critical documentation should exist in multiple accessible locations.&lt;br /&gt;
&lt;br /&gt;
=== Key Knowledge Resides with One Person ===&lt;br /&gt;
&lt;br /&gt;
Many organisations possess undocumented systems understood by only one administrator.&lt;br /&gt;
&lt;br /&gt;
This represents a significant business risk.&lt;br /&gt;
&lt;br /&gt;
=== Recovery Plans Are Never Practised ===&lt;br /&gt;
&lt;br /&gt;
The first execution of a DR plan should never occur during a real disaster.&lt;br /&gt;
&lt;br /&gt;
Testing frequently exposes assumptions, dependencies, and documentation gaps.&lt;br /&gt;
&lt;br /&gt;
== Security Implications ==&lt;br /&gt;
&lt;br /&gt;
Business Continuity and Cyber Security are closely related.&lt;br /&gt;
&lt;br /&gt;
Attackers increasingly target:&lt;br /&gt;
&lt;br /&gt;
* Backup systems&lt;br /&gt;
* Replication systems&lt;br /&gt;
* Identity services&lt;br /&gt;
* Recovery infrastructure&lt;br /&gt;
&lt;br /&gt;
Key recommendations include:&lt;br /&gt;
&lt;br /&gt;
* Immutable backups&lt;br /&gt;
* Offline backup copies&lt;br /&gt;
* Multi-factor authentication&lt;br /&gt;
* Privileged access controls&lt;br /&gt;
* Separate recovery credentials&lt;br /&gt;
&lt;br /&gt;
Recovery systems should be considered critical security assets.&lt;br /&gt;
&lt;br /&gt;
== Troubleshooting &amp;amp; Diagnostics ==&lt;br /&gt;
&lt;br /&gt;
When assessing resilience, ask:&lt;br /&gt;
&lt;br /&gt;
=== Backup Health ===&lt;br /&gt;
&lt;br /&gt;
* Are backups completing successfully?&lt;br /&gt;
* Are failures monitored?&lt;br /&gt;
* Are restore tests performed?&lt;br /&gt;
&lt;br /&gt;
=== Infrastructure Resilience ===&lt;br /&gt;
&lt;br /&gt;
* Are there single points of failure?&lt;br /&gt;
* Is failover tested?&lt;br /&gt;
* Is monitoring effective?&lt;br /&gt;
&lt;br /&gt;
=== Operational Readiness ===&lt;br /&gt;
&lt;br /&gt;
* Is documentation current?&lt;br /&gt;
* Are responsibilities assigned?&lt;br /&gt;
* Are contact lists accurate?&lt;br /&gt;
&lt;br /&gt;
=== Recovery Capability ===&lt;br /&gt;
&lt;br /&gt;
* Has recovery been rehearsed?&lt;br /&gt;
* Are recovery times measured?&lt;br /&gt;
* Can critical services actually meet RTO targets?&lt;br /&gt;
&lt;br /&gt;
== Design &amp;amp; Architecture Considerations ==&lt;br /&gt;
&lt;br /&gt;
=== Scalability ===&lt;br /&gt;
&lt;br /&gt;
Recovery solutions should grow alongside the business.&lt;br /&gt;
&lt;br /&gt;
=== Security ===&lt;br /&gt;
&lt;br /&gt;
Protect recovery infrastructure as carefully as production systems.&lt;br /&gt;
&lt;br /&gt;
=== Maintainability ===&lt;br /&gt;
&lt;br /&gt;
Complex recovery solutions often fail because they become difficult to support.&lt;br /&gt;
&lt;br /&gt;
Prefer solutions that operations teams understand and can maintain confidently.&lt;br /&gt;
&lt;br /&gt;
=== Backwards Compatibility ===&lt;br /&gt;
&lt;br /&gt;
Legacy systems frequently outlive expectations.&lt;br /&gt;
&lt;br /&gt;
Recovery planning should account for unsupported applications and historical dependencies.&lt;br /&gt;
&lt;br /&gt;
== Lessons from the Real World ==&lt;br /&gt;
&lt;br /&gt;
Most major outages are not caused by dramatic disasters.&lt;br /&gt;
&lt;br /&gt;
They are usually caused by ordinary events:&lt;br /&gt;
&lt;br /&gt;
* Failed storage&lt;br /&gt;
* Expired certificates&lt;br /&gt;
* Configuration mistakes&lt;br /&gt;
* Software updates&lt;br /&gt;
* Human error&lt;br /&gt;
* Supplier outages&lt;br /&gt;
&lt;br /&gt;
The most resilient organisations are not those that never fail.&lt;br /&gt;
&lt;br /&gt;
They are the organisations that expect failure, prepare for it, and recover methodically.&lt;br /&gt;
&lt;br /&gt;
A continuity plan should never aim to create the illusion that disruption is impossible.&lt;br /&gt;
&lt;br /&gt;
Its purpose is to ensure that disruption becomes manageable.&lt;br /&gt;
&lt;br /&gt;
== Related Topics ==&lt;br /&gt;
&lt;br /&gt;
* [[Risk Management]]&lt;br /&gt;
* [[High Availability]]&lt;br /&gt;
* [[Backup Strategies]]&lt;br /&gt;
* [[Infrastructure Architecture]]&lt;br /&gt;
* [[Capacity Planning]]&lt;br /&gt;
* [[Cyber Security Fundamentals]]&lt;br /&gt;
* [[Cloud Migration Strategy]]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&lt;br /&gt;
* ISO 22301 Business Continuity Management&lt;br /&gt;
* ISO 27001 Information Security Management&lt;br /&gt;
* NIST Cybersecurity Framework&lt;br /&gt;
* NIST SP 800-34 Contingency Planning Guide&lt;br /&gt;
* Vendor backup and recovery documentation&lt;/div&gt;</description>
			<pubDate>Mon, 06 Jul 2026 06:57:25 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:Business_Continuity_%26_Disaster_Recovery</comments>
		</item>
		<item>
			<title>Data Classification and Handling</title>
			<link>https://knowledgebase.pirho.net/index.php?title=Data_Classification_and_Handling&amp;diff=430&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=Data_Classification_and_Handling&amp;diff=430&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039; Data classification and handling provides a structured approach for identifying the sensitivity, value, and criticality of information, and applying appropriate controls throughout its lifecycle. Effective classification helps organisations protect information assets, comply with regulatory obligations, reduce risk, and ensure that data is used, transmitted, stored, and disposed of appropriately.  == Context ==  Every organisation generates, stores, and pr...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
Data classification and handling provides a structured approach for identifying the sensitivity, value, and criticality of information, and applying appropriate controls throughout its lifecycle. Effective classification helps organisations protect information assets, comply with regulatory obligations, reduce risk, and ensure that data is used, transmitted, stored, and disposed of appropriately.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
Every organisation generates, stores, and processes information. Some of that information is intended for public consumption, while other information may be commercially sensitive, legally protected, or critical to operational success.&lt;br /&gt;
&lt;br /&gt;
Without a formal classification scheme, employees are left to make subjective decisions about how information should be protected, increasing the risk of accidental disclosure, regulatory breaches, and operational disruption.&lt;br /&gt;
&lt;br /&gt;
Data classification provides consistency. It establishes a common understanding of the sensitivity of information and defines the controls required to protect it.&lt;br /&gt;
&lt;br /&gt;
=== Common Drivers ===&lt;br /&gt;
&lt;br /&gt;
* Information security&lt;br /&gt;
* Privacy protection&lt;br /&gt;
* Regulatory compliance&lt;br /&gt;
* Contractual obligations&lt;br /&gt;
* Business continuity&lt;br /&gt;
* Intellectual property protection&lt;br /&gt;
* Risk management&lt;br /&gt;
&lt;br /&gt;
=== Common Misconceptions ===&lt;br /&gt;
&lt;br /&gt;
* Classification is not simply applying a label.&lt;br /&gt;
* Classification is not exclusively an IT responsibility.&lt;br /&gt;
* Classification does not automatically provide protection.&lt;br /&gt;
* Classification schemes are ineffective without handling procedures.&lt;br /&gt;
&lt;br /&gt;
== Why Data Classification Matters ==&lt;br /&gt;
&lt;br /&gt;
Data classification is the foundation of information governance.&lt;br /&gt;
&lt;br /&gt;
An organisation cannot effectively protect information if it does not understand the sensitivity and value of the information it possesses.&lt;br /&gt;
&lt;br /&gt;
Classification enables organisations to:&lt;br /&gt;
&lt;br /&gt;
* Apply proportionate security controls&lt;br /&gt;
* Define access requirements&lt;br /&gt;
* Determine encryption requirements&lt;br /&gt;
* Establish retention periods&lt;br /&gt;
* Support regulatory compliance&lt;br /&gt;
* Prioritise monitoring and auditing activities&lt;br /&gt;
* Reduce the impact of security incidents&lt;br /&gt;
&lt;br /&gt;
=== Risk Reduction ===&lt;br /&gt;
&lt;br /&gt;
Not all information carries the same level of risk.&lt;br /&gt;
&lt;br /&gt;
The accidental publication of a company newsletter may have little consequence. The accidental disclosure of customer records, financial information, or intellectual property could result in significant financial, legal, or reputational damage.&lt;br /&gt;
&lt;br /&gt;
Classification allows protective controls to be aligned with actual risk.&lt;br /&gt;
&lt;br /&gt;
=== Regulatory Requirements ===&lt;br /&gt;
&lt;br /&gt;
Many regulations and standards require organisations to identify and appropriately protect sensitive information.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* General Data Protection Regulation (GDPR)&lt;br /&gt;
* ISO 27001&lt;br /&gt;
* PCI-DSS&lt;br /&gt;
* NHS Data Security Standards&lt;br /&gt;
* Government security frameworks&lt;br /&gt;
&lt;br /&gt;
Classification helps demonstrate that information is being managed in accordance with legal and contractual obligations.&lt;br /&gt;
&lt;br /&gt;
=== Operational Consistency ===&lt;br /&gt;
&lt;br /&gt;
A clear classification scheme ensures that employees, contractors, and third parties handle information consistently across the organisation.&lt;br /&gt;
&lt;br /&gt;
This reduces ambiguity and improves decision-making.&lt;br /&gt;
&lt;br /&gt;
== Classification Levels ==&lt;br /&gt;
&lt;br /&gt;
There is no universal classification model. Organisations should adopt a model appropriate to their operational requirements and risk profile.&lt;br /&gt;
&lt;br /&gt;
A common commercial model is shown below.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Public&lt;br /&gt;
│&lt;br /&gt;
├── Internal&lt;br /&gt;
│&lt;br /&gt;
├── Confidential&lt;br /&gt;
│&lt;br /&gt;
└── Restricted&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Public ===&lt;br /&gt;
&lt;br /&gt;
Information intended for unrestricted distribution.&lt;br /&gt;
&lt;br /&gt;
Examples:&lt;br /&gt;
&lt;br /&gt;
* Marketing materials&lt;br /&gt;
* Published product information&lt;br /&gt;
* Press releases&lt;br /&gt;
* Public website content&lt;br /&gt;
&lt;br /&gt;
Disclosure presents little or no risk to the organisation.&lt;br /&gt;
&lt;br /&gt;
=== Internal ===&lt;br /&gt;
&lt;br /&gt;
Information intended for use within the organisation.&lt;br /&gt;
&lt;br /&gt;
Examples:&lt;br /&gt;
&lt;br /&gt;
* Internal procedures&lt;br /&gt;
* Staff directories&lt;br /&gt;
* Meeting notes&lt;br /&gt;
* Standard operating documentation&lt;br /&gt;
&lt;br /&gt;
Unauthorised disclosure may cause inconvenience but is unlikely to result in significant harm.&lt;br /&gt;
&lt;br /&gt;
=== Confidential ===&lt;br /&gt;
&lt;br /&gt;
Information that could harm the organisation, its customers, or its partners if disclosed.&lt;br /&gt;
&lt;br /&gt;
Examples:&lt;br /&gt;
&lt;br /&gt;
* Customer information&lt;br /&gt;
* Financial records&lt;br /&gt;
* Commercial contracts&lt;br /&gt;
* Project documentation&lt;br /&gt;
* Security documentation&lt;br /&gt;
&lt;br /&gt;
Confidential information typically requires controlled access and protected transmission methods.&lt;br /&gt;
&lt;br /&gt;
=== Restricted ===&lt;br /&gt;
&lt;br /&gt;
Highly sensitive information requiring the highest level of protection.&lt;br /&gt;
&lt;br /&gt;
Examples:&lt;br /&gt;
&lt;br /&gt;
* Cryptographic material&lt;br /&gt;
* Merger and acquisition information&lt;br /&gt;
* Security incident investigations&lt;br /&gt;
* Authentication systems&lt;br /&gt;
* Strategic business plans&lt;br /&gt;
&lt;br /&gt;
Disclosure could cause severe financial, operational, legal, or reputational damage.&lt;br /&gt;
&lt;br /&gt;
== Data Handling Requirements ==&lt;br /&gt;
&lt;br /&gt;
Classification only becomes meaningful when it drives handling requirements.&lt;br /&gt;
&lt;br /&gt;
Every classification level should define how information is:&lt;br /&gt;
&lt;br /&gt;
* Stored&lt;br /&gt;
* Accessed&lt;br /&gt;
* Transmitted&lt;br /&gt;
* Retained&lt;br /&gt;
* Disposed of&lt;br /&gt;
&lt;br /&gt;
=== The Four States of Information ===&lt;br /&gt;
&lt;br /&gt;
Information exists in multiple states throughout its lifecycle.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Data at Rest&lt;br /&gt;
      ↓&lt;br /&gt;
Data in Use&lt;br /&gt;
      ↓&lt;br /&gt;
Data in Transit&lt;br /&gt;
      ↓&lt;br /&gt;
Data in Disposal&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Protective controls should be considered for every state.&lt;br /&gt;
&lt;br /&gt;
=== Data at Rest ===&lt;br /&gt;
&lt;br /&gt;
Data at rest refers to information stored on systems or media.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* File servers&lt;br /&gt;
* Databases&lt;br /&gt;
* SharePoint&lt;br /&gt;
* OneDrive&lt;br /&gt;
* Backup systems&lt;br /&gt;
* Portable storage devices&lt;br /&gt;
&lt;br /&gt;
Controls may include:&lt;br /&gt;
&lt;br /&gt;
* Encryption&lt;br /&gt;
* Access controls&lt;br /&gt;
* Data segregation&lt;br /&gt;
* Monitoring&lt;br /&gt;
* Backup protection&lt;br /&gt;
&lt;br /&gt;
=== Data in Use ===&lt;br /&gt;
&lt;br /&gt;
Data in use refers to information actively being viewed or processed.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Documents opened on workstations&lt;br /&gt;
* Reports displayed on-screen&lt;br /&gt;
* Data processed by applications&lt;br /&gt;
&lt;br /&gt;
Controls may include:&lt;br /&gt;
&lt;br /&gt;
* Session timeouts&lt;br /&gt;
* Screen locking&lt;br /&gt;
* Privileged access management&lt;br /&gt;
* Endpoint protection&lt;br /&gt;
* Rights management solutions&lt;br /&gt;
&lt;br /&gt;
=== Data in Transit ===&lt;br /&gt;
&lt;br /&gt;
Data in transit refers to information moving between systems.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Email&lt;br /&gt;
* API communications&lt;br /&gt;
* File transfers&lt;br /&gt;
* Web traffic&lt;br /&gt;
&lt;br /&gt;
Controls may include:&lt;br /&gt;
&lt;br /&gt;
* TLS encryption&lt;br /&gt;
* VPN technologies&lt;br /&gt;
* Protected file sharing platforms&lt;br /&gt;
* Secure messaging solutions&lt;br /&gt;
&lt;br /&gt;
=== Disposal ===&lt;br /&gt;
&lt;br /&gt;
Information must remain protected until it is securely destroyed.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Physical records&lt;br /&gt;
* Hard drives&lt;br /&gt;
* Backup media&lt;br /&gt;
* Archived documents&lt;br /&gt;
&lt;br /&gt;
Controls may include:&lt;br /&gt;
&lt;br /&gt;
* Secure shredding&lt;br /&gt;
* Cryptographic erasure&lt;br /&gt;
* Certified destruction services&lt;br /&gt;
* Retention enforcement policies&lt;br /&gt;
&lt;br /&gt;
== Practical Examples ==&lt;br /&gt;
&lt;br /&gt;
=== Customer Records ===&lt;br /&gt;
&lt;br /&gt;
Customer information often contains:&lt;br /&gt;
&lt;br /&gt;
* Names&lt;br /&gt;
* Addresses&lt;br /&gt;
* Contact details&lt;br /&gt;
* Transaction history&lt;br /&gt;
&lt;br /&gt;
Such information would normally be classified as Confidential and protected through access controls, monitoring, and encryption.&lt;br /&gt;
&lt;br /&gt;
=== Financial Information ===&lt;br /&gt;
&lt;br /&gt;
Financial reports, forecasts, and budgets may influence business decisions and commercial negotiations.&lt;br /&gt;
&lt;br /&gt;
Access should typically be restricted to authorised personnel and management.&lt;br /&gt;
&lt;br /&gt;
=== Technical Documentation ===&lt;br /&gt;
&lt;br /&gt;
Not all technical documentation is sensitive.&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
* User guides may be Public.&lt;br /&gt;
* Internal architecture documents may be Internal.&lt;br /&gt;
* Network diagrams and security configurations may be Confidential or Restricted.&lt;br /&gt;
&lt;br /&gt;
Classification depends upon potential impact rather than document type alone.&lt;br /&gt;
&lt;br /&gt;
== Common Pitfalls ==&lt;br /&gt;
&lt;br /&gt;
=== Classification Without Controls ===&lt;br /&gt;
&lt;br /&gt;
One of the most common failures is implementing labels without corresponding handling requirements.&lt;br /&gt;
&lt;br /&gt;
A document marked &amp;quot;Confidential&amp;quot; provides little protection if:&lt;br /&gt;
&lt;br /&gt;
* Anyone can access it.&lt;br /&gt;
* It can be freely emailed externally.&lt;br /&gt;
* It can be copied to unmanaged devices.&lt;br /&gt;
&lt;br /&gt;
Classification must drive action.&lt;br /&gt;
&lt;br /&gt;
=== Over-Classification ===&lt;br /&gt;
&lt;br /&gt;
Classifying everything as highly sensitive creates operational friction.&lt;br /&gt;
&lt;br /&gt;
Employees eventually ignore classifications that appear excessive or unrealistic.&lt;br /&gt;
&lt;br /&gt;
The objective is accuracy, not maximum restriction.&lt;br /&gt;
&lt;br /&gt;
=== User Confusion ===&lt;br /&gt;
&lt;br /&gt;
If employees cannot easily determine the correct classification, incorrect classifications become inevitable.&lt;br /&gt;
&lt;br /&gt;
Classification schemes should be simple, understandable, and practical.&lt;br /&gt;
&lt;br /&gt;
=== Focusing Only on Storage ===&lt;br /&gt;
&lt;br /&gt;
Many organisations secure data repositories but overlook what happens after information leaves them.&lt;br /&gt;
&lt;br /&gt;
Common examples include:&lt;br /&gt;
&lt;br /&gt;
* Screenshots&lt;br /&gt;
* Printed documents&lt;br /&gt;
* Downloads&lt;br /&gt;
* Email attachments&lt;br /&gt;
* Mobile device storage&lt;br /&gt;
&lt;br /&gt;
Handling controls must follow information throughout its lifecycle.&lt;br /&gt;
&lt;br /&gt;
== Design &amp;amp; Architecture Considerations ==&lt;br /&gt;
&lt;br /&gt;
Classification should drive security architecture decisions.&lt;br /&gt;
&lt;br /&gt;
The relationship is typically:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Classification&lt;br /&gt;
       ↓&lt;br /&gt;
Access Control&lt;br /&gt;
       ↓&lt;br /&gt;
Protection Mechanisms&lt;br /&gt;
       ↓&lt;br /&gt;
Monitoring&lt;br /&gt;
       ↓&lt;br /&gt;
Retention&lt;br /&gt;
       ↓&lt;br /&gt;
Disposal&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Access Control ===&lt;br /&gt;
&lt;br /&gt;
Access should be granted according to business need rather than convenience.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Role-Based Access Control (RBAC)&lt;br /&gt;
* Attribute-Based Access Control (ABAC)&lt;br /&gt;
* Least privilege principles&lt;br /&gt;
&lt;br /&gt;
=== Encryption ===&lt;br /&gt;
&lt;br /&gt;
Encryption requirements should align with classification levels.&lt;br /&gt;
&lt;br /&gt;
Higher classifications generally require stronger protections for storage and transmission.&lt;br /&gt;
&lt;br /&gt;
=== Monitoring ===&lt;br /&gt;
&lt;br /&gt;
Sensitive information should attract increased monitoring and auditing.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Access logging&lt;br /&gt;
* Data access monitoring&lt;br /&gt;
* Anomaly detection&lt;br /&gt;
* Data Loss Prevention (DLP)&lt;br /&gt;
&lt;br /&gt;
=== Retention and Disposal ===&lt;br /&gt;
&lt;br /&gt;
Information should not be retained indefinitely.&lt;br /&gt;
&lt;br /&gt;
Retention policies should balance:&lt;br /&gt;
&lt;br /&gt;
* Legal requirements&lt;br /&gt;
* Business requirements&lt;br /&gt;
* Security considerations&lt;br /&gt;
* Storage costs&lt;br /&gt;
&lt;br /&gt;
== Troubleshooting &amp;amp; Auditing ==&lt;br /&gt;
&lt;br /&gt;
=== Classification Reviews ===&lt;br /&gt;
&lt;br /&gt;
Regular reviews help ensure classifications remain accurate as business requirements evolve.&lt;br /&gt;
&lt;br /&gt;
Key questions include:&lt;br /&gt;
&lt;br /&gt;
* Is the classification still appropriate?&lt;br /&gt;
* Has the information become public?&lt;br /&gt;
* Have regulatory requirements changed?&lt;br /&gt;
&lt;br /&gt;
=== Access Auditing ===&lt;br /&gt;
&lt;br /&gt;
Periodic audits should verify that:&lt;br /&gt;
&lt;br /&gt;
* Access remains justified.&lt;br /&gt;
* Permissions remain appropriate.&lt;br /&gt;
* Former employees no longer retain access.&lt;br /&gt;
&lt;br /&gt;
=== Incident Investigation ===&lt;br /&gt;
&lt;br /&gt;
Classification information is valuable during security investigations.&lt;br /&gt;
&lt;br /&gt;
It helps determine:&lt;br /&gt;
&lt;br /&gt;
* Potential impact&lt;br /&gt;
* Notification requirements&lt;br /&gt;
* Escalation paths&lt;br /&gt;
* Remediation priorities&lt;br /&gt;
&lt;br /&gt;
== Design Philosophy ==&lt;br /&gt;
&lt;br /&gt;
Data classification should not be viewed as a compliance exercise.&lt;br /&gt;
&lt;br /&gt;
It is an operational mechanism for making informed security decisions.&lt;br /&gt;
&lt;br /&gt;
The objective is not to label information.&lt;br /&gt;
&lt;br /&gt;
The objective is to understand the impact of compromise and apply controls proportionate to the associated risk.&lt;br /&gt;
&lt;br /&gt;
When implemented correctly, classification becomes the foundation upon which access control, encryption, monitoring, retention, and disposal strategies are built.&lt;br /&gt;
&lt;br /&gt;
== Related Topics ==&lt;br /&gt;
&lt;br /&gt;
* [[Information Security Fundamentals]]&lt;br /&gt;
* [[Information Lifecycle Management]]&lt;br /&gt;
* [[Data Loss Prevention]]&lt;br /&gt;
* [[Access Control Models]]&lt;br /&gt;
* [[Encryption Technologies]]&lt;br /&gt;
* [[Records Management]]&lt;br /&gt;
* [[GDPR]]&lt;br /&gt;
* [[Microsoft Purview Information Protection]]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&lt;br /&gt;
* ISO/IEC 27001&lt;br /&gt;
* ISO/IEC 27002&lt;br /&gt;
* ISO/IEC 27701&lt;br /&gt;
* GDPR&lt;br /&gt;
* NIST Information Classification Guidance&lt;br /&gt;
* PCI-DSS&lt;br /&gt;
* Microsoft Purview Information Protection Documentation&lt;/div&gt;</description>
			<pubDate>Mon, 06 Jul 2026 06:56:50 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:Data_Classification_and_Handling</comments>
		</item>
		<item>
			<title>Cloud Security Architecture</title>
			<link>https://knowledgebase.pirho.net/index.php?title=Cloud_Security_Architecture&amp;diff=429&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=Cloud_Security_Architecture&amp;diff=429&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;== Introduction ==  Cloud Security Architecture is the structured design of security controls, policies, technologies, and operational processes intended to protect cloud-based systems, applications, data, and services. It provides a framework for securing cloud environments while supporting business objectives such as scalability, availability, performance, compliance, and cost efficiency.  As organisations increasingly migrate workloads to public, private, and hybrid c...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
Cloud Security Architecture is the structured design of security controls, policies, technologies, and operational processes intended to protect cloud-based systems, applications, data, and services. It provides a framework for securing cloud environments while supporting business objectives such as scalability, availability, performance, compliance, and cost efficiency.&lt;br /&gt;
&lt;br /&gt;
As organisations increasingly migrate workloads to public, private, and hybrid cloud platforms, security architecture has become a fundamental discipline that ensures the confidentiality, integrity, and availability of information assets across distributed and often globally accessible environments.&lt;br /&gt;
&lt;br /&gt;
Cloud Security Architecture combines traditional information security principles with cloud-native technologies and operational practices to create a resilient and adaptable security posture.&lt;br /&gt;
&lt;br /&gt;
== Objectives ==&lt;br /&gt;
&lt;br /&gt;
The primary objectives of Cloud Security Architecture include:&lt;br /&gt;
&lt;br /&gt;
* Protecting sensitive information and business assets.&lt;br /&gt;
* Ensuring regulatory and legal compliance.&lt;br /&gt;
* Managing risk associated with cloud adoption.&lt;br /&gt;
* Enabling secure digital transformation initiatives.&lt;br /&gt;
* Supporting business continuity and disaster recovery.&lt;br /&gt;
* Preventing unauthorised access to systems and data.&lt;br /&gt;
* Detecting and responding to threats in real-time.&lt;br /&gt;
* Maintaining trust with customers, partners, and stakeholders.&lt;br /&gt;
&lt;br /&gt;
== Shared Responsibility Model ==&lt;br /&gt;
&lt;br /&gt;
A fundamental concept in cloud security is the &amp;#039;&amp;#039;&amp;#039;Shared Responsibility Model&amp;#039;&amp;#039;&amp;#039;, which defines the division of security responsibilities between the cloud provider and the customer.&lt;br /&gt;
&lt;br /&gt;
=== Cloud Provider Responsibilities ===&lt;br /&gt;
&lt;br /&gt;
Typically include:&lt;br /&gt;
&lt;br /&gt;
* Physical data centre security.&lt;br /&gt;
* Hardware security.&lt;br /&gt;
* Network infrastructure protection.&lt;br /&gt;
* Hypervisor security.&lt;br /&gt;
* Availability of cloud services.&lt;br /&gt;
&lt;br /&gt;
=== Customer Responsibilities ===&lt;br /&gt;
&lt;br /&gt;
Typically include:&lt;br /&gt;
&lt;br /&gt;
* Identity and access management.&lt;br /&gt;
* Data protection and classification.&lt;br /&gt;
* Operating system security (Infrastructure as a Service).&lt;br /&gt;
* Application security.&lt;br /&gt;
* Configuration management.&lt;br /&gt;
* Security monitoring and governance.&lt;br /&gt;
&lt;br /&gt;
The exact allocation of responsibilities varies depending on the cloud service model.&lt;br /&gt;
&lt;br /&gt;
== Cloud Service Models ==&lt;br /&gt;
&lt;br /&gt;
=== Infrastructure as a Service (IaaS) ===&lt;br /&gt;
&lt;br /&gt;
Provides customers with virtualised infrastructure components including:&lt;br /&gt;
&lt;br /&gt;
* Virtual machines.&lt;br /&gt;
* Storage services.&lt;br /&gt;
* Networking components.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Microsoft Azure Virtual Machines.&lt;br /&gt;
* Amazon EC2.&lt;br /&gt;
* Google Compute Engine.&lt;br /&gt;
&lt;br /&gt;
Customers are responsible for securing operating systems, applications, and data.&lt;br /&gt;
&lt;br /&gt;
=== Platform as a Service (PaaS) ===&lt;br /&gt;
&lt;br /&gt;
Provides managed platforms for application development and deployment.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Azure App Services.&lt;br /&gt;
* Azure SQL Database.&lt;br /&gt;
* Google App Engine.&lt;br /&gt;
&lt;br /&gt;
Security responsibilities shift toward application and data protection.&lt;br /&gt;
&lt;br /&gt;
=== Software as a Service (SaaS) ===&lt;br /&gt;
&lt;br /&gt;
Provides fully managed applications delivered over the internet.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Microsoft 365.&lt;br /&gt;
* Salesforce.&lt;br /&gt;
* ServiceNow.&lt;br /&gt;
&lt;br /&gt;
Customers primarily focus on access control, data governance, and compliance.&lt;br /&gt;
&lt;br /&gt;
== Core Architectural Principles ==&lt;br /&gt;
&lt;br /&gt;
=== Defence in Depth ===&lt;br /&gt;
&lt;br /&gt;
Defence in Depth employs multiple layers of security controls to prevent a single point of failure.&lt;br /&gt;
&lt;br /&gt;
Typical layers include:&lt;br /&gt;
&lt;br /&gt;
# Physical Security&lt;br /&gt;
# Network Security&lt;br /&gt;
# Perimeter Security&lt;br /&gt;
# Identity Security&lt;br /&gt;
# Endpoint Security&lt;br /&gt;
# Application Security&lt;br /&gt;
# Data Security&lt;br /&gt;
# Monitoring and Response&lt;br /&gt;
&lt;br /&gt;
=== Zero Trust ===&lt;br /&gt;
&lt;br /&gt;
Zero Trust assumes that no user, device, application, or network should be automatically trusted.&lt;br /&gt;
&lt;br /&gt;
Core principles include:&lt;br /&gt;
&lt;br /&gt;
* Verify explicitly.&lt;br /&gt;
* Use least privilege access.&lt;br /&gt;
* Assume breach.&lt;br /&gt;
* Continuously validate trust.&lt;br /&gt;
* Monitor all activity.&lt;br /&gt;
&lt;br /&gt;
=== Least Privilege ===&lt;br /&gt;
&lt;br /&gt;
Users and systems should only receive the minimum permissions necessary to perform required tasks.&lt;br /&gt;
&lt;br /&gt;
Benefits include:&lt;br /&gt;
&lt;br /&gt;
* Reduced attack surface.&lt;br /&gt;
* Lower risk of privilege escalation.&lt;br /&gt;
* Improved compliance.&lt;br /&gt;
&lt;br /&gt;
=== Secure by Design ===&lt;br /&gt;
&lt;br /&gt;
Security requirements should be integrated during system design rather than added after deployment.&lt;br /&gt;
&lt;br /&gt;
This includes:&lt;br /&gt;
&lt;br /&gt;
* Threat modelling.&lt;br /&gt;
* Security architecture reviews.&lt;br /&gt;
* Security testing.&lt;br /&gt;
* Secure coding practices.&lt;br /&gt;
&lt;br /&gt;
== Cloud Security Domains ==&lt;br /&gt;
&lt;br /&gt;
=== Identity and Access Management ===&lt;br /&gt;
&lt;br /&gt;
Identity is the primary security perimeter in modern cloud environments.&lt;br /&gt;
&lt;br /&gt;
Key controls include:&lt;br /&gt;
&lt;br /&gt;
* Multi-Factor Authentication (MFA).&lt;br /&gt;
* Conditional Access Policies.&lt;br /&gt;
* Single Sign-On (SSO).&lt;br /&gt;
* Privileged Identity Management (PIM).&lt;br /&gt;
* Role-Based Access Control (RBAC).&lt;br /&gt;
* Federated Authentication.&lt;br /&gt;
&lt;br /&gt;
=== Network Security ===&lt;br /&gt;
&lt;br /&gt;
Cloud network security controls protect communication between resources.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Virtual Networks.&lt;br /&gt;
* Network Security Groups.&lt;br /&gt;
* Firewalls.&lt;br /&gt;
* Web Application Firewalls (WAF).&lt;br /&gt;
* Private Endpoints.&lt;br /&gt;
* VPN Gateways.&lt;br /&gt;
* Bastion Hosts.&lt;br /&gt;
&lt;br /&gt;
=== Data Security ===&lt;br /&gt;
&lt;br /&gt;
Data protection measures focus on securing information throughout its lifecycle.&lt;br /&gt;
&lt;br /&gt;
Controls typically include:&lt;br /&gt;
&lt;br /&gt;
* Encryption at rest.&lt;br /&gt;
* Encryption in transit.&lt;br /&gt;
* Encryption in use.&lt;br /&gt;
* Key Management Systems.&lt;br /&gt;
* Data Loss Prevention (DLP).&lt;br /&gt;
* Information Classification.&lt;br /&gt;
* Data Retention Policies.&lt;br /&gt;
&lt;br /&gt;
=== Application Security ===&lt;br /&gt;
&lt;br /&gt;
Application security protects software workloads deployed in cloud environments.&lt;br /&gt;
&lt;br /&gt;
Key techniques include:&lt;br /&gt;
&lt;br /&gt;
* Secure Development Lifecycle (SDLC).&lt;br /&gt;
* Static Application Security Testing (SAST).&lt;br /&gt;
* Dynamic Application Security Testing (DAST).&lt;br /&gt;
* Dependency Scanning.&lt;br /&gt;
* API Security.&lt;br /&gt;
* Secure Code Reviews.&lt;br /&gt;
&lt;br /&gt;
=== Endpoint Security ===&lt;br /&gt;
&lt;br /&gt;
Endpoints connecting to cloud services require protection through:&lt;br /&gt;
&lt;br /&gt;
* Endpoint Detection and Response (EDR).&lt;br /&gt;
* Anti-malware solutions.&lt;br /&gt;
* Device compliance policies.&lt;br /&gt;
* Mobile Device Management (MDM).&lt;br /&gt;
* Device encryption.&lt;br /&gt;
&lt;br /&gt;
=== Security Operations ===&lt;br /&gt;
&lt;br /&gt;
Security operations provide visibility into cloud environments.&lt;br /&gt;
&lt;br /&gt;
Capabilities include:&lt;br /&gt;
&lt;br /&gt;
* Log aggregation.&lt;br /&gt;
* Security Information and Event Management (SIEM).&lt;br /&gt;
* Security Orchestration, Automation and Response (SOAR).&lt;br /&gt;
* Threat Intelligence.&lt;br /&gt;
* Incident Response.&lt;br /&gt;
* Security Analytics.&lt;br /&gt;
&lt;br /&gt;
== Security Architecture Components ==&lt;br /&gt;
&lt;br /&gt;
=== Governance Layer ===&lt;br /&gt;
&lt;br /&gt;
Provides strategic oversight through:&lt;br /&gt;
&lt;br /&gt;
* Security policies.&lt;br /&gt;
* Security standards.&lt;br /&gt;
* Risk management frameworks.&lt;br /&gt;
* Compliance controls.&lt;br /&gt;
* Audit programmes.&lt;br /&gt;
&lt;br /&gt;
=== Control Layer ===&lt;br /&gt;
&lt;br /&gt;
Implements technical and administrative controls.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Access controls.&lt;br /&gt;
* Monitoring controls.&lt;br /&gt;
* Encryption controls.&lt;br /&gt;
* Configuration standards.&lt;br /&gt;
&lt;br /&gt;
=== Monitoring Layer ===&lt;br /&gt;
&lt;br /&gt;
Provides continuous operational visibility.&lt;br /&gt;
&lt;br /&gt;
Includes:&lt;br /&gt;
&lt;br /&gt;
* Log collection.&lt;br /&gt;
* Event monitoring.&lt;br /&gt;
* Alerting mechanisms.&lt;br /&gt;
* Threat detection systems.&lt;br /&gt;
&lt;br /&gt;
=== Response Layer ===&lt;br /&gt;
&lt;br /&gt;
Manages security incidents through:&lt;br /&gt;
&lt;br /&gt;
* Incident response plans.&lt;br /&gt;
* Security playbooks.&lt;br /&gt;
* Automated remediation.&lt;br /&gt;
* Forensic investigations.&lt;br /&gt;
&lt;br /&gt;
== Cloud Security Technologies ==&lt;br /&gt;
&lt;br /&gt;
Common technologies within modern cloud architectures include:&lt;br /&gt;
&lt;br /&gt;
* Microsoft Defender for Cloud.&lt;br /&gt;
* Microsoft Sentinel.&lt;br /&gt;
* Azure Firewall.&lt;br /&gt;
* Azure Key Vault.&lt;br /&gt;
* Azure DDoS Protection.&lt;br /&gt;
* AWS GuardDuty.&lt;br /&gt;
* AWS Security Hub.&lt;br /&gt;
* Google Security Command Center.&lt;br /&gt;
* CrowdStrike Falcon.&lt;br /&gt;
* Palo Alto Prisma Cloud.&lt;br /&gt;
&lt;br /&gt;
== Common Threats ==&lt;br /&gt;
&lt;br /&gt;
=== Misconfiguration ===&lt;br /&gt;
&lt;br /&gt;
One of the most significant causes of cloud security incidents.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Publicly accessible storage.&lt;br /&gt;
* Excessive permissions.&lt;br /&gt;
* Open network ports.&lt;br /&gt;
&lt;br /&gt;
=== Credential Theft ===&lt;br /&gt;
&lt;br /&gt;
Compromised credentials may allow attackers to gain access to cloud resources.&lt;br /&gt;
&lt;br /&gt;
Mitigation techniques include:&lt;br /&gt;
&lt;br /&gt;
* MFA.&lt;br /&gt;
* Passwordless authentication.&lt;br /&gt;
* Conditional Access.&lt;br /&gt;
&lt;br /&gt;
=== Insider Threats ===&lt;br /&gt;
&lt;br /&gt;
May originate from employees, contractors, or partners who misuse legitimate access.&lt;br /&gt;
&lt;br /&gt;
=== Supply Chain Attacks ===&lt;br /&gt;
&lt;br /&gt;
Compromise of software, services, or third-party dependencies used within cloud environments.&lt;br /&gt;
&lt;br /&gt;
=== Ransomware ===&lt;br /&gt;
&lt;br /&gt;
Attackers may target cloud-hosted workloads, backup systems, or synchronised data repositories.&lt;br /&gt;
&lt;br /&gt;
== Compliance and Regulatory Considerations ==&lt;br /&gt;
&lt;br /&gt;
Cloud Security Architecture often supports compliance with standards and regulations including:&lt;br /&gt;
&lt;br /&gt;
* ISO 27001&lt;br /&gt;
* ISO 27017&lt;br /&gt;
* ISO 27018&lt;br /&gt;
* SOC 2&lt;br /&gt;
* PCI-DSS&lt;br /&gt;
* GDPR&lt;br /&gt;
* HIPAA&lt;br /&gt;
* NIST Cybersecurity Framework&lt;br /&gt;
* NIST SP 800-53&lt;br /&gt;
&lt;br /&gt;
Compliance should be considered throughout the solution lifecycle rather than as a final validation exercise.&lt;br /&gt;
&lt;br /&gt;
== Cloud Security Architecture Lifecycle ==&lt;br /&gt;
&lt;br /&gt;
=== 1. Assessment ===&lt;br /&gt;
&lt;br /&gt;
Identify:&lt;br /&gt;
&lt;br /&gt;
* Assets.&lt;br /&gt;
* Risks.&lt;br /&gt;
* Threats.&lt;br /&gt;
* Compliance requirements.&lt;br /&gt;
&lt;br /&gt;
=== 2. Design ===&lt;br /&gt;
&lt;br /&gt;
Develop:&lt;br /&gt;
&lt;br /&gt;
* Security controls.&lt;br /&gt;
* Trust boundaries.&lt;br /&gt;
* Network architecture.&lt;br /&gt;
* Identity architecture.&lt;br /&gt;
&lt;br /&gt;
=== 3. Implementation ===&lt;br /&gt;
&lt;br /&gt;
Deploy:&lt;br /&gt;
&lt;br /&gt;
* Security technologies.&lt;br /&gt;
* Policies.&lt;br /&gt;
* Monitoring capabilities.&lt;br /&gt;
&lt;br /&gt;
=== 4. Validation ===&lt;br /&gt;
&lt;br /&gt;
Perform:&lt;br /&gt;
&lt;br /&gt;
* Vulnerability assessments.&lt;br /&gt;
* Penetration testing.&lt;br /&gt;
* Architecture reviews.&lt;br /&gt;
&lt;br /&gt;
=== 5. Operations ===&lt;br /&gt;
&lt;br /&gt;
Maintain:&lt;br /&gt;
&lt;br /&gt;
* Monitoring.&lt;br /&gt;
* Incident response.&lt;br /&gt;
* Change management.&lt;br /&gt;
&lt;br /&gt;
=== 6. Continuous Improvement ===&lt;br /&gt;
&lt;br /&gt;
Review and enhance controls based on:&lt;br /&gt;
&lt;br /&gt;
* Emerging threats.&lt;br /&gt;
* Business changes.&lt;br /&gt;
* Security incidents.&lt;br /&gt;
* Regulatory updates.&lt;br /&gt;
&lt;br /&gt;
== Emerging Trends ==&lt;br /&gt;
&lt;br /&gt;
Several trends are shaping the future of Cloud Security Architecture:&lt;br /&gt;
&lt;br /&gt;
* AI-assisted threat detection.&lt;br /&gt;
* Security Copilots and automated investigations.&lt;br /&gt;
* Extended Detection and Response (XDR).&lt;br /&gt;
* Cloud-Native Application Protection Platforms (CNAPP).&lt;br /&gt;
* Secure Access Service Edge (SASE).&lt;br /&gt;
* Security Service Edge (SSE).&lt;br /&gt;
* Confidential Computing.&lt;br /&gt;
* Post-Quantum Cryptography preparedness.&lt;br /&gt;
* Identity-first security models.&lt;br /&gt;
&lt;br /&gt;
== Best Practices ==&lt;br /&gt;
&lt;br /&gt;
* Adopt a Zero Trust strategy.&lt;br /&gt;
* Enable Multi-Factor Authentication everywhere possible.&lt;br /&gt;
* Apply least privilege access principles.&lt;br /&gt;
* Encrypt sensitive data.&lt;br /&gt;
* Continuously monitor cloud environments.&lt;br /&gt;
* Automate security operations where appropriate.&lt;br /&gt;
* Conduct regular security reviews.&lt;br /&gt;
* Maintain comprehensive logging.&lt;br /&gt;
* Implement robust backup and recovery procedures.&lt;br /&gt;
* Integrate security throughout the development lifecycle.&lt;br /&gt;
&lt;br /&gt;
== Conclusion ==&lt;br /&gt;
&lt;br /&gt;
Cloud Security Architecture provides the strategic and technical foundation required to secure modern cloud environments. By integrating governance, identity, data protection, monitoring, and incident response capabilities into a cohesive architecture, organisations can confidently leverage cloud technologies while managing risk and maintaining compliance. Successful cloud security architecture is not a one-time project but an ongoing discipline that evolves alongside threats, technologies, and business requirements.&lt;br /&gt;
&lt;br /&gt;
[[Category:Cloud Computing]]&lt;br /&gt;
[[Category:Cyber Security]]&lt;br /&gt;
[[Category:Enterprise Architecture]]&lt;br /&gt;
[[Category:Information Security]]&lt;br /&gt;
[[Category:Microsoft Azure]]&lt;br /&gt;
[[Category:Infrastructure]]&lt;/div&gt;</description>
			<pubDate>Mon, 06 Jul 2026 06:54:37 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:Cloud_Security_Architecture</comments>
		</item>
		<item>
			<title>Risk Management</title>
			<link>https://knowledgebase.pirho.net/index.php?title=Risk_Management&amp;diff=428&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=Risk_Management&amp;diff=428&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039; Risk Management is the structured process of identifying, assessing, treating, monitoring, and reviewing uncertainty that could affect the achievement of objectives. Effective risk management improves decision-making, protects assets, supports business continuity, and enables organisations to pursue opportunities with greater confidence.  Risk exists in every activity, whether managing infrastructure, delivering projects, operating services, deploying soft...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
Risk Management is the structured process of identifying, assessing, treating, monitoring, and reviewing uncertainty that could affect the achievement of objectives. Effective risk management improves decision-making, protects assets, supports business continuity, and enables organisations to pursue opportunities with greater confidence.&lt;br /&gt;
&lt;br /&gt;
Risk exists in every activity, whether managing infrastructure, delivering projects, operating services, deploying software, or making strategic business decisions. The goal is not to eliminate risk entirely, but to understand it well enough to make informed choices.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
=== Why Risk Management Matters ===&lt;br /&gt;
&lt;br /&gt;
Every organisation operates in an environment filled with uncertainty. Systems fail, suppliers become unavailable, projects encounter delays, security threats emerge, and business priorities change.&lt;br /&gt;
&lt;br /&gt;
Without a structured approach to risk management, organisations often react to problems only after they occur. This reactive approach can lead to increased costs, service disruption, damaged reputation, regulatory issues, and missed opportunities.&lt;br /&gt;
&lt;br /&gt;
Risk management provides a framework for anticipating potential problems before they become incidents.&lt;br /&gt;
&lt;br /&gt;
=== Risk Is Not Always Negative ===&lt;br /&gt;
&lt;br /&gt;
A common misconception is that risk only refers to threats and undesirable outcomes.&lt;br /&gt;
&lt;br /&gt;
In practice, risk is uncertainty that may have either a positive or negative effect on objectives.&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
* A new technology may introduce implementation risks.&lt;br /&gt;
* The same technology may also create opportunities for increased efficiency.&lt;br /&gt;
* Entering a new market may expose a business to financial uncertainty.&lt;br /&gt;
* The same decision may create significant growth opportunities.&lt;br /&gt;
&lt;br /&gt;
Good risk management considers both threats and opportunities.&lt;br /&gt;
&lt;br /&gt;
=== Common Misconceptions ===&lt;br /&gt;
&lt;br /&gt;
Some organisations view risk management as a compliance exercise performed solely to satisfy auditors.&lt;br /&gt;
&lt;br /&gt;
Others believe that maintaining a risk register is sufficient.&lt;br /&gt;
&lt;br /&gt;
In reality, risk management is most valuable when it influences day-to-day decision-making and becomes part of organisational culture.&lt;br /&gt;
&lt;br /&gt;
== Core Concepts ==&lt;br /&gt;
&lt;br /&gt;
=== Risk ===&lt;br /&gt;
&lt;br /&gt;
A risk is a potential event or condition that may impact one or more objectives.&lt;br /&gt;
&lt;br /&gt;
A useful format for documenting risks is:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
If [event occurs],&lt;br /&gt;
Then [impact may result],&lt;br /&gt;
Affecting [objective].&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
If the primary internet connection fails,&lt;br /&gt;
Then remote access services may become unavailable,&lt;br /&gt;
Affecting business operations.&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Threat ===&lt;br /&gt;
&lt;br /&gt;
A threat is something capable of causing harm.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Cyber attacks&lt;br /&gt;
* Hardware failure&lt;br /&gt;
* Human error&lt;br /&gt;
* Extreme weather&lt;br /&gt;
* Supply chain disruption&lt;br /&gt;
&lt;br /&gt;
=== Vulnerability ===&lt;br /&gt;
&lt;br /&gt;
A vulnerability is a weakness that could be exploited by a threat.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Unsupported software&lt;br /&gt;
* Single points of failure&lt;br /&gt;
* Weak authentication controls&lt;br /&gt;
* Insufficient backups&lt;br /&gt;
&lt;br /&gt;
=== Impact ===&lt;br /&gt;
&lt;br /&gt;
Impact measures the consequences should a risk occur.&lt;br /&gt;
&lt;br /&gt;
Impact may be measured in:&lt;br /&gt;
&lt;br /&gt;
* Financial loss&lt;br /&gt;
* Service outage duration&lt;br /&gt;
* Regulatory penalties&lt;br /&gt;
* Reputational damage&lt;br /&gt;
* Health and safety effects&lt;br /&gt;
&lt;br /&gt;
=== Likelihood ===&lt;br /&gt;
&lt;br /&gt;
Likelihood estimates the probability of a risk occurring within a defined period.&lt;br /&gt;
&lt;br /&gt;
Likelihood should be based on evidence wherever possible rather than guesswork.&lt;br /&gt;
&lt;br /&gt;
=== Risk Appetite ===&lt;br /&gt;
&lt;br /&gt;
Risk appetite defines the level of risk an organisation is willing to accept in pursuit of its objectives.&lt;br /&gt;
&lt;br /&gt;
Different organisations have different appetites for risk.&lt;br /&gt;
&lt;br /&gt;
A financial institution may have a very low tolerance for security risks, while a technology startup may willingly accept greater operational risks in exchange for faster innovation.&lt;br /&gt;
&lt;br /&gt;
== The Risk Management Lifecycle ==&lt;br /&gt;
&lt;br /&gt;
=== Risk Identification ===&lt;br /&gt;
&lt;br /&gt;
The first step is discovering potential risks.&lt;br /&gt;
&lt;br /&gt;
Common techniques include:&lt;br /&gt;
&lt;br /&gt;
* Workshops&lt;br /&gt;
* Interviews&lt;br /&gt;
* Brainstorming sessions&lt;br /&gt;
* Lessons learned reviews&lt;br /&gt;
* Security assessments&lt;br /&gt;
* Architecture reviews&lt;br /&gt;
* Audit findings&lt;br /&gt;
&lt;br /&gt;
The objective is to identify risks before they manifest as issues.&lt;br /&gt;
&lt;br /&gt;
=== Risk Assessment ===&lt;br /&gt;
&lt;br /&gt;
Each identified risk is evaluated based on:&lt;br /&gt;
&lt;br /&gt;
* Likelihood&lt;br /&gt;
* Impact&lt;br /&gt;
* Existing controls&lt;br /&gt;
&lt;br /&gt;
This assessment determines the overall level of risk and helps prioritise mitigation efforts.&lt;br /&gt;
&lt;br /&gt;
=== Risk Treatment ===&lt;br /&gt;
&lt;br /&gt;
Treatment involves selecting an appropriate response.&lt;br /&gt;
&lt;br /&gt;
Common responses include:&lt;br /&gt;
&lt;br /&gt;
* Accept&lt;br /&gt;
* Avoid&lt;br /&gt;
* Mitigate&lt;br /&gt;
* Transfer&lt;br /&gt;
&lt;br /&gt;
These are explored later in this article.&lt;br /&gt;
&lt;br /&gt;
=== Risk Monitoring ===&lt;br /&gt;
&lt;br /&gt;
Risk environments change continuously.&lt;br /&gt;
&lt;br /&gt;
A risk that was acceptable six months ago may become critical due to changing business requirements, emerging threats, or environmental changes.&lt;br /&gt;
&lt;br /&gt;
Monitoring ensures records remain accurate and relevant.&lt;br /&gt;
&lt;br /&gt;
=== Risk Review ===&lt;br /&gt;
&lt;br /&gt;
Periodic reviews validate assumptions and determine whether controls remain effective.&lt;br /&gt;
&lt;br /&gt;
Reviews should occur:&lt;br /&gt;
&lt;br /&gt;
* At defined intervals&lt;br /&gt;
* After significant incidents&lt;br /&gt;
* Following major changes&lt;br /&gt;
* At project milestones&lt;br /&gt;
&lt;br /&gt;
== Risk Assessment Methods ==&lt;br /&gt;
&lt;br /&gt;
=== Qualitative Assessment ===&lt;br /&gt;
&lt;br /&gt;
Qualitative approaches use subjective ratings such as:&lt;br /&gt;
&lt;br /&gt;
* Low&lt;br /&gt;
* Medium&lt;br /&gt;
* High&lt;br /&gt;
&lt;br /&gt;
or&lt;br /&gt;
&lt;br /&gt;
* Very Low&lt;br /&gt;
* Low&lt;br /&gt;
* Moderate&lt;br /&gt;
* High&lt;br /&gt;
* Critical&lt;br /&gt;
&lt;br /&gt;
These methods are simple and suitable for many operational environments.&lt;br /&gt;
&lt;br /&gt;
=== Quantitative Assessment ===&lt;br /&gt;
&lt;br /&gt;
Quantitative approaches assign numerical values to likelihood and impact.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Financial exposure&lt;br /&gt;
* Expected annual loss&lt;br /&gt;
* Statistical probability models&lt;br /&gt;
&lt;br /&gt;
These approaches support more detailed decision-making but require reliable data.&lt;br /&gt;
&lt;br /&gt;
=== Risk Matrix Models ===&lt;br /&gt;
&lt;br /&gt;
Many organisations use a risk matrix.&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Impact&lt;br /&gt;
          Low  Med  High&lt;br /&gt;
Low       Low  Low  Med&lt;br /&gt;
Medium    Low  Med  High&lt;br /&gt;
High      Med  High Critical&lt;br /&gt;
          Likelihood&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Risk matrices help stakeholders quickly visualise priorities.&lt;br /&gt;
&lt;br /&gt;
== Practical Application ==&lt;br /&gt;
&lt;br /&gt;
=== Project Risk Management ===&lt;br /&gt;
&lt;br /&gt;
Projects introduce uncertainty through:&lt;br /&gt;
&lt;br /&gt;
* Budget constraints&lt;br /&gt;
* Resource limitations&lt;br /&gt;
* Technical complexity&lt;br /&gt;
* External dependencies&lt;br /&gt;
&lt;br /&gt;
Project risks should be reviewed regularly throughout the project lifecycle rather than only during initiation.&lt;br /&gt;
&lt;br /&gt;
=== Operational Risk Management ===&lt;br /&gt;
&lt;br /&gt;
Operational risks affect day-to-day business functions.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Infrastructure failure&lt;br /&gt;
* Staffing shortages&lt;br /&gt;
* Supplier issues&lt;br /&gt;
* Process failures&lt;br /&gt;
&lt;br /&gt;
These risks are often ongoing and require continuous monitoring.&lt;br /&gt;
&lt;br /&gt;
=== Information Security Risk Management ===&lt;br /&gt;
&lt;br /&gt;
Information security is fundamentally a risk management discipline.&lt;br /&gt;
&lt;br /&gt;
Controls such as:&lt;br /&gt;
&lt;br /&gt;
* Multi-factor authentication&lt;br /&gt;
* Encryption&lt;br /&gt;
* Network segmentation&lt;br /&gt;
* Monitoring and alerting&lt;br /&gt;
&lt;br /&gt;
exist to reduce risk to acceptable levels.&lt;br /&gt;
&lt;br /&gt;
Absolute security is rarely achievable; the objective is managed risk.&lt;br /&gt;
&lt;br /&gt;
=== Business Continuity Considerations ===&lt;br /&gt;
&lt;br /&gt;
Business continuity planning focuses on maintaining essential services when risks materialise.&lt;br /&gt;
&lt;br /&gt;
Questions often include:&lt;br /&gt;
&lt;br /&gt;
* What happens if this system fails?&lt;br /&gt;
* How long can the business function without it?&lt;br /&gt;
* What alternatives exist?&lt;br /&gt;
* How quickly must recovery occur?&lt;br /&gt;
&lt;br /&gt;
Risk management provides the information required to answer these questions.&lt;br /&gt;
&lt;br /&gt;
== Common Risk Treatment Strategies ==&lt;br /&gt;
&lt;br /&gt;
=== Accept ===&lt;br /&gt;
&lt;br /&gt;
A risk may be accepted when:&lt;br /&gt;
&lt;br /&gt;
* Impact is minimal&lt;br /&gt;
* Likelihood is low&lt;br /&gt;
* Mitigation costs exceed potential losses&lt;br /&gt;
&lt;br /&gt;
Acceptance should always be a conscious decision.&lt;br /&gt;
&lt;br /&gt;
=== Avoid ===&lt;br /&gt;
&lt;br /&gt;
Avoidance removes the activity that creates the risk.&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
A business may choose not to deploy an unsupported application rather than assume the associated security risk.&lt;br /&gt;
&lt;br /&gt;
=== Mitigate ===&lt;br /&gt;
&lt;br /&gt;
Mitigation reduces either likelihood or impact.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Redundant systems&lt;br /&gt;
* Automated backups&lt;br /&gt;
* Security controls&lt;br /&gt;
* Additional testing&lt;br /&gt;
&lt;br /&gt;
Most organisational risk management activity falls into this category.&lt;br /&gt;
&lt;br /&gt;
=== Transfer ===&lt;br /&gt;
&lt;br /&gt;
Transfer shifts some responsibility to another party.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Insurance&lt;br /&gt;
* Outsourced services&lt;br /&gt;
* Contractual agreements&lt;br /&gt;
&lt;br /&gt;
Responsibility may be transferred, but accountability often remains.&lt;br /&gt;
&lt;br /&gt;
== Common Pitfalls ==&lt;br /&gt;
&lt;br /&gt;
=== Treating Risk Registers as a Tick-Box Exercise ===&lt;br /&gt;
&lt;br /&gt;
A risk register that is never reviewed provides little value.&lt;br /&gt;
&lt;br /&gt;
Risk information must inform decision-making.&lt;br /&gt;
&lt;br /&gt;
=== Ignoring Low Probability, High Impact Events ===&lt;br /&gt;
&lt;br /&gt;
Rare events may still be catastrophic.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Major cyber incidents&lt;br /&gt;
* Datacentre destruction&lt;br /&gt;
* Long-term supplier failure&lt;br /&gt;
&lt;br /&gt;
These events often justify contingency planning despite their low probability.&lt;br /&gt;
&lt;br /&gt;
=== Failure to Review Risks Regularly ===&lt;br /&gt;
&lt;br /&gt;
Environments change.&lt;br /&gt;
&lt;br /&gt;
Technology changes.&lt;br /&gt;
&lt;br /&gt;
Threat actors change.&lt;br /&gt;
&lt;br /&gt;
Businesses change.&lt;br /&gt;
&lt;br /&gt;
Risk records must evolve accordingly.&lt;br /&gt;
&lt;br /&gt;
=== Confusing Issues with Risks ===&lt;br /&gt;
&lt;br /&gt;
A risk is a potential future event.&lt;br /&gt;
&lt;br /&gt;
An issue is something that has already occurred.&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Risk:&lt;br /&gt;
The storage platform may exceed capacity.&lt;br /&gt;
&lt;br /&gt;
Issue:&lt;br /&gt;
The storage platform has exceeded capacity.&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This distinction is important for effective governance.&lt;br /&gt;
&lt;br /&gt;
== Design &amp;amp; Architecture Considerations ==&lt;br /&gt;
&lt;br /&gt;
=== Risk Ownership ===&lt;br /&gt;
&lt;br /&gt;
Every significant risk should have a clearly identified owner.&lt;br /&gt;
&lt;br /&gt;
Risk owners are responsible for:&lt;br /&gt;
&lt;br /&gt;
* Monitoring&lt;br /&gt;
* Reporting&lt;br /&gt;
* Reviewing&lt;br /&gt;
* Escalating when required&lt;br /&gt;
&lt;br /&gt;
=== Escalation Paths ===&lt;br /&gt;
&lt;br /&gt;
High-priority risks require clear escalation procedures.&lt;br /&gt;
&lt;br /&gt;
Decision-makers should understand:&lt;br /&gt;
&lt;br /&gt;
* Severity&lt;br /&gt;
* Potential consequences&lt;br /&gt;
* Required actions&lt;br /&gt;
* Time sensitivity&lt;br /&gt;
&lt;br /&gt;
=== Reporting and Communication ===&lt;br /&gt;
&lt;br /&gt;
Risk information should be understandable by both technical and non-technical audiences.&lt;br /&gt;
&lt;br /&gt;
Effective reporting focuses on:&lt;br /&gt;
&lt;br /&gt;
* Business impact&lt;br /&gt;
* Trends&lt;br /&gt;
* Control effectiveness&lt;br /&gt;
* Required decisions&lt;br /&gt;
&lt;br /&gt;
=== Culture and Accountability ===&lt;br /&gt;
&lt;br /&gt;
Strong risk cultures encourage individuals to report concerns early.&lt;br /&gt;
&lt;br /&gt;
The objective is not assigning blame.&lt;br /&gt;
&lt;br /&gt;
The objective is identifying and managing uncertainty before it causes harm.&lt;br /&gt;
&lt;br /&gt;
== Troubleshooting &amp;amp; Diagnostics ==&lt;br /&gt;
&lt;br /&gt;
=== Indicators of Poor Risk Management ===&lt;br /&gt;
&lt;br /&gt;
Warning signs may include:&lt;br /&gt;
&lt;br /&gt;
* Repeated incidents&lt;br /&gt;
* Surprise failures&lt;br /&gt;
* Unmaintained risk registers&lt;br /&gt;
* Lack of ownership&lt;br /&gt;
* Poor disaster recovery preparedness&lt;br /&gt;
&lt;br /&gt;
=== Reviewing Failed Controls ===&lt;br /&gt;
&lt;br /&gt;
When an incident occurs, organisations should examine:&lt;br /&gt;
&lt;br /&gt;
* Which controls failed?&lt;br /&gt;
* Why did they fail?&lt;br /&gt;
* Were assumptions accurate?&lt;br /&gt;
* Were warnings missed?&lt;br /&gt;
&lt;br /&gt;
This process improves future decision-making.&lt;br /&gt;
&lt;br /&gt;
=== Lessons Learned Processes ===&lt;br /&gt;
&lt;br /&gt;
Post-incident reviews often provide the most valuable risk management insights.&lt;br /&gt;
&lt;br /&gt;
A mature organisation treats incidents as opportunities for improvement rather than simply restoring service and moving on.&lt;br /&gt;
&lt;br /&gt;
== Design Philosophy ==&lt;br /&gt;
&lt;br /&gt;
Risk management should not become a barrier to progress.&lt;br /&gt;
&lt;br /&gt;
Every meaningful activity involves uncertainty.&lt;br /&gt;
&lt;br /&gt;
The purpose of risk management is to provide visibility, support informed decisions, and ensure organisations understand the consequences of their choices.&lt;br /&gt;
&lt;br /&gt;
The most effective risk management practices are often the least visible. They are embedded within planning, architecture, operations, governance, and culture.&lt;br /&gt;
&lt;br /&gt;
When done well, risk management does not eliminate uncertainty.&lt;br /&gt;
&lt;br /&gt;
It allows organisations to move forward with their eyes open.&lt;br /&gt;
&lt;br /&gt;
== Related Topics ==&lt;br /&gt;
&lt;br /&gt;
* [[Business Continuity]]&lt;br /&gt;
* [[Disaster Recovery]]&lt;br /&gt;
* [[Incident Management]]&lt;br /&gt;
* [[Information Security Management]]&lt;br /&gt;
* [[Project Governance]]&lt;br /&gt;
* [[ISO 9001]]&lt;br /&gt;
* [[ISO 27001]]&lt;br /&gt;
* [[Change Management]]&lt;br /&gt;
* [[Infrastructure Resilience]]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&lt;br /&gt;
* ISO 31000 – Risk Management Guidelines&lt;br /&gt;
* ISO 9001 – Quality Management Systems&lt;br /&gt;
* ISO 27001 – Information Security Management Systems&lt;br /&gt;
* NIST Risk Management Framework (RMF)&lt;br /&gt;
* NIST Cybersecurity Framework (CSF)&lt;br /&gt;
* COBIT Governance Framework&lt;br /&gt;
* PMI Project Management Body of Knowledge (PMBOK)&lt;/div&gt;</description>
			<pubDate>Mon, 06 Jul 2026 06:53:11 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:Risk_Management</comments>
		</item>
		<item>
			<title>Security Operations (SecOps)</title>
			<link>https://knowledgebase.pirho.net/index.php?title=Security_Operations_(SecOps)&amp;diff=427&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=Security_Operations_(SecOps)&amp;diff=427&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;  Security Operations (SecOps) is the discipline of continuously monitoring, detecting, investigating, and responding to security threats within an organisation&amp;#039;s technology environment. It combines people, processes, and technology to protect business systems, data, infrastructure, and services from attack while maintaining normal business operations.  == Context ==  Modern organisations face an evolving threat landscape consisting of malware, ransomware,...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
Security Operations (SecOps) is the discipline of continuously monitoring, detecting, investigating, and responding to security threats within an organisation&amp;#039;s technology environment. It combines people, processes, and technology to protect business systems, data, infrastructure, and services from attack while maintaining normal business operations.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
Modern organisations face an evolving threat landscape consisting of malware, ransomware, phishing attacks, credential theft, insider threats, data breaches, and targeted intrusions.&lt;br /&gt;
&lt;br /&gt;
Historically, security was often treated as a separate function from infrastructure and operations teams. As environments became more interconnected and attacks became more sophisticated, organisations increasingly recognised that security must become an operational responsibility rather than an occasional activity.&lt;br /&gt;
&lt;br /&gt;
Security Operations emerged as the practical discipline responsible for the day-to-day defence of information systems.&lt;br /&gt;
&lt;br /&gt;
Common challenges include:&lt;br /&gt;
&lt;br /&gt;
* Alert fatigue&lt;br /&gt;
* Incomplete visibility&lt;br /&gt;
* Misconfigured security controls&lt;br /&gt;
* Delayed incident response&lt;br /&gt;
* Lack of skilled personnel&lt;br /&gt;
* Insufficient logging and monitoring&lt;br /&gt;
&lt;br /&gt;
== What is Security Operations? ==&lt;br /&gt;
&lt;br /&gt;
Security Operations is the continuous process of protecting organisational assets through monitoring, analysis, investigation, response, and improvement.&lt;br /&gt;
&lt;br /&gt;
A mature SecOps capability focuses on:&lt;br /&gt;
&lt;br /&gt;
* Detecting malicious activity&lt;br /&gt;
* Investigating suspicious behaviour&lt;br /&gt;
* Responding to incidents&lt;br /&gt;
* Recovering affected systems&lt;br /&gt;
* Improving defensive controls&lt;br /&gt;
&lt;br /&gt;
Security Operations differs from compliance activities because it is focused on actively managing real-world threats rather than simply meeting regulatory requirements.&lt;br /&gt;
&lt;br /&gt;
== Core SecOps Functions ==&lt;br /&gt;
&lt;br /&gt;
=== Monitoring ===&lt;br /&gt;
&lt;br /&gt;
Monitoring involves collecting information from infrastructure, applications, network devices, cloud services, and security products.&lt;br /&gt;
&lt;br /&gt;
Sources commonly include:&lt;br /&gt;
&lt;br /&gt;
* Firewalls&lt;br /&gt;
* Endpoint protection platforms&lt;br /&gt;
* Servers&lt;br /&gt;
* Identity systems&lt;br /&gt;
* Cloud services&lt;br /&gt;
* Network devices&lt;br /&gt;
* Application logs&lt;br /&gt;
&lt;br /&gt;
The objective is to establish visibility across the environment.&lt;br /&gt;
&lt;br /&gt;
=== Detection ===&lt;br /&gt;
&lt;br /&gt;
Detection identifies activity that may indicate malicious behaviour.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Multiple failed logon attempts&lt;br /&gt;
* Suspicious PowerShell execution&lt;br /&gt;
* Malware detections&lt;br /&gt;
* Privilege escalation events&lt;br /&gt;
* Data exfiltration patterns&lt;br /&gt;
* Unusual network traffic&lt;br /&gt;
&lt;br /&gt;
Effective detection combines signatures, behavioural analytics, threat intelligence, and contextual awareness.&lt;br /&gt;
&lt;br /&gt;
=== Investigation ===&lt;br /&gt;
&lt;br /&gt;
Security analysts investigate alerts to determine whether suspicious activity represents a genuine threat.&lt;br /&gt;
&lt;br /&gt;
Typical questions include:&lt;br /&gt;
&lt;br /&gt;
* What happened?&lt;br /&gt;
* When did it occur?&lt;br /&gt;
* Who was affected?&lt;br /&gt;
* How did it happen?&lt;br /&gt;
* What systems were involved?&lt;br /&gt;
* Is the threat still active?&lt;br /&gt;
&lt;br /&gt;
The goal is to separate genuine incidents from false positives.&lt;br /&gt;
&lt;br /&gt;
=== Response ===&lt;br /&gt;
&lt;br /&gt;
Response activities are intended to contain and eradicate threats.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Isolating compromised devices&lt;br /&gt;
* Disabling accounts&lt;br /&gt;
* Blocking malicious IP addresses&lt;br /&gt;
* Removing malware&lt;br /&gt;
* Revoking credentials&lt;br /&gt;
* Applying security patches&lt;br /&gt;
&lt;br /&gt;
Rapid containment often reduces the overall impact of an incident.&lt;br /&gt;
&lt;br /&gt;
=== Recovery ===&lt;br /&gt;
&lt;br /&gt;
Recovery returns services to normal operation.&lt;br /&gt;
&lt;br /&gt;
Activities may include:&lt;br /&gt;
&lt;br /&gt;
* Restoring systems from backup&lt;br /&gt;
* Rebuilding infrastructure&lt;br /&gt;
* Verifying data integrity&lt;br /&gt;
* Monitoring for reinfection&lt;br /&gt;
* Re-enabling services&lt;br /&gt;
&lt;br /&gt;
Recovery should be performed in a controlled and documented manner.&lt;br /&gt;
&lt;br /&gt;
== SecOps Team Roles ==&lt;br /&gt;
&lt;br /&gt;
A mature Security Operations capability may include:&lt;br /&gt;
&lt;br /&gt;
=== Security Analyst ===&lt;br /&gt;
&lt;br /&gt;
Monitors alerts, investigates incidents, and performs triage activities.&lt;br /&gt;
&lt;br /&gt;
=== Incident Responder ===&lt;br /&gt;
&lt;br /&gt;
Coordinates containment, eradication, and recovery efforts.&lt;br /&gt;
&lt;br /&gt;
=== Threat Hunter ===&lt;br /&gt;
&lt;br /&gt;
Proactively searches for evidence of threats that have not yet generated alerts.&lt;br /&gt;
&lt;br /&gt;
=== Security Engineer ===&lt;br /&gt;
&lt;br /&gt;
Implements and maintains security technologies and monitoring platforms.&lt;br /&gt;
&lt;br /&gt;
=== Security Architect ===&lt;br /&gt;
&lt;br /&gt;
Designs secure systems, controls, and defensive strategies.&lt;br /&gt;
&lt;br /&gt;
== Security Operations Centre (SOC) ==&lt;br /&gt;
&lt;br /&gt;
A Security Operations Centre (SOC) is the operational hub responsible for monitoring and protecting organisational systems.&lt;br /&gt;
&lt;br /&gt;
A SOC may be:&lt;br /&gt;
&lt;br /&gt;
* Internal&lt;br /&gt;
* Outsourced&lt;br /&gt;
* Hybrid&lt;br /&gt;
&lt;br /&gt;
A typical SOC continuously monitors security telemetry and coordinates incident response activities.&lt;br /&gt;
&lt;br /&gt;
=== Simplified SOC Overview ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
+-------------+&lt;br /&gt;
| Endpoints   |&lt;br /&gt;
+-------------+&lt;br /&gt;
       |&lt;br /&gt;
       v&lt;br /&gt;
+-------------+&lt;br /&gt;
| Log Sources |&lt;br /&gt;
+-------------+&lt;br /&gt;
       |&lt;br /&gt;
       v&lt;br /&gt;
+-------------+&lt;br /&gt;
|   SIEM      |&lt;br /&gt;
+-------------+&lt;br /&gt;
       |&lt;br /&gt;
       v&lt;br /&gt;
+-------------+&lt;br /&gt;
| Analysts    |&lt;br /&gt;
+-------------+&lt;br /&gt;
       |&lt;br /&gt;
       v&lt;br /&gt;
+-------------+&lt;br /&gt;
| Response    |&lt;br /&gt;
+-------------+&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Security Technologies Used in SecOps ==&lt;br /&gt;
&lt;br /&gt;
Common technologies include:&lt;br /&gt;
&lt;br /&gt;
=== SIEM ===&lt;br /&gt;
&lt;br /&gt;
Security Information and Event Management platforms aggregate and analyse security events from multiple sources.&lt;br /&gt;
&lt;br /&gt;
=== EDR ===&lt;br /&gt;
&lt;br /&gt;
Endpoint Detection and Response platforms provide visibility and response capabilities for workstations and servers.&lt;br /&gt;
&lt;br /&gt;
=== SOAR ===&lt;br /&gt;
&lt;br /&gt;
Security Orchestration, Automation and Response platforms automate repetitive security tasks.&lt;br /&gt;
&lt;br /&gt;
=== IDS/IPS ===&lt;br /&gt;
&lt;br /&gt;
Intrusion Detection and Prevention Systems identify suspicious network activity.&lt;br /&gt;
&lt;br /&gt;
=== Threat Intelligence Platforms ===&lt;br /&gt;
&lt;br /&gt;
Provide information regarding known indicators of compromise and emerging threats.&lt;br /&gt;
&lt;br /&gt;
== Event to Incident Lifecycle ==&lt;br /&gt;
&lt;br /&gt;
Not every event becomes an incident.&lt;br /&gt;
&lt;br /&gt;
A typical progression is:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Event&lt;br /&gt;
  |&lt;br /&gt;
  v&lt;br /&gt;
Alert&lt;br /&gt;
  |&lt;br /&gt;
  v&lt;br /&gt;
Investigation&lt;br /&gt;
  |&lt;br /&gt;
  v&lt;br /&gt;
Incident&lt;br /&gt;
  |&lt;br /&gt;
  v&lt;br /&gt;
Response&lt;br /&gt;
  |&lt;br /&gt;
  v&lt;br /&gt;
Recovery&lt;br /&gt;
  |&lt;br /&gt;
  v&lt;br /&gt;
Lessons Learned&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The final stage is critical because improvements made after incidents strengthen future defences.&lt;br /&gt;
&lt;br /&gt;
== Practical Security Operations Workflow ==&lt;br /&gt;
&lt;br /&gt;
A typical daily workflow may involve:&lt;br /&gt;
&lt;br /&gt;
# Reviewing security dashboards&lt;br /&gt;
# Investigating alerts&lt;br /&gt;
# Correlating evidence&lt;br /&gt;
# Escalating incidents&lt;br /&gt;
# Implementing containment actions&lt;br /&gt;
# Conducting root cause analysis&lt;br /&gt;
# Updating detection rules&lt;br /&gt;
# Producing management reports&lt;br /&gt;
&lt;br /&gt;
Mature organisations continuously refine this cycle.&lt;br /&gt;
&lt;br /&gt;
== Common Pitfalls ==&lt;br /&gt;
&lt;br /&gt;
=== Alert Fatigue ===&lt;br /&gt;
&lt;br /&gt;
Analysts become overwhelmed by excessive alerts, leading to missed threats.&lt;br /&gt;
&lt;br /&gt;
=== Excessive Tooling ===&lt;br /&gt;
&lt;br /&gt;
Deploying too many security products without integration can reduce effectiveness.&lt;br /&gt;
&lt;br /&gt;
=== Poor Visibility ===&lt;br /&gt;
&lt;br /&gt;
Blind spots in logging and monitoring prevent effective detection.&lt;br /&gt;
&lt;br /&gt;
=== Lack of Documentation ===&lt;br /&gt;
&lt;br /&gt;
Inconsistent processes increase response times during incidents.&lt;br /&gt;
&lt;br /&gt;
=== Reactive Security ===&lt;br /&gt;
&lt;br /&gt;
Focusing only on active incidents while neglecting proactive improvements creates long-term risk.&lt;br /&gt;
&lt;br /&gt;
== Design &amp;amp; Architecture Considerations ==&lt;br /&gt;
&lt;br /&gt;
When designing a Security Operations capability, consider:&lt;br /&gt;
&lt;br /&gt;
=== Scalability ===&lt;br /&gt;
&lt;br /&gt;
Monitoring solutions must support organisational growth.&lt;br /&gt;
&lt;br /&gt;
=== Security ===&lt;br /&gt;
&lt;br /&gt;
Monitoring infrastructure becomes a high-value target and must be protected.&lt;br /&gt;
&lt;br /&gt;
=== Maintainability ===&lt;br /&gt;
&lt;br /&gt;
Security controls should be documented, tested, and regularly reviewed.&lt;br /&gt;
&lt;br /&gt;
=== Automation ===&lt;br /&gt;
&lt;br /&gt;
Routine activities should be automated where practical.&lt;br /&gt;
&lt;br /&gt;
=== Backwards Compatibility ===&lt;br /&gt;
&lt;br /&gt;
Legacy systems often remain critical business assets and may require alternative monitoring approaches.&lt;br /&gt;
&lt;br /&gt;
== Troubleshooting &amp;amp; Diagnostics ==&lt;br /&gt;
&lt;br /&gt;
When investigating security monitoring issues:&lt;br /&gt;
&lt;br /&gt;
* Verify log collection&lt;br /&gt;
* Confirm time synchronisation&lt;br /&gt;
* Check alert rules&lt;br /&gt;
* Review data retention&lt;br /&gt;
* Validate network connectivity&lt;br /&gt;
* Confirm agent health&lt;br /&gt;
* Examine system performance&lt;br /&gt;
&lt;br /&gt;
A surprisingly high percentage of security monitoring failures are caused by missing or incomplete telemetry rather than detection logic itself.&lt;br /&gt;
&lt;br /&gt;
== Future Trends ==&lt;br /&gt;
&lt;br /&gt;
Emerging areas influencing Security Operations include:&lt;br /&gt;
&lt;br /&gt;
* Artificial Intelligence&lt;br /&gt;
* Machine Learning&lt;br /&gt;
* Extended Detection and Response (XDR)&lt;br /&gt;
* Cloud-native security monitoring&lt;br /&gt;
* Security automation&lt;br /&gt;
* Zero Trust architectures&lt;br /&gt;
&lt;br /&gt;
These technologies improve visibility and reduce analyst workload, but they do not eliminate the need for skilled security professionals.&lt;br /&gt;
&lt;br /&gt;
== Related Topics ==&lt;br /&gt;
&lt;br /&gt;
* [[Security Information and Event Management]]&lt;br /&gt;
* [[Incident Response]]&lt;br /&gt;
* [[Threat Hunting]]&lt;br /&gt;
* [[Zero Trust]]&lt;br /&gt;
* [[Identity and Access Management]]&lt;br /&gt;
* [[Cybersecurity Architecture]]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&lt;br /&gt;
* NIST Cybersecurity Framework&lt;br /&gt;
* NIST Incident Response Guide&lt;br /&gt;
* MITRE ATT&amp;amp;CK Framework&lt;br /&gt;
* CIS Controls&lt;br /&gt;
* ISO/IEC 27001&lt;br /&gt;
* Vendor documentation&lt;/div&gt;</description>
			<pubDate>Mon, 06 Jul 2026 06:42:20 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:Security_Operations_(SecOps)</comments>
		</item>
		<item>
			<title>Information Security Management Systems (ISMS)</title>
			<link>https://knowledgebase.pirho.net/index.php?title=Information_Security_Management_Systems_(ISMS)&amp;diff=426&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=Information_Security_Management_Systems_(ISMS)&amp;diff=426&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;  An Information Security Management System (ISMS) is a structured framework used to identify, manage, reduce, and continually improve information security risks within an organisation. Rather than being a product or technology, an ISMS is a management system that combines people, processes, policies, and technical controls to protect information assets while supporting business objectives.  == Context ==  Organisations rely upon information to conduct busi...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
An Information Security Management System (ISMS) is a structured framework used to identify, manage, reduce, and continually improve information security risks within an organisation. Rather than being a product or technology, an ISMS is a management system that combines people, processes, policies, and technical controls to protect information assets while supporting business objectives.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
Organisations rely upon information to conduct business, deliver services, make decisions, and maintain customer trust. Information exists in many forms, including electronic records, paper documents, intellectual property, emails, databases, source code, and verbal communications.&lt;br /&gt;
&lt;br /&gt;
As organisations grow, information becomes increasingly distributed across users, devices, networks, cloud services, suppliers, and customers. This creates additional security risks that must be understood and managed.&lt;br /&gt;
&lt;br /&gt;
An ISMS provides a systematic approach to addressing these risks.&lt;br /&gt;
&lt;br /&gt;
Common drivers for implementing an ISMS include:&lt;br /&gt;
&lt;br /&gt;
* Regulatory compliance&lt;br /&gt;
* Customer requirements&lt;br /&gt;
* Protection of intellectual property&lt;br /&gt;
* Cybersecurity risk reduction&lt;br /&gt;
* Contractual obligations&lt;br /&gt;
* Business continuity planning&lt;br /&gt;
* Demonstrating security maturity&lt;br /&gt;
&lt;br /&gt;
== Core Concepts ==&lt;br /&gt;
&lt;br /&gt;
=== Information as an Asset ===&lt;br /&gt;
&lt;br /&gt;
An ISMS treats information as a valuable business asset.&lt;br /&gt;
&lt;br /&gt;
Just as organisations protect buildings, equipment, and finances, they must also protect information from:&lt;br /&gt;
&lt;br /&gt;
* Unauthorised disclosure&lt;br /&gt;
* Alteration&lt;br /&gt;
* Destruction&lt;br /&gt;
* Loss&lt;br /&gt;
* Unavailability&lt;br /&gt;
&lt;br /&gt;
Not all information has equal value. One of the first tasks in an ISMS is identifying information assets and understanding their importance to the organisation.&lt;br /&gt;
&lt;br /&gt;
=== The CIA Triad ===&lt;br /&gt;
&lt;br /&gt;
Most information security principles are built upon three core objectives:&lt;br /&gt;
&lt;br /&gt;
* Confidentiality&lt;br /&gt;
* Integrity&lt;br /&gt;
* Availability&lt;br /&gt;
&lt;br /&gt;
==== Confidentiality ====&lt;br /&gt;
&lt;br /&gt;
Information should only be accessible to authorised individuals.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Access controls&lt;br /&gt;
* Encryption&lt;br /&gt;
* Security classifications&lt;br /&gt;
* Need-to-know policies&lt;br /&gt;
&lt;br /&gt;
==== Integrity ====&lt;br /&gt;
&lt;br /&gt;
Information must remain accurate, complete, and trustworthy.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Change control procedures&lt;br /&gt;
* Version management&lt;br /&gt;
* Hash verification&lt;br /&gt;
* Audit trails&lt;br /&gt;
&lt;br /&gt;
==== Availability ====&lt;br /&gt;
&lt;br /&gt;
Information and services must be accessible when required.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Backups&lt;br /&gt;
* Disaster recovery planning&lt;br /&gt;
* High availability systems&lt;br /&gt;
* Capacity management&lt;br /&gt;
&lt;br /&gt;
=== Risk-Based Decision Making ===&lt;br /&gt;
&lt;br /&gt;
An ISMS does not attempt to eliminate all risk.&lt;br /&gt;
&lt;br /&gt;
Instead, it seeks to:&lt;br /&gt;
&lt;br /&gt;
# Identify risks&lt;br /&gt;
# Assess their likelihood and impact&lt;br /&gt;
# Apply appropriate controls&lt;br /&gt;
# Accept, transfer, mitigate, or avoid the risk&lt;br /&gt;
&lt;br /&gt;
This risk-based approach ensures resources are spent where they deliver the greatest value.&lt;br /&gt;
&lt;br /&gt;
== ISMS Lifecycle ==&lt;br /&gt;
&lt;br /&gt;
An ISMS is a continuous cycle rather than a one-time implementation.&lt;br /&gt;
&lt;br /&gt;
The process is often represented using the Plan-Do-Check-Act (PDCA) model.&lt;br /&gt;
&lt;br /&gt;
=== Plan ===&lt;br /&gt;
&lt;br /&gt;
Identify:&lt;br /&gt;
&lt;br /&gt;
* Information assets&lt;br /&gt;
* Security risks&lt;br /&gt;
* Legal requirements&lt;br /&gt;
* Business requirements&lt;br /&gt;
&lt;br /&gt;
Define:&lt;br /&gt;
&lt;br /&gt;
* Security objectives&lt;br /&gt;
* Policies&lt;br /&gt;
* Controls&lt;br /&gt;
* Responsibilities&lt;br /&gt;
&lt;br /&gt;
=== Do ===&lt;br /&gt;
&lt;br /&gt;
Implement controls and procedures.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Access control policies&lt;br /&gt;
* Training programmes&lt;br /&gt;
* Backup systems&lt;br /&gt;
* Incident response procedures&lt;br /&gt;
* Supplier management processes&lt;br /&gt;
&lt;br /&gt;
=== Check ===&lt;br /&gt;
&lt;br /&gt;
Evaluate effectiveness through:&lt;br /&gt;
&lt;br /&gt;
* Audits&lt;br /&gt;
* Monitoring&lt;br /&gt;
* Security reviews&lt;br /&gt;
* Risk assessments&lt;br /&gt;
* Management reviews&lt;br /&gt;
&lt;br /&gt;
=== Act ===&lt;br /&gt;
&lt;br /&gt;
Make improvements based on findings.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Updating security controls&lt;br /&gt;
* Revising policies&lt;br /&gt;
* Addressing audit observations&lt;br /&gt;
* Introducing new security measures&lt;br /&gt;
&lt;br /&gt;
== Risk Assessment ==&lt;br /&gt;
&lt;br /&gt;
Risk assessment forms the foundation of an ISMS.&lt;br /&gt;
&lt;br /&gt;
A simple model can be expressed as:&lt;br /&gt;
&lt;br /&gt;
Risk = Likelihood × Impact&lt;br /&gt;
&lt;br /&gt;
For each identified risk, the organisation evaluates:&lt;br /&gt;
&lt;br /&gt;
* What could happen?&lt;br /&gt;
* How likely is it?&lt;br /&gt;
* What would the consequences be?&lt;br /&gt;
* Are existing controls sufficient?&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
A company stores customer records on a file server.&lt;br /&gt;
&lt;br /&gt;
Potential risk:&lt;br /&gt;
* Ransomware encrypts the server.&lt;br /&gt;
&lt;br /&gt;
Impact:&lt;br /&gt;
* High&lt;br /&gt;
&lt;br /&gt;
Likelihood:&lt;br /&gt;
* Medium&lt;br /&gt;
&lt;br /&gt;
Existing controls:&lt;br /&gt;
* Endpoint protection&lt;br /&gt;
* Backups&lt;br /&gt;
* User training&lt;br /&gt;
&lt;br /&gt;
Residual risk:&lt;br /&gt;
* Reduced but not eliminated&lt;br /&gt;
&lt;br /&gt;
== Controls ==&lt;br /&gt;
&lt;br /&gt;
Controls are measures used to reduce risk.&lt;br /&gt;
&lt;br /&gt;
They generally fall into three categories.&lt;br /&gt;
&lt;br /&gt;
=== Administrative Controls ===&lt;br /&gt;
&lt;br /&gt;
People and process focused.&lt;br /&gt;
&lt;br /&gt;
Examples:&lt;br /&gt;
&lt;br /&gt;
* Policies&lt;br /&gt;
* Procedures&lt;br /&gt;
* Security awareness training&lt;br /&gt;
* Supplier agreements&lt;br /&gt;
* Change management&lt;br /&gt;
&lt;br /&gt;
=== Technical Controls ===&lt;br /&gt;
&lt;br /&gt;
Implemented through technology.&lt;br /&gt;
&lt;br /&gt;
Examples:&lt;br /&gt;
&lt;br /&gt;
* Firewalls&lt;br /&gt;
* Multi-factor authentication&lt;br /&gt;
* Anti-malware solutions&lt;br /&gt;
* Encryption&lt;br /&gt;
* Security monitoring&lt;br /&gt;
&lt;br /&gt;
=== Physical Controls ===&lt;br /&gt;
&lt;br /&gt;
Designed to protect physical assets.&lt;br /&gt;
&lt;br /&gt;
Examples:&lt;br /&gt;
&lt;br /&gt;
* Locks&lt;br /&gt;
* Access cards&lt;br /&gt;
* CCTV&lt;br /&gt;
* Secure storage&lt;br /&gt;
* Environmental monitoring&lt;br /&gt;
&lt;br /&gt;
== ISO 27001 and the ISMS ==&lt;br /&gt;
&lt;br /&gt;
The most widely recognised ISMS standard is ISO/IEC 27001.&lt;br /&gt;
&lt;br /&gt;
ISO 27001 provides a framework for establishing, implementing, maintaining, and continually improving an ISMS.&lt;br /&gt;
&lt;br /&gt;
The standard does not prescribe specific technologies.&lt;br /&gt;
&lt;br /&gt;
Instead, it focuses on:&lt;br /&gt;
&lt;br /&gt;
* Governance&lt;br /&gt;
* Risk management&lt;br /&gt;
* Policies&lt;br /&gt;
* Responsibilities&lt;br /&gt;
* Evidence of effectiveness&lt;br /&gt;
* Continuous improvement&lt;br /&gt;
&lt;br /&gt;
Certification demonstrates that an organisation has established a structured and auditable approach to information security management.&lt;br /&gt;
&lt;br /&gt;
== Common Pitfalls ==&lt;br /&gt;
&lt;br /&gt;
=== Treating the ISMS as a Documentation Exercise ===&lt;br /&gt;
&lt;br /&gt;
Policies alone do not improve security.&lt;br /&gt;
&lt;br /&gt;
An ISMS must be embedded into day-to-day business operations.&lt;br /&gt;
&lt;br /&gt;
=== Focusing Only on Technology ===&lt;br /&gt;
&lt;br /&gt;
Technology is only one component of security.&lt;br /&gt;
&lt;br /&gt;
People and processes are often responsible for the largest security failures.&lt;br /&gt;
&lt;br /&gt;
=== Implementing Controls Without Risk Assessment ===&lt;br /&gt;
&lt;br /&gt;
Controls should address identified risks.&lt;br /&gt;
&lt;br /&gt;
Deploying security measures without understanding the threats can waste resources and create operational friction.&lt;br /&gt;
&lt;br /&gt;
=== Lack of Management Support ===&lt;br /&gt;
&lt;br /&gt;
An ISMS requires leadership involvement.&lt;br /&gt;
&lt;br /&gt;
Without management commitment, policies often become ineffective and compliance deteriorates.&lt;br /&gt;
&lt;br /&gt;
== Design &amp;amp; Architecture Considerations ==&lt;br /&gt;
&lt;br /&gt;
When designing an ISMS, organisations should consider:&lt;br /&gt;
&lt;br /&gt;
=== Scalability ===&lt;br /&gt;
&lt;br /&gt;
The ISMS should grow with the organisation.&lt;br /&gt;
&lt;br /&gt;
=== Maintainability ===&lt;br /&gt;
&lt;br /&gt;
Policies and procedures should remain practical and achievable.&lt;br /&gt;
&lt;br /&gt;
=== Security by Design ===&lt;br /&gt;
&lt;br /&gt;
Security should be incorporated into projects and systems from the beginning rather than added later.&lt;br /&gt;
&lt;br /&gt;
=== Integration ===&lt;br /&gt;
&lt;br /&gt;
The ISMS should integrate with:&lt;br /&gt;
&lt;br /&gt;
* Quality Management Systems (QMS)&lt;br /&gt;
* Business Continuity Management (BCMS)&lt;br /&gt;
* IT Service Management (ITSM)&lt;br /&gt;
* Risk Management frameworks&lt;br /&gt;
&lt;br /&gt;
== Troubleshooting &amp;amp; Diagnostics ==&lt;br /&gt;
&lt;br /&gt;
Indicators that an ISMS may not be functioning effectively include:&lt;br /&gt;
&lt;br /&gt;
* Repeated security incidents&lt;br /&gt;
* Audit findings that reoccur&lt;br /&gt;
* Incomplete risk assessments&lt;br /&gt;
* Outdated policies&lt;br /&gt;
* Poor staff security awareness&lt;br /&gt;
* Lack of evidence for implemented controls&lt;br /&gt;
&lt;br /&gt;
Useful diagnostic activities include:&lt;br /&gt;
&lt;br /&gt;
* Internal audits&lt;br /&gt;
* Security reviews&lt;br /&gt;
* Incident trend analysis&lt;br /&gt;
* Policy compliance assessments&lt;br /&gt;
* Management review meetings&lt;br /&gt;
&lt;br /&gt;
== Benefits of an ISMS ==&lt;br /&gt;
&lt;br /&gt;
A mature ISMS can provide:&lt;br /&gt;
&lt;br /&gt;
* Improved risk visibility&lt;br /&gt;
* Better regulatory compliance&lt;br /&gt;
* Increased customer confidence&lt;br /&gt;
* Improved incident response capability&lt;br /&gt;
* Reduced likelihood of security breaches&lt;br /&gt;
* Better governance and accountability&lt;br /&gt;
* Continuous organisational improvement&lt;br /&gt;
&lt;br /&gt;
== Related Topics ==&lt;br /&gt;
&lt;br /&gt;
* [[ISO 27001]]&lt;br /&gt;
* [[Risk Management]]&lt;br /&gt;
* [[Information Classification]]&lt;br /&gt;
* [[Business Continuity Management]]&lt;br /&gt;
* [[Incident Response]]&lt;br /&gt;
* [[Security Controls]]&lt;br /&gt;
* [[Access Control]]&lt;br /&gt;
* [[Data Protection]]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&lt;br /&gt;
* ISO/IEC 27001&lt;br /&gt;
* ISO/IEC 27002&lt;br /&gt;
* ISO 31000 Risk Management&lt;br /&gt;
* NIST Cybersecurity Framework&lt;br /&gt;
* CIS Controls&lt;/div&gt;</description>
			<pubDate>Mon, 06 Jul 2026 06:41:44 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:Information_Security_Management_Systems_(ISMS)</comments>
		</item>
		<item>
			<title>Multi-Factor Authentication (MFA)</title>
			<link>https://knowledgebase.pirho.net/index.php?title=Multi-Factor_Authentication_(MFA)&amp;diff=425&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=Multi-Factor_Authentication_(MFA)&amp;diff=425&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039; Multi-Factor Authentication (MFA) is a security mechanism that requires users to present two or more independent forms of authentication before access is granted. MFA significantly reduces the risk of compromise caused by stolen passwords and has become a fundamental component of modern identity and access management strategies.  == Context ==  For many years, usernames and passwords were the primary method of authentication. While simple and widely suppor...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
Multi-Factor Authentication (MFA) is a security mechanism that requires users to present two or more independent forms of authentication before access is granted. MFA significantly reduces the risk of compromise caused by stolen passwords and has become a fundamental component of modern identity and access management strategies.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
For many years, usernames and passwords were the primary method of authentication. While simple and widely supported, passwords alone suffer from numerous weaknesses including phishing, password reuse, credential stuffing, brute force attacks, and accidental disclosure.&lt;br /&gt;
&lt;br /&gt;
MFA addresses these weaknesses by requiring additional evidence that the user is who they claim to be.&lt;br /&gt;
&lt;br /&gt;
A successful MFA implementation can greatly reduce the likelihood that a compromised password alone will result in unauthorized access.&lt;br /&gt;
&lt;br /&gt;
=== Real-World Usage ===&lt;br /&gt;
&lt;br /&gt;
MFA is commonly used for:&lt;br /&gt;
&lt;br /&gt;
* Microsoft 365&lt;br /&gt;
* Cloud services&lt;br /&gt;
* Virtual Private Networks (VPNs)&lt;br /&gt;
* Remote Desktop Services (RDS)&lt;br /&gt;
* Administrative accounts&lt;br /&gt;
* Banking platforms&lt;br /&gt;
* Customer portals&lt;br /&gt;
* Privileged infrastructure access&lt;br /&gt;
&lt;br /&gt;
=== Common Misconceptions ===&lt;br /&gt;
&lt;br /&gt;
* MFA makes systems impossible to compromise.&lt;br /&gt;
* MFA only applies to cloud platforms.&lt;br /&gt;
* SMS-based MFA is always secure.&lt;br /&gt;
* MFA eliminates the need for strong passwords.&lt;br /&gt;
* MFA is only required for administrators.&lt;br /&gt;
&lt;br /&gt;
In reality, MFA significantly increases security but remains one layer within a broader defence strategy.&lt;br /&gt;
&lt;br /&gt;
=== Typical Failure Points ===&lt;br /&gt;
&lt;br /&gt;
* Users enrolling incorrect devices.&lt;br /&gt;
* Lost or replaced mobiles.&lt;br /&gt;
* Poor recovery procedures.&lt;br /&gt;
* Legacy applications that cannot perform modern authentication.&lt;br /&gt;
* Overreliance on SMS authentication.&lt;br /&gt;
* MFA fatigue attacks.&lt;br /&gt;
&lt;br /&gt;
== Core Concepts ==&lt;br /&gt;
&lt;br /&gt;
=== Authentication Factors ===&lt;br /&gt;
&lt;br /&gt;
Authentication factors are traditionally divided into categories:&lt;br /&gt;
&lt;br /&gt;
==== Something You Know ====&lt;br /&gt;
&lt;br /&gt;
Knowledge-based factors include:&lt;br /&gt;
&lt;br /&gt;
* Passwords&lt;br /&gt;
* PIN numbers&lt;br /&gt;
* Security phrases&lt;br /&gt;
&lt;br /&gt;
==== Something You Have ====&lt;br /&gt;
&lt;br /&gt;
Possession-based factors include:&lt;br /&gt;
&lt;br /&gt;
* Mobile authentication applications&lt;br /&gt;
* Hardware tokens&lt;br /&gt;
* Smart cards&lt;br /&gt;
* FIDO2 security keys&lt;br /&gt;
&lt;br /&gt;
==== Something You Are ====&lt;br /&gt;
&lt;br /&gt;
Biometric factors include:&lt;br /&gt;
&lt;br /&gt;
* Fingerprints&lt;br /&gt;
* Facial recognition&lt;br /&gt;
* Iris recognition&lt;br /&gt;
* Voice recognition&lt;br /&gt;
&lt;br /&gt;
=== Multi-Factor vs Two-Factor Authentication ===&lt;br /&gt;
&lt;br /&gt;
Two-Factor Authentication (2FA) requires two distinct factors.&lt;br /&gt;
&lt;br /&gt;
Multi-Factor Authentication extends this concept and may require multiple independent factors depending on policy, risk level, location, or device trust.&lt;br /&gt;
&lt;br /&gt;
All 2FA implementations are MFA, but not all MFA implementations are limited to two factors.&lt;br /&gt;
&lt;br /&gt;
== Core Authentication Methods ==&lt;br /&gt;
&lt;br /&gt;
=== SMS One-Time Passcodes ===&lt;br /&gt;
&lt;br /&gt;
The user receives a temporary verification code by text message.&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
&lt;br /&gt;
* Simple deployment&lt;br /&gt;
* No application installation required&lt;br /&gt;
&lt;br /&gt;
Disadvantages:&lt;br /&gt;
&lt;br /&gt;
* Vulnerable to SIM-swap attacks&lt;br /&gt;
* Dependent on mobile coverage&lt;br /&gt;
* Less secure than modern alternatives&lt;br /&gt;
&lt;br /&gt;
=== Authenticator Applications ===&lt;br /&gt;
&lt;br /&gt;
Applications generate time-based one-time passcodes (TOTP).&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Microsoft Authenticator&lt;br /&gt;
* Google Authenticator&lt;br /&gt;
* Authy&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
&lt;br /&gt;
* More secure than SMS&lt;br /&gt;
* Works offline&lt;br /&gt;
* Simple user experience&lt;br /&gt;
&lt;br /&gt;
=== Push Notifications ===&lt;br /&gt;
&lt;br /&gt;
The user receives an approval request on a registered device.&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
&lt;br /&gt;
* User friendly&lt;br /&gt;
* Fast authentication process&lt;br /&gt;
&lt;br /&gt;
Disadvantages:&lt;br /&gt;
&lt;br /&gt;
* Vulnerable to MFA fatigue attacks if poorly configured&lt;br /&gt;
&lt;br /&gt;
=== Hardware Security Keys ===&lt;br /&gt;
&lt;br /&gt;
Physical authentication devices based on standards such as FIDO2 and WebAuthn.&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
&lt;br /&gt;
* Resistant to phishing&lt;br /&gt;
* Strong cryptographic protection&lt;br /&gt;
* No reliance on cellular networks&lt;br /&gt;
&lt;br /&gt;
Disadvantages:&lt;br /&gt;
&lt;br /&gt;
* Hardware cost&lt;br /&gt;
* Device management requirements&lt;br /&gt;
&lt;br /&gt;
=== Smart Cards and Certificates ===&lt;br /&gt;
&lt;br /&gt;
Widely used in government, healthcare, military, and enterprise environments.&lt;br /&gt;
&lt;br /&gt;
Authentication is based upon possession of a certificate and associated private key.&lt;br /&gt;
&lt;br /&gt;
== Practical Application ==&lt;br /&gt;
&lt;br /&gt;
=== Small Business Deployment ===&lt;br /&gt;
&lt;br /&gt;
A typical deployment may require:&lt;br /&gt;
&lt;br /&gt;
* Password&lt;br /&gt;
* Mobile authenticator application&lt;br /&gt;
* Recovery methods&lt;br /&gt;
&lt;br /&gt;
This provides substantial protection with minimal infrastructure requirements.&lt;br /&gt;
&lt;br /&gt;
=== Enterprise Deployment ===&lt;br /&gt;
&lt;br /&gt;
Larger organizations often combine:&lt;br /&gt;
&lt;br /&gt;
* Conditional Access policies&lt;br /&gt;
* Device compliance checks&lt;br /&gt;
* MFA enforcement&lt;br /&gt;
* Identity protection systems&lt;br /&gt;
* Privileged access controls&lt;br /&gt;
&lt;br /&gt;
Access decisions become risk-based rather than relying solely on static credentials.&lt;br /&gt;
&lt;br /&gt;
=== Administrative Accounts ===&lt;br /&gt;
&lt;br /&gt;
Administrative accounts should always be protected by MFA.&lt;br /&gt;
&lt;br /&gt;
Recommended approaches include:&lt;br /&gt;
&lt;br /&gt;
* Hardware security keys&lt;br /&gt;
* Certificate-based authentication&lt;br /&gt;
* Dedicated administrative accounts&lt;br /&gt;
* Privileged access workstations&lt;br /&gt;
&lt;br /&gt;
== Common Pitfalls ==&lt;br /&gt;
&lt;br /&gt;
=== Treating MFA as a Silver Bullet ===&lt;br /&gt;
&lt;br /&gt;
MFA is highly effective but does not prevent:&lt;br /&gt;
&lt;br /&gt;
* Malware infections&lt;br /&gt;
* Session hijacking&lt;br /&gt;
* Insider threats&lt;br /&gt;
* Compromised endpoints&lt;br /&gt;
&lt;br /&gt;
=== Weak Recovery Processes ===&lt;br /&gt;
&lt;br /&gt;
Many organizations secure authentication but leave account recovery procedures vulnerable.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Helpdesk password resets without verification&lt;br /&gt;
* Shared recovery email addresses&lt;br /&gt;
* Uncontrolled break-glass accounts&lt;br /&gt;
&lt;br /&gt;
=== MFA Fatigue Attacks ===&lt;br /&gt;
&lt;br /&gt;
Attackers repeatedly trigger authentication prompts hoping users will eventually approve one.&lt;br /&gt;
&lt;br /&gt;
Mitigations include:&lt;br /&gt;
&lt;br /&gt;
* Number matching&lt;br /&gt;
* Geographic verification&lt;br /&gt;
* User training&lt;br /&gt;
* Risk-based sign-in controls&lt;br /&gt;
&lt;br /&gt;
=== Legacy Systems ===&lt;br /&gt;
&lt;br /&gt;
Older applications may rely on:&lt;br /&gt;
&lt;br /&gt;
* Basic authentication&lt;br /&gt;
* POP3&lt;br /&gt;
* IMAP&lt;br /&gt;
* Legacy APIs&lt;br /&gt;
&lt;br /&gt;
These systems often require modernization before MFA can be fully implemented.&lt;br /&gt;
&lt;br /&gt;
== Design &amp;amp; Architecture Considerations ==&lt;br /&gt;
&lt;br /&gt;
=== Security ===&lt;br /&gt;
&lt;br /&gt;
Prioritize phishing-resistant authentication where possible.&lt;br /&gt;
&lt;br /&gt;
Preferred order:&lt;br /&gt;
&lt;br /&gt;
# FIDO2 Security Keys&lt;br /&gt;
# Certificate-Based Authentication&lt;br /&gt;
# Authenticator Applications&lt;br /&gt;
# SMS Authentication&lt;br /&gt;
&lt;br /&gt;
=== Scalability ===&lt;br /&gt;
&lt;br /&gt;
Consider:&lt;br /&gt;
&lt;br /&gt;
* Enrollment processes&lt;br /&gt;
* Device lifecycle management&lt;br /&gt;
* Self-service registration&lt;br /&gt;
* Self-service password reset&lt;br /&gt;
&lt;br /&gt;
=== Maintainability ===&lt;br /&gt;
&lt;br /&gt;
Successful deployments require:&lt;br /&gt;
&lt;br /&gt;
* Documented procedures&lt;br /&gt;
* User training&lt;br /&gt;
* Disaster recovery planning&lt;br /&gt;
* Recovery code management&lt;br /&gt;
&lt;br /&gt;
=== Backwards Compatibility ===&lt;br /&gt;
&lt;br /&gt;
Some environments must support legacy systems temporarily.&lt;br /&gt;
&lt;br /&gt;
Where modernization is not immediately possible:&lt;br /&gt;
&lt;br /&gt;
* Isolate legacy systems&lt;br /&gt;
* Restrict network access&lt;br /&gt;
* Monitor authentication activity&lt;br /&gt;
* Plan migration away from legacy protocols&lt;br /&gt;
&lt;br /&gt;
== Troubleshooting &amp;amp; Diagnostics ==&lt;br /&gt;
&lt;br /&gt;
=== User Cannot Receive Authentication Prompt ===&lt;br /&gt;
&lt;br /&gt;
Check:&lt;br /&gt;
&lt;br /&gt;
* Device registration status&lt;br /&gt;
* Internet connectivity&lt;br /&gt;
* Authenticator application health&lt;br /&gt;
* Notification permissions&lt;br /&gt;
&lt;br /&gt;
=== User Replaced Their Mobile Device ===&lt;br /&gt;
&lt;br /&gt;
Verify:&lt;br /&gt;
&lt;br /&gt;
* Recovery methods exist&lt;br /&gt;
* Secondary authentication factors are available&lt;br /&gt;
* Enrollment process is documented&lt;br /&gt;
&lt;br /&gt;
=== Authentication Works for Some Services Only ===&lt;br /&gt;
&lt;br /&gt;
Investigate:&lt;br /&gt;
&lt;br /&gt;
* Conditional Access policies&lt;br /&gt;
* Legacy authentication usage&lt;br /&gt;
* Application compatibility&lt;br /&gt;
* Federation configuration&lt;br /&gt;
&lt;br /&gt;
=== Unexpected MFA Challenges ===&lt;br /&gt;
&lt;br /&gt;
Review:&lt;br /&gt;
&lt;br /&gt;
* User location&lt;br /&gt;
* Device trust state&lt;br /&gt;
* Risk policies&lt;br /&gt;
* Recent identity protection alerts&lt;br /&gt;
&lt;br /&gt;
== Architectural Overview ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
+------------------+&lt;br /&gt;
| User             |&lt;br /&gt;
+--------+---------+&lt;br /&gt;
         |&lt;br /&gt;
         v&lt;br /&gt;
+------------------+&lt;br /&gt;
| Identity System  |&lt;br /&gt;
| (Azure AD / IdP) |&lt;br /&gt;
+--------+---------+&lt;br /&gt;
         |&lt;br /&gt;
         v&lt;br /&gt;
+------------------+&lt;br /&gt;
| Password Check   |&lt;br /&gt;
+--------+---------+&lt;br /&gt;
         |&lt;br /&gt;
         v&lt;br /&gt;
+------------------+&lt;br /&gt;
| MFA Challenge    |&lt;br /&gt;
| Push / Token     |&lt;br /&gt;
| Key / Biometrics |&lt;br /&gt;
+--------+---------+&lt;br /&gt;
         |&lt;br /&gt;
         v&lt;br /&gt;
+------------------+&lt;br /&gt;
| Access Granted   |&lt;br /&gt;
+------------------+&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Best Practices ==&lt;br /&gt;
&lt;br /&gt;
* Enforce MFA for all users.&lt;br /&gt;
* Require stronger methods for privileged accounts.&lt;br /&gt;
* Use phishing-resistant authentication where possible.&lt;br /&gt;
* Disable legacy authentication protocols.&lt;br /&gt;
* Implement Conditional Access policies.&lt;br /&gt;
* Test account recovery procedures regularly.&lt;br /&gt;
* Monitor sign-in logs and authentication anomalies.&lt;br /&gt;
* Educate users about phishing and MFA fatigue attacks.&lt;br /&gt;
&lt;br /&gt;
== Related Topics ==&lt;br /&gt;
&lt;br /&gt;
* [[Identity and Access Management]]&lt;br /&gt;
* [[Conditional Access]]&lt;br /&gt;
* [[Single Sign-On]]&lt;br /&gt;
* [[Passwordless Authentication]]&lt;br /&gt;
* [[Public Key Infrastructure]]&lt;br /&gt;
* [[Zero Trust Architecture]]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&lt;br /&gt;
* FIDO2 Specifications&lt;br /&gt;
* WebAuthn Standards&lt;br /&gt;
* NIST Digital Identity Guidelines&lt;br /&gt;
* Microsoft Entra ID Documentation&lt;br /&gt;
* RFC 6238 (Time-Based One-Time Password Algorithm)&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!--&lt;br /&gt;
Category: Security&lt;br /&gt;
Audience: Technical / Architectural&lt;br /&gt;
Depth: Intermediate&lt;br /&gt;
Last Reviewed: 2026-07-06&lt;br /&gt;
--&amp;gt;&lt;/div&gt;</description>
			<pubDate>Mon, 06 Jul 2026 06:39:27 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:Multi-Factor_Authentication_(MFA)</comments>
		</item>
		<item>
			<title>Identity &amp; Access Management (IAM)</title>
			<link>https://knowledgebase.pirho.net/index.php?title=Identity_%26_Access_Management_(IAM)&amp;diff=424&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=Identity_%26_Access_Management_(IAM)&amp;diff=424&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039; Identity &amp;amp; Access Management (IAM) is the collection of policies, processes, technologies, and controls used to manage digital identities and regulate access to systems, applications, data, and services. Effective IAM ensures that the right people have the right access to the right resources at the right time, while reducing security risks and supporting compliance requirements.  == Context ==  Modern organisations depend upon hundreds, sometimes thousands...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
Identity &amp;amp; Access Management (IAM) is the collection of policies, processes, technologies, and controls used to manage digital identities and regulate access to systems, applications, data, and services. Effective IAM ensures that the right people have the right access to the right resources at the right time, while reducing security risks and supporting compliance requirements.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
Modern organisations depend upon hundreds, sometimes thousands, of interconnected systems. Employees, contractors, customers, partners, applications, services, and devices all require some form of digital identity.&lt;br /&gt;
&lt;br /&gt;
Without a structured approach to managing identities and access permissions, organisations quickly face security challenges, operational inefficiencies, and compliance risks.&lt;br /&gt;
&lt;br /&gt;
IAM provides a framework for:&lt;br /&gt;
&lt;br /&gt;
* Identifying users and systems&lt;br /&gt;
* Authenticating identities&lt;br /&gt;
* Authorising access&lt;br /&gt;
* Managing permissions&lt;br /&gt;
* Auditing activity&lt;br /&gt;
* Enforcing security policies&lt;br /&gt;
&lt;br /&gt;
While IAM is often associated with user logins, it extends far beyond authentication and forms a critical component of modern cybersecurity architecture.&lt;br /&gt;
&lt;br /&gt;
=== Common Misconceptions ===&lt;br /&gt;
&lt;br /&gt;
* IAM is not simply Active Directory.&lt;br /&gt;
* IAM is not just password management.&lt;br /&gt;
* IAM is not solely a security concern.&lt;br /&gt;
* IAM is both a business process and a technical implementation.&lt;br /&gt;
&lt;br /&gt;
Many access-related incidents result from poor governance rather than technical failures.&lt;br /&gt;
&lt;br /&gt;
== Core Concepts ==&lt;br /&gt;
&lt;br /&gt;
=== Identity ===&lt;br /&gt;
&lt;br /&gt;
An identity represents a person, service, application, device, or process within a system.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Employee accounts&lt;br /&gt;
* Service accounts&lt;br /&gt;
* Application identities&lt;br /&gt;
* Customer identities&lt;br /&gt;
* Managed devices&lt;br /&gt;
&lt;br /&gt;
An identity should uniquely represent a single entity.&lt;br /&gt;
&lt;br /&gt;
=== Authentication ===&lt;br /&gt;
&lt;br /&gt;
Authentication answers the question:&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;quot;Who are you?&amp;quot;&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
Common authentication methods include:&lt;br /&gt;
&lt;br /&gt;
* Username and password&lt;br /&gt;
* Multi-Factor Authentication (MFA)&lt;br /&gt;
* Smart cards&lt;br /&gt;
* Certificates&lt;br /&gt;
* Biometrics&lt;br /&gt;
* Security keys&lt;br /&gt;
&lt;br /&gt;
Authentication establishes confidence in an identity claim.&lt;br /&gt;
&lt;br /&gt;
=== Authorisation ===&lt;br /&gt;
&lt;br /&gt;
Authorisation answers the question:&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;quot;What are you allowed to do?&amp;quot;&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
After authentication succeeds, systems evaluate permissions, roles, policies, and access rules before granting access to resources.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Read access&lt;br /&gt;
* Modify access&lt;br /&gt;
* Administrative privileges&lt;br /&gt;
* Application-specific permissions&lt;br /&gt;
&lt;br /&gt;
=== Accounting and Auditing ===&lt;br /&gt;
&lt;br /&gt;
Authentication and authorisation are only part of the picture.&lt;br /&gt;
&lt;br /&gt;
Organisations must also record:&lt;br /&gt;
&lt;br /&gt;
* Login activity&lt;br /&gt;
* Permission changes&lt;br /&gt;
* Administrative actions&lt;br /&gt;
* Resource access events&lt;br /&gt;
&lt;br /&gt;
These records support security investigations, compliance audits, and operational troubleshooting.&lt;br /&gt;
&lt;br /&gt;
== Identity Lifecycle Management ==&lt;br /&gt;
&lt;br /&gt;
IAM is fundamentally about managing identities throughout their lifecycle.&lt;br /&gt;
&lt;br /&gt;
=== Joiner ===&lt;br /&gt;
&lt;br /&gt;
When a new employee joins:&lt;br /&gt;
&lt;br /&gt;
* Identity is created&lt;br /&gt;
* Accounts are provisioned&lt;br /&gt;
* Access is assigned&lt;br /&gt;
* Security policies are applied&lt;br /&gt;
&lt;br /&gt;
=== Mover ===&lt;br /&gt;
&lt;br /&gt;
When responsibilities change:&lt;br /&gt;
&lt;br /&gt;
* Permissions are reviewed&lt;br /&gt;
* New roles are assigned&lt;br /&gt;
* Old permissions are removed&lt;br /&gt;
&lt;br /&gt;
=== Leaver ===&lt;br /&gt;
&lt;br /&gt;
When an individual leaves:&lt;br /&gt;
&lt;br /&gt;
* Accounts are disabled&lt;br /&gt;
* Authentication methods are revoked&lt;br /&gt;
* Access permissions are removed&lt;br /&gt;
* Audit records are retained&lt;br /&gt;
&lt;br /&gt;
Failure to properly manage the Joiner-Mover-Leaver process is one of the most common causes of excessive permissions and unauthorised access.&lt;br /&gt;
&lt;br /&gt;
== Access Control Models ==&lt;br /&gt;
&lt;br /&gt;
=== Role Based Access Control (RBAC) ===&lt;br /&gt;
&lt;br /&gt;
Users are assigned roles.&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
* Helpdesk Operator&lt;br /&gt;
* HR Manager&lt;br /&gt;
* Finance Administrator&lt;br /&gt;
&lt;br /&gt;
Permissions are granted to roles rather than individual users.&lt;br /&gt;
&lt;br /&gt;
Benefits include:&lt;br /&gt;
&lt;br /&gt;
* Simplified administration&lt;br /&gt;
* Consistency&lt;br /&gt;
* Easier auditing&lt;br /&gt;
&lt;br /&gt;
=== Attribute Based Access Control (ABAC) ===&lt;br /&gt;
&lt;br /&gt;
Access decisions are based upon attributes.&lt;br /&gt;
&lt;br /&gt;
Examples:&lt;br /&gt;
&lt;br /&gt;
* Department&lt;br /&gt;
* Location&lt;br /&gt;
* Device compliance state&lt;br /&gt;
* Time of day&lt;br /&gt;
* Security clearance&lt;br /&gt;
&lt;br /&gt;
ABAC enables highly flexible policy-driven access decisions.&lt;br /&gt;
&lt;br /&gt;
=== Policy-Based Access Control ===&lt;br /&gt;
&lt;br /&gt;
Modern cloud platforms frequently use policy engines to evaluate access requests dynamically.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Conditional Access&lt;br /&gt;
* Zero Trust Policies&lt;br /&gt;
* Risk-Based Access Controls&lt;br /&gt;
&lt;br /&gt;
== Authentication Technologies ==&lt;br /&gt;
&lt;br /&gt;
=== Multi-Factor Authentication (MFA) ===&lt;br /&gt;
&lt;br /&gt;
MFA combines multiple forms of verification.&lt;br /&gt;
&lt;br /&gt;
Typical factors include:&lt;br /&gt;
&lt;br /&gt;
* Something you know (password)&lt;br /&gt;
* Something you have (token)&lt;br /&gt;
* Something you are (biometric)&lt;br /&gt;
&lt;br /&gt;
Compromised credentials remain one of the most common attack vectors, making MFA a foundational security control.&lt;br /&gt;
&lt;br /&gt;
=== Single Sign-On (SSO) ===&lt;br /&gt;
&lt;br /&gt;
SSO allows users to authenticate once and access multiple systems.&lt;br /&gt;
&lt;br /&gt;
Benefits include:&lt;br /&gt;
&lt;br /&gt;
* Improved user experience&lt;br /&gt;
* Reduced password fatigue&lt;br /&gt;
* Centralised security control&lt;br /&gt;
&lt;br /&gt;
=== Federation ===&lt;br /&gt;
&lt;br /&gt;
Federation enables organisations to trust external identity providers.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Microsoft Entra ID&lt;br /&gt;
* Active Directory Federation Services (ADFS)&lt;br /&gt;
* OAuth Providers&lt;br /&gt;
* OpenID Connect Providers&lt;br /&gt;
&lt;br /&gt;
Users authenticate with their home identity provider rather than maintaining separate credentials in every application.&lt;br /&gt;
&lt;br /&gt;
== Practical Application ==&lt;br /&gt;
&lt;br /&gt;
A typical modern enterprise IAM platform may provide:&lt;br /&gt;
&lt;br /&gt;
* Directory services&lt;br /&gt;
* Single Sign-On&lt;br /&gt;
* Multi-Factor Authentication&lt;br /&gt;
* Self-Service Password Reset&lt;br /&gt;
* Conditional Access&lt;br /&gt;
* Identity Governance&lt;br /&gt;
* Privileged Access Management&lt;br /&gt;
* Audit Reporting&lt;br /&gt;
&lt;br /&gt;
A common architecture might look like:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
                    +------------------+&lt;br /&gt;
                    | Identity Source  |&lt;br /&gt;
                    |  HR System       |&lt;br /&gt;
                    +---------+--------+&lt;br /&gt;
                              |&lt;br /&gt;
                              v&lt;br /&gt;
                    +------------------+&lt;br /&gt;
                    | IAM Platform     |&lt;br /&gt;
                    | Identity Store   |&lt;br /&gt;
                    +---------+--------+&lt;br /&gt;
                              |&lt;br /&gt;
          +-------------------+-------------------+&lt;br /&gt;
          |                   |                   |&lt;br /&gt;
          v                   v                   v&lt;br /&gt;
&lt;br /&gt;
   +-------------+    +-------------+    +-------------+&lt;br /&gt;
   | Microsoft   |    | SaaS Apps   |    | On-Premise  |&lt;br /&gt;
   | 365         |    | CRM, ERP    |    | Systems     |&lt;br /&gt;
   +-------------+    +-------------+    +-------------+&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Identity Governance ==&lt;br /&gt;
&lt;br /&gt;
Identity Governance focuses on ensuring access remains appropriate over time.&lt;br /&gt;
&lt;br /&gt;
Typical controls include:&lt;br /&gt;
&lt;br /&gt;
* Access reviews&lt;br /&gt;
* Segregation of duties&lt;br /&gt;
* Approval workflows&lt;br /&gt;
* Periodic recertification&lt;br /&gt;
* Exception management&lt;br /&gt;
&lt;br /&gt;
Governance prevents permission accumulation and reduces insider risk.&lt;br /&gt;
&lt;br /&gt;
== Privileged Access Management (PAM) ==&lt;br /&gt;
&lt;br /&gt;
Administrative accounts represent high-value targets.&lt;br /&gt;
&lt;br /&gt;
PAM solutions help organisations:&lt;br /&gt;
&lt;br /&gt;
* Separate administrative and user accounts&lt;br /&gt;
* Implement just-in-time access&lt;br /&gt;
* Record privileged sessions&lt;br /&gt;
* Protect sensitive credentials&lt;br /&gt;
* Reduce standing privilege&lt;br /&gt;
&lt;br /&gt;
Modern security strategies increasingly assume that privileged access should be temporary rather than permanent.&lt;br /&gt;
&lt;br /&gt;
== Common Pitfalls ==&lt;br /&gt;
&lt;br /&gt;
=== Permission Creep ===&lt;br /&gt;
&lt;br /&gt;
Users gradually accumulate permissions over time.&lt;br /&gt;
&lt;br /&gt;
This often occurs when role changes are not accompanied by access reviews.&lt;br /&gt;
&lt;br /&gt;
=== Shared Accounts ===&lt;br /&gt;
&lt;br /&gt;
Shared accounts reduce accountability and complicate auditing.&lt;br /&gt;
&lt;br /&gt;
Where possible, every action should be traceable to a unique identity.&lt;br /&gt;
&lt;br /&gt;
=== Service Account Neglect ===&lt;br /&gt;
&lt;br /&gt;
Service accounts frequently:&lt;br /&gt;
&lt;br /&gt;
* Use static passwords&lt;br /&gt;
* Avoid MFA&lt;br /&gt;
* Remain undocumented&lt;br /&gt;
&lt;br /&gt;
These accounts often become overlooked security risks.&lt;br /&gt;
&lt;br /&gt;
=== Excessive Administrator Access ===&lt;br /&gt;
&lt;br /&gt;
Granting broad administrative permissions for convenience frequently increases the impact of compromise.&lt;br /&gt;
&lt;br /&gt;
== Design &amp;amp; Architecture Considerations ==&lt;br /&gt;
&lt;br /&gt;
When designing an IAM solution, consider:&lt;br /&gt;
&lt;br /&gt;
=== Scalability ===&lt;br /&gt;
&lt;br /&gt;
Can the solution support organisational growth?&lt;br /&gt;
&lt;br /&gt;
=== Security ===&lt;br /&gt;
&lt;br /&gt;
Does it support:&lt;br /&gt;
&lt;br /&gt;
* MFA&lt;br /&gt;
* Conditional Access&lt;br /&gt;
* Strong authentication&lt;br /&gt;
* Risk-based controls&lt;br /&gt;
&lt;br /&gt;
=== Maintainability ===&lt;br /&gt;
&lt;br /&gt;
Can administrators easily:&lt;br /&gt;
&lt;br /&gt;
* Onboard users&lt;br /&gt;
* Remove access&lt;br /&gt;
* Audit permissions&lt;br /&gt;
* Automate processes&lt;br /&gt;
&lt;br /&gt;
=== Integration ===&lt;br /&gt;
&lt;br /&gt;
Can identities be integrated across:&lt;br /&gt;
&lt;br /&gt;
* Cloud platforms&lt;br /&gt;
* On-premise systems&lt;br /&gt;
* Third-party applications&lt;br /&gt;
* APIs and services&lt;br /&gt;
&lt;br /&gt;
== Troubleshooting &amp;amp; Diagnostics ==&lt;br /&gt;
&lt;br /&gt;
When access issues occur, investigate:&lt;br /&gt;
&lt;br /&gt;
=== Identity Issues ===&lt;br /&gt;
&lt;br /&gt;
* Does the account exist?&lt;br /&gt;
* Is it enabled?&lt;br /&gt;
* Is it synchronised correctly?&lt;br /&gt;
&lt;br /&gt;
=== Authentication Issues ===&lt;br /&gt;
&lt;br /&gt;
* Password problems&lt;br /&gt;
* MFA failures&lt;br /&gt;
* Certificate errors&lt;br /&gt;
* Token expiration&lt;br /&gt;
&lt;br /&gt;
=== Authorisation Issues ===&lt;br /&gt;
&lt;br /&gt;
* Missing role assignments&lt;br /&gt;
* Group membership problems&lt;br /&gt;
* Conditional access restrictions&lt;br /&gt;
* Policy conflicts&lt;br /&gt;
&lt;br /&gt;
=== Audit Logs ===&lt;br /&gt;
&lt;br /&gt;
Review:&lt;br /&gt;
&lt;br /&gt;
* Authentication logs&lt;br /&gt;
* Access logs&lt;br /&gt;
* Security alerts&lt;br /&gt;
* Provisioning events&lt;br /&gt;
&lt;br /&gt;
Audit trails often reveal the root cause faster than troubleshooting individual systems.&lt;br /&gt;
&lt;br /&gt;
== Design Philosophy ==&lt;br /&gt;
&lt;br /&gt;
Strong IAM systems should follow a simple principle:&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;Trust identities only after verification, grant access only when required, and continuously validate that access remains appropriate.&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
This philosophy aligns closely with modern Zero Trust security models, where no user, device, application, or network location is automatically trusted.&lt;br /&gt;
&lt;br /&gt;
== Related Topics ==&lt;br /&gt;
&lt;br /&gt;
* [[Authentication]]&lt;br /&gt;
* [[Authorisation]]&lt;br /&gt;
* [[Active Directory]]&lt;br /&gt;
* [[Microsoft Entra ID]]&lt;br /&gt;
* [[Multi-Factor Authentication]]&lt;br /&gt;
* [[Single Sign-On]]&lt;br /&gt;
* [[Conditional Access]]&lt;br /&gt;
* [[Privileged Access Management]]&lt;br /&gt;
* [[Zero Trust Architecture]]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&lt;br /&gt;
* NIST Digital Identity Guidelines&lt;br /&gt;
* NIST Zero Trust Architecture&lt;br /&gt;
* Microsoft Entra Documentation&lt;br /&gt;
* OAuth 2.0 Specifications&lt;br /&gt;
* OpenID Connect Specifications&lt;br /&gt;
* ISO 27001&lt;br /&gt;
* CIS Controls&lt;/div&gt;</description>
			<pubDate>Mon, 06 Jul 2026 06:37:36 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:Identity_%26_Access_Management_(IAM)</comments>
		</item>
		<item>
			<title>Access Based Enumeration (ABE)</title>
			<link>https://knowledgebase.pirho.net/index.php?title=Access_Based_Enumeration_(ABE)&amp;diff=423&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=Access_Based_Enumeration_(ABE)&amp;diff=423&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039; Access Based Enumeration (ABE) is a security and usability feature that hides files, folders, libraries, sites, and other resources from users who do not have permission to access them. Rather than presenting resources and generating &amp;#039;&amp;#039;Access Denied&amp;#039;&amp;#039; messages when users attempt to open them, ABE ensures that users only see resources they are authorised to access.  ABE is commonly used in Windows File Services, SharePoint environments, and enterprise conte...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
Access Based Enumeration (ABE) is a security and usability feature that hides files, folders, libraries, sites, and other resources from users who do not have permission to access them. Rather than presenting resources and generating &amp;#039;&amp;#039;Access Denied&amp;#039;&amp;#039; messages when users attempt to open them, ABE ensures that users only see resources they are authorised to access.&lt;br /&gt;
&lt;br /&gt;
ABE is commonly used in Windows File Services, SharePoint environments, and enterprise content management systems to improve navigation, reduce information disclosure, and support least-privilege security models.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
=== Why Access Based Enumeration Exists ===&lt;br /&gt;
&lt;br /&gt;
In traditional file systems and content repositories, users may be able to see the names of resources even when they cannot access their contents. While permissions prevent unauthorised access, the visibility of resource names can still reveal useful information about departments, projects, customers, suppliers, or business activities.&lt;br /&gt;
&lt;br /&gt;
Access Based Enumeration addresses this issue by aligning resource visibility with resource permissions.&lt;br /&gt;
&lt;br /&gt;
Instead of showing every available resource, the system evaluates the user&amp;#039;s permissions and displays only the items they are authorised to access.&lt;br /&gt;
&lt;br /&gt;
=== Security vs Visibility ===&lt;br /&gt;
&lt;br /&gt;
A common misconception is that Access Based Enumeration provides security.&lt;br /&gt;
&lt;br /&gt;
It does not.&lt;br /&gt;
&lt;br /&gt;
Permissions provide security.&lt;br /&gt;
&lt;br /&gt;
Access Based Enumeration provides visibility control.&lt;br /&gt;
&lt;br /&gt;
A resource protected by correctly configured permissions remains secure regardless of whether Access Based Enumeration is enabled. ABE simply removes inaccessible resources from view.&lt;br /&gt;
&lt;br /&gt;
=== Common Misconceptions ===&lt;br /&gt;
&lt;br /&gt;
* ABE is not a replacement for permissions.&lt;br /&gt;
* ABE does not encrypt data.&lt;br /&gt;
* ABE does not grant or remove access rights.&lt;br /&gt;
* ABE does not prevent administrators from seeing resources.&lt;br /&gt;
* ABE improves the user experience but should not be relied upon as a security boundary.&lt;br /&gt;
&lt;br /&gt;
== Core Concepts ==&lt;br /&gt;
&lt;br /&gt;
=== Visibility Is Not Security ===&lt;br /&gt;
&lt;br /&gt;
Consider a locked office door.&lt;br /&gt;
&lt;br /&gt;
A person may be able to see the door, the room number, and the department name, but they cannot enter without a key.&lt;br /&gt;
&lt;br /&gt;
The lock provides security.&lt;br /&gt;
&lt;br /&gt;
Removing the department name from the door reduces information disclosure.&lt;br /&gt;
&lt;br /&gt;
Access Based Enumeration operates in a similar way.&lt;br /&gt;
&lt;br /&gt;
Permissions determine whether access is allowed.&lt;br /&gt;
&lt;br /&gt;
ABE determines whether the resource is visible.&lt;br /&gt;
&lt;br /&gt;
=== Permissions Drive Enumeration ===&lt;br /&gt;
&lt;br /&gt;
When a user views a folder, share, library, or site, the platform evaluates the permissions assigned to that user.&lt;br /&gt;
&lt;br /&gt;
Resources that the user can access are displayed.&lt;br /&gt;
&lt;br /&gt;
Resources that the user cannot access are hidden.&lt;br /&gt;
&lt;br /&gt;
The resulting view differs between users depending upon their access rights.&lt;br /&gt;
&lt;br /&gt;
=== Administrator View vs User View ===&lt;br /&gt;
&lt;br /&gt;
Administrators frequently see more resources than standard users because administrative permissions allow broader access.&lt;br /&gt;
&lt;br /&gt;
This often leads to troubleshooting conversations where an administrator can see a folder while an end user cannot.&lt;br /&gt;
&lt;br /&gt;
Understanding that ABE produces different views for different users is essential when diagnosing visibility issues.&lt;br /&gt;
&lt;br /&gt;
== How Access Based Enumeration Works ==&lt;br /&gt;
&lt;br /&gt;
=== Traditional Resource Enumeration ===&lt;br /&gt;
&lt;br /&gt;
Without Access Based Enumeration:&lt;br /&gt;
&lt;br /&gt;
* The system returns all resource names.&lt;br /&gt;
* Users can browse the entire structure.&lt;br /&gt;
* Clicking inaccessible resources produces access denied errors.&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Departments&lt;br /&gt;
├── Finance&lt;br /&gt;
├── Human Resources&lt;br /&gt;
├── IT&lt;br /&gt;
└── Sales&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Every user may see all departmental folders even though they only have access to one of them.&lt;br /&gt;
&lt;br /&gt;
=== Enumerated Resource Lists ===&lt;br /&gt;
&lt;br /&gt;
With Access Based Enumeration enabled, the system filters the list before presenting it to the user.&lt;br /&gt;
&lt;br /&gt;
A Sales user may see:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Departments&lt;br /&gt;
└── Sales&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
An HR user may see:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Departments&lt;br /&gt;
└── Human Resources&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The underlying structure remains unchanged.&lt;br /&gt;
&lt;br /&gt;
Only the visible representation differs.&lt;br /&gt;
&lt;br /&gt;
=== Permission Evaluation Process ===&lt;br /&gt;
&lt;br /&gt;
The process typically follows these steps:&lt;br /&gt;
&lt;br /&gt;
# User requests a resource listing.&lt;br /&gt;
# The system identifies the user&amp;#039;s security context.&lt;br /&gt;
# Permissions are evaluated against each resource.&lt;br /&gt;
# Accessible resources are returned.&lt;br /&gt;
# Inaccessible resources are omitted.&lt;br /&gt;
&lt;br /&gt;
This evaluation occurs each time content is enumerated.&lt;br /&gt;
&lt;br /&gt;
=== Performance Considerations ===&lt;br /&gt;
&lt;br /&gt;
Access Based Enumeration introduces additional permission checks during enumeration.&lt;br /&gt;
&lt;br /&gt;
In most modern environments the impact is negligible.&lt;br /&gt;
&lt;br /&gt;
However, large environments containing millions of objects or complex permission structures may experience increased processing overhead during content enumeration.&lt;br /&gt;
&lt;br /&gt;
== Access Based Enumeration in Windows File Services ==&lt;br /&gt;
&lt;br /&gt;
=== SMB Shares ===&lt;br /&gt;
&lt;br /&gt;
Access Based Enumeration is commonly used on Windows file servers hosting departmental shares.&lt;br /&gt;
&lt;br /&gt;
Without ABE, users may see folders belonging to every department.&lt;br /&gt;
&lt;br /&gt;
With ABE enabled, users only see the departments they are authorised to access.&lt;br /&gt;
&lt;br /&gt;
=== Departmental Shares ===&lt;br /&gt;
&lt;br /&gt;
A common implementation is:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
\\FILESERVER\Departments&lt;br /&gt;
&lt;br /&gt;
├── Finance&lt;br /&gt;
├── HR&lt;br /&gt;
├── IT&lt;br /&gt;
├── Marketing&lt;br /&gt;
└── Sales&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
ABE allows a single share structure while presenting different views to different groups.&lt;br /&gt;
&lt;br /&gt;
This simplifies administration while reducing user confusion.&lt;br /&gt;
&lt;br /&gt;
=== Operational Benefits ===&lt;br /&gt;
&lt;br /&gt;
Benefits include:&lt;br /&gt;
&lt;br /&gt;
* Cleaner navigation experience&lt;br /&gt;
* Reduced accidental browsing&lt;br /&gt;
* Lower helpdesk call volumes&lt;br /&gt;
* Reduced information disclosure&lt;br /&gt;
* Improved departmental segregation&lt;br /&gt;
&lt;br /&gt;
== Access Based Enumeration in SharePoint ==&lt;br /&gt;
&lt;br /&gt;
=== SharePoint Sites ===&lt;br /&gt;
&lt;br /&gt;
SharePoint applies similar principles through security trimming.&lt;br /&gt;
&lt;br /&gt;
Users typically see sites, libraries, pages, and content that they are authorised to access.&lt;br /&gt;
&lt;br /&gt;
Resources outside their permission scope are hidden from navigation and search results.&lt;br /&gt;
&lt;br /&gt;
=== Document Libraries ===&lt;br /&gt;
&lt;br /&gt;
Document libraries can be configured with unique permissions.&lt;br /&gt;
&lt;br /&gt;
When combined with security trimming, users only see information relevant to their role.&lt;br /&gt;
&lt;br /&gt;
This is particularly useful within:&lt;br /&gt;
&lt;br /&gt;
* Project portals&lt;br /&gt;
* Department sites&lt;br /&gt;
* Human Resources systems&lt;br /&gt;
* Customer extranets&lt;br /&gt;
&lt;br /&gt;
=== List Content ===&lt;br /&gt;
&lt;br /&gt;
Permissions can also be applied at item level.&lt;br /&gt;
&lt;br /&gt;
As permissions become more granular, users may see entirely different views of the same list.&lt;br /&gt;
&lt;br /&gt;
Care should be taken to avoid excessive complexity when implementing item-level security.&lt;br /&gt;
&lt;br /&gt;
=== Microsoft 365 Considerations ===&lt;br /&gt;
&lt;br /&gt;
Modern Microsoft 365 deployments increasingly rely on security trimming, group membership, and role-based access models.&lt;br /&gt;
&lt;br /&gt;
Although users may not encounter the term &amp;quot;Access Based Enumeration&amp;quot; directly, the underlying visibility principles remain the same.&lt;br /&gt;
&lt;br /&gt;
== Practical Applications ==&lt;br /&gt;
&lt;br /&gt;
=== Department-Based Information Segregation ===&lt;br /&gt;
&lt;br /&gt;
Large organisations frequently organise data around departments.&lt;br /&gt;
&lt;br /&gt;
ABE allows a single logical structure while presenting appropriate content to each department.&lt;br /&gt;
&lt;br /&gt;
=== Project Portals ===&lt;br /&gt;
&lt;br /&gt;
Project teams often require isolated workspaces.&lt;br /&gt;
&lt;br /&gt;
Access Based Enumeration prevents project teams from being distracted by unrelated projects while protecting sensitive information.&lt;br /&gt;
&lt;br /&gt;
=== Human Resources Systems ===&lt;br /&gt;
&lt;br /&gt;
HR systems commonly contain confidential employee data.&lt;br /&gt;
&lt;br /&gt;
Access Based Enumeration helps ensure that sensitive content remains visible only to authorised personnel.&lt;br /&gt;
&lt;br /&gt;
=== Multi-Tenant Knowledgebases ===&lt;br /&gt;
&lt;br /&gt;
Service providers and consultants may host content for multiple customers within a single environment.&lt;br /&gt;
&lt;br /&gt;
ABE helps maintain separation between tenants while simplifying the underlying infrastructure.&lt;br /&gt;
&lt;br /&gt;
== Security Implications ==&lt;br /&gt;
&lt;br /&gt;
=== Reducing Information Disclosure ===&lt;br /&gt;
&lt;br /&gt;
Even folder names can disclose sensitive information.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Confidential projects&lt;br /&gt;
* Acquisition activities&lt;br /&gt;
* Legal matters&lt;br /&gt;
* Customer names&lt;br /&gt;
* Planned initiatives&lt;br /&gt;
&lt;br /&gt;
ABE reduces this form of exposure.&lt;br /&gt;
&lt;br /&gt;
=== Supporting Least Privilege ===&lt;br /&gt;
&lt;br /&gt;
Organisations implementing least-privilege principles seek to provide users with only the access necessary to perform their duties.&lt;br /&gt;
&lt;br /&gt;
ABE complements this approach by ensuring that users also see only what is relevant to them.&lt;br /&gt;
&lt;br /&gt;
=== Regulatory and Compliance Benefits ===&lt;br /&gt;
&lt;br /&gt;
Many compliance frameworks require appropriate control of information visibility and access.&lt;br /&gt;
&lt;br /&gt;
While ABE alone does not satisfy compliance requirements, it can support broader governance and information security objectives.&lt;br /&gt;
&lt;br /&gt;
== Common Pitfalls ==&lt;br /&gt;
&lt;br /&gt;
=== Permission Sprawl ===&lt;br /&gt;
&lt;br /&gt;
Frequent permission exceptions can create environments that are difficult to understand and maintain.&lt;br /&gt;
&lt;br /&gt;
Over time this may result in unexpected visibility behaviour.&lt;br /&gt;
&lt;br /&gt;
=== Broken Inheritance Confusion ===&lt;br /&gt;
&lt;br /&gt;
In SharePoint environments, broken permission inheritance can lead to situations where content unexpectedly appears or disappears.&lt;br /&gt;
&lt;br /&gt;
Permission design should be documented and reviewed regularly.&lt;br /&gt;
&lt;br /&gt;
=== Users Believe Data Has Been Deleted ===&lt;br /&gt;
&lt;br /&gt;
A common support call occurs when users lose access to a resource and assume it has been deleted.&lt;br /&gt;
&lt;br /&gt;
In reality, permission changes may simply have removed the resource from view.&lt;br /&gt;
&lt;br /&gt;
=== Over-Reliance on ABE ===&lt;br /&gt;
&lt;br /&gt;
ABE should never be considered a substitute for proper security design.&lt;br /&gt;
&lt;br /&gt;
Resources must remain protected by appropriate permissions regardless of whether ABE is enabled.&lt;br /&gt;
&lt;br /&gt;
== Design and Architecture Considerations ==&lt;br /&gt;
&lt;br /&gt;
=== Flat vs Deep Structures ===&lt;br /&gt;
&lt;br /&gt;
Deep folder hierarchies can become difficult to manage and troubleshoot.&lt;br /&gt;
&lt;br /&gt;
Where possible, structures should remain logical and predictable.&lt;br /&gt;
&lt;br /&gt;
=== Group-Based Security Models ===&lt;br /&gt;
&lt;br /&gt;
Permissions should generally be assigned to security groups rather than individual users.&lt;br /&gt;
&lt;br /&gt;
Benefits include:&lt;br /&gt;
&lt;br /&gt;
* Easier administration&lt;br /&gt;
* Improved scalability&lt;br /&gt;
* Consistent access control&lt;br /&gt;
* Simplified auditing&lt;br /&gt;
&lt;br /&gt;
=== Role-Based Access Control ===&lt;br /&gt;
&lt;br /&gt;
Role-Based Access Control (RBAC) works particularly well with ABE.&lt;br /&gt;
&lt;br /&gt;
Users receive access based on organisational roles rather than manual assignments.&lt;br /&gt;
&lt;br /&gt;
This simplifies both provisioning and maintenance.&lt;br /&gt;
&lt;br /&gt;
=== Maintainability at Scale ===&lt;br /&gt;
&lt;br /&gt;
As environments grow, visibility models become increasingly important.&lt;br /&gt;
&lt;br /&gt;
Architectures designed around groups, roles, and inheritance are typically easier to support than architectures built around numerous individual exceptions.&lt;br /&gt;
&lt;br /&gt;
== Troubleshooting and Diagnostics ==&lt;br /&gt;
&lt;br /&gt;
=== Resource Missing From View ===&lt;br /&gt;
&lt;br /&gt;
When a user reports that a file, folder, or site is missing:&lt;br /&gt;
&lt;br /&gt;
# Confirm the user&amp;#039;s identity.&lt;br /&gt;
# Verify group membership.&lt;br /&gt;
# Review inherited permissions.&lt;br /&gt;
# Check unique permissions.&lt;br /&gt;
# Validate visibility from the user&amp;#039;s perspective.&lt;br /&gt;
&lt;br /&gt;
=== Permission Verification Process ===&lt;br /&gt;
&lt;br /&gt;
Administrators should always verify effective permissions before assuming a fault exists.&lt;br /&gt;
&lt;br /&gt;
In many cases the visibility behaviour is operating exactly as designed.&lt;br /&gt;
&lt;br /&gt;
=== Effective Permissions Analysis ===&lt;br /&gt;
&lt;br /&gt;
Questions to investigate include:&lt;br /&gt;
&lt;br /&gt;
* What groups is the user a member of?&lt;br /&gt;
* What permissions are assigned to those groups?&lt;br /&gt;
* Are permissions inherited or unique?&lt;br /&gt;
* Has membership recently changed?&lt;br /&gt;
&lt;br /&gt;
=== Auditing Visibility Issues ===&lt;br /&gt;
&lt;br /&gt;
Visibility problems often originate from:&lt;br /&gt;
&lt;br /&gt;
* Security group configuration&lt;br /&gt;
* Membership changes&lt;br /&gt;
* Permission inheritance breaks&lt;br /&gt;
* Administrative modifications&lt;br /&gt;
&lt;br /&gt;
Auditing these areas usually identifies the root cause.&lt;br /&gt;
&lt;br /&gt;
== Best Practices ==&lt;br /&gt;
&lt;br /&gt;
=== Use Security Groups Rather Than Individuals ===&lt;br /&gt;
&lt;br /&gt;
Avoid assigning permissions directly to users wherever possible.&lt;br /&gt;
&lt;br /&gt;
Group-based administration scales significantly better.&lt;br /&gt;
&lt;br /&gt;
=== Document Permission Models ===&lt;br /&gt;
&lt;br /&gt;
Document:&lt;br /&gt;
&lt;br /&gt;
* Permission structures&lt;br /&gt;
* Group ownership&lt;br /&gt;
* Inheritance boundaries&lt;br /&gt;
* Exception processes&lt;br /&gt;
&lt;br /&gt;
Good documentation reduces future confusion.&lt;br /&gt;
&lt;br /&gt;
=== Conduct Regular Reviews ===&lt;br /&gt;
&lt;br /&gt;
Permissions should be reviewed periodically to ensure they continue to reflect business requirements.&lt;br /&gt;
&lt;br /&gt;
=== Keep Structures Logical ===&lt;br /&gt;
&lt;br /&gt;
Users should be able to predict where information belongs.&lt;br /&gt;
&lt;br /&gt;
Simple structures are easier to understand, govern, and troubleshoot.&lt;br /&gt;
&lt;br /&gt;
== Conclusion ==&lt;br /&gt;
&lt;br /&gt;
Access Based Enumeration is best understood as a visibility management feature rather than a security feature.&lt;br /&gt;
&lt;br /&gt;
Permissions determine who can access a resource.&lt;br /&gt;
&lt;br /&gt;
Access Based Enumeration determines who can see it.&lt;br /&gt;
&lt;br /&gt;
When combined with well-designed permission structures, role-based access controls, and least-privilege principles, ABE improves user experience, reduces information disclosure, simplifies navigation, and supports scalable enterprise information architectures.&lt;br /&gt;
&lt;br /&gt;
A useful rule of thumb is:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Permissions control access.&lt;br /&gt;
&lt;br /&gt;
Access Based Enumeration controls visibility.&lt;br /&gt;
&lt;br /&gt;
Security comes first.&lt;br /&gt;
&lt;br /&gt;
Enumeration merely reflects it.&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Related Topics ==&lt;br /&gt;
&lt;br /&gt;
* [[Role Based Access Control]]&lt;br /&gt;
* [[Principle of Least Privilege]]&lt;br /&gt;
* [[SharePoint Permissions]]&lt;br /&gt;
* [[NTFS Permissions]]&lt;br /&gt;
* [[Security Group Design]]&lt;br /&gt;
* [[Information Governance]]&lt;br /&gt;
* [[Microsoft 365 Security]]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&lt;br /&gt;
* Microsoft Access-Based Enumeration Documentation&lt;br /&gt;
* Microsoft SharePoint Security Documentation&lt;br /&gt;
* Microsoft SMB File Services Documentation&lt;br /&gt;
* Principle of Least Privilege Security Guidance&lt;br /&gt;
* Organisational Access Control Frameworks&lt;/div&gt;</description>
			<pubDate>Mon, 06 Jul 2026 06:36:45 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:Access_Based_Enumeration_(ABE)</comments>
		</item>
		<item>
			<title>Least Privilege Access</title>
			<link>https://knowledgebase.pirho.net/index.php?title=Least_Privilege_Access&amp;diff=422&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=Least_Privilege_Access&amp;diff=422&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;  Least Privilege Access (sometimes called the &amp;#039;&amp;#039;Principle of Least Privilege&amp;#039;&amp;#039; or &amp;#039;&amp;#039;PoLP&amp;#039;&amp;#039;) is a security model that restricts users, systems, applications, and services to the minimum permissions required to perform their intended function.  Rather than granting broad access &amp;quot;just in case&amp;quot;, permissions are carefully assigned based on business need, operational responsibility, and security requirements. This reduces the impact of mistakes, limits opportuni...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
Least Privilege Access (sometimes called the &amp;#039;&amp;#039;Principle of Least Privilege&amp;#039;&amp;#039; or &amp;#039;&amp;#039;PoLP&amp;#039;&amp;#039;) is a security model that restricts users, systems, applications, and services to the minimum permissions required to perform their intended function.&lt;br /&gt;
&lt;br /&gt;
Rather than granting broad access &amp;quot;just in case&amp;quot;, permissions are carefully assigned based on business need, operational responsibility, and security requirements. This reduces the impact of mistakes, limits opportunities for abuse, and helps contain security incidents when they occur.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
Every permission granted within a system represents trust.&lt;br /&gt;
&lt;br /&gt;
The more permissions a user or service receives, the greater the potential impact if those permissions are misused, accidentally exercised, or compromised by an attacker.&lt;br /&gt;
&lt;br /&gt;
Historically, many systems were designed around convenience rather than security. Users were often granted broad privileges to reduce administration overhead and minimise support requests. While convenient in the short term, this approach frequently resulted in excessive access rights and increased security risk.&lt;br /&gt;
&lt;br /&gt;
Modern security architectures place greater emphasis on controlling access to information, systems, and services. Least Privilege has become a foundational principle within security frameworks, compliance standards, operating system design, cloud platforms, and enterprise infrastructure.&lt;br /&gt;
&lt;br /&gt;
== What is Least Privilege Access? ==&lt;br /&gt;
&lt;br /&gt;
The Principle of Least Privilege states that an entity should be granted only the permissions necessary to perform its required task and no more.&lt;br /&gt;
&lt;br /&gt;
An entity may be:&lt;br /&gt;
&lt;br /&gt;
* A user&lt;br /&gt;
* A service account&lt;br /&gt;
* An application&lt;br /&gt;
* A process&lt;br /&gt;
* A device&lt;br /&gt;
* An automated workflow&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
* A receptionist may require access to visitor records but not payroll data.&lt;br /&gt;
* A developer may require access to source code repositories but not production financial systems.&lt;br /&gt;
* A web application may require permission to read customer records but not modify server configuration.&lt;br /&gt;
* A backup service may require access to read files but not to alter them.&lt;br /&gt;
&lt;br /&gt;
The principle can be summarised as:&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;Provide the minimum access required, for the minimum time required.&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
== Why Least Privilege Matters ==&lt;br /&gt;
&lt;br /&gt;
Without access controls, permissions tend to accumulate over time.&lt;br /&gt;
&lt;br /&gt;
Employees change departments.&lt;br /&gt;
&lt;br /&gt;
Projects come and go.&lt;br /&gt;
&lt;br /&gt;
Temporary permissions become permanent.&lt;br /&gt;
&lt;br /&gt;
New systems are integrated into existing environments.&lt;br /&gt;
&lt;br /&gt;
Over time, this creates a phenomenon commonly known as &amp;#039;&amp;#039;&amp;#039;privilege creep&amp;#039;&amp;#039;&amp;#039;.&lt;br /&gt;
&lt;br /&gt;
Privilege creep increases risk because:&lt;br /&gt;
&lt;br /&gt;
* More data becomes accessible&lt;br /&gt;
* More systems can be modified&lt;br /&gt;
* More attack paths become available&lt;br /&gt;
* Auditing becomes more difficult&lt;br /&gt;
* Security incidents become harder to contain&lt;br /&gt;
&lt;br /&gt;
If a compromised account has unrestricted access, an attacker may gain access to multiple systems, applications, and datasets.&lt;br /&gt;
&lt;br /&gt;
If the same account operates under least privilege principles, the attacker&amp;#039;s capabilities are significantly restricted.&lt;br /&gt;
&lt;br /&gt;
== Core Principles ==&lt;br /&gt;
&lt;br /&gt;
=== Need to Know ===&lt;br /&gt;
&lt;br /&gt;
Access should only be granted where there is a legitimate business requirement.&lt;br /&gt;
&lt;br /&gt;
Users should not be able to access information simply because it exists or because access might be useful in the future.&lt;br /&gt;
&lt;br /&gt;
Permission should be justified by operational need.&lt;br /&gt;
&lt;br /&gt;
=== Just Enough Access ===&lt;br /&gt;
&lt;br /&gt;
Access should be restricted to the lowest permission level capable of completing the required task.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Read instead of Modify&lt;br /&gt;
* Modify instead of Full Control&lt;br /&gt;
* Contributor instead of Administrator&lt;br /&gt;
* Site-specific access rather than organisation-wide access&lt;br /&gt;
&lt;br /&gt;
Reducing permissions limits potential damage while still allowing work to be completed.&lt;br /&gt;
&lt;br /&gt;
=== Time-Limited Access ===&lt;br /&gt;
&lt;br /&gt;
Many elevated permissions are only required temporarily.&lt;br /&gt;
&lt;br /&gt;
Common examples include:&lt;br /&gt;
&lt;br /&gt;
* System upgrades&lt;br /&gt;
* Data migration projects&lt;br /&gt;
* Disaster recovery operations&lt;br /&gt;
* Vendor support requests&lt;br /&gt;
* Infrastructure maintenance&lt;br /&gt;
&lt;br /&gt;
Rather than permanently assigning elevated privileges, organisations should grant temporary access with an expiry date.&lt;br /&gt;
&lt;br /&gt;
Once the task is complete, the permission should be removed automatically.&lt;br /&gt;
&lt;br /&gt;
=== Separation of Duties ===&lt;br /&gt;
&lt;br /&gt;
Critical business processes should not rely on a single person having complete control.&lt;br /&gt;
&lt;br /&gt;
Instead, responsibilities are divided across multiple individuals or teams.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* One person requests access while another approves it.&lt;br /&gt;
* Developers create code while administrators deploy it.&lt;br /&gt;
* System administrators manage infrastructure while security teams monitor compliance.&lt;br /&gt;
&lt;br /&gt;
This reduces the risk of fraud, misuse, and accidental changes.&lt;br /&gt;
&lt;br /&gt;
== Practical Application ==&lt;br /&gt;
&lt;br /&gt;
=== User Accounts ===&lt;br /&gt;
&lt;br /&gt;
Users should normally operate with standard user permissions.&lt;br /&gt;
&lt;br /&gt;
Administrative privileges should only be used when administrative functions are required.&lt;br /&gt;
&lt;br /&gt;
This approach limits the impact of:&lt;br /&gt;
&lt;br /&gt;
* Malware&lt;br /&gt;
* Accidental configuration changes&lt;br /&gt;
* Unauthorised software installation&lt;br /&gt;
* Credential theft&lt;br /&gt;
&lt;br /&gt;
A compromised standard account is generally less damaging than a compromised administrator account.&lt;br /&gt;
&lt;br /&gt;
=== Administrative Accounts ===&lt;br /&gt;
&lt;br /&gt;
Many organisations provide separate administrative identities.&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
* dex.white&lt;br /&gt;
* dex.white.admin&lt;br /&gt;
&lt;br /&gt;
The standard account is used for email, collaboration, and business activities.&lt;br /&gt;
&lt;br /&gt;
The privileged account is used only when elevated rights are necessary.&lt;br /&gt;
&lt;br /&gt;
This separation improves auditing and reduces risk.&lt;br /&gt;
&lt;br /&gt;
=== Applications and Service Accounts ===&lt;br /&gt;
&lt;br /&gt;
Applications frequently operate using service accounts.&lt;br /&gt;
&lt;br /&gt;
These accounts are often granted excessive permissions because doing so simplifies deployment.&lt;br /&gt;
&lt;br /&gt;
Unfortunately, excessive permissions make service accounts attractive targets.&lt;br /&gt;
&lt;br /&gt;
A better approach is to grant access only to:&lt;br /&gt;
&lt;br /&gt;
* Required databases&lt;br /&gt;
* Required file locations&lt;br /&gt;
* Required API endpoints&lt;br /&gt;
* Required message queues&lt;br /&gt;
&lt;br /&gt;
Nothing more.&lt;br /&gt;
&lt;br /&gt;
=== Network Segmentation ===&lt;br /&gt;
&lt;br /&gt;
Least Privilege also applies to networks.&lt;br /&gt;
&lt;br /&gt;
Systems should only be able to communicate with devices and services that are necessary for their operation.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* VLAN segmentation&lt;br /&gt;
* Management network isolation&lt;br /&gt;
* Firewall rule restrictions&lt;br /&gt;
* Micro-segmentation&lt;br /&gt;
* Restricted administrative interfaces&lt;br /&gt;
&lt;br /&gt;
Reducing network access limits lateral movement during security incidents.&lt;br /&gt;
&lt;br /&gt;
=== Cloud Platforms ===&lt;br /&gt;
&lt;br /&gt;
Cloud providers commonly implement Least Privilege using Role-Based Access Control (RBAC).&lt;br /&gt;
&lt;br /&gt;
Permissions are grouped into predefined or custom roles which can be assigned according to operational responsibility.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Reader&lt;br /&gt;
* Contributor&lt;br /&gt;
* Backup Operator&lt;br /&gt;
* Security Administrator&lt;br /&gt;
* Billing Administrator&lt;br /&gt;
&lt;br /&gt;
This simplifies permission management while maintaining strong security controls.&lt;br /&gt;
&lt;br /&gt;
== Common Pitfalls ==&lt;br /&gt;
&lt;br /&gt;
=== Privilege Creep ===&lt;br /&gt;
&lt;br /&gt;
Permissions accumulate but are never reviewed.&lt;br /&gt;
&lt;br /&gt;
Users continue to retain access long after it is required.&lt;br /&gt;
&lt;br /&gt;
Regular access reviews help identify and remove unnecessary permissions.&lt;br /&gt;
&lt;br /&gt;
=== Convenience-Based Security ===&lt;br /&gt;
&lt;br /&gt;
Granting broad permissions often appears to solve immediate operational challenges.&lt;br /&gt;
&lt;br /&gt;
However, this frequently creates larger security issues later.&lt;br /&gt;
&lt;br /&gt;
Administrative access should not be used as a substitute for proper design.&lt;br /&gt;
&lt;br /&gt;
=== Shared Accounts ===&lt;br /&gt;
&lt;br /&gt;
Shared accounts reduce accountability.&lt;br /&gt;
&lt;br /&gt;
When multiple people use the same credentials, it becomes difficult to determine who performed a particular action.&lt;br /&gt;
&lt;br /&gt;
Individual identities should always be preferred.&lt;br /&gt;
&lt;br /&gt;
=== Excessive Service Permissions ===&lt;br /&gt;
&lt;br /&gt;
Applications often receive broad access because accurately defining requirements requires additional effort.&lt;br /&gt;
&lt;br /&gt;
This convenience introduces unnecessary risk.&lt;br /&gt;
&lt;br /&gt;
Service accounts should be reviewed regularly to ensure permissions remain appropriate.&lt;br /&gt;
&lt;br /&gt;
== Design and Architecture Considerations ==&lt;br /&gt;
&lt;br /&gt;
Least Privilege is most effective when incorporated during system design rather than added after deployment.&lt;br /&gt;
&lt;br /&gt;
Architects should ask:&lt;br /&gt;
&lt;br /&gt;
* What access is genuinely required?&lt;br /&gt;
* Who requires it?&lt;br /&gt;
* How long is it required?&lt;br /&gt;
* How will it be audited?&lt;br /&gt;
* How will it be revoked?&lt;br /&gt;
* What is the impact if the account is compromised?&lt;br /&gt;
&lt;br /&gt;
A mature access control strategy typically combines:&lt;br /&gt;
&lt;br /&gt;
* Least Privilege&lt;br /&gt;
* Role Based Access Control (RBAC)&lt;br /&gt;
* Multi-Factor Authentication (MFA)&lt;br /&gt;
* Access Reviews&lt;br /&gt;
* Activity Monitoring&lt;br /&gt;
* Security Logging&lt;br /&gt;
* Network Segmentation&lt;br /&gt;
&lt;br /&gt;
Together these controls provide multiple layers of protection.&lt;br /&gt;
&lt;br /&gt;
== Troubleshooting and Diagnostics ==&lt;br /&gt;
&lt;br /&gt;
One of the challenges of implementing Least Privilege is balancing security with operational requirements.&lt;br /&gt;
&lt;br /&gt;
Symptoms of insufficient permissions may include:&lt;br /&gt;
&lt;br /&gt;
* Access denied errors&lt;br /&gt;
* Failed application authentication&lt;br /&gt;
* Incomplete data visibility&lt;br /&gt;
* Workflow failures&lt;br /&gt;
* Service startup issues&lt;br /&gt;
&lt;br /&gt;
When troubleshooting:&lt;br /&gt;
&lt;br /&gt;
# Identify the exact operation being performed.&lt;br /&gt;
# Determine the specific permission required.&lt;br /&gt;
# Grant only the missing permission.&lt;br /&gt;
# Retest the operation.&lt;br /&gt;
# Document the change.&lt;br /&gt;
# Review whether the permission remains necessary after implementation.&lt;br /&gt;
&lt;br /&gt;
Avoid assigning broad permissions merely to eliminate an error message.&lt;br /&gt;
&lt;br /&gt;
The objective is not unrestricted access.&lt;br /&gt;
&lt;br /&gt;
The objective is appropriate access.&lt;br /&gt;
&lt;br /&gt;
== Example Permission Model ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
+------------------------------------------------+&lt;br /&gt;
|               Organisation Systems             |&lt;br /&gt;
+------------------------------------------------+&lt;br /&gt;
                    |&lt;br /&gt;
                    v&lt;br /&gt;
      +-------------------------------+&lt;br /&gt;
      | Role Based Permission Model   |&lt;br /&gt;
      +-------------------------------+&lt;br /&gt;
           |              |&lt;br /&gt;
           |              |&lt;br /&gt;
           v              v&lt;br /&gt;
&lt;br /&gt;
 +----------------+  +----------------+&lt;br /&gt;
 | Standard User  |  | Administrator  |&lt;br /&gt;
 +----------------+  +----------------+&lt;br /&gt;
 | Email          |  | Server Access  |&lt;br /&gt;
 | Documents      |  | System Config  |&lt;br /&gt;
 | Collaboration  |  | Security Tools |&lt;br /&gt;
 +----------------+  +----------------+&lt;br /&gt;
&lt;br /&gt;
           Principle:&lt;br /&gt;
  Every account receives only the permissions&lt;br /&gt;
  required to perform its assigned function.&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Best Practices ==&lt;br /&gt;
&lt;br /&gt;
* Review permissions regularly.&lt;br /&gt;
* Remove unused accounts promptly.&lt;br /&gt;
* Use separate administrative identities.&lt;br /&gt;
* Implement Multi-Factor Authentication.&lt;br /&gt;
* Monitor privileged account activity.&lt;br /&gt;
* Use temporary privilege elevation where possible.&lt;br /&gt;
* Audit service account permissions.&lt;br /&gt;
* Apply network segmentation.&lt;br /&gt;
* Document access approval processes.&lt;br /&gt;
&lt;br /&gt;
== Related Topics ==&lt;br /&gt;
&lt;br /&gt;
* [[Role Based Access Control]]&lt;br /&gt;
* [[Identity and Access Management]]&lt;br /&gt;
* [[Multi-Factor Authentication]]&lt;br /&gt;
* [[Zero Trust Architecture]]&lt;br /&gt;
* [[Defence in Depth]]&lt;br /&gt;
* [[Network Segmentation]]&lt;br /&gt;
* [[Privilege Creep]]&lt;br /&gt;
* [[Just-In-Time Access]]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&lt;br /&gt;
* Principle of Least Privilege (PoLP)&lt;br /&gt;
* NIST Access Control Guidance&lt;br /&gt;
* CIS Critical Security Controls&lt;br /&gt;
* ISO 27001&lt;br /&gt;
* Microsoft Identity and Access Management Documentation&lt;br /&gt;
* Zero Trust Security Models&lt;/div&gt;</description>
			<pubDate>Mon, 06 Jul 2026 06:35:15 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:Least_Privilege_Access</comments>
		</item>
		<item>
			<title>Defence in Depth</title>
			<link>https://knowledgebase.pirho.net/index.php?title=Defence_in_Depth&amp;diff=421&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=Defence_in_Depth&amp;diff=421&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;  Defence in Depth is a security strategy that uses multiple, independent layers of protection to reduce risk. Rather than relying on a single security control, organisations deploy overlapping preventative, detective, and corrective measures throughout their infrastructure.  The approach assumes that any individual security control can fail, be bypassed, misconfigured, or become obsolete. By introducing multiple protective layers, an attacker who defeats o...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
Defence in Depth is a security strategy that uses multiple, independent layers of protection to reduce risk. Rather than relying on a single security control, organisations deploy overlapping preventative, detective, and corrective measures throughout their infrastructure.&lt;br /&gt;
&lt;br /&gt;
The approach assumes that any individual security control can fail, be bypassed, misconfigured, or become obsolete. By introducing multiple protective layers, an attacker who defeats one control should encounter additional barriers before reaching valuable assets.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
Security is often incorrectly viewed as a single product or technology.&lt;br /&gt;
&lt;br /&gt;
Organisations commonly ask questions such as:&lt;br /&gt;
&lt;br /&gt;
* &amp;quot;Do we have a firewall?&amp;quot;&lt;br /&gt;
* &amp;quot;Do we have antivirus?&amp;quot;&lt;br /&gt;
* &amp;quot;Do we have Multi-Factor Authentication?&amp;quot;&lt;br /&gt;
&lt;br /&gt;
While these technologies are important, none of them alone provide comprehensive protection.&lt;br /&gt;
&lt;br /&gt;
A firewall may be misconfigured.&lt;br /&gt;
&lt;br /&gt;
An antivirus product may not recognise a new threat.&lt;br /&gt;
&lt;br /&gt;
A user may inadvertently disclose credentials.&lt;br /&gt;
&lt;br /&gt;
Defence in Depth recognises that security failures occur and designs systems accordingly.&lt;br /&gt;
&lt;br /&gt;
The objective is not to create an impenetrable system. The objective is to increase the effort, time, complexity, and visibility required to compromise a system successfully.&lt;br /&gt;
&lt;br /&gt;
== Core Concepts ==&lt;br /&gt;
&lt;br /&gt;
=== Multiple Security Layers ===&lt;br /&gt;
&lt;br /&gt;
Security controls should exist at multiple points throughout an environment.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Physical security&lt;br /&gt;
* Network security&lt;br /&gt;
* Endpoint security&lt;br /&gt;
* Identity security&lt;br /&gt;
* Application security&lt;br /&gt;
* Data security&lt;br /&gt;
* Monitoring and detection&lt;br /&gt;
* Incident response&lt;br /&gt;
&lt;br /&gt;
Each layer provides protection independently of the others.&lt;br /&gt;
&lt;br /&gt;
=== Assume Breach ===&lt;br /&gt;
&lt;br /&gt;
A useful mindset is to assume that attackers will eventually bypass some form of protection.&lt;br /&gt;
&lt;br /&gt;
Rather than asking:&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;quot;How do we stop attacks completely?&amp;quot;&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
Defence in Depth asks:&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;quot;What happens if this control fails?&amp;quot;&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
This approach naturally leads to resilient designs.&lt;br /&gt;
&lt;br /&gt;
=== Prevention, Detection, and Response ===&lt;br /&gt;
&lt;br /&gt;
Protection alone is insufficient.&lt;br /&gt;
&lt;br /&gt;
An effective security architecture consists of:&lt;br /&gt;
&lt;br /&gt;
* Preventative controls&lt;br /&gt;
* Detective controls&lt;br /&gt;
* Corrective controls&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
! Function&lt;br /&gt;
! Example&lt;br /&gt;
|-&lt;br /&gt;
| Prevent&lt;br /&gt;
| Firewall Rules&lt;br /&gt;
|-&lt;br /&gt;
| Detect&lt;br /&gt;
| SIEM Alert&lt;br /&gt;
|-&lt;br /&gt;
| Respond&lt;br /&gt;
| Incident Response Procedure&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
Together, these form a complete security lifecycle.&lt;br /&gt;
&lt;br /&gt;
== The Castle Analogy ==&lt;br /&gt;
&lt;br /&gt;
A useful way to visualise Defence in Depth is a medieval castle.&lt;br /&gt;
&lt;br /&gt;
An attacker must overcome:&lt;br /&gt;
&lt;br /&gt;
* The moat&lt;br /&gt;
* The drawbridge&lt;br /&gt;
* The outer wall&lt;br /&gt;
* The gatehouse&lt;br /&gt;
* The inner wall&lt;br /&gt;
* The guards&lt;br /&gt;
* The keep&lt;br /&gt;
&lt;br /&gt;
No single defence is expected to stop every attack.&lt;br /&gt;
&lt;br /&gt;
Instead, each layer slows progress and increases the likelihood of detection.&lt;br /&gt;
&lt;br /&gt;
Modern IT systems follow the same principle.&lt;br /&gt;
&lt;br /&gt;
== Practical Application ==&lt;br /&gt;
&lt;br /&gt;
=== Physical Security ===&lt;br /&gt;
&lt;br /&gt;
The first security layer often exists before an attacker reaches a computer system.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Locked buildings&lt;br /&gt;
* Access cards&lt;br /&gt;
* Security guards&lt;br /&gt;
* CCTV&lt;br /&gt;
* Secure server rooms&lt;br /&gt;
&lt;br /&gt;
Physical access frequently bypasses technical controls.&lt;br /&gt;
&lt;br /&gt;
=== Network Security ===&lt;br /&gt;
&lt;br /&gt;
Network controls limit exposure and restrict movement.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Firewalls&lt;br /&gt;
* VLAN segmentation&lt;br /&gt;
* Access control lists&lt;br /&gt;
* VPN gateways&lt;br /&gt;
* Intrusion Prevention Systems&lt;br /&gt;
&lt;br /&gt;
Even if one network segment is compromised, segmentation should prevent unrestricted access to the remainder of the environment.&lt;br /&gt;
&lt;br /&gt;
=== Identity and Access Management ===&lt;br /&gt;
&lt;br /&gt;
Identity controls focus on users and services.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Active Directory&lt;br /&gt;
* Role-Based Access Control&lt;br /&gt;
* Multi-Factor Authentication&lt;br /&gt;
* Conditional Access Policies&lt;br /&gt;
* Privileged Access Management&lt;br /&gt;
&lt;br /&gt;
Compromising a single account should not automatically grant unrestricted administrative access.&lt;br /&gt;
&lt;br /&gt;
=== Endpoint Security ===&lt;br /&gt;
&lt;br /&gt;
Endpoints remain one of the most common attack vectors.&lt;br /&gt;
&lt;br /&gt;
Typical controls include:&lt;br /&gt;
&lt;br /&gt;
* Anti-malware solutions&lt;br /&gt;
* Device encryption&lt;br /&gt;
* Application control&lt;br /&gt;
* Patch management&lt;br /&gt;
* Device compliance policies&lt;br /&gt;
&lt;br /&gt;
A compromised endpoint should still encounter additional security layers.&lt;br /&gt;
&lt;br /&gt;
=== Application Security ===&lt;br /&gt;
&lt;br /&gt;
Applications require security controls independent of the infrastructure hosting them.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Input validation&lt;br /&gt;
* Authentication controls&lt;br /&gt;
* Authorisation checks&lt;br /&gt;
* Secure coding practices&lt;br /&gt;
* API security controls&lt;br /&gt;
&lt;br /&gt;
A secure network does not compensate for insecure application design.&lt;br /&gt;
&lt;br /&gt;
=== Data Protection ===&lt;br /&gt;
&lt;br /&gt;
Ultimately, most attacks target data.&lt;br /&gt;
&lt;br /&gt;
Controls may include:&lt;br /&gt;
&lt;br /&gt;
* File permissions&lt;br /&gt;
* Information classification&lt;br /&gt;
* Encryption at rest&lt;br /&gt;
* Encryption in transit&lt;br /&gt;
* Data Loss Prevention (DLP)&lt;br /&gt;
&lt;br /&gt;
Even if a system is compromised, protected data may remain inaccessible.&lt;br /&gt;
&lt;br /&gt;
=== Monitoring and Detection ===&lt;br /&gt;
&lt;br /&gt;
Many organisations invest heavily in prevention while neglecting detection.&lt;br /&gt;
&lt;br /&gt;
Detection controls include:&lt;br /&gt;
&lt;br /&gt;
* Security Information and Event Management (SIEM)&lt;br /&gt;
* Audit logging&lt;br /&gt;
* Behavioural analytics&lt;br /&gt;
* Endpoint Detection and Response (EDR)&lt;br /&gt;
* Threat intelligence feeds&lt;br /&gt;
&lt;br /&gt;
A security incident cannot be managed if nobody knows it is happening.&lt;br /&gt;
&lt;br /&gt;
== Reference Architecture ==&lt;br /&gt;
&lt;br /&gt;
A simplified Defence in Depth model might appear as follows:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Internet&lt;br /&gt;
    │&lt;br /&gt;
    ▼&lt;br /&gt;
Firewall&lt;br /&gt;
    │&lt;br /&gt;
    ▼&lt;br /&gt;
DMZ Services&lt;br /&gt;
    │&lt;br /&gt;
    ▼&lt;br /&gt;
Internal Firewall&lt;br /&gt;
    │&lt;br /&gt;
    ▼&lt;br /&gt;
Corporate Network&lt;br /&gt;
    │&lt;br /&gt;
    ├── User Devices&lt;br /&gt;
    │&lt;br /&gt;
    ├── Application Servers&lt;br /&gt;
    │&lt;br /&gt;
    └── Management Network&lt;br /&gt;
           │&lt;br /&gt;
           ▼&lt;br /&gt;
      Critical Systems&lt;br /&gt;
           │&lt;br /&gt;
           ▼&lt;br /&gt;
        Protected Data&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Additional security controls exist at every layer.&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
* MFA protects identities&lt;br /&gt;
* EDR protects endpoints&lt;br /&gt;
* SIEM monitors activity&lt;br /&gt;
* Encryption protects information&lt;br /&gt;
&lt;br /&gt;
== Common Pitfalls ==&lt;br /&gt;
&lt;br /&gt;
=== Reliance on a Single Control ===&lt;br /&gt;
&lt;br /&gt;
Many environments unknowingly rely on one technology as their primary defence.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* &amp;quot;The firewall will stop it.&amp;quot;&lt;br /&gt;
* &amp;quot;The antivirus will catch it.&amp;quot;&lt;br /&gt;
* &amp;quot;The cloud provider secures everything.&amp;quot;&lt;br /&gt;
&lt;br /&gt;
This creates single points of failure.&lt;br /&gt;
&lt;br /&gt;
=== Flat Networks ===&lt;br /&gt;
&lt;br /&gt;
Flat networks allow attackers to move laterally after an initial compromise.&lt;br /&gt;
&lt;br /&gt;
Network segmentation significantly reduces this risk.&lt;br /&gt;
&lt;br /&gt;
=== Excessive Administrative Privileges ===&lt;br /&gt;
&lt;br /&gt;
Users frequently possess more permissions than necessary.&lt;br /&gt;
&lt;br /&gt;
This magnifies the impact of credential theft.&lt;br /&gt;
&lt;br /&gt;
=== Lack of Monitoring ===&lt;br /&gt;
&lt;br /&gt;
Attacks may remain undetected for weeks or months if monitoring is insufficient.&lt;br /&gt;
&lt;br /&gt;
Without visibility, incident response becomes reactive rather than proactive.&lt;br /&gt;
&lt;br /&gt;
== Design &amp;amp; Architecture Considerations ==&lt;br /&gt;
&lt;br /&gt;
=== Scalability ===&lt;br /&gt;
&lt;br /&gt;
Security controls should scale alongside the environment.&lt;br /&gt;
&lt;br /&gt;
A design suitable for ten users may become ineffective for a thousand.&lt;br /&gt;
&lt;br /&gt;
=== Security vs Usability ===&lt;br /&gt;
&lt;br /&gt;
Security mechanisms should support business operations rather than obstruct them unnecessarily.&lt;br /&gt;
&lt;br /&gt;
Excessively restrictive controls often encourage users to develop unsafe workarounds.&lt;br /&gt;
&lt;br /&gt;
=== Layer Independence ===&lt;br /&gt;
&lt;br /&gt;
Where possible, security layers should fail independently.&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
* Authentication systems should not rely entirely on network controls.&lt;br /&gt;
* Encryption should not rely entirely on physical security.&lt;br /&gt;
* Monitoring should function even when preventative controls fail.&lt;br /&gt;
&lt;br /&gt;
=== Zero Trust Alignment ===&lt;br /&gt;
&lt;br /&gt;
Modern Zero Trust architectures build upon Defence in Depth principles.&lt;br /&gt;
&lt;br /&gt;
Both assume that trust should be continuously verified rather than assumed.&lt;br /&gt;
&lt;br /&gt;
== Troubleshooting &amp;amp; Diagnostics ==&lt;br /&gt;
&lt;br /&gt;
When assessing security posture, ask:&lt;br /&gt;
&lt;br /&gt;
* What happens if the firewall fails?&lt;br /&gt;
* What happens if a password is stolen?&lt;br /&gt;
* What happens if a workstation becomes infected?&lt;br /&gt;
* What happens if a privileged account is compromised?&lt;br /&gt;
&lt;br /&gt;
If a single failure results in complete compromise, additional security layers are required.&lt;br /&gt;
&lt;br /&gt;
A useful exercise is to follow a hypothetical attacker path through the environment and identify where detection or containment should occur.&lt;br /&gt;
&lt;br /&gt;
== Key Takeaways ==&lt;br /&gt;
&lt;br /&gt;
* No security control is perfect.&lt;br /&gt;
* Security controls should overlap rather than operate in isolation.&lt;br /&gt;
* Prevention, detection, and response are equally important.&lt;br /&gt;
* Security architecture should assume that individual controls will fail.&lt;br /&gt;
* The goal is to increase resistance, reduce impact, and improve visibility.&lt;br /&gt;
&lt;br /&gt;
== Related Topics ==&lt;br /&gt;
&lt;br /&gt;
* [[Zero Trust Architecture]]&lt;br /&gt;
* [[Principle of Least Privilege]]&lt;br /&gt;
* [[Network Segmentation]]&lt;br /&gt;
* [[Identity and Access Management]]&lt;br /&gt;
* [[Security Information and Event Management]]&lt;br /&gt;
* [[Multi-Factor Authentication]]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&lt;br /&gt;
* NIST Cybersecurity Framework&lt;br /&gt;
* NIST SP 800-53 Security Controls&lt;br /&gt;
* NIST Zero Trust Architecture (SP 800-207)&lt;br /&gt;
* CIS Critical Security Controls&lt;br /&gt;
* ISO/IEC 27001&lt;/div&gt;</description>
			<pubDate>Mon, 06 Jul 2026 06:33:34 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:Defence_in_Depth</comments>
		</item>
		<item>
			<title>Security by Design: Building Trust Through Zero Trust, Cyber Essentials, GDPR and Compliance Frameworks</title>
			<link>https://knowledgebase.pirho.net/index.php?title=Security_by_Design:_Building_Trust_Through_Zero_Trust,_Cyber_Essentials,_GDPR_and_Compliance_Frameworks&amp;diff=420&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=Security_by_Design:_Building_Trust_Through_Zero_Trust,_Cyber_Essentials,_GDPR_and_Compliance_Frameworks&amp;diff=420&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;  Modern organisations face increasing cyber threats, stricter regulatory requirements, and growing customer expectations around security and privacy. Security can no longer be treated as a perimeter defence or an afterthought.  This article explores how Secure by Design principles, Zero Trust Architecture, Cyber Essentials, GDPR, ISO 27001, PCI DSS, and related frameworks work together to create resilient, secure, and auditable systems.  == Context ==  Man...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
Modern organisations face increasing cyber threats, stricter regulatory requirements, and growing customer expectations around security and privacy. Security can no longer be treated as a perimeter defence or an afterthought.&lt;br /&gt;
&lt;br /&gt;
This article explores how Secure by Design principles, Zero Trust Architecture, Cyber Essentials, GDPR, ISO 27001, PCI DSS, and related frameworks work together to create resilient, secure, and auditable systems.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
Many organisations approach security from the wrong direction.&lt;br /&gt;
&lt;br /&gt;
They purchase security products, deploy anti-virus software, install firewalls, and then assume they are secure.&lt;br /&gt;
&lt;br /&gt;
Unfortunately, significant security incidents frequently occur despite these controls.&lt;br /&gt;
&lt;br /&gt;
The challenge is that modern environments no longer have a clearly defined security perimeter. Users work remotely, applications are hosted in the cloud, systems integrate with third-party suppliers, and business processes increasingly depend upon APIs and SaaS platforms.&lt;br /&gt;
&lt;br /&gt;
The traditional concept of a &amp;quot;trusted internal network&amp;quot; has largely disappeared.&lt;br /&gt;
&lt;br /&gt;
This is where Secure by Design and Zero Trust become important.&lt;br /&gt;
&lt;br /&gt;
== The Security Pyramid ==&lt;br /&gt;
&lt;br /&gt;
Rather than viewing regulations, certifications, and security technologies as separate initiatives, it is helpful to view them as layers within a broader security strategy.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
                 Compliance&lt;br /&gt;
        (ISO 27001, PCI DSS, GDPR)&lt;br /&gt;
&lt;br /&gt;
             Security Governance&lt;br /&gt;
      (Policies, Risk Management, Auditing)&lt;br /&gt;
&lt;br /&gt;
            Security Architecture&lt;br /&gt;
        (Zero Trust, Secure by Design)&lt;br /&gt;
&lt;br /&gt;
             Technical Controls&lt;br /&gt;
     (MFA, Encryption, Firewalls, EDR)&lt;br /&gt;
&lt;br /&gt;
              Technology Assets&lt;br /&gt;
      (Users, Devices, Applications, Data)&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Each layer depends upon the layers beneath it.&lt;br /&gt;
&lt;br /&gt;
An organisation cannot achieve meaningful compliance without first implementing sound security practices and architecture.&lt;br /&gt;
&lt;br /&gt;
== What Does &amp;quot;Secure by Design&amp;quot; Mean? ==&lt;br /&gt;
&lt;br /&gt;
Secure by Design is the practice of considering security requirements throughout the entire system lifecycle.&lt;br /&gt;
&lt;br /&gt;
Rather than adding security controls after a system has been built, security is incorporated during planning, design, development, deployment, and operation.&lt;br /&gt;
&lt;br /&gt;
=== Traditional Approach ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Build System&lt;br /&gt;
      ↓&lt;br /&gt;
Deploy System&lt;br /&gt;
      ↓&lt;br /&gt;
Discover Security Problems&lt;br /&gt;
      ↓&lt;br /&gt;
Add Controls&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This often leads to expensive remediation projects, operational disruption, and increased risk.&lt;br /&gt;
&lt;br /&gt;
=== Secure by Design Approach ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Identify Risks&lt;br /&gt;
      ↓&lt;br /&gt;
Design Controls&lt;br /&gt;
      ↓&lt;br /&gt;
Build Secure Components&lt;br /&gt;
      ↓&lt;br /&gt;
Deploy Secure Solution&lt;br /&gt;
      ↓&lt;br /&gt;
Continually Improve&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
By considering security from the outset, organisations can reduce both risk and long-term operational costs.&lt;br /&gt;
&lt;br /&gt;
=== Core Principles ===&lt;br /&gt;
&lt;br /&gt;
* Security should be considered during requirements gathering.&lt;br /&gt;
* Risks should be identified before implementation begins.&lt;br /&gt;
* Sensitive data should be protected by default.&lt;br /&gt;
* Access should follow the principle of least privilege.&lt;br /&gt;
* Security controls should be proportionate and measurable.&lt;br /&gt;
* Systems should be designed to fail safely.&lt;br /&gt;
&lt;br /&gt;
== Understanding Zero Trust ==&lt;br /&gt;
&lt;br /&gt;
Zero Trust is one of the most widely discussed and frequently misunderstood security concepts.&lt;br /&gt;
&lt;br /&gt;
It does &amp;#039;&amp;#039;not&amp;#039;&amp;#039; mean:&lt;br /&gt;
&lt;br /&gt;
* Trust nobody.&lt;br /&gt;
* Block all access.&lt;br /&gt;
* Constantly challenge users with endless authentication prompts.&lt;br /&gt;
&lt;br /&gt;
Instead, Zero Trust follows a simple principle:&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;Never trust automatically. Always verify appropriately.&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
Historically, organisations protected a trusted internal network using firewalls and perimeter controls.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Internet&lt;br /&gt;
    │&lt;br /&gt;
Firewall&lt;br /&gt;
    │&lt;br /&gt;
Trusted Network&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This model worked reasonably well when users, devices, and applications remained inside the organisation&amp;#039;s physical boundaries.&lt;br /&gt;
&lt;br /&gt;
Modern environments are different.&lt;br /&gt;
&lt;br /&gt;
Attackers routinely obtain legitimate credentials through:&lt;br /&gt;
&lt;br /&gt;
* Phishing attacks&lt;br /&gt;
* Password reuse&lt;br /&gt;
* Malware infections&lt;br /&gt;
* Session theft&lt;br /&gt;
* Social engineering&lt;br /&gt;
&lt;br /&gt;
Once inside an environment, attackers often move laterally between systems.&lt;br /&gt;
&lt;br /&gt;
=== The Zero Trust Model ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
User → Verification&lt;br /&gt;
Device → Verification&lt;br /&gt;
Application → Verification&lt;br /&gt;
Data Request → Verification&lt;br /&gt;
Access Granted&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Every request is evaluated based upon factors such as:&lt;br /&gt;
&lt;br /&gt;
* User identity&lt;br /&gt;
* Device health&lt;br /&gt;
* Location&lt;br /&gt;
* Risk level&lt;br /&gt;
* Access requirements&lt;br /&gt;
* Business justification&lt;br /&gt;
&lt;br /&gt;
Trust becomes dynamic and contextual rather than permanent.&lt;br /&gt;
&lt;br /&gt;
== Cyber Essentials: The Foundation Layer ==&lt;br /&gt;
&lt;br /&gt;
Cyber Essentials provides a practical baseline of technical security controls.&lt;br /&gt;
&lt;br /&gt;
Its strength lies in simplicity.&lt;br /&gt;
&lt;br /&gt;
Whilst it does not provide a complete information security programme, it establishes a solid foundation upon which more advanced security practices can be built.&lt;br /&gt;
&lt;br /&gt;
=== Firewalls ===&lt;br /&gt;
&lt;br /&gt;
Control and monitor traffic entering and leaving networks.&lt;br /&gt;
&lt;br /&gt;
=== Secure Configuration ===&lt;br /&gt;
&lt;br /&gt;
Reduce attack surface by removing unnecessary services, software, and functionality.&lt;br /&gt;
&lt;br /&gt;
=== Access Control ===&lt;br /&gt;
&lt;br /&gt;
Ensure users only receive the permissions they require to perform their role.&lt;br /&gt;
&lt;br /&gt;
=== Malware Protection ===&lt;br /&gt;
&lt;br /&gt;
Prevent malicious software from executing or spreading within the environment.&lt;br /&gt;
&lt;br /&gt;
=== Vulnerability and Patch Management ===&lt;br /&gt;
&lt;br /&gt;
Reduce exposure to known vulnerabilities by maintaining software and operating systems.&lt;br /&gt;
&lt;br /&gt;
=== Why Cyber Essentials Matters ===&lt;br /&gt;
&lt;br /&gt;
Cyber Essentials demonstrates that security does not always begin with complex technologies.&lt;br /&gt;
&lt;br /&gt;
Many successful attacks exploit basic weaknesses that could have been prevented through fundamental security hygiene.&lt;br /&gt;
&lt;br /&gt;
== GDPR: Security Through Privacy ==&lt;br /&gt;
&lt;br /&gt;
The General Data Protection Regulation (GDPR) is often viewed solely as a legal or compliance requirement.&lt;br /&gt;
&lt;br /&gt;
In reality, many GDPR principles align closely with established security best practices.&lt;br /&gt;
&lt;br /&gt;
=== Data Minimisation ===&lt;br /&gt;
&lt;br /&gt;
Collect only the information genuinely required for business purposes.&lt;br /&gt;
&lt;br /&gt;
=== Purpose Limitation ===&lt;br /&gt;
&lt;br /&gt;
Use information only for the purposes for which it was collected.&lt;br /&gt;
&lt;br /&gt;
=== Access Control ===&lt;br /&gt;
&lt;br /&gt;
Ensure personal data is accessible only to authorised individuals.&lt;br /&gt;
&lt;br /&gt;
=== Accountability ===&lt;br /&gt;
&lt;br /&gt;
Maintain evidence demonstrating compliance and appropriate governance.&lt;br /&gt;
&lt;br /&gt;
=== Privacy by Design ===&lt;br /&gt;
&lt;br /&gt;
Consider privacy implications throughout the design and development lifecycle.&lt;br /&gt;
&lt;br /&gt;
=== Breach Management ===&lt;br /&gt;
&lt;br /&gt;
Implement mechanisms to detect, investigate, and report incidents appropriately.&lt;br /&gt;
&lt;br /&gt;
Many organisations discover that implementing a mature Zero Trust architecture naturally supports numerous GDPR requirements.&lt;br /&gt;
&lt;br /&gt;
== ISO 27001: Governance and Continuous Improvement ==&lt;br /&gt;
&lt;br /&gt;
Cyber Essentials focuses primarily on technical controls.&lt;br /&gt;
&lt;br /&gt;
ISO 27001 focuses on governance, risk management, and continual improvement.&lt;br /&gt;
&lt;br /&gt;
An ISO 27001 Information Security Management System (ISMS) encourages organisations to ask important questions:&lt;br /&gt;
&lt;br /&gt;
* What information assets exist?&lt;br /&gt;
* What risks affect those assets?&lt;br /&gt;
* How are security decisions made?&lt;br /&gt;
* How are controls monitored?&lt;br /&gt;
* How is improvement measured?&lt;br /&gt;
&lt;br /&gt;
=== The Continuous Improvement Cycle ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Identify Assets&lt;br /&gt;
       ↓&lt;br /&gt;
Assess Risks&lt;br /&gt;
       ↓&lt;br /&gt;
Implement Controls&lt;br /&gt;
       ↓&lt;br /&gt;
Monitor&lt;br /&gt;
       ↓&lt;br /&gt;
Review&lt;br /&gt;
       ↓&lt;br /&gt;
Improve&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The objective is not simply to achieve certification.&lt;br /&gt;
&lt;br /&gt;
The objective is to create a repeatable and measurable security management process.&lt;br /&gt;
&lt;br /&gt;
=== Benefits of ISO 27001 ===&lt;br /&gt;
&lt;br /&gt;
* Improved risk visibility&lt;br /&gt;
* Clear governance structures&lt;br /&gt;
* Better audit readiness&lt;br /&gt;
* Stronger customer confidence&lt;br /&gt;
* Continuous security improvement&lt;br /&gt;
&lt;br /&gt;
== PCI DSS: Protecting Payment Data ==&lt;br /&gt;
&lt;br /&gt;
The Payment Card Industry Data Security Standard (PCI DSS) applies to organisations that process, store, or transmit payment card information.&lt;br /&gt;
&lt;br /&gt;
PCI DSS requirements focus on protecting cardholder data throughout its lifecycle.&lt;br /&gt;
&lt;br /&gt;
Common requirements include:&lt;br /&gt;
&lt;br /&gt;
* Network segmentation&lt;br /&gt;
* Encryption of sensitive data&lt;br /&gt;
* Vulnerability management&lt;br /&gt;
* Access controls&lt;br /&gt;
* Security monitoring&lt;br /&gt;
* Logging and auditing&lt;br /&gt;
* Incident response procedures&lt;br /&gt;
&lt;br /&gt;
A common mistake is viewing PCI DSS as a compliance exercise rather than a security initiative.&lt;br /&gt;
&lt;br /&gt;
The most successful organisations use PCI requirements to improve their overall security posture rather than simply passing audits.&lt;br /&gt;
&lt;br /&gt;
== How These Frameworks Work Together ==&lt;br /&gt;
&lt;br /&gt;
These frameworks are often portrayed as competing standards.&lt;br /&gt;
&lt;br /&gt;
In reality, they address different aspects of the same challenge.&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
! Framework&lt;br /&gt;
! Primary Focus&lt;br /&gt;
|-&lt;br /&gt;
| Secure by Design&lt;br /&gt;
| Building secure systems from the outset&lt;br /&gt;
|-&lt;br /&gt;
| Zero Trust&lt;br /&gt;
| Security architecture and access verification&lt;br /&gt;
|-&lt;br /&gt;
| Cyber Essentials&lt;br /&gt;
| Baseline technical controls&lt;br /&gt;
|-&lt;br /&gt;
| GDPR&lt;br /&gt;
| Privacy and personal data protection&lt;br /&gt;
|-&lt;br /&gt;
| ISO 27001&lt;br /&gt;
| Governance and risk management&lt;br /&gt;
|-&lt;br /&gt;
| PCI DSS&lt;br /&gt;
| Protection of payment card data&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
Viewed together, they form a comprehensive security strategy.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Secure by Design&lt;br /&gt;
        ↓&lt;br /&gt;
Zero Trust Architecture&lt;br /&gt;
        ↓&lt;br /&gt;
Cyber Essentials Controls&lt;br /&gt;
        ↓&lt;br /&gt;
Operational Security&lt;br /&gt;
        ↓&lt;br /&gt;
GDPR / PCI DSS Compliance&lt;br /&gt;
        ↓&lt;br /&gt;
ISO 27001 Governance&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Each framework contributes a different piece of the overall security model.&lt;br /&gt;
&lt;br /&gt;
== Common Pitfalls ==&lt;br /&gt;
&lt;br /&gt;
=== Treating Compliance as Security ===&lt;br /&gt;
&lt;br /&gt;
Passing an audit does not guarantee security.&lt;br /&gt;
&lt;br /&gt;
Compliance demonstrates alignment with specific requirements at a particular moment in time.&lt;br /&gt;
&lt;br /&gt;
Security is an ongoing process.&lt;br /&gt;
&lt;br /&gt;
=== Buying Products Instead of Solving Problems ===&lt;br /&gt;
&lt;br /&gt;
Security products should support a security strategy.&lt;br /&gt;
&lt;br /&gt;
They should not become the strategy.&lt;br /&gt;
&lt;br /&gt;
=== Excessive Trust ===&lt;br /&gt;
&lt;br /&gt;
Many breaches occur because systems, devices, or users are trusted implicitly.&lt;br /&gt;
&lt;br /&gt;
Assumptions should be minimised wherever possible.&lt;br /&gt;
&lt;br /&gt;
=== Ignoring Human Factors ===&lt;br /&gt;
&lt;br /&gt;
Technology alone cannot solve security challenges.&lt;br /&gt;
&lt;br /&gt;
Training, awareness, communication, and organisational culture remain critical.&lt;br /&gt;
&lt;br /&gt;
=== Lack of Visibility ===&lt;br /&gt;
&lt;br /&gt;
You cannot protect assets that you do not know exist.&lt;br /&gt;
&lt;br /&gt;
Effective asset management, monitoring, logging, and auditing remain essential.&lt;br /&gt;
&lt;br /&gt;
== Design and Architecture Considerations ==&lt;br /&gt;
&lt;br /&gt;
When designing modern systems:&lt;br /&gt;
&lt;br /&gt;
* Assume credentials may eventually be compromised.&lt;br /&gt;
* Implement least privilege wherever practical.&lt;br /&gt;
* Encrypt data at rest and in transit.&lt;br /&gt;
* Separate duties between administrative functions.&lt;br /&gt;
* Log important events and activities.&lt;br /&gt;
* Monitor continuously.&lt;br /&gt;
* Automate detection where possible.&lt;br /&gt;
* Design for recovery as well as prevention.&lt;br /&gt;
* Treat compliance requirements as design requirements.&lt;br /&gt;
&lt;br /&gt;
The best security architectures are typically invisible to legitimate users whilst remaining resistant to misuse or abuse.&lt;br /&gt;
&lt;br /&gt;
Security should enable business objectives, not obstruct them.&lt;br /&gt;
&lt;br /&gt;
== A Practical Security Model ==&lt;br /&gt;
&lt;br /&gt;
A useful way to think about modern security is:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
People&lt;br /&gt;
   ↓&lt;br /&gt;
Identity&lt;br /&gt;
   ↓&lt;br /&gt;
Devices&lt;br /&gt;
   ↓&lt;br /&gt;
Applications&lt;br /&gt;
   ↓&lt;br /&gt;
Data&lt;br /&gt;
   ↓&lt;br /&gt;
Governance&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Every layer requires appropriate controls.&lt;br /&gt;
&lt;br /&gt;
A weakness in any layer can compromise the entire system.&lt;br /&gt;
&lt;br /&gt;
Security is therefore not a single technology, policy, or certification.&lt;br /&gt;
&lt;br /&gt;
It is the combined result of people, processes, technology, and governance working together.&lt;br /&gt;
&lt;br /&gt;
== Conclusion ==&lt;br /&gt;
&lt;br /&gt;
Secure by Design, Zero Trust, Cyber Essentials, GDPR, ISO 27001, PCI DSS, and related frameworks are not competing initiatives.&lt;br /&gt;
&lt;br /&gt;
They represent different perspectives on the same objective:&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Protecting information, maintaining trust, and enabling organisations to operate securely and effectively.&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
Rather than asking:&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;quot;Which framework should we adopt?&amp;quot;&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
Organisations should ask:&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;quot;How do these frameworks support our overall security architecture?&amp;quot;&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
The answer is usually that each framework contributes valuable guidance, controls, and governance mechanisms.&lt;br /&gt;
&lt;br /&gt;
True security ultimately comes from thoughtful design, disciplined operation, continuous improvement, and a culture that recognises security as everyone&amp;#039;s responsibility.&lt;br /&gt;
&lt;br /&gt;
== Related Topics ==&lt;br /&gt;
&lt;br /&gt;
* [[Defence in Depth]]&lt;br /&gt;
* [[Least Privilege]]&lt;br /&gt;
* [[Identity and Access Management]]&lt;br /&gt;
* [[Multi-Factor Authentication]]&lt;br /&gt;
* [[Risk Management]]&lt;br /&gt;
* [[Information Security Management Systems]]&lt;br /&gt;
* [[Security Operations]]&lt;br /&gt;
* [[Cloud Security Architecture]]&lt;br /&gt;
* [[Data Classification]]&lt;br /&gt;
* [[Business Continuity]]&lt;br /&gt;
* [[Disaster Recovery]]&lt;br /&gt;
* [[Cyber Essentials]]&lt;br /&gt;
* [[ISO 27001]]&lt;br /&gt;
* [[PCI DSS]]&lt;br /&gt;
* [[GDPR]]&lt;br /&gt;
* [[Zero Trust Architecture]]&lt;/div&gt;</description>
			<pubDate>Mon, 06 Jul 2026 06:32:29 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:Security_by_Design:_Building_Trust_Through_Zero_Trust,_Cyber_Essentials,_GDPR_and_Compliance_Frameworks</comments>
		</item>
		<item>
			<title>Server-Side Rendering (SSR), Client-Side Rendering (CSR), and Hybrid Rendering</title>
			<link>https://knowledgebase.pirho.net/index.php?title=Server-Side_Rendering_(SSR),_Client-Side_Rendering_(CSR),_and_Hybrid_Rendering&amp;diff=419&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=Server-Side_Rendering_(SSR),_Client-Side_Rendering_(CSR),_and_Hybrid_Rendering&amp;diff=419&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039; Modern web applications can render their user interfaces in several different ways. The three most common approaches are &amp;#039;&amp;#039;&amp;#039;Server-Side Rendering (SSR)&amp;#039;&amp;#039;&amp;#039;, &amp;#039;&amp;#039;&amp;#039;Client-Side Rendering (CSR)&amp;#039;&amp;#039;&amp;#039;, and &amp;#039;&amp;#039;&amp;#039;Hybrid Rendering&amp;#039;&amp;#039;&amp;#039;. Each approach offers distinct advantages and disadvantages, and the most suitable choice depends on factors such as performance, scalability, compatibility, accessibility, and user experience.  In practice, the question is rarely which appro...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
Modern web applications can render their user interfaces in several different ways. The three most common approaches are &amp;#039;&amp;#039;&amp;#039;Server-Side Rendering (SSR)&amp;#039;&amp;#039;&amp;#039;, &amp;#039;&amp;#039;&amp;#039;Client-Side Rendering (CSR)&amp;#039;&amp;#039;&amp;#039;, and &amp;#039;&amp;#039;&amp;#039;Hybrid Rendering&amp;#039;&amp;#039;&amp;#039;. Each approach offers distinct advantages and disadvantages, and the most suitable choice depends on factors such as performance, scalability, compatibility, accessibility, and user experience.&lt;br /&gt;
&lt;br /&gt;
In practice, the question is rarely which approach is &amp;#039;&amp;#039;best&amp;#039;&amp;#039;. Instead, it is usually a matter of balancing resource utilisation and user experience requirements.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
Since the earliest days of the web, browsers have requested HTML pages that were generated by a web server. This model became known as Server-Side Rendering.&lt;br /&gt;
&lt;br /&gt;
As browsers became more capable and JavaScript evolved into a powerful application platform, rendering increasingly shifted to the client device. This approach became known as Client-Side Rendering.&lt;br /&gt;
&lt;br /&gt;
Modern applications often combine both techniques, producing an initial server-rendered experience and then enhancing it with client-side functionality. This combined approach is generally referred to as Hybrid Rendering.&lt;br /&gt;
&lt;br /&gt;
When designing an application, it is important to consider:&lt;br /&gt;
&lt;br /&gt;
* Server resource consumption&lt;br /&gt;
* Client resource consumption&lt;br /&gt;
* Network performance&lt;br /&gt;
* Search engine visibility&lt;br /&gt;
* Accessibility requirements&lt;br /&gt;
* Browser compatibility&lt;br /&gt;
* Perceived responsiveness&lt;br /&gt;
* Long-term maintainability&lt;br /&gt;
&lt;br /&gt;
== Server-Side Rendering (SSR) ==&lt;br /&gt;
&lt;br /&gt;
=== What is SSR? ===&lt;br /&gt;
&lt;br /&gt;
Server-Side Rendering generates HTML on the web server before the response is sent to the client.&lt;br /&gt;
&lt;br /&gt;
The browser receives a complete document that can usually be displayed immediately.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Browser&lt;br /&gt;
    |&lt;br /&gt;
    | Request&lt;br /&gt;
    v&lt;br /&gt;
Web Server&lt;br /&gt;
    |&lt;br /&gt;
    | Generate HTML&lt;br /&gt;
    v&lt;br /&gt;
HTML Response&lt;br /&gt;
    |&lt;br /&gt;
    v&lt;br /&gt;
Rendered Page&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Advantages ===&lt;br /&gt;
&lt;br /&gt;
==== Fast Initial Rendering ====&lt;br /&gt;
&lt;br /&gt;
The browser receives content that has already been rendered.&lt;br /&gt;
&lt;br /&gt;
Users can often begin reading and navigating before any client-side code executes.&lt;br /&gt;
&lt;br /&gt;
==== Broad Compatibility ====&lt;br /&gt;
&lt;br /&gt;
SSR works well with:&lt;br /&gt;
&lt;br /&gt;
* Older browsers&lt;br /&gt;
* Embedded browsers&lt;br /&gt;
* Accessibility technologies&lt;br /&gt;
* Search engines&lt;br /&gt;
* NOSCRIPT environments&lt;br /&gt;
&lt;br /&gt;
Because the rendered content already exists within the document, JavaScript is not required to display the primary content.&lt;br /&gt;
&lt;br /&gt;
==== Improved Accessibility ====&lt;br /&gt;
&lt;br /&gt;
Assistive technologies can often interpret and navigate server-rendered content more reliably because the document structure exists immediately when loaded.&lt;br /&gt;
&lt;br /&gt;
==== SEO Friendly ====&lt;br /&gt;
&lt;br /&gt;
Search engines can easily discover and index content that is present within the initial HTML response.&lt;br /&gt;
&lt;br /&gt;
=== Disadvantages ===&lt;br /&gt;
&lt;br /&gt;
==== Increased Server Load ====&lt;br /&gt;
&lt;br /&gt;
Every request may require server-side rendering operations.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
100 Users&lt;br /&gt;
     |&lt;br /&gt;
     v&lt;br /&gt;
100 Server Render Operations&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
As user numbers increase, additional server resources may be required.&lt;br /&gt;
&lt;br /&gt;
==== Reduced Client Offloading ====&lt;br /&gt;
&lt;br /&gt;
Modern devices possess significant processing capability.&lt;br /&gt;
&lt;br /&gt;
SSR may place work on the server that could otherwise be distributed across client devices.&lt;br /&gt;
&lt;br /&gt;
==== Less Dynamic User Experience ====&lt;br /&gt;
&lt;br /&gt;
Traditional SSR applications often rely on page reloads to update content.&lt;br /&gt;
&lt;br /&gt;
Although modern techniques can reduce this limitation, SSR alone is less suited to highly interactive applications.&lt;br /&gt;
&lt;br /&gt;
== Client-Side Rendering (CSR) ==&lt;br /&gt;
&lt;br /&gt;
=== What is CSR? ===&lt;br /&gt;
&lt;br /&gt;
Client-Side Rendering delivers an application shell to the browser along with JavaScript.&lt;br /&gt;
&lt;br /&gt;
The browser executes the application and constructs the user interface locally.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Browser&lt;br /&gt;
    |&lt;br /&gt;
    | Request&lt;br /&gt;
    v&lt;br /&gt;
Web Server&lt;br /&gt;
    |&lt;br /&gt;
    | HTML + JavaScript&lt;br /&gt;
    v&lt;br /&gt;
Browser&lt;br /&gt;
    |&lt;br /&gt;
    | Execute Application&lt;br /&gt;
    v&lt;br /&gt;
Render Interface&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Advantages ===&lt;br /&gt;
&lt;br /&gt;
==== Reduced Server Rendering Load ====&lt;br /&gt;
&lt;br /&gt;
The server primarily delivers resources and data.&lt;br /&gt;
&lt;br /&gt;
Rendering work is transferred to the client device.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
100 Users&lt;br /&gt;
     |&lt;br /&gt;
     v&lt;br /&gt;
100 Clients Render Locally&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This allows server resources to be allocated elsewhere.&lt;br /&gt;
&lt;br /&gt;
==== Rich Interactive Experiences ====&lt;br /&gt;
&lt;br /&gt;
CSR is particularly effective for:&lt;br /&gt;
&lt;br /&gt;
* Dashboards&lt;br /&gt;
* Control panels&lt;br /&gt;
* Workflow systems&lt;br /&gt;
* Real-time monitoring&lt;br /&gt;
* Collaborative applications&lt;br /&gt;
* Single-page applications&lt;br /&gt;
&lt;br /&gt;
==== Partial Updates ====&lt;br /&gt;
&lt;br /&gt;
Rather than replacing an entire page, individual areas of the interface can be updated independently.&lt;br /&gt;
&lt;br /&gt;
This often creates a more responsive and application-like experience.&lt;br /&gt;
&lt;br /&gt;
=== Disadvantages ===&lt;br /&gt;
&lt;br /&gt;
==== Slower First Render ====&lt;br /&gt;
&lt;br /&gt;
Before meaningful content appears, the browser may need to:&lt;br /&gt;
&lt;br /&gt;
# Download JavaScript&lt;br /&gt;
# Parse JavaScript&lt;br /&gt;
# Execute JavaScript&lt;br /&gt;
# Construct the interface&lt;br /&gt;
&lt;br /&gt;
On slower devices or networks, this process may introduce noticeable delays.&lt;br /&gt;
&lt;br /&gt;
==== JavaScript Dependency ====&lt;br /&gt;
&lt;br /&gt;
Without JavaScript:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
No Script&lt;br /&gt;
    =&lt;br /&gt;
No Application&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This can create accessibility, compatibility, and usability challenges.&lt;br /&gt;
&lt;br /&gt;
==== Increased Client Requirements ====&lt;br /&gt;
&lt;br /&gt;
CSR assumes the client device has sufficient CPU, memory, and browser capability to execute the application successfully.&lt;br /&gt;
&lt;br /&gt;
Older devices may struggle with large client-side applications.&lt;br /&gt;
&lt;br /&gt;
== Hybrid Rendering ==&lt;br /&gt;
&lt;br /&gt;
=== What is Hybrid Rendering? ===&lt;br /&gt;
&lt;br /&gt;
Hybrid Rendering combines aspects of both SSR and CSR.&lt;br /&gt;
&lt;br /&gt;
The server generates an initial version of the page while the client subsequently enhances the experience.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Request&lt;br /&gt;
   |&lt;br /&gt;
   v&lt;br /&gt;
Server Renders HTML&lt;br /&gt;
   |&lt;br /&gt;
   v&lt;br /&gt;
Browser Displays Content&lt;br /&gt;
   |&lt;br /&gt;
   v&lt;br /&gt;
Client Runtime Loads&lt;br /&gt;
   |&lt;br /&gt;
   v&lt;br /&gt;
Enhanced Interactivity&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Users can access information immediately while richer functionality becomes available progressively.&lt;br /&gt;
&lt;br /&gt;
=== Progressive Enhancement ===&lt;br /&gt;
&lt;br /&gt;
Hybrid Rendering aligns naturally with Progressive Enhancement principles.&lt;br /&gt;
&lt;br /&gt;
The application provides:&lt;br /&gt;
&lt;br /&gt;
* A functional baseline experience&lt;br /&gt;
* Enhanced functionality when supported&lt;br /&gt;
* Graceful degradation when functionality is unavailable&lt;br /&gt;
&lt;br /&gt;
This allows applications to serve a broader range of devices and environments.&lt;br /&gt;
&lt;br /&gt;
=== Hydration ===&lt;br /&gt;
&lt;br /&gt;
Many modern frameworks refer to the process of attaching client-side behaviour to server-rendered content as &amp;#039;&amp;#039;Hydration&amp;#039;&amp;#039;.&lt;br /&gt;
&lt;br /&gt;
The browser receives a fully rendered document and then associates application logic, events, and state with the existing markup.&lt;br /&gt;
&lt;br /&gt;
=== Continuation ===&lt;br /&gt;
&lt;br /&gt;
Some architectures view hydration as a form of &amp;#039;&amp;#039;Continuation&amp;#039;&amp;#039; rather than reconstruction.&lt;br /&gt;
&lt;br /&gt;
In this model:&lt;br /&gt;
&lt;br /&gt;
* The server establishes the initial state&lt;br /&gt;
* The browser receives a usable interface&lt;br /&gt;
* Client-side execution continues from the established state&lt;br /&gt;
&lt;br /&gt;
The application does not rebuild the page. Instead, it resumes operation from the point where the server left off.&lt;br /&gt;
&lt;br /&gt;
=== Advantages ===&lt;br /&gt;
&lt;br /&gt;
==== Fast Initial Display ====&lt;br /&gt;
&lt;br /&gt;
Content becomes visible quickly because the server has already rendered the initial structure.&lt;br /&gt;
&lt;br /&gt;
==== Rich User Experience ====&lt;br /&gt;
&lt;br /&gt;
Once client-side functionality becomes available, users gain access to advanced features and interactive behaviour.&lt;br /&gt;
&lt;br /&gt;
==== Excellent Compatibility ====&lt;br /&gt;
&lt;br /&gt;
Hybrid approaches can support:&lt;br /&gt;
&lt;br /&gt;
* Modern browsers&lt;br /&gt;
* Legacy browsers&lt;br /&gt;
* Search engines&lt;br /&gt;
* Assistive technologies&lt;br /&gt;
* NOSCRIPT environments&lt;br /&gt;
&lt;br /&gt;
==== Balanced Resource Utilisation ====&lt;br /&gt;
&lt;br /&gt;
Rendering responsibilities are shared between the server and client.&lt;br /&gt;
&lt;br /&gt;
This allows architects to distribute workload appropriately.&lt;br /&gt;
&lt;br /&gt;
=== Disadvantages ===&lt;br /&gt;
&lt;br /&gt;
==== Increased Complexity ====&lt;br /&gt;
&lt;br /&gt;
Developers must consider:&lt;br /&gt;
&lt;br /&gt;
* Server rendering&lt;br /&gt;
* Client rendering&lt;br /&gt;
* State management&lt;br /&gt;
* Context synchronisation&lt;br /&gt;
* Progressive enhancement&lt;br /&gt;
&lt;br /&gt;
==== Multiple Execution Environments ====&lt;br /&gt;
&lt;br /&gt;
Applications must behave consistently across different rendering modes.&lt;br /&gt;
&lt;br /&gt;
Testing and maintaining this consistency requires careful architecture.&lt;br /&gt;
&lt;br /&gt;
== Rendering Strategy Comparison ==&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
! Characteristic&lt;br /&gt;
! SSR&lt;br /&gt;
! CSR&lt;br /&gt;
! Hybrid&lt;br /&gt;
|-&lt;br /&gt;
| Initial Render Speed&lt;br /&gt;
| Excellent&lt;br /&gt;
| Variable&lt;br /&gt;
| Excellent&lt;br /&gt;
|-&lt;br /&gt;
| Server Load&lt;br /&gt;
| High&lt;br /&gt;
| Low&lt;br /&gt;
| Moderate&lt;br /&gt;
|-&lt;br /&gt;
| Client Load&lt;br /&gt;
| Low&lt;br /&gt;
| High&lt;br /&gt;
| Moderate&lt;br /&gt;
|-&lt;br /&gt;
| JavaScript Required&lt;br /&gt;
| No&lt;br /&gt;
| Yes&lt;br /&gt;
| Optional&lt;br /&gt;
|-&lt;br /&gt;
| SEO Friendliness&lt;br /&gt;
| Excellent&lt;br /&gt;
| Variable&lt;br /&gt;
| Excellent&lt;br /&gt;
|-&lt;br /&gt;
| Legacy Browser Support&lt;br /&gt;
| Excellent&lt;br /&gt;
| Variable&lt;br /&gt;
| Excellent&lt;br /&gt;
|-&lt;br /&gt;
| Interactive Features&lt;br /&gt;
| Moderate&lt;br /&gt;
| Excellent&lt;br /&gt;
| Excellent&lt;br /&gt;
|-&lt;br /&gt;
| Progressive Enhancement&lt;br /&gt;
| Excellent&lt;br /&gt;
| Limited&lt;br /&gt;
| Excellent&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
== Choosing the Right Approach ==&lt;br /&gt;
&lt;br /&gt;
=== SSR is Well Suited To ===&lt;br /&gt;
&lt;br /&gt;
* Documentation websites&lt;br /&gt;
* Knowledgebases&lt;br /&gt;
* Government services&lt;br /&gt;
* Public information portals&lt;br /&gt;
* News websites&lt;br /&gt;
* Brochure websites&lt;br /&gt;
&lt;br /&gt;
=== CSR is Well Suited To ===&lt;br /&gt;
&lt;br /&gt;
* Web applications&lt;br /&gt;
* Monitoring systems&lt;br /&gt;
* Interactive dashboards&lt;br /&gt;
* Workflow platforms&lt;br /&gt;
* Collaborative environments&lt;br /&gt;
&lt;br /&gt;
=== Hybrid is Well Suited To ===&lt;br /&gt;
&lt;br /&gt;
* Enterprise portals&lt;br /&gt;
* E-commerce platforms&lt;br /&gt;
* Management consoles&lt;br /&gt;
* Administrative interfaces&lt;br /&gt;
* Business applications&lt;br /&gt;
* Large-scale web platforms&lt;br /&gt;
&lt;br /&gt;
== Common Misconceptions ==&lt;br /&gt;
&lt;br /&gt;
=== &amp;quot;CSR is More Modern&amp;quot; ===&lt;br /&gt;
&lt;br /&gt;
CSR is newer than traditional SSR approaches, but newer does not automatically mean better.&lt;br /&gt;
&lt;br /&gt;
The correct rendering model depends on the application&amp;#039;s requirements.&lt;br /&gt;
&lt;br /&gt;
=== &amp;quot;SSR is Obsolete&amp;quot; ===&lt;br /&gt;
&lt;br /&gt;
SSR remains one of the most widely deployed rendering approaches on the web and continues to provide significant benefits.&lt;br /&gt;
&lt;br /&gt;
=== &amp;quot;Hybrid is a Compromise&amp;quot; ===&lt;br /&gt;
&lt;br /&gt;
Hybrid Rendering is often the result of deliberate architectural decisions rather than compromise.&lt;br /&gt;
&lt;br /&gt;
The objective is to use each rendering technique where it delivers the greatest value.&lt;br /&gt;
&lt;br /&gt;
== Design and Architecture Considerations ==&lt;br /&gt;
&lt;br /&gt;
Before selecting a rendering model, consider the following questions:&lt;br /&gt;
&lt;br /&gt;
* Will users always have JavaScript enabled?&lt;br /&gt;
* Are legacy devices supported?&lt;br /&gt;
* Is accessibility a priority?&lt;br /&gt;
* Is first-page load performance important?&lt;br /&gt;
* Are real-time updates required?&lt;br /&gt;
* Can server infrastructure absorb rendering load?&lt;br /&gt;
* Is progressive enhancement desirable?&lt;br /&gt;
* Does the system need to function in restricted environments?&lt;br /&gt;
&lt;br /&gt;
The answers will often influence the choice more than technical preference alone.&lt;br /&gt;
&lt;br /&gt;
== Key Insight ==&lt;br /&gt;
&lt;br /&gt;
The debate between SSR and CSR is frequently presented as a competition. In reality, both approaches solve different problems.&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Server-Side Rendering moves work to the server and delivers content quickly.&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Client-Side Rendering moves work to the client and enables highly interactive experiences.&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Hybrid Rendering combines both approaches, providing immediate structure and content while progressively enabling richer functionality.&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
For many modern applications, especially those intended to support both capable and constrained environments, Hybrid Rendering provides an effective balance between performance, compatibility, resource management, and user experience.&lt;/div&gt;</description>
			<pubDate>Mon, 06 Jul 2026 06:31:28 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:Server-Side_Rendering_(SSR),_Client-Side_Rendering_(CSR),_and_Hybrid_Rendering</comments>
		</item>
		<item>
			<title>Dirty Bitmaps</title>
			<link>https://knowledgebase.pirho.net/index.php?title=Dirty_Bitmaps&amp;diff=418&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=Dirty_Bitmaps&amp;diff=418&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;  A Dirty Bitmap is a change-tracking mechanism used by operating systems, hypervisors, filesystems, storage platforms, backup solutions, and replication technologies to record which blocks of data have been modified since a specific point in time.  By tracking only the regions that have changed, Dirty Bitmaps allow systems to perform efficient incremental backups, replication, synchronization, and recovery operations without repeatedly scanning or copying...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
A Dirty Bitmap is a change-tracking mechanism used by operating systems, hypervisors, filesystems, storage platforms, backup solutions, and replication technologies to record which blocks of data have been modified since a specific point in time.&lt;br /&gt;
&lt;br /&gt;
By tracking only the regions that have changed, Dirty Bitmaps allow systems to perform efficient incremental backups, replication, synchronization, and recovery operations without repeatedly scanning or copying entire datasets.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
Many modern data protection and replication technologies need to answer a simple question:&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;What changed since the last operation?&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
For small systems this may be relatively straightforward, but in enterprise environments disks may be measured in terabytes or petabytes. Comparing every byte of data to identify modifications would be computationally expensive and time-consuming.&lt;br /&gt;
&lt;br /&gt;
Dirty Bitmaps provide an efficient solution by recording modifications as they occur. Rather than examining an entire disk, a backup or replication engine can consult the bitmap and immediately identify which regions have changed.&lt;br /&gt;
&lt;br /&gt;
This approach is widely used throughout IT infrastructure, including:&lt;br /&gt;
&lt;br /&gt;
* Virtualization platforms&lt;br /&gt;
* Backup solutions&lt;br /&gt;
* Disaster recovery systems&lt;br /&gt;
* Storage replication technologies&lt;br /&gt;
* Filesystems&lt;br /&gt;
* Database engines&lt;br /&gt;
&lt;br /&gt;
== Core Concepts ==&lt;br /&gt;
&lt;br /&gt;
=== What Does &amp;quot;Dirty&amp;quot; Mean? ===&lt;br /&gt;
&lt;br /&gt;
In computing, a resource is considered &amp;#039;&amp;#039;dirty&amp;#039;&amp;#039; when it has been modified since it was last examined, processed, synchronized, or saved.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* A memory page modified by a running application&lt;br /&gt;
* A filesystem block written to disk&lt;br /&gt;
* A virtual disk sector altered by a guest operating system&lt;br /&gt;
* A database page updated by a transaction&lt;br /&gt;
&lt;br /&gt;
A Dirty Bitmap simply records which regions have become dirty.&lt;br /&gt;
&lt;br /&gt;
=== What Is a Bitmap? ===&lt;br /&gt;
&lt;br /&gt;
A bitmap is a compact data structure containing individual binary values.&lt;br /&gt;
&lt;br /&gt;
Each bit represents the state of a corresponding object, block, or region.&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Block Number: 0 1 2 3 4 5 6 7&lt;br /&gt;
Bitmap:       0 1 0 1 1 0 0 0&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
In this example:&lt;br /&gt;
&lt;br /&gt;
* Block 1 has changed&lt;br /&gt;
* Block 3 has changed&lt;br /&gt;
* Block 4 has changed&lt;br /&gt;
&lt;br /&gt;
All other blocks remain unchanged.&lt;br /&gt;
&lt;br /&gt;
=== Why Use a Bitmap? ===&lt;br /&gt;
&lt;br /&gt;
Bitmaps are extremely space-efficient.&lt;br /&gt;
&lt;br /&gt;
A single bit can represent a large storage region, meaning very large datasets can be monitored with minimal memory consumption.&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
1 Bit = One tracked region&lt;br /&gt;
0 = Unchanged&lt;br /&gt;
1 = Changed&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Even very large virtual disks can often be tracked using relatively small bitmap structures.&lt;br /&gt;
&lt;br /&gt;
== How Dirty Bitmaps Work ==&lt;br /&gt;
&lt;br /&gt;
The basic process is straightforward.&lt;br /&gt;
&lt;br /&gt;
=== Step 1 – Tracking Begins ===&lt;br /&gt;
&lt;br /&gt;
A bitmap is created and initialized.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
00000000&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
At this stage, no blocks have changed.&lt;br /&gt;
&lt;br /&gt;
=== Step 2 – Data Is Modified ===&lt;br /&gt;
&lt;br /&gt;
Applications write data to storage.&lt;br /&gt;
&lt;br /&gt;
Suppose Block 3 is written:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
00100000&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The corresponding bitmap entry becomes dirty.&lt;br /&gt;
&lt;br /&gt;
=== Step 3 – Additional Writes Occur ===&lt;br /&gt;
&lt;br /&gt;
Further modifications take place:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
01010100&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Multiple blocks are now marked as changed.&lt;br /&gt;
&lt;br /&gt;
=== Step 4 – Processing Occurs ===&lt;br /&gt;
&lt;br /&gt;
A backup, replication, or synchronization engine examines the bitmap and identifies the blocks requiring processing.&lt;br /&gt;
&lt;br /&gt;
Only dirty blocks are selected.&lt;br /&gt;
&lt;br /&gt;
=== Step 5 – Tracking Resets ===&lt;br /&gt;
&lt;br /&gt;
After successful processing, the bitmap may be cleared, archived, replaced, or merged depending on the implementation.&lt;br /&gt;
&lt;br /&gt;
Tracking then begins again for the next cycle.&lt;br /&gt;
&lt;br /&gt;
== Dirty Bitmaps in Virtualization ==&lt;br /&gt;
&lt;br /&gt;
Virtualization platforms are among the most common users of Dirty Bitmaps.&lt;br /&gt;
&lt;br /&gt;
As a virtual machine runs, the guest operating system continuously writes data to its virtual disks.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Virtual Machine&lt;br /&gt;
       |&lt;br /&gt;
       v&lt;br /&gt;
   Virtual Disk&lt;br /&gt;
       |&lt;br /&gt;
       v&lt;br /&gt;
  Dirty Bitmap&lt;br /&gt;
       |&lt;br /&gt;
       v&lt;br /&gt;
Backup / Replication Engine&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Every write operation updates the bitmap.&lt;br /&gt;
&lt;br /&gt;
When an incremental backup occurs, the backup software can request only the blocks identified as dirty.&lt;br /&gt;
&lt;br /&gt;
This significantly reduces:&lt;br /&gt;
&lt;br /&gt;
* Backup duration&lt;br /&gt;
* Disk I/O requirements&lt;br /&gt;
* CPU overhead&lt;br /&gt;
* Network traffic&lt;br /&gt;
&lt;br /&gt;
Many hypervisors expose this functionality through Changed Block Tracking (CBT) or similar technologies.&lt;br /&gt;
&lt;br /&gt;
== Dirty Bitmaps and Incremental Backups ==&lt;br /&gt;
&lt;br /&gt;
Dirty Bitmaps are a fundamental enabling technology for incremental backups.&lt;br /&gt;
&lt;br /&gt;
Consider a virtual machine with:&lt;br /&gt;
&lt;br /&gt;
* A 2 TB virtual disk&lt;br /&gt;
* 5 GB of modified data&lt;br /&gt;
&lt;br /&gt;
Without change tracking:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Read 2 TB&lt;br /&gt;
Compare 2 TB&lt;br /&gt;
Identify 5 GB&lt;br /&gt;
Backup 5 GB&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
With a Dirty Bitmap:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Read Bitmap&lt;br /&gt;
Identify 5 GB&lt;br /&gt;
Backup 5 GB&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The amount of work required is dramatically reduced.&lt;br /&gt;
&lt;br /&gt;
This allows backup systems to scale to much larger environments while maintaining acceptable backup windows.&lt;br /&gt;
&lt;br /&gt;
== Dirty Bitmaps and Replication ==&lt;br /&gt;
&lt;br /&gt;
Replication technologies use Dirty Bitmaps to determine which data must be transmitted to a secondary system.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Primary System&lt;br /&gt;
       |&lt;br /&gt;
       v&lt;br /&gt;
  Dirty Bitmap&lt;br /&gt;
       |&lt;br /&gt;
Changed Blocks&lt;br /&gt;
       |&lt;br /&gt;
       v&lt;br /&gt;
Secondary System&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Only modified blocks are transferred.&lt;br /&gt;
&lt;br /&gt;
Benefits include:&lt;br /&gt;
&lt;br /&gt;
* Reduced bandwidth consumption&lt;br /&gt;
* Faster synchronization&lt;br /&gt;
* Lower replication latency&lt;br /&gt;
* Improved Recovery Point Objectives (RPO)&lt;br /&gt;
&lt;br /&gt;
This becomes particularly important when replicating across low-bandwidth or high-latency network connections.&lt;br /&gt;
&lt;br /&gt;
== Dirty Bitmaps and Memory Management ==&lt;br /&gt;
&lt;br /&gt;
Dirty Bitmaps are not limited to storage systems.&lt;br /&gt;
&lt;br /&gt;
Operating systems commonly track dirty memory pages.&lt;br /&gt;
&lt;br /&gt;
When memory pages are modified:&lt;br /&gt;
&lt;br /&gt;
* The page is marked dirty&lt;br /&gt;
* The operating system knows it must be written back later&lt;br /&gt;
* Unmodified pages may be ignored&lt;br /&gt;
&lt;br /&gt;
This concept is used extensively in:&lt;br /&gt;
&lt;br /&gt;
* Virtual memory management&lt;br /&gt;
* Hypervisor memory tracking&lt;br /&gt;
* Live migration technologies&lt;br /&gt;
* Memory snapshots&lt;br /&gt;
&lt;br /&gt;
Although the tracked resource differs, the underlying principle remains identical.&lt;br /&gt;
&lt;br /&gt;
== Relationship with Snapshots ==&lt;br /&gt;
&lt;br /&gt;
Dirty Bitmaps and snapshots are often used together but serve different purposes.&lt;br /&gt;
&lt;br /&gt;
=== Snapshot ===&lt;br /&gt;
&lt;br /&gt;
A snapshot preserves a point-in-time view of data.&lt;br /&gt;
&lt;br /&gt;
=== Dirty Bitmap ===&lt;br /&gt;
&lt;br /&gt;
A Dirty Bitmap records what changes after that point in time.&lt;br /&gt;
&lt;br /&gt;
A useful analogy is:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Snapshot     = Photograph&lt;br /&gt;
Dirty Bitmap = List of everything that changed&lt;br /&gt;
               after the photograph was taken&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Many backup products create a snapshot and then use Dirty Bitmaps to identify subsequent changes.&lt;br /&gt;
&lt;br /&gt;
== Granularity and Accuracy ==&lt;br /&gt;
&lt;br /&gt;
One important design consideration is tracking granularity.&lt;br /&gt;
&lt;br /&gt;
Granularity defines the size of the region represented by each bitmap entry.&lt;br /&gt;
&lt;br /&gt;
=== Large Tracking Regions ===&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
1 Bit = 1 MB&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
&lt;br /&gt;
* Smaller bitmap&lt;br /&gt;
* Lower memory overhead&lt;br /&gt;
&lt;br /&gt;
Disadvantages:&lt;br /&gt;
&lt;br /&gt;
* Less precise tracking&lt;br /&gt;
&lt;br /&gt;
If a single byte changes within the 1 MB region, the entire region becomes dirty.&lt;br /&gt;
&lt;br /&gt;
=== Small Tracking Regions ===&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
1 Bit = 64 KB&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
&lt;br /&gt;
* More accurate tracking&lt;br /&gt;
* Reduced unnecessary data transfer&lt;br /&gt;
&lt;br /&gt;
Disadvantages:&lt;br /&gt;
&lt;br /&gt;
* Larger bitmap&lt;br /&gt;
* Increased management overhead&lt;br /&gt;
&lt;br /&gt;
System designers must balance precision against resource consumption.&lt;br /&gt;
&lt;br /&gt;
== Common Pitfalls ==&lt;br /&gt;
&lt;br /&gt;
=== Lost Change Tracking Information ===&lt;br /&gt;
&lt;br /&gt;
If Dirty Bitmap information is lost, corrupted, or becomes unreliable, systems may be forced to perform a full backup or complete resynchronization.&lt;br /&gt;
&lt;br /&gt;
=== Excessive Change Rates ===&lt;br /&gt;
&lt;br /&gt;
Some workloads modify large portions of storage continuously.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Database maintenance operations&lt;br /&gt;
* Data migrations&lt;br /&gt;
* Disk defragmentation&lt;br /&gt;
* Large file imports&lt;br /&gt;
&lt;br /&gt;
In these situations, incremental operations may approach the size of a full transfer.&lt;br /&gt;
&lt;br /&gt;
=== Incorrect Reset Operations ===&lt;br /&gt;
&lt;br /&gt;
Resetting tracking information prematurely can result in changed blocks being overlooked.&lt;br /&gt;
&lt;br /&gt;
For this reason, backup and replication systems typically clear bitmap data only after successful processing.&lt;br /&gt;
&lt;br /&gt;
=== Tracking Overhead ===&lt;br /&gt;
&lt;br /&gt;
While generally lightweight, Dirty Bitmap management introduces a small amount of overhead because every write operation must update tracking information.&lt;br /&gt;
&lt;br /&gt;
At enterprise scale, even small overheads can accumulate.&lt;br /&gt;
&lt;br /&gt;
== Design and Architecture Considerations ==&lt;br /&gt;
&lt;br /&gt;
When designing systems that rely on Dirty Bitmaps, architects should consider:&lt;br /&gt;
&lt;br /&gt;
=== Scalability ===&lt;br /&gt;
&lt;br /&gt;
Can the tracking mechanism efficiently handle increasing data volumes?&lt;br /&gt;
&lt;br /&gt;
=== Accuracy ===&lt;br /&gt;
&lt;br /&gt;
Does the chosen granularity provide sufficient precision?&lt;br /&gt;
&lt;br /&gt;
=== Reliability ===&lt;br /&gt;
&lt;br /&gt;
How is tracking information protected against corruption or loss?&lt;br /&gt;
&lt;br /&gt;
=== Recovery Procedures ===&lt;br /&gt;
&lt;br /&gt;
What happens if the bitmap becomes invalid?&lt;br /&gt;
&lt;br /&gt;
=== Performance ===&lt;br /&gt;
&lt;br /&gt;
Does tracking affect application or storage performance?&lt;br /&gt;
&lt;br /&gt;
=== Integration ===&lt;br /&gt;
&lt;br /&gt;
How will backup, replication, snapshot, and monitoring systems interact with the bitmap infrastructure?&lt;br /&gt;
&lt;br /&gt;
== Troubleshooting and Diagnostics ==&lt;br /&gt;
&lt;br /&gt;
When diagnosing backup or replication issues, the following checks are often useful.&lt;br /&gt;
&lt;br /&gt;
=== Verify Change Tracking Status ===&lt;br /&gt;
&lt;br /&gt;
Confirm that Dirty Bitmap tracking is active and functioning correctly.&lt;br /&gt;
&lt;br /&gt;
=== Monitor Changed Block Counts ===&lt;br /&gt;
&lt;br /&gt;
Unexpected increases may indicate:&lt;br /&gt;
&lt;br /&gt;
* Application behavior changes&lt;br /&gt;
* Malware activity&lt;br /&gt;
* Maintenance operations&lt;br /&gt;
* Data migration activity&lt;br /&gt;
&lt;br /&gt;
=== Check for Tracking Resets ===&lt;br /&gt;
&lt;br /&gt;
Large incremental backups frequently indicate that tracking information has been reset or invalidated.&lt;br /&gt;
&lt;br /&gt;
=== Validate Snapshot Health ===&lt;br /&gt;
&lt;br /&gt;
Many implementations rely on snapshots and Dirty Bitmaps working together.&lt;br /&gt;
&lt;br /&gt;
Problems in either component can affect backup consistency.&lt;br /&gt;
&lt;br /&gt;
=== Review Replication Logs ===&lt;br /&gt;
&lt;br /&gt;
Replication engines often report the volume of changed data detected during each synchronization cycle.&lt;br /&gt;
&lt;br /&gt;
Comparing historical values can reveal anomalies.&lt;br /&gt;
&lt;br /&gt;
== Practical Analogy ==&lt;br /&gt;
&lt;br /&gt;
Imagine a warehouse containing one million storage boxes.&lt;br /&gt;
&lt;br /&gt;
Rather than inspecting every box at the end of each day, workers place a red sticker on any box that has been opened.&lt;br /&gt;
&lt;br /&gt;
When the audit team arrives, they only inspect boxes containing red stickers.&lt;br /&gt;
&lt;br /&gt;
In this analogy:&lt;br /&gt;
&lt;br /&gt;
* The warehouse is the storage system&lt;br /&gt;
* The boxes are storage blocks&lt;br /&gt;
* The stickers are bitmap entries&lt;br /&gt;
* The audit team is the backup or replication process&lt;br /&gt;
&lt;br /&gt;
The principle is identical to the operation of a Dirty Bitmap.&lt;br /&gt;
&lt;br /&gt;
== Related Topics ==&lt;br /&gt;
&lt;br /&gt;
* [[Changed Block Tracking]]&lt;br /&gt;
* [[Incremental Backup]]&lt;br /&gt;
* [[Differential Backup]]&lt;br /&gt;
* [[Data Replication]]&lt;br /&gt;
* [[Virtual Machine Snapshot]]&lt;br /&gt;
* [[Copy-on-Write]]&lt;br /&gt;
* [[Virtualization]]&lt;br /&gt;
* [[Disaster Recovery]]&lt;br /&gt;
* [[Storage Architecture]]&lt;br /&gt;
* [[Virtual Memory]]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&lt;br /&gt;
* Changed Block Tracking (CBT) technologies&lt;br /&gt;
* Virtualization platform documentation&lt;br /&gt;
* Storage replication architecture documentation&lt;br /&gt;
* Operating system memory management documentation&lt;br /&gt;
* Backup and disaster recovery vendor documentation&lt;br /&gt;
* Filesystem implementation and design references&lt;/div&gt;</description>
			<pubDate>Sun, 05 Jul 2026 14:25:28 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:Dirty_Bitmaps</comments>
		</item>
		<item>
			<title>GUIDs, UUIDs and the Need for Unique Identifiers</title>
			<link>https://knowledgebase.pirho.net/index.php?title=GUIDs,_UUIDs_and_the_Need_for_Unique_Identifiers&amp;diff=417&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=GUIDs,_UUIDs_and_the_Need_for_Unique_Identifiers&amp;diff=417&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039; Globally Unique Identifiers (GUIDs) and Universally Unique Identifiers (UUIDs) provide a mechanism for uniquely identifying objects, records, and resources across systems without requiring a central authority.  == Context ==  Almost every computer system needs a way to uniquely identify things.  * Users * Documents * Orders * Projects * Devices * Events * Database records  === What is a UUID? ===  UUID stands for:  &amp;lt;pre&amp;gt; Universally Unique Identifier &amp;lt;/pre...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
Globally Unique Identifiers (GUIDs) and Universally Unique Identifiers (UUIDs) provide a mechanism for uniquely identifying objects, records, and resources across systems without requiring a central authority.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
Almost every computer system needs a way to uniquely identify things.&lt;br /&gt;
&lt;br /&gt;
* Users&lt;br /&gt;
* Documents&lt;br /&gt;
* Orders&lt;br /&gt;
* Projects&lt;br /&gt;
* Devices&lt;br /&gt;
* Events&lt;br /&gt;
* Database records&lt;br /&gt;
&lt;br /&gt;
=== What is a UUID? ===&lt;br /&gt;
&lt;br /&gt;
UUID stands for:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Universally Unique Identifier&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
A UUID is a 128-bit identifier designed to uniquely identify an object.&lt;br /&gt;
&lt;br /&gt;
=== What is a GUID? ===&lt;br /&gt;
&lt;br /&gt;
GUID stands for:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Globally Unique Identifier&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
GUID is Microsoft&amp;#039;s terminology for a UUID.&lt;br /&gt;
&lt;br /&gt;
In modern systems, a Microsoft GUID is typically a UUID Version 4.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
GUID ≈ UUID v4&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== UUID Versions ==&lt;br /&gt;
&lt;br /&gt;
=== UUID Version 4 ===&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
* Simple&lt;br /&gt;
* Widely supported&lt;br /&gt;
* Difficult to predict&lt;br /&gt;
&lt;br /&gt;
Disadvantages:&lt;br /&gt;
* Not time ordered&lt;br /&gt;
* Can fragment indexes&lt;br /&gt;
&lt;br /&gt;
=== UUID Version 7 ===&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
* Time ordered&lt;br /&gt;
* Database friendly&lt;br /&gt;
* Efficient indexing&lt;br /&gt;
&lt;br /&gt;
Disadvantages:&lt;br /&gt;
* Approximate creation times can be inferred&lt;br /&gt;
&lt;br /&gt;
== Conclusion ==&lt;br /&gt;
&lt;br /&gt;
GUIDs and UUIDs solve the problem of uniquely identifying objects without central coordination.&lt;/div&gt;</description>
			<pubDate>Sun, 05 Jul 2026 14:22:58 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:GUIDs,_UUIDs_and_the_Need_for_Unique_Identifiers</comments>
		</item>
		<item>
			<title>Folder Redirection</title>
			<link>https://knowledgebase.pirho.net/index.php?title=Folder_Redirection&amp;diff=416&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=Folder_Redirection&amp;diff=416&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;  Folder Redirection is a Windows feature that allows user data folders such as Documents, Desktop, Pictures and Downloads to be stored in a location other than the local computer. It is commonly used in Active Directory environments to centralise user data, simplify backup strategies, reduce workstation storage requirements and improve the user experience when moving between devices.  == Context ==  Historically, user data was stored within the user&amp;#039;s prof...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
Folder Redirection is a Windows feature that allows user data folders such as Documents, Desktop, Pictures and Downloads to be stored in a location other than the local computer. It is commonly used in Active Directory environments to centralise user data, simplify backup strategies, reduce workstation storage requirements and improve the user experience when moving between devices.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
Historically, user data was stored within the user&amp;#039;s profile on the local computer. This created several challenges:&lt;br /&gt;
&lt;br /&gt;
* User files were difficult to back up.&lt;br /&gt;
* Computer failures often resulted in data loss.&lt;br /&gt;
* Users moving between computers could not easily access their files.&lt;br /&gt;
* Profile sizes became large and slow to manage.&lt;br /&gt;
&lt;br /&gt;
Folder Redirection addresses these issues by separating user data from the computer itself.&lt;br /&gt;
&lt;br /&gt;
In most enterprise environments, redirected folders are stored on a file server rather than on the local disk.&lt;br /&gt;
&lt;br /&gt;
=== Common Misconceptions ===&lt;br /&gt;
&lt;br /&gt;
* Folder Redirection is not the same as Roaming Profiles.&lt;br /&gt;
* Folder Redirection does not move the entire user profile.&lt;br /&gt;
* Folder Redirection is not a backup solution by itself.&lt;br /&gt;
* Folder Redirection can be used independently of OneDrive or other cloud storage solutions.&lt;br /&gt;
&lt;br /&gt;
== Core Concepts ==&lt;br /&gt;
&lt;br /&gt;
=== User Profile Structure ===&lt;br /&gt;
&lt;br /&gt;
A Windows user profile typically contains:&lt;br /&gt;
&lt;br /&gt;
* Desktop&lt;br /&gt;
* Documents&lt;br /&gt;
* Pictures&lt;br /&gt;
* Videos&lt;br /&gt;
* Music&lt;br /&gt;
* Downloads&lt;br /&gt;
* AppData&lt;br /&gt;
&lt;br /&gt;
Only selected folders are normally redirected.&lt;br /&gt;
&lt;br /&gt;
AppData is generally left within the local profile unless there is a specific requirement to roam application settings.&lt;br /&gt;
&lt;br /&gt;
=== Redirection Target ===&lt;br /&gt;
&lt;br /&gt;
A target location may be:&lt;br /&gt;
&lt;br /&gt;
* Another volume on the same computer&lt;br /&gt;
* A network file share&lt;br /&gt;
* A DFS Namespace&lt;br /&gt;
* Cloud-synchronised storage&lt;br /&gt;
&lt;br /&gt;
In domain environments, a network file share is the most common approach.&lt;br /&gt;
&lt;br /&gt;
=== Policy-Based Management ===&lt;br /&gt;
&lt;br /&gt;
Folder Redirection is typically controlled through Group Policy.&lt;br /&gt;
&lt;br /&gt;
This allows administrators to:&lt;br /&gt;
&lt;br /&gt;
* Apply consistent settings to many users.&lt;br /&gt;
* Change storage locations centrally.&lt;br /&gt;
* Control permissions automatically.&lt;br /&gt;
* Migrate users without manual intervention.&lt;br /&gt;
&lt;br /&gt;
== Practical Application ==&lt;br /&gt;
&lt;br /&gt;
=== Redirecting a Single Folder ===&lt;br /&gt;
&lt;br /&gt;
A user can manually relocate supported folders:&lt;br /&gt;
&lt;br /&gt;
# Right-click the folder.&lt;br /&gt;
# Select &amp;#039;&amp;#039;Properties&amp;#039;&amp;#039;.&lt;br /&gt;
# Open the &amp;#039;&amp;#039;Location&amp;#039;&amp;#039; tab.&lt;br /&gt;
# Choose &amp;#039;&amp;#039;Move&amp;#039;&amp;#039;.&lt;br /&gt;
# Select a new location.&lt;br /&gt;
&lt;br /&gt;
Windows updates the required registry settings and moves the existing content.&lt;br /&gt;
&lt;br /&gt;
=== Redirecting Through Group Policy ===&lt;br /&gt;
&lt;br /&gt;
Group Policy provides the preferred enterprise approach.&lt;br /&gt;
&lt;br /&gt;
Example folders commonly redirected:&lt;br /&gt;
&lt;br /&gt;
* Documents&lt;br /&gt;
* Desktop&lt;br /&gt;
* Pictures&lt;br /&gt;
* Favourites&lt;br /&gt;
&lt;br /&gt;
Benefits include:&lt;br /&gt;
&lt;br /&gt;
* Centralised storage&lt;br /&gt;
* Simplified backup&lt;br /&gt;
* Reduced profile size&lt;br /&gt;
* Easier workstation replacement&lt;br /&gt;
&lt;br /&gt;
=== Example Architecture ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
+-------------+&lt;br /&gt;
| User Device |&lt;br /&gt;
+------+------+&lt;br /&gt;
       |&lt;br /&gt;
       v&lt;br /&gt;
+-------------+&lt;br /&gt;
| Active      |&lt;br /&gt;
| Directory   |&lt;br /&gt;
+------+------+&lt;br /&gt;
       |&lt;br /&gt;
       v&lt;br /&gt;
+-------------+&lt;br /&gt;
| File Server |&lt;br /&gt;
| Home Folders|&lt;br /&gt;
+-------------+&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Users access their files as normal while data is actually stored on the server.&lt;br /&gt;
&lt;br /&gt;
== Common Pitfalls ==&lt;br /&gt;
&lt;br /&gt;
=== Redirecting Too Much ===&lt;br /&gt;
&lt;br /&gt;
Redirecting every available folder can create unexpected behaviour.&lt;br /&gt;
&lt;br /&gt;
Downloads, for example, may contain large temporary files that consume server storage unnecessarily.&lt;br /&gt;
&lt;br /&gt;
=== Incorrect Permissions ===&lt;br /&gt;
&lt;br /&gt;
Misconfigured NTFS or Share permissions frequently cause:&lt;br /&gt;
&lt;br /&gt;
* Access denied errors&lt;br /&gt;
* Synchronisation failures&lt;br /&gt;
* Missing folders&lt;br /&gt;
&lt;br /&gt;
=== Network Dependency ===&lt;br /&gt;
&lt;br /&gt;
Redirected folders stored on a file server become dependent upon network connectivity.&lt;br /&gt;
&lt;br /&gt;
Poor network performance often presents itself as:&lt;br /&gt;
&lt;br /&gt;
* Slow file access&lt;br /&gt;
* Delayed login times&lt;br /&gt;
* Application performance issues&lt;br /&gt;
&lt;br /&gt;
=== Legacy Applications ===&lt;br /&gt;
&lt;br /&gt;
Some older applications assume all user data exists locally.&lt;br /&gt;
&lt;br /&gt;
Such applications may not function correctly when data is redirected to remote storage.&lt;br /&gt;
&lt;br /&gt;
== Design &amp;amp; Architecture Considerations ==&lt;br /&gt;
&lt;br /&gt;
=== Scalability ===&lt;br /&gt;
&lt;br /&gt;
For small environments, a single file server may be sufficient.&lt;br /&gt;
&lt;br /&gt;
Larger organisations often use:&lt;br /&gt;
&lt;br /&gt;
* DFS Namespaces&lt;br /&gt;
* DFS Replication&lt;br /&gt;
* Clustered storage&lt;br /&gt;
* Cloud-integrated file services&lt;br /&gt;
&lt;br /&gt;
=== Security ===&lt;br /&gt;
&lt;br /&gt;
Consider:&lt;br /&gt;
&lt;br /&gt;
* NTFS permissions&lt;br /&gt;
* Share permissions&lt;br /&gt;
* Access Based Enumeration&lt;br /&gt;
* Encryption&lt;br /&gt;
* Backup retention&lt;br /&gt;
&lt;br /&gt;
User data often contains sensitive business information and should be protected accordingly.&lt;br /&gt;
&lt;br /&gt;
=== Maintainability ===&lt;br /&gt;
&lt;br /&gt;
Folder structures should remain predictable.&lt;br /&gt;
&lt;br /&gt;
A common example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
\\FILESERVER\Users\%USERNAME%\Documents&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Consistent naming simplifies support and migration activities.&lt;br /&gt;
&lt;br /&gt;
=== Modern Alternatives ===&lt;br /&gt;
&lt;br /&gt;
Many organisations are now adopting:&lt;br /&gt;
&lt;br /&gt;
* OneDrive Known Folder Move (KFM)&lt;br /&gt;
* Microsoft 365 integration&lt;br /&gt;
* Hybrid file storage solutions&lt;br /&gt;
&lt;br /&gt;
These approaches provide similar benefits while extending access beyond the traditional corporate network.&lt;br /&gt;
&lt;br /&gt;
== Troubleshooting &amp;amp; Diagnostics ==&lt;br /&gt;
&lt;br /&gt;
=== Verify Group Policy ===&lt;br /&gt;
&lt;br /&gt;
Check:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
gpresult /r&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
or&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
gpresult /h report.html&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
to confirm that Folder Redirection policies have been applied.&lt;br /&gt;
&lt;br /&gt;
=== Verify Folder Path ===&lt;br /&gt;
&lt;br /&gt;
Confirm the expected path using:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
echo %USERPROFILE%&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
and examine the folder&amp;#039;s &amp;#039;&amp;#039;Location&amp;#039;&amp;#039; properties.&lt;br /&gt;
&lt;br /&gt;
=== Check Permissions ===&lt;br /&gt;
&lt;br /&gt;
Verify:&lt;br /&gt;
&lt;br /&gt;
* NTFS permissions&lt;br /&gt;
* Share permissions&lt;br /&gt;
* Effective permissions&lt;br /&gt;
&lt;br /&gt;
Permission issues account for a large proportion of Folder Redirection support cases.&lt;br /&gt;
&lt;br /&gt;
=== Event Logs ===&lt;br /&gt;
&lt;br /&gt;
Review:&lt;br /&gt;
&lt;br /&gt;
* Application Log&lt;br /&gt;
* System Log&lt;br /&gt;
* GroupPolicy Operational Log&lt;br /&gt;
&lt;br /&gt;
These frequently contain useful diagnostics relating to redirection failures.&lt;br /&gt;
&lt;br /&gt;
== Design Recommendations ==&lt;br /&gt;
&lt;br /&gt;
* Use Folder Redirection rather than junction points wherever practical.&lt;br /&gt;
* Avoid moving the entire C:\Users structure on existing systems.&lt;br /&gt;
* Redirect only the folders that provide business value.&lt;br /&gt;
* Combine Folder Redirection with a robust backup strategy.&lt;br /&gt;
* Consider OneDrive integration for modern Microsoft 365 environments.&lt;br /&gt;
* Test policy changes with a pilot group before enterprise-wide deployment.&lt;br /&gt;
&lt;br /&gt;
== Related Topics ==&lt;br /&gt;
&lt;br /&gt;
* [[Roaming Profiles]]&lt;br /&gt;
* [[User Profile Disks]]&lt;br /&gt;
* [[FSLogix Profile Containers]]&lt;br /&gt;
* [[Group Policy]]&lt;br /&gt;
* [[OneDrive Known Folder Move]]&lt;br /&gt;
* [[DFS Namespaces]]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&lt;br /&gt;
* Microsoft Group Policy Documentation&lt;br /&gt;
* Microsoft Folder Redirection Documentation&lt;br /&gt;
* Microsoft FSLogix Documentation&lt;br /&gt;
* Microsoft OneDrive Known Folder Move Documentation&lt;/div&gt;</description>
			<pubDate>Sun, 05 Jul 2026 14:19:12 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:Folder_Redirection</comments>
		</item>
		<item>
			<title>QR Codes: The Magic Is Not in the Square</title>
			<link>https://knowledgebase.pirho.net/index.php?title=QR_Codes:_The_Magic_Is_Not_in_the_Square&amp;diff=415&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=QR_Codes:_The_Magic_Is_Not_in_the_Square&amp;diff=415&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039; QR codes often appear to perform remarkable tasks such as connecting devices to Wi-Fi, opening applications, adding contacts, joining meetings, or authenticating users. This can create the impression that QR codes themselves contain special capabilities. In reality, a QR code is simply a method of encoding data. The apparent magic comes from the software that interprets the data and decides what action to take.  == Context ==  Most people encounter QR code...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
QR codes often appear to perform remarkable tasks such as connecting devices to Wi-Fi, opening applications, adding contacts, joining meetings, or authenticating users. This can create the impression that QR codes themselves contain special capabilities. In reality, a QR code is simply a method of encoding data. The apparent magic comes from the software that interprets the data and decides what action to take.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
Most people encounter QR codes when scanning a restaurant menu, joining a guest Wi-Fi network, or opening a website from a poster.&lt;br /&gt;
&lt;br /&gt;
As smartphones became more capable, operating systems and applications began recognising common data formats embedded within QR codes. This has led to the perception that QR codes are becoming increasingly intelligent.&lt;br /&gt;
&lt;br /&gt;
In truth, the QR code itself remains remarkably simple.&lt;br /&gt;
&lt;br /&gt;
A QR code is simply a visual representation of data.&lt;br /&gt;
&lt;br /&gt;
The same QR code technology that encodes a website address can also encode plain text, configuration settings, contact details, authentication tokens, or entirely custom data structures.&lt;br /&gt;
&lt;br /&gt;
== What Is A QR Code? ==&lt;br /&gt;
&lt;br /&gt;
A QR (Quick Response) Code is a two-dimensional barcode.&lt;br /&gt;
&lt;br /&gt;
Where a traditional barcode stores data in a single direction, a QR code stores data both horizontally and vertically, allowing significantly more information to be encoded within a relatively small space.&lt;br /&gt;
&lt;br /&gt;
Conceptually:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
+------------+&lt;br /&gt;
| QR Code    |&lt;br /&gt;
+------------+&lt;br /&gt;
        |&lt;br /&gt;
        v&lt;br /&gt;
+------------+&lt;br /&gt;
| Data       |&lt;br /&gt;
+------------+&lt;br /&gt;
        |&lt;br /&gt;
        v&lt;br /&gt;
+------------+&lt;br /&gt;
| Meaning    |&lt;br /&gt;
+------------+&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The QR code itself only stores the data.&lt;br /&gt;
&lt;br /&gt;
The meaning comes later.&lt;br /&gt;
&lt;br /&gt;
== The Common Misconception ==&lt;br /&gt;
&lt;br /&gt;
A common misunderstanding is that QR codes contain instructions.&lt;br /&gt;
&lt;br /&gt;
For example, a Wi-Fi QR code appears to &amp;quot;connect your phone to Wi-Fi&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
This can lead to the assumption that the QR code contains some kind of executable action.&lt;br /&gt;
&lt;br /&gt;
In reality, the QR code simply contains a specially-formatted text string.&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
WIFI:T:WPA;S:GuestWiFi;P:Password123;;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When a smartphone scans the QR code:&lt;br /&gt;
&lt;br /&gt;
# The camera decodes the text.&lt;br /&gt;
# The operating system recognises the &amp;#039;&amp;#039;WIFI:&amp;#039;&amp;#039; format.&lt;br /&gt;
# The operating system offers to join the network.&lt;br /&gt;
# The device configures itself using the supplied information.&lt;br /&gt;
&lt;br /&gt;
The QR code itself has not performed any action.&lt;br /&gt;
&lt;br /&gt;
The phone has.&lt;br /&gt;
&lt;br /&gt;
== The Real Magic: Recognised Formats ==&lt;br /&gt;
&lt;br /&gt;
The usefulness of QR codes comes from agreed conventions.&lt;br /&gt;
&lt;br /&gt;
Software developers create formats that applications recognise and process automatically.&lt;br /&gt;
&lt;br /&gt;
=== Website Links ===&lt;br /&gt;
&lt;br /&gt;
A QR code containing:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
https://example.com&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
is recognised as a web address.&lt;br /&gt;
&lt;br /&gt;
The browser is opened and navigates to the specified page.&lt;br /&gt;
&lt;br /&gt;
=== Email Addresses ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
mailto:support@example.com&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The email application creates a new message.&lt;br /&gt;
&lt;br /&gt;
=== Telephone Numbers ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
tel:+441234567890&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The dialler opens with the number populated.&lt;br /&gt;
&lt;br /&gt;
=== Geographic Locations ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
geo:51.2798,1.0830&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Mapping software opens at the specified coordinates.&lt;br /&gt;
&lt;br /&gt;
=== Contact Cards ===&lt;br /&gt;
&lt;br /&gt;
QR codes can contain complete vCard records:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
BEGIN:VCARD&lt;br /&gt;
VERSION:3.0&lt;br /&gt;
FN:Dex White&lt;br /&gt;
EMAIL:dex@example.com&lt;br /&gt;
END:VCARD&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The device offers to create a new contact.&lt;br /&gt;
&lt;br /&gt;
== Wi-Fi QR Codes Explained ==&lt;br /&gt;
&lt;br /&gt;
Wi-Fi QR codes are perhaps the best example of perceived magic.&lt;br /&gt;
&lt;br /&gt;
The QR code does not contain a wireless signal.&lt;br /&gt;
&lt;br /&gt;
It does not communicate with the access point.&lt;br /&gt;
&lt;br /&gt;
It does not perform authentication.&lt;br /&gt;
&lt;br /&gt;
It simply contains information that would normally be typed by the user.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
SSID: GuestWiFi&lt;br /&gt;
Password: Password123&lt;br /&gt;
Security: WPA2&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The QR code merely packages this information into a format recognised by modern devices.&lt;br /&gt;
&lt;br /&gt;
The process can be visualised as:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
QR Code&lt;br /&gt;
    |&lt;br /&gt;
    v&lt;br /&gt;
Decode Text&lt;br /&gt;
    |&lt;br /&gt;
    v&lt;br /&gt;
Recognise WIFI Format&lt;br /&gt;
    |&lt;br /&gt;
    v&lt;br /&gt;
Configure Device&lt;br /&gt;
    |&lt;br /&gt;
    v&lt;br /&gt;
Connect To Network&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Custom QR Formats ==&lt;br /&gt;
&lt;br /&gt;
Perhaps the most powerful aspect of QR technology is that anybody can define their own format.&lt;br /&gt;
&lt;br /&gt;
A software developer could create:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
PIRHO:DEVICE:SWITCH01&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
or&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
NEURONE://RESOURCE/SWITCHES/CORE01&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The QR code generator does not care what the data contains.&lt;br /&gt;
&lt;br /&gt;
Whether something useful happens depends entirely on the application performing the scan.&lt;br /&gt;
&lt;br /&gt;
This makes QR codes an extremely flexible transport mechanism for structured information.&lt;br /&gt;
&lt;br /&gt;
== QR Codes As A Configuration Delivery Mechanism ==&lt;br /&gt;
&lt;br /&gt;
Many modern systems use QR codes for initial setup.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Wi-Fi onboarding&lt;br /&gt;
* Smart home devices&lt;br /&gt;
* Printers&lt;br /&gt;
* IP cameras&lt;br /&gt;
* Multi-factor authentication&lt;br /&gt;
* Device pairing&lt;br /&gt;
* Conference room equipment&lt;br /&gt;
&lt;br /&gt;
Rather than requiring users to manually enter long configuration values, information can be transferred instantly through a scan.&lt;br /&gt;
&lt;br /&gt;
From an engineering perspective, the QR code functions as a visual configuration file.&lt;br /&gt;
&lt;br /&gt;
== Authentication And Session Transfer ==&lt;br /&gt;
&lt;br /&gt;
Modern authentication systems often use QR codes as a bridge between devices.&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
https://example.com/login?token=ABC123&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
A desktop application may display the QR code while a mobile device performs the authentication.&lt;br /&gt;
&lt;br /&gt;
The QR code is not the authentication mechanism itself.&lt;br /&gt;
&lt;br /&gt;
Instead, it carries a temporary identifier that allows multiple systems to coordinate the login process.&lt;br /&gt;
&lt;br /&gt;
This approach is commonly used by messaging platforms, identity providers, and multi-factor authentication systems.&lt;br /&gt;
&lt;br /&gt;
== Design Considerations ==&lt;br /&gt;
&lt;br /&gt;
QR codes are most effective when:&lt;br /&gt;
&lt;br /&gt;
* Manual entry would be cumbersome.&lt;br /&gt;
* Information is static or short-lived.&lt;br /&gt;
* Users may be unfamiliar with technical details.&lt;br /&gt;
* Fast onboarding is desirable.&lt;br /&gt;
&lt;br /&gt;
Good QR code implementations remove friction rather than add functionality.&lt;br /&gt;
&lt;br /&gt;
The QR code itself is rarely the solution.&lt;br /&gt;
&lt;br /&gt;
It is usually just the delivery mechanism.&lt;br /&gt;
&lt;br /&gt;
== Common Pitfalls ==&lt;br /&gt;
&lt;br /&gt;
=== Confusing Data With Action ===&lt;br /&gt;
&lt;br /&gt;
A QR code stores information.&lt;br /&gt;
&lt;br /&gt;
Applications perform actions.&lt;br /&gt;
&lt;br /&gt;
Keeping this distinction clear helps avoid design misunderstandings.&lt;br /&gt;
&lt;br /&gt;
=== Overloading QR Codes ===&lt;br /&gt;
&lt;br /&gt;
Not every process benefits from a QR code.&lt;br /&gt;
&lt;br /&gt;
If users cannot understand what will happen when they scan it, the experience may be confusing.&lt;br /&gt;
&lt;br /&gt;
=== Assuming Universal Support ===&lt;br /&gt;
&lt;br /&gt;
Different devices and applications recognise different formats.&lt;br /&gt;
&lt;br /&gt;
A custom QR format is only useful if the scanning software understands it.&lt;br /&gt;
&lt;br /&gt;
== Conclusion ==&lt;br /&gt;
&lt;br /&gt;
The enduring success of QR codes comes from their simplicity.&lt;br /&gt;
&lt;br /&gt;
A QR code is not a smart object, an automation platform, or an application.&lt;br /&gt;
&lt;br /&gt;
It is simply a container for data.&lt;br /&gt;
&lt;br /&gt;
The apparent magic comes from the ecosystem around it: operating systems, applications, services, and standards that recognise specific formats and transform data into useful actions.&lt;br /&gt;
&lt;br /&gt;
The square is not magic.&lt;br /&gt;
&lt;br /&gt;
The interpretation is.&lt;/div&gt;</description>
			<pubDate>Sun, 05 Jul 2026 14:17:07 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:QR_Codes:_The_Magic_Is_Not_in_the_Square</comments>
		</item>
		<item>
			<title>Directory Synchronisation Strategies: From XCOPY to Rsync</title>
			<link>https://knowledgebase.pirho.net/index.php?title=Directory_Synchronisation_Strategies:_From_XCOPY_to_Rsync&amp;diff=414&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=Directory_Synchronisation_Strategies:_From_XCOPY_to_Rsync&amp;diff=414&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;  Directory synchronisation is the process of keeping files and folders consistent between two or more locations. Whether copying photographs from a USB drive to an archive disk, replicating data between servers, or maintaining a backup copy of critical business data, choosing the correct synchronisation strategy is essential. This article examines common synchronisation approaches and tools including XCOPY, Robocopy, and Rsync, along with their strengths,...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
Directory synchronisation is the process of keeping files and folders consistent between two or more locations. Whether copying photographs from a USB drive to an archive disk, replicating data between servers, or maintaining a backup copy of critical business data, choosing the correct synchronisation strategy is essential. This article examines common synchronisation approaches and tools including XCOPY, Robocopy, and Rsync, along with their strengths, weaknesses, and appropriate use cases.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
File synchronisation is a common requirement in both home and enterprise environments.&lt;br /&gt;
&lt;br /&gt;
Typical use cases include:&lt;br /&gt;
&lt;br /&gt;
* Copying files from removable media to permanent storage&lt;br /&gt;
* Maintaining backups of important data&lt;br /&gt;
* Replicating files between servers&lt;br /&gt;
* Synchronising laptop and workstation data&lt;br /&gt;
* Migrating data between storage platforms&lt;br /&gt;
* Maintaining disaster recovery environments&lt;br /&gt;
&lt;br /&gt;
One of the most common mistakes is confusing synchronisation with backup.&lt;br /&gt;
&lt;br /&gt;
=== Synchronisation ===&lt;br /&gt;
&lt;br /&gt;
Synchronisation aims to keep multiple locations aligned.&lt;br /&gt;
&lt;br /&gt;
Changes made in one location are copied to another location so that both contain similar data.&lt;br /&gt;
&lt;br /&gt;
=== Backup ===&lt;br /&gt;
&lt;br /&gt;
A backup is intended to preserve data for recovery purposes.&lt;br /&gt;
&lt;br /&gt;
Unlike synchronisation, a backup typically provides:&lt;br /&gt;
&lt;br /&gt;
* Historical versions&lt;br /&gt;
* Protection against accidental deletion&lt;br /&gt;
* Protection against corruption&lt;br /&gt;
* Recovery points in time&lt;br /&gt;
&lt;br /&gt;
A synchronised copy may form part of a backup strategy, but synchronisation alone should not be considered a complete backup solution.&lt;br /&gt;
&lt;br /&gt;
== Core Concepts ==&lt;br /&gt;
&lt;br /&gt;
=== Source and Destination ===&lt;br /&gt;
&lt;br /&gt;
Every synchronisation operation involves:&lt;br /&gt;
&lt;br /&gt;
* A source&lt;br /&gt;
* A destination&lt;br /&gt;
&lt;br /&gt;
The source is generally considered the authoritative location.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
+-----------+      Sync       +-------------+&lt;br /&gt;
|  Source   | -------------&amp;gt; | Destination |&lt;br /&gt;
+-----------+                +-------------+&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== One-Way Synchronisation ===&lt;br /&gt;
&lt;br /&gt;
In a one-way synchronisation, changes flow from source to destination only.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
USB Drive&lt;br /&gt;
    |&lt;br /&gt;
    v&lt;br /&gt;
Archive HDD&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Changes made to the destination do not affect the source.&lt;br /&gt;
&lt;br /&gt;
This is often the safest approach for archival and backup-related activities.&lt;br /&gt;
&lt;br /&gt;
=== Two-Way Synchronisation ===&lt;br /&gt;
&lt;br /&gt;
In a two-way synchronisation, both locations may be modified independently.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Laptop &amp;lt;------&amp;gt; NAS&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Changes made on either side must be reconciled.&lt;br /&gt;
&lt;br /&gt;
This requires conflict detection and is considerably more complex than one-way synchronisation.&lt;br /&gt;
&lt;br /&gt;
=== Mirroring ===&lt;br /&gt;
&lt;br /&gt;
Mirroring is a special form of synchronisation where the destination becomes an exact copy of the source.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Source                Destination&lt;br /&gt;
&lt;br /&gt;
File A                File A&lt;br /&gt;
File B                File B&lt;br /&gt;
File C                File C&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
If a file is removed from the source, it is also removed from the destination during synchronisation.&lt;br /&gt;
&lt;br /&gt;
While useful, mirroring can be dangerous if performed incorrectly.&lt;br /&gt;
&lt;br /&gt;
== Synchronisation Scenarios ==&lt;br /&gt;
&lt;br /&gt;
=== Scenario 1 – USB Drive to Archive Disk ===&lt;br /&gt;
&lt;br /&gt;
A common requirement is importing data from removable storage while preserving previously archived files.&lt;br /&gt;
&lt;br /&gt;
Objectives:&lt;br /&gt;
&lt;br /&gt;
* Copy new files&lt;br /&gt;
* Skip files that already exist&lt;br /&gt;
* Never delete destination data&lt;br /&gt;
&lt;br /&gt;
A suitable Robocopy command is:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
robocopy E:\ F:\Archive /E /XC /XN /XO&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This command copies only files that do not already exist at the destination.&lt;br /&gt;
&lt;br /&gt;
Typical use cases:&lt;br /&gt;
&lt;br /&gt;
* Digital photo archives&lt;br /&gt;
* Document collections&lt;br /&gt;
* Media ingestion workflows&lt;br /&gt;
&lt;br /&gt;
=== Scenario 2 – Incremental Updates ===&lt;br /&gt;
&lt;br /&gt;
Sometimes files on the source may be newer and should replace older versions at the destination.&lt;br /&gt;
&lt;br /&gt;
Objectives:&lt;br /&gt;
&lt;br /&gt;
* Copy new files&lt;br /&gt;
* Update changed files&lt;br /&gt;
* Preserve existing destination content&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
robocopy E:\ F:\Archive /E /XO&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This approach is useful when repeatedly synchronising a working dataset.&lt;br /&gt;
&lt;br /&gt;
=== Scenario 3 – Exact Mirror ===&lt;br /&gt;
&lt;br /&gt;
Some environments require the destination to exactly match the source.&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
robocopy E:\ F:\Mirror /MIR&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
&lt;br /&gt;
* Simple&lt;br /&gt;
* Predictable&lt;br /&gt;
* Produces identical copies&lt;br /&gt;
&lt;br /&gt;
Disadvantages:&lt;br /&gt;
&lt;br /&gt;
* Deleted source files are also deleted from the destination&lt;br /&gt;
* Incorrect source selection can result in significant data loss&lt;br /&gt;
&lt;br /&gt;
=== Scenario 4 – Network Share Replication ===&lt;br /&gt;
&lt;br /&gt;
Synchronisation can also occur between remote systems.&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
robocopy \\ServerA\Data \\ServerB\Data /MIR /Z&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Common use cases include:&lt;br /&gt;
&lt;br /&gt;
* File server migrations&lt;br /&gt;
* Branch office replication&lt;br /&gt;
* Disaster recovery preparations&lt;br /&gt;
&lt;br /&gt;
=== Scenario 5 – Cross-Platform Synchronisation ===&lt;br /&gt;
&lt;br /&gt;
When synchronising between Linux, Unix, macOS, and mixed-platform environments, Rsync is frequently the preferred solution.&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
rsync -avh /source/ /destination/&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Where:&lt;br /&gt;
&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;-a&amp;#039;&amp;#039;&amp;#039; enables archive mode&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;-v&amp;#039;&amp;#039;&amp;#039; enables verbose output&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;-h&amp;#039;&amp;#039;&amp;#039; displays human-readable sizes&lt;br /&gt;
&lt;br /&gt;
== Why Rsync Is So Popular ==&lt;br /&gt;
&lt;br /&gt;
Rsync differs from traditional copy utilities because it can transfer only the portions of a file that have changed.&lt;br /&gt;
&lt;br /&gt;
Traditional copy behaviour:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
10GB File Modified&lt;br /&gt;
        |&lt;br /&gt;
        v&lt;br /&gt;
Copy Entire 10GB&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rsync behaviour:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
10GB File Modified&lt;br /&gt;
        |&lt;br /&gt;
        v&lt;br /&gt;
Transfer Only Changed Blocks&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Benefits include:&lt;br /&gt;
&lt;br /&gt;
* Reduced bandwidth usage&lt;br /&gt;
* Faster synchronisation&lt;br /&gt;
* Lower storage subsystem load&lt;br /&gt;
* Efficient WAN operation&lt;br /&gt;
* Excellent support for remote administration&lt;br /&gt;
&lt;br /&gt;
These characteristics have made Rsync one of the most widely used synchronisation tools in Linux and Unix environments.&lt;br /&gt;
&lt;br /&gt;
== Common Rsync Examples ==&lt;br /&gt;
&lt;br /&gt;
=== Local Synchronisation ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
rsync -avh /data/ /backup/&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Copies new and changed files to a local backup location.&lt;br /&gt;
&lt;br /&gt;
=== Synchronisation Over SSH ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
rsync -avh /data/ user@server:/backup/&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Provides secure synchronisation across networks.&lt;br /&gt;
&lt;br /&gt;
=== Mirroring with Deletion ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
rsync -avh --delete /data/ /backup/&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This functions similarly to:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
robocopy /MIR&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Files removed from the source are removed from the destination.&lt;br /&gt;
&lt;br /&gt;
== Tool Comparison ==&lt;br /&gt;
&lt;br /&gt;
=== XCOPY ===&lt;br /&gt;
&lt;br /&gt;
Strengths:&lt;br /&gt;
&lt;br /&gt;
* Available on older Windows systems&lt;br /&gt;
* Simple syntax&lt;br /&gt;
* Suitable for basic copying&lt;br /&gt;
&lt;br /&gt;
Weaknesses:&lt;br /&gt;
&lt;br /&gt;
* Limited error handling&lt;br /&gt;
* Less efficient for large datasets&lt;br /&gt;
* Considered largely superseded by Robocopy&lt;br /&gt;
&lt;br /&gt;
=== Robocopy ===&lt;br /&gt;
&lt;br /&gt;
Strengths:&lt;br /&gt;
&lt;br /&gt;
* Built into modern Windows&lt;br /&gt;
* Excellent reliability&lt;br /&gt;
* Resumable transfers&lt;br /&gt;
* Detailed logging&lt;br /&gt;
* Suitable for very large datasets&lt;br /&gt;
&lt;br /&gt;
Weaknesses:&lt;br /&gt;
&lt;br /&gt;
* Command-line options can be confusing&lt;br /&gt;
* Mirroring must be used carefully&lt;br /&gt;
&lt;br /&gt;
=== Rsync ===&lt;br /&gt;
&lt;br /&gt;
Strengths:&lt;br /&gt;
&lt;br /&gt;
* Efficient delta transfers&lt;br /&gt;
* Cross-platform support&lt;br /&gt;
* Excellent performance over slow links&lt;br /&gt;
* Well suited to automation&lt;br /&gt;
&lt;br /&gt;
Weaknesses:&lt;br /&gt;
&lt;br /&gt;
* Less familiar to Windows-only administrators&lt;br /&gt;
* Some advanced options require careful understanding&lt;br /&gt;
&lt;br /&gt;
== Common Pitfalls ==&lt;br /&gt;
&lt;br /&gt;
=== Accidental Mirroring ===&lt;br /&gt;
&lt;br /&gt;
One of the most common synchronisation mistakes occurs when a mirror operation is performed against an empty source.&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Source Empty&lt;br /&gt;
      |&lt;br /&gt;
      v&lt;br /&gt;
Destination Emptied&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Always verify:&lt;br /&gt;
&lt;br /&gt;
* Source path&lt;br /&gt;
* Destination path&lt;br /&gt;
* Synchronisation options&lt;br /&gt;
&lt;br /&gt;
=== Permissions and Ownership ===&lt;br /&gt;
&lt;br /&gt;
File contents may synchronise correctly while access controls do not.&lt;br /&gt;
&lt;br /&gt;
Potential issues include:&lt;br /&gt;
&lt;br /&gt;
* Missing permissions&lt;br /&gt;
* Incorrect ownership&lt;br /&gt;
* Lost audit settings&lt;br /&gt;
&lt;br /&gt;
This becomes particularly important in cross-platform environments.&lt;br /&gt;
&lt;br /&gt;
=== Open Files ===&lt;br /&gt;
&lt;br /&gt;
Some files may change while being copied.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Databases&lt;br /&gt;
* Virtual machine disks&lt;br /&gt;
* PST files&lt;br /&gt;
* Mail stores&lt;br /&gt;
&lt;br /&gt;
A completed file transfer does not necessarily mean the copied file is application-consistent.&lt;br /&gt;
&lt;br /&gt;
== Design &amp;amp; Architecture Considerations ==&lt;br /&gt;
&lt;br /&gt;
=== Home Users ===&lt;br /&gt;
&lt;br /&gt;
Recommended approach:&lt;br /&gt;
&lt;br /&gt;
* External hard drives&lt;br /&gt;
* Robocopy&lt;br /&gt;
* Incremental synchronisation&lt;br /&gt;
&lt;br /&gt;
This provides a straightforward and reliable solution.&lt;br /&gt;
&lt;br /&gt;
=== Small Businesses ===&lt;br /&gt;
&lt;br /&gt;
Recommended approach:&lt;br /&gt;
&lt;br /&gt;
* Robocopy scheduled tasks&lt;br /&gt;
* NAS replication&lt;br /&gt;
* Versioned backup systems&lt;br /&gt;
&lt;br /&gt;
Synchronisation should complement backup rather than replace it.&lt;br /&gt;
&lt;br /&gt;
=== Enterprise Environments ===&lt;br /&gt;
&lt;br /&gt;
Recommended approach:&lt;br /&gt;
&lt;br /&gt;
* Rsync&lt;br /&gt;
* Distributed replication systems&lt;br /&gt;
* Storage snapshots&lt;br /&gt;
* Dedicated backup platforms&lt;br /&gt;
&lt;br /&gt;
Enterprise solutions should consider:&lt;br /&gt;
&lt;br /&gt;
* Scalability&lt;br /&gt;
* Security&lt;br /&gt;
* Compliance&lt;br /&gt;
* Disaster recovery requirements&lt;br /&gt;
&lt;br /&gt;
== Troubleshooting &amp;amp; Diagnostics ==&lt;br /&gt;
&lt;br /&gt;
=== Robocopy Dry Run ===&lt;br /&gt;
&lt;br /&gt;
Before performing a large synchronisation, use:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
robocopy Source Destination /L&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This displays what would be copied without making changes.&lt;br /&gt;
&lt;br /&gt;
=== Rsync Dry Run ===&lt;br /&gt;
&lt;br /&gt;
Similarly:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
rsync -avhn /source/ /destination/&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The &amp;#039;&amp;#039;&amp;#039;-n&amp;#039;&amp;#039;&amp;#039; switch performs a trial run.&lt;br /&gt;
&lt;br /&gt;
=== Unexpected File Transfers ===&lt;br /&gt;
&lt;br /&gt;
Large numbers of changed files may indicate:&lt;br /&gt;
&lt;br /&gt;
* Incorrect timestamps&lt;br /&gt;
* Time synchronisation issues&lt;br /&gt;
* Permission changes&lt;br /&gt;
* Altered file attributes&lt;br /&gt;
&lt;br /&gt;
=== Missing Files ===&lt;br /&gt;
&lt;br /&gt;
Investigate:&lt;br /&gt;
&lt;br /&gt;
* Inclusion rules&lt;br /&gt;
* Exclusion rules&lt;br /&gt;
* Access permissions&lt;br /&gt;
* Long path limitations&lt;br /&gt;
* Available disk space&lt;br /&gt;
&lt;br /&gt;
== Best Practice Recommendations ==&lt;br /&gt;
&lt;br /&gt;
* Test synchronisation commands against sample data first.&lt;br /&gt;
* Use dry-run functionality whenever available.&lt;br /&gt;
* Maintain backups before using mirror operations.&lt;br /&gt;
* Document synchronisation processes.&lt;br /&gt;
* Log automated synchronisation jobs.&lt;br /&gt;
* Periodically verify recovery procedures.&lt;br /&gt;
* Never assume synchronisation equals backup.&lt;br /&gt;
&lt;br /&gt;
== Related Topics ==&lt;br /&gt;
&lt;br /&gt;
* [[Backup Strategies]]&lt;br /&gt;
* [[Incremental and Differential Backups]]&lt;br /&gt;
* [[Disaster Recovery Planning]]&lt;br /&gt;
* [[NAS Replication]]&lt;br /&gt;
* [[Storage Snapshots]]&lt;br /&gt;
* [[Rsync over SSH]]&lt;br /&gt;
* [[Robocopy Best Practices]]&lt;br /&gt;
&lt;br /&gt;
== Conclusion ==&lt;br /&gt;
&lt;br /&gt;
There is no universally correct synchronisation tool. The appropriate choice depends on the objective.&lt;br /&gt;
&lt;br /&gt;
If the goal is simply to copy missing files, Robocopy is often ideal for Windows environments.&lt;br /&gt;
&lt;br /&gt;
If systems must remain identical, mirroring may be appropriate, provided suitable safeguards exist.&lt;br /&gt;
&lt;br /&gt;
If data must be synchronised efficiently across platforms or networks, Rsync remains one of the most capable solutions available.&lt;br /&gt;
&lt;br /&gt;
A useful rule of thumb is:&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;Copy when you want to preserve data, synchronise when you want consistency, and back up when you want recoverability.&amp;#039;&amp;#039;&lt;/div&gt;</description>
			<pubDate>Sun, 05 Jul 2026 14:15:30 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:Directory_Synchronisation_Strategies:_From_XCOPY_to_Rsync</comments>
		</item>
		<item>
			<title>Virtual Hard Disk Management in VMware ESXi</title>
			<link>https://knowledgebase.pirho.net/index.php?title=Virtual_Hard_Disk_Management_in_VMware_ESXi&amp;diff=413&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=Virtual_Hard_Disk_Management_in_VMware_ESXi&amp;diff=413&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;  Virtual Hard Disks (VMDKs) are the primary storage mechanism used by VMware virtual machines. Understanding how to create, migrate, convert, expand, troubleshoot, and recover virtual disks is an essential skill for any VMware administrator.  This article explains how VMware virtual hard disks work, common disk formats, migration scenarios, troubleshooting techniques, and practical methods for resolving compatibility issues between VMware products such as...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
Virtual Hard Disks (VMDKs) are the primary storage mechanism used by VMware virtual machines. Understanding how to create, migrate, convert, expand, troubleshoot, and recover virtual disks is an essential skill for any VMware administrator.&lt;br /&gt;
&lt;br /&gt;
This article explains how VMware virtual hard disks work, common disk formats, migration scenarios, troubleshooting techniques, and practical methods for resolving compatibility issues between VMware products such as VMware Workstation and VMware ESXi.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
A virtual machine is only as useful as its storage. While CPU and memory resources are relatively straightforward, virtual storage introduces additional layers of abstraction and complexity.&lt;br /&gt;
&lt;br /&gt;
Administrators commonly encounter virtual disk management tasks when:&lt;br /&gt;
&lt;br /&gt;
* Migrating virtual machines between VMware platforms.&lt;br /&gt;
* Expanding storage capacity.&lt;br /&gt;
* Recovering damaged virtual machines.&lt;br /&gt;
* Consolidating snapshots.&lt;br /&gt;
* Migrating workloads between datastores.&lt;br /&gt;
* Converting physical servers into virtual machines.&lt;br /&gt;
&lt;br /&gt;
A common misconception is that a VMDK is simply a large disk image. In reality, a VMDK typically consists of a descriptor file and one or more data files which together describe both the virtual disk and its contents.&lt;br /&gt;
&lt;br /&gt;
== Core Concepts ==&lt;br /&gt;
&lt;br /&gt;
=== What is a VMDK? ===&lt;br /&gt;
&lt;br /&gt;
A VMware Virtual Machine Disk (VMDK) is a virtual storage device presented to a guest operating system.&lt;br /&gt;
&lt;br /&gt;
A VMDK commonly consists of:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
SERVER01.vmdk&lt;br /&gt;
SERVER01-flat.vmdk&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The descriptor file:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
SERVER01.vmdk&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Contains metadata describing:&lt;br /&gt;
&lt;br /&gt;
* Disk geometry.&lt;br /&gt;
* Provisioning type.&lt;br /&gt;
* Adapter type.&lt;br /&gt;
* References to the disk data extents.&lt;br /&gt;
&lt;br /&gt;
The flat file:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
SERVER01-flat.vmdk&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Contains the actual virtual disk data.&lt;br /&gt;
&lt;br /&gt;
=== Thin and Thick Provisioning ===&lt;br /&gt;
&lt;br /&gt;
==== Thin Provisioning ====&lt;br /&gt;
&lt;br /&gt;
A thin-provisioned disk consumes physical storage only as data is written.&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Configured Size : 100 GB&lt;br /&gt;
Actual Usage    : 24 GB&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
&lt;br /&gt;
* Efficient utilisation of datastore capacity.&lt;br /&gt;
* Faster deployment.&lt;br /&gt;
&lt;br /&gt;
Disadvantages:&lt;br /&gt;
&lt;br /&gt;
* Potential datastore overcommitment.&lt;br /&gt;
* Greater requirement for storage monitoring.&lt;br /&gt;
&lt;br /&gt;
==== Thick Provisioning ====&lt;br /&gt;
&lt;br /&gt;
A thick-provisioned disk reserves its entire allocation immediately.&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Configured Size : 100 GB&lt;br /&gt;
Actual Usage    : 100 GB&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
&lt;br /&gt;
* Predictable storage consumption.&lt;br /&gt;
* Consistent performance characteristics.&lt;br /&gt;
&lt;br /&gt;
Disadvantages:&lt;br /&gt;
&lt;br /&gt;
* Higher initial storage requirements.&lt;br /&gt;
&lt;br /&gt;
=== Virtual Storage Controllers ===&lt;br /&gt;
&lt;br /&gt;
Virtual disks are presented through a virtual storage controller.&lt;br /&gt;
&lt;br /&gt;
Common controller types include:&lt;br /&gt;
&lt;br /&gt;
* LSI Logic Parallel&lt;br /&gt;
* LSI Logic SAS&lt;br /&gt;
* VMware Paravirtual (PVSCSI)&lt;br /&gt;
* BusLogic&lt;br /&gt;
&lt;br /&gt;
Changing controller types incorrectly may result in boot failures or inaccessible storage devices within the guest operating system.&lt;br /&gt;
&lt;br /&gt;
== Reference Architectures ==&lt;br /&gt;
&lt;br /&gt;
=== Small Environment ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
ESXi Host&lt;br /&gt;
│&lt;br /&gt;
├── Local Datastore&lt;br /&gt;
│   ├── VM01&lt;br /&gt;
│   ├── VM02&lt;br /&gt;
│   └── VM03&lt;br /&gt;
│&lt;br /&gt;
└── Backup Repository&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Suitable for:&lt;br /&gt;
&lt;br /&gt;
* Home labs.&lt;br /&gt;
* Training environments.&lt;br /&gt;
* Small businesses.&lt;br /&gt;
&lt;br /&gt;
=== Enterprise Environment ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
VMware Cluster&lt;br /&gt;
│&lt;br /&gt;
├── Shared SAN/NAS Storage&lt;br /&gt;
├── Multiple Datastores&lt;br /&gt;
├── High Availability&lt;br /&gt;
├── Storage vMotion&lt;br /&gt;
├── VM Replication&lt;br /&gt;
└── Backup Infrastructure&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Suitable for:&lt;br /&gt;
&lt;br /&gt;
* Production workloads.&lt;br /&gt;
* Critical business systems.&lt;br /&gt;
* High-availability environments.&lt;br /&gt;
&lt;br /&gt;
== Practical Application ==&lt;br /&gt;
&lt;br /&gt;
=== Migrating a Virtual Disk from VMware Workstation to ESXi ===&lt;br /&gt;
&lt;br /&gt;
A common migration scenario involves moving a virtual machine from VMware Workstation to VMware ESXi.&lt;br /&gt;
&lt;br /&gt;
A recommended approach is:&lt;br /&gt;
&lt;br /&gt;
# Shut down the virtual machine cleanly.&lt;br /&gt;
# Remove or consolidate any snapshots.&lt;br /&gt;
# Upload the virtual disk files to the target datastore.&lt;br /&gt;
# Convert the virtual disk into an ESXi-native format.&lt;br /&gt;
# Attach the converted disk to a newly created virtual machine.&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
vmkfstools -i source.vmdk destination.vmdk -d thin&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This operation imports and converts the disk into a native ESXi format.&lt;br /&gt;
&lt;br /&gt;
=== Expanding a Virtual Disk ===&lt;br /&gt;
&lt;br /&gt;
Virtual disks can be expanded without recreating the virtual machine.&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
vmkfstools -X 150G SERVER01.vmdk&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This increases the virtual disk size to 150 GB.&lt;br /&gt;
&lt;br /&gt;
After expanding the virtual disk, the guest operating system must be instructed to extend its partition or filesystem.&lt;br /&gt;
&lt;br /&gt;
=== Cloning a Virtual Disk ===&lt;br /&gt;
&lt;br /&gt;
Virtual disks can be cloned for migration, backup, or testing purposes.&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
vmkfstools -i SERVER01.vmdk SERVER01-CLONE.vmdk -d thin&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Common use cases include:&lt;br /&gt;
&lt;br /&gt;
* Migration between datastores.&lt;br /&gt;
* Converting provisioning formats.&lt;br /&gt;
* Creating test environments.&lt;br /&gt;
&lt;br /&gt;
== Common Pitfalls ==&lt;br /&gt;
&lt;br /&gt;
=== Copying Only the Descriptor File ===&lt;br /&gt;
&lt;br /&gt;
A frequent mistake is uploading:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
SERVER01.vmdk&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Without:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
SERVER01-flat.vmdk&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The descriptor contains metadata only. Without the associated data file, the virtual machine has no usable storage.&lt;br /&gt;
&lt;br /&gt;
=== Snapshot Chains ===&lt;br /&gt;
&lt;br /&gt;
Snapshot-enabled virtual machines may contain:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
SERVER01.vmdk&lt;br /&gt;
SERVER01-000001.vmdk&lt;br /&gt;
SERVER01-000002.vmdk&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Copying only part of the snapshot chain can produce:&lt;br /&gt;
&lt;br /&gt;
* Inconsistent data.&lt;br /&gt;
* Failed virtual machine boots.&lt;br /&gt;
* Disk consolidation errors.&lt;br /&gt;
&lt;br /&gt;
Always consolidate snapshots before migration where possible.&lt;br /&gt;
&lt;br /&gt;
=== Unsupported Disk Types ===&lt;br /&gt;
&lt;br /&gt;
A common migration error is:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Unsupported or invalid disk type 7&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This often occurs when a VMware Workstation virtual disk has been copied directly into an ESXi datastore without being imported or converted.&lt;br /&gt;
&lt;br /&gt;
Resolution:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
vmkfstools -i source.vmdk imported.vmdk -d thin&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This rewrites the disk into an ESXi-compatible format.&lt;br /&gt;
&lt;br /&gt;
=== Unsupported Guest Operating Systems ===&lt;br /&gt;
&lt;br /&gt;
A guest operating system may be newer than the target hypervisor.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Windows Server 2016 on ESXi 5.5.&lt;br /&gt;
* Windows Server 2019 on older ESXi releases.&lt;br /&gt;
&lt;br /&gt;
In these situations, virtual disk conversion may succeed while guest operating system compatibility issues remain.&lt;br /&gt;
&lt;br /&gt;
== Security Implications ==&lt;br /&gt;
&lt;br /&gt;
Virtual hard disks frequently contain:&lt;br /&gt;
&lt;br /&gt;
* User data.&lt;br /&gt;
* Active Directory databases.&lt;br /&gt;
* Certificates.&lt;br /&gt;
* Application configuration.&lt;br /&gt;
* Sensitive business information.&lt;br /&gt;
&lt;br /&gt;
Best practices include:&lt;br /&gt;
&lt;br /&gt;
* Restricting datastore access.&lt;br /&gt;
* Encrypting backups.&lt;br /&gt;
* Removing temporary migration copies.&lt;br /&gt;
* Following least-privilege administration principles.&lt;br /&gt;
* Performing secure disposal of retired virtual disks.&lt;br /&gt;
&lt;br /&gt;
== Troubleshooting &amp;amp; Diagnostics ==&lt;br /&gt;
&lt;br /&gt;
=== Verify the Disk Descriptor ===&lt;br /&gt;
&lt;br /&gt;
Check whether ESXi can successfully interpret the virtual disk descriptor:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
vmkfstools -e SERVER01.vmdk&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Successful output confirms that the descriptor is readable.&lt;br /&gt;
&lt;br /&gt;
=== Examine the VMDK Descriptor ===&lt;br /&gt;
&lt;br /&gt;
Display the descriptor contents:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
cat SERVER01.vmdk&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Look for values such as:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
createType=&amp;quot;monolithicSparse&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
or&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
createType=&amp;quot;streamOptimized&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
These formats are commonly associated with VMware Workstation and OVF exports.&lt;br /&gt;
&lt;br /&gt;
=== Verify Datastore Capacity ===&lt;br /&gt;
&lt;br /&gt;
Check available storage space:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
df -h&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Lack of free datastore space is a common cause of failed imports and conversions.&lt;br /&gt;
&lt;br /&gt;
=== Review VMware Logs ===&lt;br /&gt;
&lt;br /&gt;
Examine:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
vmware.log&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Within the virtual machine directory.&lt;br /&gt;
&lt;br /&gt;
This file frequently contains detailed information regarding:&lt;br /&gt;
&lt;br /&gt;
* Storage controller issues.&lt;br /&gt;
* Disk compatibility problems.&lt;br /&gt;
* Missing files.&lt;br /&gt;
* Snapshot errors.&lt;br /&gt;
&lt;br /&gt;
== Operational Lifecycle ==&lt;br /&gt;
&lt;br /&gt;
=== Build ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Create VM&lt;br /&gt;
   ↓&lt;br /&gt;
Create Virtual Disk&lt;br /&gt;
   ↓&lt;br /&gt;
Install Guest OS&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Run ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Monitor Storage&lt;br /&gt;
   ↓&lt;br /&gt;
Backup Data&lt;br /&gt;
   ↓&lt;br /&gt;
Maintain Capacity&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Maintain ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Expand Disks&lt;br /&gt;
   ↓&lt;br /&gt;
Consolidate Snapshots&lt;br /&gt;
   ↓&lt;br /&gt;
Migrate Storage&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Retire ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Backup&lt;br /&gt;
   ↓&lt;br /&gt;
Archive&lt;br /&gt;
   ↓&lt;br /&gt;
Securely Delete&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Design &amp;amp; Architecture Considerations ==&lt;br /&gt;
&lt;br /&gt;
When designing VMware environments:&lt;br /&gt;
&lt;br /&gt;
* Prefer thin provisioning for general-purpose workloads unless specific performance requirements dictate otherwise.&lt;br /&gt;
* Monitor datastore utilisation carefully.&lt;br /&gt;
* Avoid leaving snapshots in place for extended periods.&lt;br /&gt;
* Use shared storage for production workloads where possible.&lt;br /&gt;
* Keep VMware product versions reasonably aligned during migration projects.&lt;br /&gt;
* Validate guest operating system compatibility before undertaking large-scale migrations.&lt;br /&gt;
* Test recovery procedures regularly.&lt;br /&gt;
&lt;br /&gt;
Many virtual disk issues originate not from corruption but from:&lt;br /&gt;
&lt;br /&gt;
* Format incompatibilities.&lt;br /&gt;
* Incomplete snapshot chains.&lt;br /&gt;
* Storage controller mismatches.&lt;br /&gt;
* Unsupported guest operating systems.&lt;br /&gt;
&lt;br /&gt;
== Lessons from the Field ==&lt;br /&gt;
&lt;br /&gt;
One of the most useful troubleshooting techniques is reducing the scope of the problem.&lt;br /&gt;
&lt;br /&gt;
Consider the following scenario:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
VM Fails to Start&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Initially, the fault could exist in:&lt;br /&gt;
&lt;br /&gt;
* The VM configuration.&lt;br /&gt;
* Virtual hardware.&lt;br /&gt;
* Storage controller.&lt;br /&gt;
* Guest operating system.&lt;br /&gt;
* Virtual hard disk.&lt;br /&gt;
* Snapshot chain.&lt;br /&gt;
&lt;br /&gt;
By temporarily removing the virtual hard disk and successfully starting the virtual machine shell, the problem space becomes significantly smaller:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
VM Without Disk = Works&lt;br /&gt;
VM With Disk    = Fails&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The investigation can then focus entirely on the virtual hard disk rather than the whole virtual machine.&lt;br /&gt;
&lt;br /&gt;
A useful engineering principle is:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
Never solve two problems at the same time.&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Isolating components often turns a complex migration failure into a straightforward disk conversion exercise.&lt;br /&gt;
&lt;br /&gt;
== Related Topics ==&lt;br /&gt;
&lt;br /&gt;
* [[VMware ESXi Datastores]]&lt;br /&gt;
* [[VMware Snapshots]]&lt;br /&gt;
* [[VMware Storage Provisioning]]&lt;br /&gt;
* [[Physical to Virtual Migration]]&lt;br /&gt;
* [[VMware Workstation Migration]]&lt;br /&gt;
* [[VMware Virtual Machine Recovery]]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&lt;br /&gt;
* VMware ESXi Documentation&lt;br /&gt;
* VMware Workstation Documentation&lt;br /&gt;
* VMware vCenter Converter Documentation&lt;br /&gt;
* VMware Virtual Disk Development Kit (VDDK)&lt;br /&gt;
* VMware VMDK Specification&lt;/div&gt;</description>
			<pubDate>Sun, 05 Jul 2026 14:14:29 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:Virtual_Hard_Disk_Management_in_VMware_ESXi</comments>
		</item>
		<item>
			<title>Migrating a Virtual Machine Between Datastores in VMware ESXi 5.5</title>
			<link>https://knowledgebase.pirho.net/index.php?title=Migrating_a_Virtual_Machine_Between_Datastores_in_VMware_ESXi_5.5&amp;diff=412&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=Migrating_a_Virtual_Machine_Between_Datastores_in_VMware_ESXi_5.5&amp;diff=412&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039; How to safely move a virtual machine from one datastore to another in VMware ESXi 5.5 when Storage vMotion or vCenter Server are unavailable.  == Context ==  === Why Migrate a Virtual Machine? ===  === Common Migration Scenarios ===  == Migration Methods Available in ESXi 5.5 ==  === Storage vMotion ===  === Cold Migration ===  === Manual Migration ===  == Understanding the Limitations ==  === Direct ESXi Host Connections ===  === Free ESXi Licensing ===...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
How to safely move a virtual machine from one datastore to another in VMware ESXi 5.5 when Storage vMotion or vCenter Server are unavailable.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
=== Why Migrate a Virtual Machine? ===&lt;br /&gt;
&lt;br /&gt;
=== Common Migration Scenarios ===&lt;br /&gt;
&lt;br /&gt;
== Migration Methods Available in ESXi 5.5 ==&lt;br /&gt;
&lt;br /&gt;
=== Storage vMotion ===&lt;br /&gt;
&lt;br /&gt;
=== Cold Migration ===&lt;br /&gt;
&lt;br /&gt;
=== Manual Migration ===&lt;br /&gt;
&lt;br /&gt;
== Understanding the Limitations ==&lt;br /&gt;
&lt;br /&gt;
=== Direct ESXi Host Connections ===&lt;br /&gt;
&lt;br /&gt;
=== Free ESXi Licensing ===&lt;br /&gt;
&lt;br /&gt;
=== Why the Migrate Option May Not Appear ===&lt;br /&gt;
&lt;br /&gt;
== Manual Datastore Migration Procedure ==&lt;br /&gt;
&lt;br /&gt;
=== Step 1 – Power Down the Virtual Machine ===&lt;br /&gt;
&lt;br /&gt;
=== Step 2 – Verify Datastore Capacity ===&lt;br /&gt;
&lt;br /&gt;
=== Step 3 – Copy the VM Files ===&lt;br /&gt;
&lt;br /&gt;
=== Step 4 – Remove the VM from Inventory ===&lt;br /&gt;
&lt;br /&gt;
=== Step 5 – Register the VM from the New Datastore ===&lt;br /&gt;
&lt;br /&gt;
=== Step 6 – Power On and Verify ===&lt;br /&gt;
&lt;br /&gt;
=== Step 7 – Remove the Original Copy ===&lt;br /&gt;
&lt;br /&gt;
== Common Pitfalls ==&lt;br /&gt;
&lt;br /&gt;
=== Snapshot Files ===&lt;br /&gt;
&lt;br /&gt;
=== Moving vs Copying ===&lt;br /&gt;
&lt;br /&gt;
=== UUID and MAC Address Changes ===&lt;br /&gt;
&lt;br /&gt;
=== Locked Files ===&lt;br /&gt;
&lt;br /&gt;
=== Thin and Thick Provisioned Disks ===&lt;br /&gt;
&lt;br /&gt;
== Troubleshooting &amp;amp; Diagnostics ==&lt;br /&gt;
&lt;br /&gt;
=== VM Will Not Start ===&lt;br /&gt;
&lt;br /&gt;
=== Missing VMDK Files ===&lt;br /&gt;
&lt;br /&gt;
=== Invalid Configuration Errors ===&lt;br /&gt;
&lt;br /&gt;
=== Datastore Space Issues ===&lt;br /&gt;
&lt;br /&gt;
== Design &amp;amp; Operational Considerations ==&lt;br /&gt;
&lt;br /&gt;
=== When Manual Migration Is Appropriate ===&lt;br /&gt;
&lt;br /&gt;
=== When Storage vMotion Is Worth the Investment ===&lt;br /&gt;
&lt;br /&gt;
=== Documentation and Change Control ===&lt;br /&gt;
&lt;br /&gt;
== Related Topics ==&lt;br /&gt;
&lt;br /&gt;
* [[VMware Datastores]]&lt;br /&gt;
* [[Storage vMotion]]&lt;br /&gt;
* [[VMFS Volumes]]&lt;br /&gt;
* [[VMware ESXi Administration]]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&lt;br /&gt;
* VMware ESXi Documentation&lt;br /&gt;
* VMware Storage vMotion Documentation&lt;/div&gt;</description>
			<pubDate>Sun, 05 Jul 2026 14:10:56 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:Migrating_a_Virtual_Machine_Between_Datastores_in_VMware_ESXi_5.5</comments>
		</item>
		<item>
			<title>How Database Queries Really Work</title>
			<link>https://knowledgebase.pirho.net/index.php?title=How_Database_Queries_Really_Work&amp;diff=411&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=How_Database_Queries_Really_Work&amp;diff=411&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039; A practical explanation of how database engines locate, filter, and return information. Rather than focusing on SQL syntax, this article explores what happens inside a database when a query is executed, from simple record scanning through to indexes, query planners, and modern optimisation techniques.  == Context ==  === The Natural Assumption === Why most people imagine databases simply reading every record.  === The Sieve Analogy === Understanding querie...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
A practical explanation of how database engines locate, filter, and return information. Rather than focusing on SQL syntax, this article explores what happens inside a database when a query is executed, from simple record scanning through to indexes, query planners, and modern optimisation techniques.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
=== The Natural Assumption ===&lt;br /&gt;
Why most people imagine databases simply reading every record.&lt;br /&gt;
&lt;br /&gt;
=== The Sieve Analogy ===&lt;br /&gt;
Understanding queries as records passing through progressively finer filters.&lt;br /&gt;
&lt;br /&gt;
== Core Concepts ==&lt;br /&gt;
&lt;br /&gt;
=== Records, Tables and Predicates ===&lt;br /&gt;
What a query is actually asking for.&lt;br /&gt;
&lt;br /&gt;
=== The Full Table Scan ===&lt;br /&gt;
The simplest possible query engine.&lt;br /&gt;
&lt;br /&gt;
=== Why Full Scans Become Expensive ===&lt;br /&gt;
CPU, memory and storage considerations.&lt;br /&gt;
&lt;br /&gt;
== Indexes: Moving the Sieve Closer to the Data ==&lt;br /&gt;
&lt;br /&gt;
=== B-Tree Indexes ===&lt;br /&gt;
How databases avoid examining every record.&lt;br /&gt;
&lt;br /&gt;
=== Hash Indexes ===&lt;br /&gt;
Optimised equality lookups.&lt;br /&gt;
&lt;br /&gt;
=== Inverted Indexes ===&lt;br /&gt;
How text search works.&lt;br /&gt;
&lt;br /&gt;
=== Bitmap Indexes ===&lt;br /&gt;
Filtering large datasets efficiently.&lt;br /&gt;
&lt;br /&gt;
== Query Planning ==&lt;br /&gt;
&lt;br /&gt;
=== One Query, Many Possible Paths ===&lt;br /&gt;
Why databases must make decisions.&lt;br /&gt;
&lt;br /&gt;
=== Selectivity ===&lt;br /&gt;
Finding the most restrictive filter first.&lt;br /&gt;
&lt;br /&gt;
=== Predicate Pushdown ===&lt;br /&gt;
Applying filters as early as possible.&lt;br /&gt;
&lt;br /&gt;
=== Cost-Based Optimisation ===&lt;br /&gt;
Estimating the cheapest route to an answer.&lt;br /&gt;
&lt;br /&gt;
== Storage Engine Considerations ==&lt;br /&gt;
&lt;br /&gt;
=== Row-Oriented Storage ===&lt;br /&gt;
&lt;br /&gt;
=== Column-Oriented Storage ===&lt;br /&gt;
&lt;br /&gt;
=== Why Analytics Databases Feel Faster ===&lt;br /&gt;
&lt;br /&gt;
== Modern Optimisations ==&lt;br /&gt;
&lt;br /&gt;
=== Block Elimination ===&lt;br /&gt;
&lt;br /&gt;
=== Zone Maps ===&lt;br /&gt;
&lt;br /&gt;
=== Bloom Filters ===&lt;br /&gt;
&lt;br /&gt;
=== Vectorised Execution ===&lt;br /&gt;
&lt;br /&gt;
=== Parallel Query Processing ===&lt;br /&gt;
&lt;br /&gt;
== Practical Application ==&lt;br /&gt;
&lt;br /&gt;
=== Building Your Own Query Engine ===&lt;br /&gt;
&lt;br /&gt;
=== A Sensible Evolution Path ===&lt;br /&gt;
* Full scan&lt;br /&gt;
* Indexed lookup&lt;br /&gt;
* Query planner&lt;br /&gt;
* Block skipping&lt;br /&gt;
* Vectorisation&lt;br /&gt;
&lt;br /&gt;
== Common Misconceptions ==&lt;br /&gt;
&lt;br /&gt;
=== Databases Are Not Magic ===&lt;br /&gt;
&lt;br /&gt;
=== SQL Is Not the Query Engine ===&lt;br /&gt;
&lt;br /&gt;
=== Indexes Do Not Eliminate Filtering ===&lt;br /&gt;
&lt;br /&gt;
== Design &amp;amp; Architecture Considerations ==&lt;br /&gt;
&lt;br /&gt;
=== Read Optimisation versus Write Optimisation ===&lt;br /&gt;
&lt;br /&gt;
=== Choosing the Right Indexes ===&lt;br /&gt;
&lt;br /&gt;
=== Storage Layout Matters ===&lt;br /&gt;
&lt;br /&gt;
== Conclusion ==&lt;br /&gt;
&lt;br /&gt;
The Goal Is Not Faster Filtering&lt;br /&gt;
&lt;br /&gt;
The Goal Is Filtering Less&lt;/div&gt;</description>
			<pubDate>Sun, 05 Jul 2026 14:09:45 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:How_Database_Queries_Really_Work</comments>
		</item>
		<item>
			<title>Remote Access to macOS Desktops</title>
			<link>https://knowledgebase.pirho.net/index.php?title=Remote_Access_to_macOS_Desktops&amp;diff=410&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=Remote_Access_to_macOS_Desktops&amp;diff=410&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039; Remote access to macOS systems differs significantly from remote access to Microsoft Windows systems. While Windows provides Remote Desktop Protocol (RDP) as a native service, macOS relies primarily on Screen Sharing, Apple Remote Desktop, SSH, and various third-party solutions. Understanding these differences is essential when supporting, demonstrating, or developing applications remotely on Apple hardware.  == Context ==  Administrators and developers ac...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
Remote access to macOS systems differs significantly from remote access to Microsoft Windows systems. While Windows provides Remote Desktop Protocol (RDP) as a native service, macOS relies primarily on Screen Sharing, Apple Remote Desktop, SSH, and various third-party solutions. Understanding these differences is essential when supporting, demonstrating, or developing applications remotely on Apple hardware.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
Administrators and developers accustomed to Microsoft Windows often expect to connect to macOS systems using RDP. This expectation is understandable, as RDP has become the de facto standard for remote Windows administration and application delivery.&lt;br /&gt;
&lt;br /&gt;
However, macOS was designed around a different remote management model. Rather than exposing native desktop sessions through RDP, Apple provides remote graphical access through Screen Sharing and remote command-line access through SSH.&lt;br /&gt;
&lt;br /&gt;
Common situations where remote access to macOS is required include:&lt;br /&gt;
&lt;br /&gt;
* Remote administration&lt;br /&gt;
* Software support&lt;br /&gt;
* Demonstrating applications&lt;br /&gt;
* Accessing development environments&lt;br /&gt;
* Managing build servers&lt;br /&gt;
* Remote training sessions&lt;br /&gt;
&lt;br /&gt;
== Why Traditional RDP Doesn&amp;#039;t Work on macOS ==&lt;br /&gt;
&lt;br /&gt;
Microsoft&amp;#039;s Remote Desktop Protocol is tightly integrated into the Windows graphics and session management architecture.&lt;br /&gt;
&lt;br /&gt;
macOS uses a completely different graphics subsystem based on Quartz and WindowServer. Because of this architectural difference, macOS does not include a native RDP server.&lt;br /&gt;
&lt;br /&gt;
As a result:&lt;br /&gt;
&lt;br /&gt;
* Microsoft Remote Desktop can connect &amp;#039;&amp;#039;from&amp;#039;&amp;#039; a Mac to a Windows machine.&lt;br /&gt;
* Microsoft Remote Desktop cannot normally connect &amp;#039;&amp;#039;to&amp;#039;&amp;#039; a Mac.&lt;br /&gt;
* Additional software is required if RDP-style access is desired.&lt;br /&gt;
&lt;br /&gt;
=== The xRDP Question ===&lt;br /&gt;
&lt;br /&gt;
Many administrators discover xRDP and assume it provides a simple solution.&lt;br /&gt;
&lt;br /&gt;
While xRDP works exceptionally well on Linux systems, the experience on macOS is significantly more complicated. xRDP was originally designed around X11 desktop environments, whereas modern macOS uses Apple&amp;#039;s native WindowServer architecture.&lt;br /&gt;
&lt;br /&gt;
In practice, xRDP may provide access to an X11 desktop environment but not necessarily the full native macOS graphical experience.&lt;br /&gt;
&lt;br /&gt;
For experimentation, xRDP can be an interesting project. For production use, most organisations prefer purpose-built remote access solutions.&lt;br /&gt;
&lt;br /&gt;
== Native macOS Remote Access Technologies ==&lt;br /&gt;
&lt;br /&gt;
=== Screen Sharing (VNC) ===&lt;br /&gt;
&lt;br /&gt;
Screen Sharing is built directly into macOS.&lt;br /&gt;
&lt;br /&gt;
It allows a remote user to view and control the active desktop session using the Virtual Network Computing (VNC) protocol.&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
&lt;br /&gt;
* Built into macOS&lt;br /&gt;
* No additional software required&lt;br /&gt;
* Simple to enable&lt;br /&gt;
&lt;br /&gt;
Disadvantages:&lt;br /&gt;
&lt;br /&gt;
* Performance can be limited over slower links&lt;br /&gt;
* Not as responsive as modern remote display protocols&lt;br /&gt;
* Limited session management capabilities&lt;br /&gt;
&lt;br /&gt;
=== Apple Remote Desktop ===&lt;br /&gt;
&lt;br /&gt;
Apple Remote Desktop builds upon the Screen Sharing framework and provides additional enterprise management capabilities.&lt;br /&gt;
&lt;br /&gt;
Features include:&lt;br /&gt;
&lt;br /&gt;
* Remote desktop control&lt;br /&gt;
* Software deployment&lt;br /&gt;
* Asset management&lt;br /&gt;
* Remote assistance&lt;br /&gt;
* Inventory reporting&lt;br /&gt;
&lt;br /&gt;
Apple Remote Desktop is often used in educational and creative environments with large numbers of Mac systems.&lt;br /&gt;
&lt;br /&gt;
=== SSH Remote Login ===&lt;br /&gt;
&lt;br /&gt;
For command-line administration, SSH remains one of the most reliable and effective options.&lt;br /&gt;
&lt;br /&gt;
Common use cases include:&lt;br /&gt;
&lt;br /&gt;
* Software updates&lt;br /&gt;
* Build automation&lt;br /&gt;
* Script execution&lt;br /&gt;
* Log analysis&lt;br /&gt;
* Service management&lt;br /&gt;
&lt;br /&gt;
Many administrative tasks can be performed more efficiently through SSH than through a graphical desktop session.&lt;br /&gt;
&lt;br /&gt;
== Alternatives to RDP for macOS ==&lt;br /&gt;
&lt;br /&gt;
=== Jump Desktop ===&lt;br /&gt;
&lt;br /&gt;
Jump Desktop is frequently considered the closest experience to a traditional RDP environment on macOS.&lt;br /&gt;
&lt;br /&gt;
It provides:&lt;br /&gt;
&lt;br /&gt;
* High-performance remote display&lt;br /&gt;
* Multi-monitor support&lt;br /&gt;
* Low-latency interaction&lt;br /&gt;
* Good support for development workloads&lt;br /&gt;
&lt;br /&gt;
Many developers use Jump Desktop to access remote Mac development systems.&lt;br /&gt;
&lt;br /&gt;
=== Parsec ===&lt;br /&gt;
&lt;br /&gt;
Originally designed for low-latency streaming, Parsec has become popular among developers and technical professionals.&lt;br /&gt;
&lt;br /&gt;
Advantages include:&lt;br /&gt;
&lt;br /&gt;
* Excellent responsiveness&lt;br /&gt;
* High frame rates&lt;br /&gt;
* Hardware acceleration support&lt;br /&gt;
&lt;br /&gt;
This makes it particularly suitable for demonstrating graphical applications.&lt;br /&gt;
&lt;br /&gt;
=== AnyDesk ===&lt;br /&gt;
&lt;br /&gt;
AnyDesk offers a lightweight and simple deployment model.&lt;br /&gt;
&lt;br /&gt;
Benefits include:&lt;br /&gt;
&lt;br /&gt;
* Fast setup&lt;br /&gt;
* Cross-platform compatibility&lt;br /&gt;
* Good performance&lt;br /&gt;
&lt;br /&gt;
It is often used in support and helpdesk environments.&lt;br /&gt;
&lt;br /&gt;
=== TeamViewer ===&lt;br /&gt;
&lt;br /&gt;
TeamViewer remains a widely deployed remote access platform.&lt;br /&gt;
&lt;br /&gt;
It is particularly useful when supporting users across unmanaged networks where direct connectivity may be difficult.&lt;br /&gt;
&lt;br /&gt;
== Remote Access for Xcode and iOS Development ==&lt;br /&gt;
&lt;br /&gt;
Developers demonstrating iOS applications face a unique challenge.&lt;br /&gt;
&lt;br /&gt;
The requirement is rarely just remote administration. Instead, they need:&lt;br /&gt;
&lt;br /&gt;
* Access to the native macOS desktop&lt;br /&gt;
* Access to Xcode&lt;br /&gt;
* Access to the iOS Simulator&lt;br /&gt;
* Low input latency&lt;br /&gt;
* Smooth graphical rendering&lt;br /&gt;
&lt;br /&gt;
This requirement changes the technology selection considerably.&lt;br /&gt;
&lt;br /&gt;
For iOS development and demonstrations:&lt;br /&gt;
&lt;br /&gt;
* SSH alone is insufficient.&lt;br /&gt;
* xRDP is generally unsuitable.&lt;br /&gt;
* Traditional VNC may feel sluggish.&lt;br /&gt;
* High-performance remote display solutions usually provide the best experience.&lt;br /&gt;
&lt;br /&gt;
When demonstrating applications remotely, responsiveness is often more important than protocol compatibility.&lt;br /&gt;
&lt;br /&gt;
== Design &amp;amp; Architecture Considerations ==&lt;br /&gt;
&lt;br /&gt;
=== Security ===&lt;br /&gt;
&lt;br /&gt;
Remote access should always be protected by strong authentication.&lt;br /&gt;
&lt;br /&gt;
Recommended controls include:&lt;br /&gt;
&lt;br /&gt;
* Multi-factor authentication&lt;br /&gt;
* VPN or private overlay networking&lt;br /&gt;
* Principle of least privilege&lt;br /&gt;
* Session logging where appropriate&lt;br /&gt;
&lt;br /&gt;
=== Scalability ===&lt;br /&gt;
&lt;br /&gt;
Single-user remote administration has different requirements from organisation-wide support.&lt;br /&gt;
&lt;br /&gt;
Consider:&lt;br /&gt;
&lt;br /&gt;
* Centralised access management&lt;br /&gt;
* Device inventory&lt;br /&gt;
* Monitoring&lt;br /&gt;
* Automation capabilities&lt;br /&gt;
&lt;br /&gt;
=== Reliability ===&lt;br /&gt;
&lt;br /&gt;
For demonstrations and customer presentations, reliability is often more important than raw performance.&lt;br /&gt;
&lt;br /&gt;
A slightly slower but stable connection is preferable to a faster solution that disconnects unexpectedly during a live demonstration.&lt;br /&gt;
&lt;br /&gt;
=== Maintainability ===&lt;br /&gt;
&lt;br /&gt;
Where possible, use solutions supported by their vendors and integrated into normal operating procedures.&lt;br /&gt;
&lt;br /&gt;
Avoid complex workarounds that may fail after operating system upgrades.&lt;br /&gt;
&lt;br /&gt;
== Common Pitfalls ==&lt;br /&gt;
&lt;br /&gt;
* Assuming RDP support is built into macOS.&lt;br /&gt;
* Deploying xRDP expecting a native Mac desktop.&lt;br /&gt;
* Overlooking network latency when planning demonstrations.&lt;br /&gt;
* Testing only on local networks before public presentations.&lt;br /&gt;
* Ignoring screen resolution and Retina scaling differences.&lt;br /&gt;
&lt;br /&gt;
== Troubleshooting &amp;amp; Diagnostics ==&lt;br /&gt;
&lt;br /&gt;
When remote access performance is poor, investigate:&lt;br /&gt;
&lt;br /&gt;
=== Network Connectivity ===&lt;br /&gt;
&lt;br /&gt;
Check:&lt;br /&gt;
&lt;br /&gt;
* Latency&lt;br /&gt;
* Packet loss&lt;br /&gt;
* Bandwidth availability&lt;br /&gt;
&lt;br /&gt;
=== System Resources ===&lt;br /&gt;
&lt;br /&gt;
Monitor:&lt;br /&gt;
&lt;br /&gt;
* CPU utilisation&lt;br /&gt;
* Memory utilisation&lt;br /&gt;
* GPU activity&lt;br /&gt;
&lt;br /&gt;
=== Display Settings ===&lt;br /&gt;
&lt;br /&gt;
Excessively high display resolutions can negatively impact responsiveness.&lt;br /&gt;
&lt;br /&gt;
Reducing resolution during demonstrations may improve performance significantly.&lt;br /&gt;
&lt;br /&gt;
=== Application Behaviour ===&lt;br /&gt;
&lt;br /&gt;
Some development tools and simulators consume substantial graphical resources.&lt;br /&gt;
&lt;br /&gt;
Verify that performance issues originate from the remote access layer and not the application workload itself.&lt;br /&gt;
&lt;br /&gt;
== Related Topics ==&lt;br /&gt;
&lt;br /&gt;
* [[Apple Remote Desktop]]&lt;br /&gt;
* [[Remote Administration]]&lt;br /&gt;
* [[SSH Administration]]&lt;br /&gt;
* [[iOS Development]]&lt;br /&gt;
* [[Xcode]]&lt;br /&gt;
* [[Secure Remote Access Architecture]]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&lt;br /&gt;
* Apple Documentation&lt;br /&gt;
* Microsoft Remote Desktop Documentation&lt;br /&gt;
* Apple Remote Desktop Documentation&lt;br /&gt;
* SSH RFC Specifications&lt;br /&gt;
* Vendor Documentation for Jump Desktop, Parsec, AnyDesk and TeamViewer&lt;/div&gt;</description>
			<pubDate>Sun, 05 Jul 2026 14:09:05 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:Remote_Access_to_macOS_Desktops</comments>
		</item>
		<item>
			<title>JavaScript for Everyone</title>
			<link>https://knowledgebase.pirho.net/index.php?title=JavaScript_for_Everyone&amp;diff=409&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=JavaScript_for_Everyone&amp;diff=409&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;  JavaScript has evolved significantly since its introduction in the 1990s. Modern JavaScript development often assumes the availability of recent browser features, build pipelines, transpilers, package managers, and evergreen browser updates. While these technologies have improved developer productivity, they can also reduce the range of clients capable of running an application.  This article explores a compatibility-first approach to JavaScript developme...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
JavaScript has evolved significantly since its introduction in the 1990s. Modern JavaScript development often assumes the availability of recent browser features, build pipelines, transpilers, package managers, and evergreen browser updates. While these technologies have improved developer productivity, they can also reduce the range of clients capable of running an application.&lt;br /&gt;
&lt;br /&gt;
This article explores a compatibility-first approach to JavaScript development. By using broadly supported language features, implementing feature detection, embracing progressive enhancement, and understanding the history of browser scripting engines, developers can deliver applications that remain accessible to the widest possible audience.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
The web is often viewed through the lens of modern desktop and mobile browsers. However, many environments continue to rely upon older JavaScript engines and legacy browsers.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Corporate intranet applications&lt;br /&gt;
* Embedded administration interfaces&lt;br /&gt;
* Industrial control systems&lt;br /&gt;
* Kiosk systems&lt;br /&gt;
* Legacy line-of-business applications&lt;br /&gt;
* Long-term support operating systems&lt;br /&gt;
* Assistive technologies using embedded browser controls&lt;br /&gt;
&lt;br /&gt;
A compatibility-first development strategy does not reject modern features. Instead, it asks a simple question:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
How can we deliver the best possible experience to modern browsers while maintaining functional access for older clients?&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== A Brief History of JavaScript ==&lt;br /&gt;
&lt;br /&gt;
JavaScript did not emerge fully standardised.&lt;br /&gt;
&lt;br /&gt;
During the early years of the web, multiple browser vendors implemented their own scripting engines.&lt;br /&gt;
&lt;br /&gt;
Notable implementations included:&lt;br /&gt;
&lt;br /&gt;
* Netscape JavaScript&lt;br /&gt;
* Microsoft JScript&lt;br /&gt;
* Opera&amp;#039;s JavaScript implementation&lt;br /&gt;
&lt;br /&gt;
Although the ECMAScript standard eventually brought consistency to the language, browser differences remained significant for many years.&lt;br /&gt;
&lt;br /&gt;
Developers frequently encountered differences in:&lt;br /&gt;
&lt;br /&gt;
* Event handling&lt;br /&gt;
* Document Object Model (DOM) behaviour&lt;br /&gt;
* Object implementations&lt;br /&gt;
* Security models&lt;br /&gt;
* Supported language features&lt;br /&gt;
&lt;br /&gt;
An understanding of this history explains why many experienced developers still favour defensive programming techniques and compatibility testing.&lt;br /&gt;
&lt;br /&gt;
== Understanding the Compatibility Pyramid ==&lt;br /&gt;
&lt;br /&gt;
The further back a browser&amp;#039;s capabilities extend, the larger the potential audience becomes.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
                 Modern ECMAScript&lt;br /&gt;
                        ▲&lt;br /&gt;
                        │&lt;br /&gt;
                   ES Modules&lt;br /&gt;
                        ▲&lt;br /&gt;
                        │&lt;br /&gt;
                     ES2015&lt;br /&gt;
                        ▲&lt;br /&gt;
                        │&lt;br /&gt;
                       ES5&lt;br /&gt;
                        ▲&lt;br /&gt;
                        │&lt;br /&gt;
                    JScript&lt;br /&gt;
                        ▲&lt;br /&gt;
                        │&lt;br /&gt;
                    DOM Level 0&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Each layer introduces additional capabilities.&lt;br /&gt;
&lt;br /&gt;
Applications designed for maximum compatibility typically establish a foundation at the lower levels and progressively enhance functionality as more capabilities become available.&lt;br /&gt;
&lt;br /&gt;
== Why ES5 Remains Important ==&lt;br /&gt;
&lt;br /&gt;
ECMAScript 5 (ES5) remains one of the most widely supported versions of JavaScript ever released.&lt;br /&gt;
&lt;br /&gt;
Features such as:&lt;br /&gt;
&lt;br /&gt;
* Variables using &amp;lt;code&amp;gt;var&amp;lt;/code&amp;gt;&lt;br /&gt;
* Function declarations&lt;br /&gt;
* Arrays&lt;br /&gt;
* Objects&lt;br /&gt;
* Regular expressions&lt;br /&gt;
* Date handling&lt;br /&gt;
* String manipulation&lt;br /&gt;
&lt;br /&gt;
are available across virtually all modern browsers and a large number of legacy environments.&lt;br /&gt;
&lt;br /&gt;
Because of this, ES5 frequently serves as a practical baseline when broad compatibility is required.&lt;br /&gt;
&lt;br /&gt;
=== Example ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;javascript&amp;quot;&amp;gt;&lt;br /&gt;
var message = &amp;quot;Hello World&amp;quot;;&lt;br /&gt;
&lt;br /&gt;
function greet(name)&lt;br /&gt;
{&lt;br /&gt;
    return &amp;quot;Hello &amp;quot; + name;&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This example executes successfully in a wide range of browsers spanning multiple decades.&lt;br /&gt;
&lt;br /&gt;
== Progressive Enhancement ==&lt;br /&gt;
&lt;br /&gt;
Progressive enhancement is the practice of building a solution from a reliable foundation and then adding more advanced functionality when supported.&lt;br /&gt;
&lt;br /&gt;
A common model is:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
HTML&lt;br /&gt;
 ▲&lt;br /&gt;
 │&lt;br /&gt;
CSS&lt;br /&gt;
 ▲&lt;br /&gt;
 │&lt;br /&gt;
JavaScript&lt;br /&gt;
 ▲&lt;br /&gt;
 │&lt;br /&gt;
Advanced JavaScript&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Every layer enhances the user experience without making the previous layer unusable.&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
* HTML provides content.&lt;br /&gt;
* CSS improves presentation.&lt;br /&gt;
* JavaScript improves interactivity.&lt;br /&gt;
* Modern APIs provide additional convenience.&lt;br /&gt;
&lt;br /&gt;
If one layer becomes unavailable, the layers below continue to function.&lt;br /&gt;
&lt;br /&gt;
== Graceful Degradation ==&lt;br /&gt;
&lt;br /&gt;
Graceful degradation is closely related to progressive enhancement.&lt;br /&gt;
&lt;br /&gt;
Rather than asking:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
What can the newest browser do?&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
it asks:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
What happens when this feature is unavailable?&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;javascript&amp;quot;&amp;gt;&lt;br /&gt;
if (window.localStorage)&lt;br /&gt;
{&lt;br /&gt;
    window.localStorage.setItem(&amp;quot;theme&amp;quot;, &amp;quot;dark&amp;quot;);&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The application can continue operating even if persistent storage is unavailable.&lt;br /&gt;
&lt;br /&gt;
The user may lose convenience, but core functionality remains intact.&lt;br /&gt;
&lt;br /&gt;
== Feature Detection vs Browser Detection ==&lt;br /&gt;
&lt;br /&gt;
One of the most important compatibility practices is feature detection.&lt;br /&gt;
&lt;br /&gt;
=== Avoid Browser Detection ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;javascript&amp;quot;&amp;gt;&lt;br /&gt;
if (navigator.userAgent.indexOf(&amp;quot;Chrome&amp;quot;) &amp;gt; -1)&lt;br /&gt;
{&lt;br /&gt;
    // Chrome-specific logic&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
User agent strings can be inaccurate, spoofed, or change over time.&lt;br /&gt;
&lt;br /&gt;
=== Prefer Feature Detection ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;javascript&amp;quot;&amp;gt;&lt;br /&gt;
if (window.addEventListener)&lt;br /&gt;
{&lt;br /&gt;
    // Modern event handling&lt;br /&gt;
}&lt;br /&gt;
else&lt;br /&gt;
{&lt;br /&gt;
    // Legacy fallback&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Feature detection focuses on actual capability rather than assumptions.&lt;br /&gt;
&lt;br /&gt;
== Supporting Multiple Event Models ==&lt;br /&gt;
&lt;br /&gt;
One of the historic challenges of cross-browser development involved event registration.&lt;br /&gt;
&lt;br /&gt;
=== Modern Event Registration ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;javascript&amp;quot;&amp;gt;&lt;br /&gt;
element.addEventListener(&amp;quot;click&amp;quot;, handler, false);&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Legacy Internet Explorer ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;javascript&amp;quot;&amp;gt;&lt;br /&gt;
element.attachEvent(&amp;quot;onclick&amp;quot;, handler);&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
A compatibility layer can support both:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;javascript&amp;quot;&amp;gt;&lt;br /&gt;
function addEvent(element, eventName, handler)&lt;br /&gt;
{&lt;br /&gt;
    if (element.addEventListener)&lt;br /&gt;
    {&lt;br /&gt;
        element.addEventListener(eventName, handler, false);&lt;br /&gt;
    }&lt;br /&gt;
    else if (element.attachEvent)&lt;br /&gt;
    {&lt;br /&gt;
        element.attachEvent(&amp;quot;on&amp;quot; + eventName, handler);&lt;br /&gt;
    }&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This pattern proved effective for many years and remains useful when supporting older browsers.&lt;br /&gt;
&lt;br /&gt;
== Working with Modern APIs ==&lt;br /&gt;
&lt;br /&gt;
Modern browsers provide many useful capabilities, including:&lt;br /&gt;
&lt;br /&gt;
* Fetch API&lt;br /&gt;
* Promise&lt;br /&gt;
* MutationObserver&lt;br /&gt;
* IntersectionObserver&lt;br /&gt;
* Web Storage&lt;br /&gt;
* Service Workers&lt;br /&gt;
&lt;br /&gt;
However, these capabilities should not be assumed.&lt;br /&gt;
&lt;br /&gt;
=== Example ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;javascript&amp;quot;&amp;gt;&lt;br /&gt;
if (window.fetch)&lt;br /&gt;
{&lt;br /&gt;
    fetch(&amp;quot;/api/data&amp;quot;);&lt;br /&gt;
}&lt;br /&gt;
else&lt;br /&gt;
{&lt;br /&gt;
    var xhr = new XMLHttpRequest();&lt;br /&gt;
    xhr.open(&amp;quot;GET&amp;quot;, &amp;quot;/api/data&amp;quot;, true);&lt;br /&gt;
    xhr.send();&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This allows modern browsers to use newer functionality while maintaining support for older environments.&lt;br /&gt;
&lt;br /&gt;
== JavaScript Namespaces ==&lt;br /&gt;
&lt;br /&gt;
Before native modules became widely available, many applications organised code using namespaces.&lt;br /&gt;
&lt;br /&gt;
=== Example ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;javascript&amp;quot;&amp;gt;&lt;br /&gt;
var PiRho = PiRho || {};&lt;br /&gt;
&lt;br /&gt;
PiRho.Data = PiRho.Data || {};&lt;br /&gt;
PiRho.Data.Source = {};&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Benefits include:&lt;br /&gt;
&lt;br /&gt;
* Logical code organisation&lt;br /&gt;
* Reduced global namespace pollution&lt;br /&gt;
* Broad browser compatibility&lt;br /&gt;
* No dependency on module loaders&lt;br /&gt;
&lt;br /&gt;
Many large applications successfully used namespace-based architectures long before ES Modules were introduced.&lt;br /&gt;
&lt;br /&gt;
== ES Modules and Compatibility ==&lt;br /&gt;
&lt;br /&gt;
ES Modules provide a modern mechanism for separating and organising code.&lt;br /&gt;
&lt;br /&gt;
=== Example ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;javascript&amp;quot;&amp;gt;&lt;br /&gt;
import { Widget } from &amp;quot;./Widget.js&amp;quot;;&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Advantages include:&lt;br /&gt;
&lt;br /&gt;
* Explicit dependencies&lt;br /&gt;
* Improved maintainability&lt;br /&gt;
* Better developer onboarding&lt;br /&gt;
* Enhanced tooling support&lt;br /&gt;
&lt;br /&gt;
However, ES Modules should be viewed as an enhancement when broad compatibility is required.&lt;br /&gt;
&lt;br /&gt;
One effective strategy is:&lt;br /&gt;
&lt;br /&gt;
# Author code using ES Modules.&lt;br /&gt;
# Transpile modules into a namespace-based format.&lt;br /&gt;
# Continue supporting a legacy execution path.&lt;br /&gt;
&lt;br /&gt;
This approach allows modern development practices while preserving compatibility with older browsers.&lt;br /&gt;
&lt;br /&gt;
== Common Pitfalls ==&lt;br /&gt;
&lt;br /&gt;
=== Assuming Internet Explorer 11 Is the Oldest Browser ===&lt;br /&gt;
&lt;br /&gt;
Many applications continue to run within environments older than Internet Explorer 11.&lt;br /&gt;
&lt;br /&gt;
Support requirements should be determined by actual audience needs rather than assumptions.&lt;br /&gt;
&lt;br /&gt;
=== Depending Entirely on Build Pipelines ===&lt;br /&gt;
&lt;br /&gt;
Build tools can mask compatibility issues.&lt;br /&gt;
&lt;br /&gt;
Developers should understand the code delivered to the browser and the features being relied upon.&lt;br /&gt;
&lt;br /&gt;
=== Using Modern Features Without Fallbacks ===&lt;br /&gt;
&lt;br /&gt;
Features such as:&lt;br /&gt;
&lt;br /&gt;
* Arrow functions&lt;br /&gt;
* Async/await&lt;br /&gt;
* Fetch&lt;br /&gt;
* Promises&lt;br /&gt;
&lt;br /&gt;
may require alternative implementations in older environments.&lt;br /&gt;
&lt;br /&gt;
A fallback strategy should always be considered.&lt;br /&gt;
&lt;br /&gt;
=== Ignoring Non-Browser JavaScript Engines ===&lt;br /&gt;
&lt;br /&gt;
JavaScript executes in a variety of environments beyond mainstream browsers.&lt;br /&gt;
&lt;br /&gt;
Embedded systems, administrative interfaces, and legacy software may use significantly older scripting engines.&lt;br /&gt;
&lt;br /&gt;
== Design and Architecture Considerations ==&lt;br /&gt;
&lt;br /&gt;
When broad compatibility is a requirement, several principles become important.&lt;br /&gt;
&lt;br /&gt;
=== Prioritise Stability ===&lt;br /&gt;
&lt;br /&gt;
Long-term maintainability is often more valuable than adopting the latest language feature.&lt;br /&gt;
&lt;br /&gt;
=== Optimise for Accessibility ===&lt;br /&gt;
&lt;br /&gt;
Accessibility and compatibility frequently complement one another.&lt;br /&gt;
&lt;br /&gt;
Applications that function with limited capabilities are often more robust overall.&lt;br /&gt;
&lt;br /&gt;
=== Keep Dependencies to a Minimum ===&lt;br /&gt;
&lt;br /&gt;
Every additional dependency introduces:&lt;br /&gt;
&lt;br /&gt;
* Complexity&lt;br /&gt;
* Maintenance overhead&lt;br /&gt;
* Potential compatibility concerns&lt;br /&gt;
&lt;br /&gt;
Native browser capabilities should be preferred whenever practical.&lt;br /&gt;
&lt;br /&gt;
=== Understand Your Audience ===&lt;br /&gt;
&lt;br /&gt;
The appropriate level of compatibility depends upon the intended users.&lt;br /&gt;
&lt;br /&gt;
Public-facing websites often benefit from maximum reach, whereas internal applications may have more controlled requirements.&lt;br /&gt;
&lt;br /&gt;
== Practical Rule of Thumb ==&lt;br /&gt;
&lt;br /&gt;
Before introducing any feature, ask:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
Can the application still function if this capability is unavailable?&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
If the answer is yes, the feature can likely be implemented as a progressive enhancement.&lt;br /&gt;
&lt;br /&gt;
If the answer is no, the feature should be carefully evaluated and justified.&lt;br /&gt;
&lt;br /&gt;
== Conclusion ==&lt;br /&gt;
&lt;br /&gt;
Writing JavaScript for everyone is not about rejecting modern JavaScript. It is about recognising that the web serves an extraordinarily diverse range of users, devices, browsers, and software environments.&lt;br /&gt;
&lt;br /&gt;
By using broadly supported language features, implementing feature detection, embracing progressive enhancement, and understanding the historical evolution of browser scripting engines, developers can create applications that remain useful for the widest possible audience.&lt;br /&gt;
&lt;br /&gt;
Compatibility is not a limitation.&lt;br /&gt;
&lt;br /&gt;
It is a design decision.&lt;br /&gt;
&lt;br /&gt;
== Related Topics ==&lt;br /&gt;
&lt;br /&gt;
* [[Progressive Enhancement]]&lt;br /&gt;
* [[Graceful Degradation]]&lt;br /&gt;
* [[Accessibility]]&lt;br /&gt;
* [[HTML Compatibility]]&lt;br /&gt;
* [[Browser Compatibility]]&lt;br /&gt;
* [[ECMAScript]]&lt;br /&gt;
* [[JavaScript Namespaces]]&lt;br /&gt;
* [[ES Modules]]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&lt;br /&gt;
* ECMAScript Language Specification&lt;br /&gt;
* Microsoft JScript Documentation&lt;br /&gt;
* W3C DOM Specifications&lt;br /&gt;
* MDN Web Docs&lt;br /&gt;
* WHATWG HTML Standard&lt;br /&gt;
* Browser Compatibility Data (BCD)&lt;/div&gt;</description>
			<pubDate>Sun, 05 Jul 2026 14:08:15 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:JavaScript_for_Everyone</comments>
		</item>
		<item>
			<title>MacOS Virtualisation and Desktop as a Service: Why Apple Makes It Difficult</title>
			<link>https://knowledgebase.pirho.net/index.php?title=MacOS_Virtualisation_and_Desktop_as_a_Service:_Why_Apple_Makes_It_Difficult&amp;diff=408&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=MacOS_Virtualisation_and_Desktop_as_a_Service:_Why_Apple_Makes_It_Difficult&amp;diff=408&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039; Virtualisation has become a cornerstone of modern infrastructure. Windows and Linux can be deployed as virtual machines, containers, cloud instances, and Desktop as a Service (DaaS) platforms with relatively few restrictions. macOS, however, remains an outlier. While virtualisation is technically possible, licensing restrictions, hardware dependencies, and platform design decisions make large-scale macOS virtualisation significantly more challenging than e...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
Virtualisation has become a cornerstone of modern infrastructure. Windows and Linux can be deployed as virtual machines, containers, cloud instances, and Desktop as a Service (DaaS) platforms with relatively few restrictions. macOS, however, remains an outlier. While virtualisation is technically possible, licensing restrictions, hardware dependencies, and platform design decisions make large-scale macOS virtualisation significantly more challenging than equivalent Windows or Linux deployments.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
Many organisations require macOS environments for legitimate business purposes:&lt;br /&gt;
&lt;br /&gt;
* iOS and macOS software development&lt;br /&gt;
* Safari compatibility testing&lt;br /&gt;
* Build automation&lt;br /&gt;
* User acceptance testing&lt;br /&gt;
* Application packaging and signing&lt;br /&gt;
&lt;br /&gt;
For infrastructure engineers accustomed to VMware, Xen, Hyper-V or KVM, macOS appears to be &amp;quot;just another operating system&amp;quot;. In practice, Apple imposes several constraints which influence architectural decisions.&lt;br /&gt;
&lt;br /&gt;
The result is that macOS virtualisation often becomes a specialised infrastructure component rather than a general-purpose compute platform.&lt;br /&gt;
&lt;br /&gt;
== Why Virtualise macOS? ==&lt;br /&gt;
&lt;br /&gt;
The reasons are largely the same as virtualising any operating system:&lt;br /&gt;
&lt;br /&gt;
* Improved utilisation of hardware&lt;br /&gt;
* Snapshot and rollback capability&lt;br /&gt;
* Isolated testing environments&lt;br /&gt;
* Automated provisioning&lt;br /&gt;
* Continuous Integration and Continuous Deployment (CI/CD)&lt;br /&gt;
* Selenium and browser testing&lt;br /&gt;
&lt;br /&gt;
For development and testing environments, the ability to quickly create and destroy virtual machines can dramatically improve efficiency.&lt;br /&gt;
&lt;br /&gt;
== The Apple Difference ==&lt;br /&gt;
&lt;br /&gt;
=== Hardware Requirements ===&lt;br /&gt;
&lt;br /&gt;
Historically, Apple licensing has required macOS virtual machines to run on Apple hardware.&lt;br /&gt;
&lt;br /&gt;
For organisations heavily invested in virtualisation, this introduces an unusual constraint:&lt;br /&gt;
&lt;br /&gt;
* Windows can run almost anywhere&lt;br /&gt;
* Linux can run almost anywhere&lt;br /&gt;
* macOS requires Apple hardware&lt;br /&gt;
&lt;br /&gt;
This immediately eliminates the possibility of simply deploying macOS workloads onto an existing pool of high-density rack servers.&lt;br /&gt;
&lt;br /&gt;
=== Limited Infrastructure Options ===&lt;br /&gt;
&lt;br /&gt;
A typical enterprise virtualisation environment might contain:&lt;br /&gt;
&lt;br /&gt;
* Dell PowerEdge&lt;br /&gt;
* HP ProLiant&lt;br /&gt;
* Lenovo ThinkSystem&lt;br /&gt;
* Cisco UCS&lt;br /&gt;
&lt;br /&gt;
These systems offer:&lt;br /&gt;
&lt;br /&gt;
* High core counts&lt;br /&gt;
* Large memory capacities&lt;br /&gt;
* Extensive storage options&lt;br /&gt;
* PCIe expansion&lt;br /&gt;
* Dense rack deployment&lt;br /&gt;
&lt;br /&gt;
Apple&amp;#039;s desktop systems were never designed to compete directly in this space.&lt;br /&gt;
&lt;br /&gt;
=== Licensing Considerations ===&lt;br /&gt;
&lt;br /&gt;
Unlike Windows Server Datacenter or many Linux distributions, macOS licensing is not aimed at maximising virtual machine density.&lt;br /&gt;
&lt;br /&gt;
As a result, many architects view macOS virtualisation nodes as specialised resources rather than general-purpose compute hosts.&lt;br /&gt;
&lt;br /&gt;
== Desktop as a Service and macOS ==&lt;br /&gt;
&lt;br /&gt;
=== The DaaS Model ===&lt;br /&gt;
&lt;br /&gt;
Desktop as a Service works exceptionally well for Windows.&lt;br /&gt;
&lt;br /&gt;
A user connects to a remotely hosted desktop while infrastructure teams manage:&lt;br /&gt;
&lt;br /&gt;
* Patching&lt;br /&gt;
* Backups&lt;br /&gt;
* Security&lt;br /&gt;
* Capacity&lt;br /&gt;
&lt;br /&gt;
The model scales efficiently because hardware resources can be shared amongst large numbers of users.&lt;br /&gt;
&lt;br /&gt;
=== Why macOS Is Different ===&lt;br /&gt;
&lt;br /&gt;
Several factors make macOS DaaS less straightforward:&lt;br /&gt;
&lt;br /&gt;
* Hardware restrictions&lt;br /&gt;
* Licensing considerations&lt;br /&gt;
* Smaller ecosystem of management tools&lt;br /&gt;
* More limited hosting options&lt;br /&gt;
&lt;br /&gt;
While cloud-hosted macOS services exist, they are vastly less common than their Windows counterparts.&lt;br /&gt;
&lt;br /&gt;
As a result, organisations often deploy macOS only where absolutely necessary.&lt;br /&gt;
&lt;br /&gt;
== A Practical Approach ==&lt;br /&gt;
&lt;br /&gt;
=== Treat macOS as a Specialised Compute Resource ===&lt;br /&gt;
&lt;br /&gt;
Rather than viewing macOS as another member of a large virtualisation cluster, it can be more effective to treat it as a dedicated service.&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Apple Compute Node&lt;br /&gt;
 |&lt;br /&gt;
 +-- iOS Build Environment&lt;br /&gt;
 +-- Safari Testing Environment&lt;br /&gt;
 +-- Code Signing Environment&lt;br /&gt;
 +-- Application Packaging Environment&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The rest of the infrastructure continues to run on conventional server hardware.&lt;br /&gt;
&lt;br /&gt;
=== Keep General Compute Elsewhere ===&lt;br /&gt;
&lt;br /&gt;
In many environments:&lt;br /&gt;
&lt;br /&gt;
* Windows workloads remain on Hyper-V or VMware&lt;br /&gt;
* Linux workloads remain on Xen, KVM or VMware&lt;br /&gt;
* macOS workloads remain on dedicated Apple hosts&lt;br /&gt;
&lt;br /&gt;
This separates licensing concerns from infrastructure design.&lt;br /&gt;
&lt;br /&gt;
== Selenium and Browser Testing ==&lt;br /&gt;
&lt;br /&gt;
One compelling reason to maintain macOS infrastructure is Safari testing.&lt;br /&gt;
&lt;br /&gt;
Unlike Chrome and Firefox, Safari versions are closely tied to macOS releases.&lt;br /&gt;
&lt;br /&gt;
This means:&lt;br /&gt;
&lt;br /&gt;
* Browser coverage requires OS coverage&lt;br /&gt;
* Multiple macOS versions may need to be maintained&lt;br /&gt;
* Testing often benefits from virtualisation and snapshots&lt;br /&gt;
&lt;br /&gt;
=== Golden Image Strategy ===&lt;br /&gt;
&lt;br /&gt;
A particularly effective approach is to maintain a collection of golden images.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Monterey + Safari 16&lt;br /&gt;
Ventura + Safari 17&lt;br /&gt;
Sonoma + Safari 18&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Each image represents a known-good testing environment.&lt;br /&gt;
&lt;br /&gt;
Tests execute against disposable copies rather than persistent machines.&lt;br /&gt;
&lt;br /&gt;
Benefits include:&lt;br /&gt;
&lt;br /&gt;
* Consistency&lt;br /&gt;
* Repeatability&lt;br /&gt;
* Fast rollback&lt;br /&gt;
* Reduced configuration drift&lt;br /&gt;
&lt;br /&gt;
== Architecture Example ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
+----------------------+&lt;br /&gt;
| HP ProLiant Cluster  |&lt;br /&gt;
+----------------------+&lt;br /&gt;
| Linux Services       |&lt;br /&gt;
| Databases            |&lt;br /&gt;
| Message Queues       |&lt;br /&gt;
| APIs                 |&lt;br /&gt;
| General Compute      |&lt;br /&gt;
+----------------------+&lt;br /&gt;
&lt;br /&gt;
          |&lt;br /&gt;
&lt;br /&gt;
+----------------------+&lt;br /&gt;
| Mac Mini ESXi Host   |&lt;br /&gt;
+----------------------+&lt;br /&gt;
| macOS VM A           |&lt;br /&gt;
| macOS VM B           |&lt;br /&gt;
+----------------------+&lt;br /&gt;
&lt;br /&gt;
          |&lt;br /&gt;
&lt;br /&gt;
+----------------------+&lt;br /&gt;
| Selenium Scheduler   |&lt;br /&gt;
+----------------------+&lt;br /&gt;
| Snapshot Selection   |&lt;br /&gt;
| Test Routing         |&lt;br /&gt;
| Capacity Management  |&lt;br /&gt;
+----------------------+&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This design uses Apple hardware only where necessary while allowing the majority of workloads to run on conventional server infrastructure.&lt;br /&gt;
&lt;br /&gt;
== Common Pitfalls ==&lt;br /&gt;
&lt;br /&gt;
* Treating macOS as a general-purpose virtualisation platform&lt;br /&gt;
* Over-investing in Apple hardware for non-Apple workloads&lt;br /&gt;
* Maintaining long-lived test environments&lt;br /&gt;
* Allowing browser testing environments to drift&lt;br /&gt;
* Ignoring snapshot and image lifecycle management&lt;br /&gt;
&lt;br /&gt;
== Design &amp;amp; Architecture Considerations ==&lt;br /&gt;
&lt;br /&gt;
A useful principle is:&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Use Apple hardware for Apple problems.&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
If the requirement is:&lt;br /&gt;
&lt;br /&gt;
* Xcode&lt;br /&gt;
* iOS builds&lt;br /&gt;
* Safari testing&lt;br /&gt;
* Code signing&lt;br /&gt;
&lt;br /&gt;
Then macOS is essential.&lt;br /&gt;
&lt;br /&gt;
If the requirement is:&lt;br /&gt;
&lt;br /&gt;
* Databases&lt;br /&gt;
* Web servers&lt;br /&gt;
* Queue processors&lt;br /&gt;
* Infrastructure services&lt;br /&gt;
&lt;br /&gt;
Then conventional server platforms generally offer greater density, flexibility and value.&lt;br /&gt;
&lt;br /&gt;
== Conclusion ==&lt;br /&gt;
&lt;br /&gt;
macOS virtualisation is entirely achievable, but it requires a different mindset from traditional server virtualisation.&lt;br /&gt;
&lt;br /&gt;
The most successful designs do not attempt to build an Apple-centric infrastructure. Instead, they recognise that macOS is a specialised dependency and isolate it accordingly.&lt;br /&gt;
&lt;br /&gt;
By treating Mac hardware as a dedicated compute pool for Apple-specific workloads, organisations can obtain the benefits of virtualisation without sacrificing the flexibility and efficiency of their existing Windows and Linux infrastructure.&lt;/div&gt;</description>
			<pubDate>Sun, 05 Jul 2026 14:06:45 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:MacOS_Virtualisation_and_Desktop_as_a_Service:_Why_Apple_Makes_It_Difficult</comments>
		</item>
		<item>
			<title>Intellectual Property Rights and Software Governance</title>
			<link>https://knowledgebase.pirho.net/index.php?title=Intellectual_Property_Rights_and_Software_Governance&amp;diff=407&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=Intellectual_Property_Rights_and_Software_Governance&amp;diff=407&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;  Intellectual Property Rights (IPR) and Software Governance are often viewed as separate disciplines. In reality, they are closely related. Every software project creates intellectual property, and every organisation that develops, licenses, distributes, or maintains software must make decisions regarding ownership, licensing, provenance, security, quality, and compliance.  This article examines Intellectual Property Rights from a software engineering pers...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
Intellectual Property Rights (IPR) and Software Governance are often viewed as separate disciplines. In reality, they are closely related. Every software project creates intellectual property, and every organisation that develops, licenses, distributes, or maintains software must make decisions regarding ownership, licensing, provenance, security, quality, and compliance.&lt;br /&gt;
&lt;br /&gt;
This article examines Intellectual Property Rights from a software engineering perspective, exploring how software assets are created, protected, governed, and maintained throughout their lifecycle.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
Many developers encounter Intellectual Property Rights only when a copyright notice is added to a source file or a software licence is published alongside a release.&lt;br /&gt;
&lt;br /&gt;
In practice, Intellectual Property Rights influence every stage of software development, including:&lt;br /&gt;
&lt;br /&gt;
* Ownership of source code&lt;br /&gt;
* Rights to modify and distribute software&lt;br /&gt;
* Use of third-party components&lt;br /&gt;
* Protection of proprietary solutions&lt;br /&gt;
* Compliance with contractual obligations&lt;br /&gt;
* Software publication and release management&lt;br /&gt;
&lt;br /&gt;
As software systems grow in complexity, Intellectual Property Rights become part of a wider governance framework that supports quality, security, traceability, and long-term maintainability.&lt;br /&gt;
&lt;br /&gt;
=== Common Misconceptions ===&lt;br /&gt;
&lt;br /&gt;
* Copyright must be formally registered before it exists.&lt;br /&gt;
* Minified code is protected because it is difficult to read.&lt;br /&gt;
* Source code that runs in a browser cannot be protected.&lt;br /&gt;
* Copyright and licensing are the same thing.&lt;br /&gt;
* Third-party dependencies transfer responsibility to the dependency author.&lt;br /&gt;
&lt;br /&gt;
== Intellectual Property Rights in Software ==&lt;br /&gt;
&lt;br /&gt;
=== Copyright ===&lt;br /&gt;
&lt;br /&gt;
Copyright protects the expression of software in source code and executable form.&lt;br /&gt;
&lt;br /&gt;
In many jurisdictions, copyright arises automatically when an original work is created.&lt;br /&gt;
&lt;br /&gt;
Copyright typically grants the owner exclusive rights to:&lt;br /&gt;
&lt;br /&gt;
* Copy the software&lt;br /&gt;
* Modify the software&lt;br /&gt;
* Distribute the software&lt;br /&gt;
* License the software&lt;br /&gt;
* Create derivative works&lt;br /&gt;
&lt;br /&gt;
Copyright protects the implementation of a solution rather than the underlying idea.&lt;br /&gt;
&lt;br /&gt;
For example, a developer may own the copyright to an implementation of a data-processing algorithm, but not necessarily the concept of the algorithm itself.&lt;br /&gt;
&lt;br /&gt;
=== Licensing ===&lt;br /&gt;
&lt;br /&gt;
A licence defines how software may be used by others.&lt;br /&gt;
&lt;br /&gt;
A licence does not transfer ownership. Instead, it grants permission to perform specific activities under defined conditions.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Proprietary licences&lt;br /&gt;
* Commercial licences&lt;br /&gt;
* Freeware licences&lt;br /&gt;
* Open-source licences&lt;br /&gt;
* Evaluation licences&lt;br /&gt;
&lt;br /&gt;
Without a licence, the recipient of software generally has no permission to copy, modify, or redistribute it beyond rights granted by law.&lt;br /&gt;
&lt;br /&gt;
=== Ownership ===&lt;br /&gt;
&lt;br /&gt;
Ownership may not always be as straightforward as it appears.&lt;br /&gt;
&lt;br /&gt;
Ownership can arise from:&lt;br /&gt;
&lt;br /&gt;
* Individual authorship&lt;br /&gt;
* Employment contracts&lt;br /&gt;
* Contractor agreements&lt;br /&gt;
* Purchase or assignment of rights&lt;br /&gt;
* Joint development arrangements&lt;br /&gt;
&lt;br /&gt;
Understanding ownership is essential when software is commercialised, transferred, sold, licensed, or maintained by third parties.&lt;br /&gt;
&lt;br /&gt;
== Intellectual Property as an Organisational Asset ==&lt;br /&gt;
&lt;br /&gt;
Many engineers think of Intellectual Property as a legal concept.&lt;br /&gt;
&lt;br /&gt;
Governance frameworks often treat Intellectual Property as a business asset.&lt;br /&gt;
&lt;br /&gt;
Like any other asset, software should have:&lt;br /&gt;
&lt;br /&gt;
* An identified owner&lt;br /&gt;
* Defined access controls&lt;br /&gt;
* Change management procedures&lt;br /&gt;
* Lifecycle management&lt;br /&gt;
* Retention policies&lt;br /&gt;
* Backup and recovery procedures&lt;br /&gt;
&lt;br /&gt;
Viewing software as an asset encourages organisations to think beyond development and consider long-term stewardship.&lt;br /&gt;
&lt;br /&gt;
== Software Provenance ==&lt;br /&gt;
&lt;br /&gt;
Software provenance describes the history and origin of software assets.&lt;br /&gt;
&lt;br /&gt;
Good provenance provides confidence in:&lt;br /&gt;
&lt;br /&gt;
* Ownership&lt;br /&gt;
* Authenticity&lt;br /&gt;
* Integrity&lt;br /&gt;
* Quality&lt;br /&gt;
* Compliance&lt;br /&gt;
&lt;br /&gt;
=== Sources of Provenance ===&lt;br /&gt;
&lt;br /&gt;
Software provenance may include:&lt;br /&gt;
&lt;br /&gt;
* Source control history&lt;br /&gt;
* Build records&lt;br /&gt;
* Release notes&lt;br /&gt;
* Published versions&lt;br /&gt;
* Change logs&lt;br /&gt;
* Issue tracking records&lt;br /&gt;
* Test results&lt;br /&gt;
* Audit trails&lt;br /&gt;
&lt;br /&gt;
Strong provenance helps demonstrate when software was created, how it evolved, who modified it, and when it was released.&lt;br /&gt;
&lt;br /&gt;
=== Publication Dates and Release History ===&lt;br /&gt;
&lt;br /&gt;
Publication records provide valuable evidence regarding:&lt;br /&gt;
&lt;br /&gt;
* Existence at a point in time&lt;br /&gt;
* Product maturity&lt;br /&gt;
* Development history&lt;br /&gt;
* Software evolution&lt;br /&gt;
&lt;br /&gt;
Version histories and release archives form part of an organisation&amp;#039;s software record and should be retained where practical.&lt;br /&gt;
&lt;br /&gt;
== Software Supply Chain Governance ==&lt;br /&gt;
&lt;br /&gt;
Modern software rarely exists in complete isolation.&lt;br /&gt;
&lt;br /&gt;
Most systems include a combination of:&lt;br /&gt;
&lt;br /&gt;
=== First-Party Software ===&lt;br /&gt;
&lt;br /&gt;
Software developed and owned by the organisation.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Internal applications&lt;br /&gt;
* Proprietary platforms&lt;br /&gt;
* Custom integrations&lt;br /&gt;
* Business-specific tools&lt;br /&gt;
&lt;br /&gt;
=== Second-Party Software ===&lt;br /&gt;
&lt;br /&gt;
Software developed specifically for an organisation by a contractor or supplier.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Custom software development projects&lt;br /&gt;
* Commissioned integrations&lt;br /&gt;
* Bespoke business systems&lt;br /&gt;
&lt;br /&gt;
Ownership and licensing should always be clearly documented.&lt;br /&gt;
&lt;br /&gt;
=== Third-Party Software ===&lt;br /&gt;
&lt;br /&gt;
Software obtained from external sources.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Libraries&lt;br /&gt;
* Frameworks&lt;br /&gt;
* Commercial products&lt;br /&gt;
* Open-source components&lt;br /&gt;
&lt;br /&gt;
Third-party software introduces additional obligations relating to:&lt;br /&gt;
&lt;br /&gt;
* Licensing&lt;br /&gt;
* Security updates&lt;br /&gt;
* Vulnerability management&lt;br /&gt;
* Support lifecycles&lt;br /&gt;
* Vendor dependencies&lt;br /&gt;
&lt;br /&gt;
== Dependency Management ==&lt;br /&gt;
&lt;br /&gt;
Dependencies provide significant benefits, including reduced development effort and accelerated delivery.&lt;br /&gt;
&lt;br /&gt;
However, every dependency introduces operational obligations.&lt;br /&gt;
&lt;br /&gt;
These may include:&lt;br /&gt;
&lt;br /&gt;
* Security monitoring&lt;br /&gt;
* Vulnerability response&lt;br /&gt;
* Version compatibility testing&lt;br /&gt;
* Licence compliance&lt;br /&gt;
* Vendor support management&lt;br /&gt;
&lt;br /&gt;
=== Dependency Density ===&lt;br /&gt;
&lt;br /&gt;
As dependency counts increase, so does the complexity of maintaining a software system.&lt;br /&gt;
&lt;br /&gt;
Risks may include:&lt;br /&gt;
&lt;br /&gt;
* Dependency conflicts&lt;br /&gt;
* Unsupported components&lt;br /&gt;
* Breaking changes&lt;br /&gt;
* Supply-chain attacks&lt;br /&gt;
* Increased attack surface&lt;br /&gt;
&lt;br /&gt;
For this reason, many architects seek to minimise dependency density within core systems while allowing carefully controlled dependencies at integration boundaries.&lt;br /&gt;
&lt;br /&gt;
== Software Publication and Distribution ==&lt;br /&gt;
&lt;br /&gt;
Publishing software is more than simply copying files to a server.&lt;br /&gt;
&lt;br /&gt;
A controlled publication process improves quality, consistency, traceability, and accountability.&lt;br /&gt;
&lt;br /&gt;
=== Example Publication Lifecycle ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
[Develop]&lt;br /&gt;
    ↓&lt;br /&gt;
[Review]&lt;br /&gt;
    ↓&lt;br /&gt;
[Build]&lt;br /&gt;
    ↓&lt;br /&gt;
[Version]&lt;br /&gt;
    ↓&lt;br /&gt;
[Publish]&lt;br /&gt;
    ↓&lt;br /&gt;
[Archive]&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Each stage serves a purpose.&lt;br /&gt;
&lt;br /&gt;
=== Develop ===&lt;br /&gt;
&lt;br /&gt;
Software is written, tested, and refined.&lt;br /&gt;
&lt;br /&gt;
=== Review ===&lt;br /&gt;
&lt;br /&gt;
Code is examined for:&lt;br /&gt;
&lt;br /&gt;
* Quality&lt;br /&gt;
* Security&lt;br /&gt;
* Compliance&lt;br /&gt;
* Architectural consistency&lt;br /&gt;
&lt;br /&gt;
=== Build ===&lt;br /&gt;
&lt;br /&gt;
Release artefacts are generated.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Compiled binaries&lt;br /&gt;
* Packages&lt;br /&gt;
* Archives&lt;br /&gt;
* Distribution files&lt;br /&gt;
&lt;br /&gt;
=== Version ===&lt;br /&gt;
&lt;br /&gt;
A formal version number is assigned.&lt;br /&gt;
&lt;br /&gt;
Versioning provides:&lt;br /&gt;
&lt;br /&gt;
* Traceability&lt;br /&gt;
* Change identification&lt;br /&gt;
* Release management&lt;br /&gt;
&lt;br /&gt;
=== Publish ===&lt;br /&gt;
&lt;br /&gt;
Artefacts are distributed through approved channels.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Internal repositories&lt;br /&gt;
* Web servers&lt;br /&gt;
* Package feeds&lt;br /&gt;
* Content Delivery Networks (CDNs)&lt;br /&gt;
&lt;br /&gt;
=== Archive ===&lt;br /&gt;
&lt;br /&gt;
Released artefacts are preserved to maintain historical records and support future investigations, audits, and recovery activities.&lt;br /&gt;
&lt;br /&gt;
== Compliance Considerations ==&lt;br /&gt;
&lt;br /&gt;
=== ISO 9001 ===&lt;br /&gt;
&lt;br /&gt;
ISO 9001 focuses on quality management and continual improvement.&lt;br /&gt;
&lt;br /&gt;
Relevant software governance topics include:&lt;br /&gt;
&lt;br /&gt;
* Documented processes&lt;br /&gt;
* Change control&lt;br /&gt;
* Traceability&lt;br /&gt;
* Record retention&lt;br /&gt;
* Corrective actions&lt;br /&gt;
* Quality assurance&lt;br /&gt;
&lt;br /&gt;
A structured software publication process supports these objectives.&lt;br /&gt;
&lt;br /&gt;
=== ISO 27001 ===&lt;br /&gt;
&lt;br /&gt;
ISO 27001 focuses on information security management.&lt;br /&gt;
&lt;br /&gt;
Relevant software governance topics include:&lt;br /&gt;
&lt;br /&gt;
* Asset management&lt;br /&gt;
* Access control&lt;br /&gt;
* Secure development&lt;br /&gt;
* Configuration management&lt;br /&gt;
* Supplier management&lt;br /&gt;
* Information classification&lt;br /&gt;
&lt;br /&gt;
Source code, build systems, release repositories, and software artefacts should be treated as information assets.&lt;br /&gt;
&lt;br /&gt;
=== Auditability ===&lt;br /&gt;
&lt;br /&gt;
Auditors frequently seek evidence of:&lt;br /&gt;
&lt;br /&gt;
* Ownership&lt;br /&gt;
* Approval processes&lt;br /&gt;
* Change history&lt;br /&gt;
* Release records&lt;br /&gt;
* Access control&lt;br /&gt;
* Compliance activities&lt;br /&gt;
&lt;br /&gt;
Good governance makes these activities routine rather than disruptive.&lt;br /&gt;
&lt;br /&gt;
== Common Pitfalls ==&lt;br /&gt;
&lt;br /&gt;
=== Missing Licence Declarations ===&lt;br /&gt;
&lt;br /&gt;
Software is distributed without clearly stating how it may be used.&lt;br /&gt;
&lt;br /&gt;
=== Unclear Ownership ===&lt;br /&gt;
&lt;br /&gt;
Organisations cannot determine who owns the software they depend upon.&lt;br /&gt;
&lt;br /&gt;
=== Poor Provenance ===&lt;br /&gt;
&lt;br /&gt;
Development history is incomplete or unavailable.&lt;br /&gt;
&lt;br /&gt;
=== Direct Production Editing ===&lt;br /&gt;
&lt;br /&gt;
Changes are made directly to published systems without review or version control.&lt;br /&gt;
&lt;br /&gt;
=== Uncontrolled Dependencies ===&lt;br /&gt;
&lt;br /&gt;
Software accumulates dependencies that are poorly understood or inadequately maintained.&lt;br /&gt;
&lt;br /&gt;
=== Inconsistent Release Processes ===&lt;br /&gt;
&lt;br /&gt;
Different releases are published using different methods, reducing traceability and increasing risk.&lt;br /&gt;
&lt;br /&gt;
== Design and Architecture Considerations ==&lt;br /&gt;
&lt;br /&gt;
=== Protect the Core ===&lt;br /&gt;
&lt;br /&gt;
Core business logic should remain:&lt;br /&gt;
&lt;br /&gt;
* Understandable&lt;br /&gt;
* Maintainable&lt;br /&gt;
* Auditable&lt;br /&gt;
* Well documented&lt;br /&gt;
&lt;br /&gt;
Architectural decisions should minimise unnecessary complexity.&lt;br /&gt;
&lt;br /&gt;
=== Establish Clear Boundaries ===&lt;br /&gt;
&lt;br /&gt;
Separate:&lt;br /&gt;
&lt;br /&gt;
* Core platforms&lt;br /&gt;
* Integration layers&lt;br /&gt;
* SDKs&lt;br /&gt;
* Client applications&lt;br /&gt;
* Third-party components&lt;br /&gt;
&lt;br /&gt;
This reduces coupling and simplifies governance.&lt;br /&gt;
&lt;br /&gt;
=== Prefer Traceability Over Convenience ===&lt;br /&gt;
&lt;br /&gt;
Processes should produce evidence naturally.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Version histories&lt;br /&gt;
* Build records&lt;br /&gt;
* Audit trails&lt;br /&gt;
* Release archives&lt;br /&gt;
&lt;br /&gt;
These records provide long-term value beyond immediate operational needs.&lt;br /&gt;
&lt;br /&gt;
== Troubleshooting and Diagnostics ==&lt;br /&gt;
&lt;br /&gt;
Signs of weak software governance include:&lt;br /&gt;
&lt;br /&gt;
* Unknown software ownership&lt;br /&gt;
* Missing source code&lt;br /&gt;
* Lack of version control&lt;br /&gt;
* Inconsistent release artefacts&lt;br /&gt;
* Unclear licensing status&lt;br /&gt;
* Unsupported dependencies&lt;br /&gt;
* Missing audit records&lt;br /&gt;
&lt;br /&gt;
Investigating these issues early prevents larger operational, legal, and security problems later.&lt;br /&gt;
&lt;br /&gt;
== Conclusion ==&lt;br /&gt;
&lt;br /&gt;
Intellectual Property Rights are not solely a legal concern. Within modern software development they form part of a broader governance framework encompassing ownership, licensing, quality management, information security, release management, and operational control.&lt;br /&gt;
&lt;br /&gt;
Organisations that treat software as a managed asset benefit from improved traceability, stronger compliance, reduced operational risk, and greater confidence in the systems they develop and maintain.&lt;br /&gt;
&lt;br /&gt;
By combining sound Intellectual Property practices with effective Software Governance, organisations can protect their investments while supporting quality, security, and long-term sustainability.&lt;/div&gt;</description>
			<pubDate>Sun, 05 Jul 2026 14:06:02 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:Intellectual_Property_Rights_and_Software_Governance</comments>
		</item>
		<item>
			<title>The Importance of Rich Error Messages</title>
			<link>https://knowledgebase.pirho.net/index.php?title=The_Importance_of_Rich_Error_Messages&amp;diff=406&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=The_Importance_of_Rich_Error_Messages&amp;diff=406&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039; Errors are part of every system. Rich, structured error messages allow humans and machines to understand failures, diagnose problems, automate recovery, and improve interoperability.  == Context ==  Many platforms invest significant effort in defining APIs and data models while treating error handling as an afterthought.  A well-designed error response should communicate:  * What happened * Why it happened * Which component detected the problem * Whether t...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
Errors are part of every system. Rich, structured error messages allow humans and machines to understand failures, diagnose problems, automate recovery, and improve interoperability.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
Many platforms invest significant effort in defining APIs and data models while treating error handling as an afterthought.&lt;br /&gt;
&lt;br /&gt;
A well-designed error response should communicate:&lt;br /&gt;
&lt;br /&gt;
* What happened&lt;br /&gt;
* Why it happened&lt;br /&gt;
* Which component detected the problem&lt;br /&gt;
* Whether the fault is temporary or permanent&lt;br /&gt;
* What corrective action can be taken&lt;br /&gt;
&lt;br /&gt;
== The Cost of Poor Error Handling ==&lt;br /&gt;
&lt;br /&gt;
=== Increased Support Costs ===&lt;br /&gt;
&lt;br /&gt;
Every missing detail increases diagnosis time.&lt;br /&gt;
&lt;br /&gt;
=== Reduced Automation ===&lt;br /&gt;
&lt;br /&gt;
Structured errors enable automated decision making.&lt;br /&gt;
&lt;br /&gt;
=== Interoperability Challenges ===&lt;br /&gt;
&lt;br /&gt;
Without a common semantic error model, each interface behaves differently.&lt;br /&gt;
&lt;br /&gt;
== What Makes an Error Rich? ==&lt;br /&gt;
&lt;br /&gt;
=== Error Identity ===&lt;br /&gt;
&lt;br /&gt;
* ValidationError&lt;br /&gt;
* AuthenticationFailed&lt;br /&gt;
* ResourceNotFound&lt;br /&gt;
* AccessDenied&lt;br /&gt;
&lt;br /&gt;
=== Human Readable Description ===&lt;br /&gt;
&lt;br /&gt;
Provide a concise explanation for operators and users.&lt;br /&gt;
&lt;br /&gt;
=== Machine Readable Classification ===&lt;br /&gt;
&lt;br /&gt;
* Client Error&lt;br /&gt;
* Server Error&lt;br /&gt;
* Validation Error&lt;br /&gt;
* Security Error&lt;br /&gt;
&lt;br /&gt;
=== Structured Detail ===&lt;br /&gt;
&lt;br /&gt;
Maintain machine-readable diagnostic information.&lt;br /&gt;
&lt;br /&gt;
=== Correlation Information ===&lt;br /&gt;
&lt;br /&gt;
* Request ID&lt;br /&gt;
* Correlation ID&lt;br /&gt;
* Workflow ID&lt;br /&gt;
* Transaction ID&lt;br /&gt;
&lt;br /&gt;
== SOAP Faults and RFC 7807 Solve the Same Problem ==&lt;br /&gt;
&lt;br /&gt;
=== SOAP Fault ===&lt;br /&gt;
&lt;br /&gt;
* Code&lt;br /&gt;
* Subcode&lt;br /&gt;
* Reason&lt;br /&gt;
* Detail&lt;br /&gt;
&lt;br /&gt;
=== RFC 7807 Problem Details ===&lt;br /&gt;
&lt;br /&gt;
* type&lt;br /&gt;
* title&lt;br /&gt;
* status&lt;br /&gt;
* detail&lt;br /&gt;
* instance&lt;br /&gt;
&lt;br /&gt;
== Canonical Error Models ==&lt;br /&gt;
&lt;br /&gt;
A canonical fault model can be projected into:&lt;br /&gt;
&lt;br /&gt;
* SOAP Fault&lt;br /&gt;
* RFC 7807 JSON&lt;br /&gt;
* Event Streams&lt;br /&gt;
* Audit Records&lt;br /&gt;
* Monitoring Systems&lt;br /&gt;
&lt;br /&gt;
== Design Philosophy ==&lt;br /&gt;
&lt;br /&gt;
Success responses describe expected behaviour.&lt;br /&gt;
&lt;br /&gt;
Error responses describe unexpected behaviour.&lt;br /&gt;
&lt;br /&gt;
Rich error messages are not merely diagnostics.&lt;br /&gt;
&lt;br /&gt;
They are part of the platform&amp;#039;s contract.&lt;/div&gt;</description>
			<pubDate>Sun, 05 Jul 2026 14:05:06 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:The_Importance_of_Rich_Error_Messages</comments>
		</item>
		<item>
			<title>Fonts on the Web</title>
			<link>https://knowledgebase.pirho.net/index.php?title=Fonts_on_the_Web&amp;diff=405&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=Fonts_on_the_Web&amp;diff=405&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;  Fonts play a significant role in the presentation, readability, accessibility, branding, and performance of modern websites. This article explores the various types of fonts available to web developers, how and when to use them, compatibility considerations across different browsers and devices, and the legal implications of using commercial and open-source typefaces on the web.  == Context ==  Typography is one of the most influential aspects of web desi...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
Fonts play a significant role in the presentation, readability, accessibility, branding, and performance of modern websites. This article explores the various types of fonts available to web developers, how and when to use them, compatibility considerations across different browsers and devices, and the legal implications of using commercial and open-source typefaces on the web.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
Typography is one of the most influential aspects of web design. While content remains the primary reason visitors access a website, the selection and implementation of fonts directly affect how easily that content can be consumed.&lt;br /&gt;
&lt;br /&gt;
Early websites were limited to a small collection of fonts commonly installed on operating systems. Advances in browser technology and web standards introduced downloadable web fonts, allowing designers to establish stronger branding and greater visual consistency across different devices.&lt;br /&gt;
&lt;br /&gt;
Today, fonts are not only a design consideration but also a technical, accessibility, performance, and licensing concern.&lt;br /&gt;
&lt;br /&gt;
== Understanding Font Categories ==&lt;br /&gt;
&lt;br /&gt;
=== Serif Fonts ===&lt;br /&gt;
&lt;br /&gt;
Serif fonts include small decorative strokes, known as serifs, at the ends of characters.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Times New Roman&lt;br /&gt;
* Georgia&lt;br /&gt;
* Baskerville&lt;br /&gt;
* Canela&lt;br /&gt;
&lt;br /&gt;
Characteristics:&lt;br /&gt;
&lt;br /&gt;
* Traditional appearance&lt;br /&gt;
* Professional and authoritative&lt;br /&gt;
* Often associated with books, newspapers, and luxury brands&lt;br /&gt;
&lt;br /&gt;
Common uses:&lt;br /&gt;
&lt;br /&gt;
* Editorial websites&lt;br /&gt;
* Long-form reading&lt;br /&gt;
* Branding&lt;br /&gt;
* Headlines and hero banners&lt;br /&gt;
&lt;br /&gt;
=== Sans-Serif Fonts ===&lt;br /&gt;
&lt;br /&gt;
Sans-serif fonts omit decorative strokes and generally provide a cleaner appearance on screens.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Arial&lt;br /&gt;
* Helvetica&lt;br /&gt;
* IBM Plex Sans&lt;br /&gt;
* Inter&lt;br /&gt;
* Verdana&lt;br /&gt;
&lt;br /&gt;
Characteristics:&lt;br /&gt;
&lt;br /&gt;
* Modern appearance&lt;br /&gt;
* Highly legible&lt;br /&gt;
* Excellent for user interfaces&lt;br /&gt;
&lt;br /&gt;
Common uses:&lt;br /&gt;
&lt;br /&gt;
* Application interfaces&lt;br /&gt;
* Navigation systems&lt;br /&gt;
* Forms&lt;br /&gt;
* General website content&lt;br /&gt;
&lt;br /&gt;
=== Monospace Fonts ===&lt;br /&gt;
&lt;br /&gt;
Monospace fonts allocate equal horizontal space to every character.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* IBM Plex Mono&lt;br /&gt;
* Consolas&lt;br /&gt;
* Courier New&lt;br /&gt;
&lt;br /&gt;
Characteristics:&lt;br /&gt;
&lt;br /&gt;
* Predictable character positioning&lt;br /&gt;
* Improved readability for code and technical data&lt;br /&gt;
&lt;br /&gt;
Common uses:&lt;br /&gt;
&lt;br /&gt;
* Source code examples&lt;br /&gt;
* Terminal output&lt;br /&gt;
* Configuration files&lt;br /&gt;
* Technical documentation&lt;br /&gt;
&lt;br /&gt;
=== Display Fonts ===&lt;br /&gt;
&lt;br /&gt;
Display fonts are designed to attract attention and are most effective at larger sizes.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Canela&lt;br /&gt;
* Playfair Display&lt;br /&gt;
* Bodoni&lt;br /&gt;
&lt;br /&gt;
Characteristics:&lt;br /&gt;
&lt;br /&gt;
* Distinctive styling&lt;br /&gt;
* Strong visual impact&lt;br /&gt;
* Branding focused&lt;br /&gt;
&lt;br /&gt;
Common uses:&lt;br /&gt;
&lt;br /&gt;
* Headlines&lt;br /&gt;
* Advertising&lt;br /&gt;
* Brand identities&lt;br /&gt;
* Marketing campaigns&lt;br /&gt;
&lt;br /&gt;
Display fonts should generally be avoided for large blocks of body text.&lt;br /&gt;
&lt;br /&gt;
=== Script and Handwritten Fonts ===&lt;br /&gt;
&lt;br /&gt;
These fonts emulate handwriting, calligraphy, or penmanship.&lt;br /&gt;
&lt;br /&gt;
Characteristics:&lt;br /&gt;
&lt;br /&gt;
* Decorative&lt;br /&gt;
* Informal&lt;br /&gt;
* Highly expressive&lt;br /&gt;
&lt;br /&gt;
Common uses:&lt;br /&gt;
&lt;br /&gt;
* Invitations&lt;br /&gt;
* Event websites&lt;br /&gt;
* Creative portfolios&lt;br /&gt;
&lt;br /&gt;
Due to readability concerns, script fonts should be used sparingly.&lt;br /&gt;
&lt;br /&gt;
== Choosing the Right Font ==&lt;br /&gt;
&lt;br /&gt;
=== Consider the Purpose of the Website ===&lt;br /&gt;
&lt;br /&gt;
Different types of websites benefit from different typography choices.&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
! Website Type&lt;br /&gt;
! Typical Font Choice&lt;br /&gt;
|-&lt;br /&gt;
| Corporate&lt;br /&gt;
| Sans-serif&lt;br /&gt;
|-&lt;br /&gt;
| Technical Documentation&lt;br /&gt;
| Sans-serif and Monospace&lt;br /&gt;
|-&lt;br /&gt;
| Luxury Brand&lt;br /&gt;
| Serif and Sans-serif combination&lt;br /&gt;
|-&lt;br /&gt;
| News and Editorial&lt;br /&gt;
| Serif&lt;br /&gt;
|-&lt;br /&gt;
| Web Applications&lt;br /&gt;
| Sans-serif&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Establish a Font Hierarchy ===&lt;br /&gt;
&lt;br /&gt;
A clear hierarchy improves readability and helps users identify content structure.&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Brand Headings : Canela&lt;br /&gt;
Body Content   : IBM Plex Sans&lt;br /&gt;
Code Examples  : IBM Plex Mono&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
A consistent hierarchy improves both usability and maintainability.&lt;br /&gt;
&lt;br /&gt;
=== Use Fonts Consistently ===&lt;br /&gt;
&lt;br /&gt;
Limiting a website to a small number of complementary fonts creates a more professional appearance.&lt;br /&gt;
&lt;br /&gt;
Most websites can achieve excellent results using:&lt;br /&gt;
&lt;br /&gt;
* One branding font&lt;br /&gt;
* One body font&lt;br /&gt;
* One monospace font&lt;br /&gt;
&lt;br /&gt;
== Web Font Technologies ==&lt;br /&gt;
&lt;br /&gt;
=== System Fonts ===&lt;br /&gt;
&lt;br /&gt;
System fonts are already installed on a user&amp;#039;s device.&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
font-family: Arial, Helvetica, sans-serif;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
&lt;br /&gt;
* Fast loading&lt;br /&gt;
* No external dependencies&lt;br /&gt;
* Excellent compatibility&lt;br /&gt;
&lt;br /&gt;
Disadvantages:&lt;br /&gt;
&lt;br /&gt;
* Limited branding opportunities&lt;br /&gt;
* Inconsistent appearance between operating systems&lt;br /&gt;
&lt;br /&gt;
=== Web Fonts ===&lt;br /&gt;
&lt;br /&gt;
Web fonts are downloaded by the browser when required.&lt;br /&gt;
&lt;br /&gt;
Common formats include:&lt;br /&gt;
&lt;br /&gt;
* WOFF2&lt;br /&gt;
* WOFF&lt;br /&gt;
* TTF&lt;br /&gt;
* OTF&lt;br /&gt;
&lt;br /&gt;
WOFF2 is currently the preferred format because it provides excellent compression and browser support.&lt;br /&gt;
&lt;br /&gt;
=== Self-Hosted Fonts ===&lt;br /&gt;
&lt;br /&gt;
Self-hosting allows organizations to serve font files from their own infrastructure.&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
&lt;br /&gt;
* Full control&lt;br /&gt;
* Reduced third-party dependencies&lt;br /&gt;
* Enhanced privacy&lt;br /&gt;
* Predictable availability&lt;br /&gt;
&lt;br /&gt;
Disadvantages:&lt;br /&gt;
&lt;br /&gt;
* Requires management and maintenance&lt;br /&gt;
* Licensing obligations remain the responsibility of the website owner&lt;br /&gt;
&lt;br /&gt;
=== Third-Party Font Services ===&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Google Fonts&lt;br /&gt;
* Adobe Fonts&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
&lt;br /&gt;
* Simple deployment&lt;br /&gt;
* Managed updates&lt;br /&gt;
* Wide font selection&lt;br /&gt;
&lt;br /&gt;
Disadvantages:&lt;br /&gt;
&lt;br /&gt;
* External dependency&lt;br /&gt;
* Potential privacy implications&lt;br /&gt;
* Service availability outside the organization&amp;#039;s control&lt;br /&gt;
&lt;br /&gt;
== Performance Considerations ==&lt;br /&gt;
&lt;br /&gt;
=== Fonts Are Downloadable Assets ===&lt;br /&gt;
&lt;br /&gt;
Font files contribute to overall page weight.&lt;br /&gt;
&lt;br /&gt;
Common mistakes include:&lt;br /&gt;
&lt;br /&gt;
* Loading excessive font families&lt;br /&gt;
* Loading unnecessary weights&lt;br /&gt;
* Loading italic variants that are never used&lt;br /&gt;
&lt;br /&gt;
Only load resources that provide genuine value.&lt;br /&gt;
&lt;br /&gt;
=== Provide Meaningful Fallbacks ===&lt;br /&gt;
&lt;br /&gt;
A fallback stack allows content to remain readable while a font is loading or when a font is unavailable.&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
font-family: &amp;#039;Canela&amp;#039;, &amp;#039;Playfair Display&amp;#039;, Georgia, serif;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This approach ensures graceful degradation when custom fonts cannot be loaded.&lt;br /&gt;
&lt;br /&gt;
=== Use font-display ===&lt;br /&gt;
&lt;br /&gt;
The &amp;#039;&amp;#039;font-display&amp;#039;&amp;#039; property controls how browsers display text while web fonts load.&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
@font-face {&lt;br /&gt;
    font-family: &amp;#039;Canela&amp;#039;;&lt;br /&gt;
    src: url(&amp;#039;/fonts/canela.woff2&amp;#039;) format(&amp;#039;woff2&amp;#039;);&lt;br /&gt;
    font-display: swap;&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Using &amp;#039;&amp;#039;swap&amp;#039;&amp;#039; allows text to be displayed immediately using fallback fonts and replaced when the preferred font becomes available.&lt;br /&gt;
&lt;br /&gt;
=== Progressive Enhancement ===&lt;br /&gt;
&lt;br /&gt;
A useful approach is:&lt;br /&gt;
&lt;br /&gt;
# Deliver readable content using fallback fonts.&lt;br /&gt;
# Detect enhanced browser capabilities.&lt;br /&gt;
# Apply enhancement classes when appropriate.&lt;br /&gt;
# Allow CSS to control presentation.&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
document.documentElement.classList.add(&amp;#039;fonts-loaded&amp;#039;);&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
.fonts-loaded .brand {&lt;br /&gt;
    font-family: &amp;#039;Canela&amp;#039;, serif;&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This approach separates capability detection from presentation concerns.&lt;br /&gt;
&lt;br /&gt;
== Accessibility Considerations ==&lt;br /&gt;
&lt;br /&gt;
=== Prioritise Readability ===&lt;br /&gt;
&lt;br /&gt;
The primary purpose of text is communication.&lt;br /&gt;
&lt;br /&gt;
Fonts should remain readable across:&lt;br /&gt;
&lt;br /&gt;
* Desktop systems&lt;br /&gt;
* Mobile devices&lt;br /&gt;
* High-resolution displays&lt;br /&gt;
* Older hardware&lt;br /&gt;
&lt;br /&gt;
=== Avoid Decorative Body Fonts ===&lt;br /&gt;
&lt;br /&gt;
Many display and script fonts become difficult to read when used extensively.&lt;br /&gt;
&lt;br /&gt;
Decorative fonts should generally be reserved for:&lt;br /&gt;
&lt;br /&gt;
* Headers&lt;br /&gt;
* Pull quotes&lt;br /&gt;
* Branding elements&lt;br /&gt;
&lt;br /&gt;
=== Character Recognition ===&lt;br /&gt;
&lt;br /&gt;
Some typefaces make it difficult to distinguish between:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
I&lt;br /&gt;
l&lt;br /&gt;
1&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
or:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
O&lt;br /&gt;
0&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This is particularly important in technical documentation and software interfaces.&lt;br /&gt;
&lt;br /&gt;
=== Respect User Preferences ===&lt;br /&gt;
&lt;br /&gt;
Users may:&lt;br /&gt;
&lt;br /&gt;
* Increase font sizes&lt;br /&gt;
* Override fonts&lt;br /&gt;
* Apply high-contrast modes&lt;br /&gt;
* Use custom stylesheets&lt;br /&gt;
&lt;br /&gt;
Websites should continue to function correctly under these conditions.&lt;br /&gt;
&lt;br /&gt;
== Browser and Compatibility Considerations ==&lt;br /&gt;
&lt;br /&gt;
=== Older Browsers ===&lt;br /&gt;
&lt;br /&gt;
Not all browsers support:&lt;br /&gt;
&lt;br /&gt;
* WOFF2&lt;br /&gt;
* Variable fonts&lt;br /&gt;
* Advanced OpenType features&lt;br /&gt;
&lt;br /&gt;
Fallbacks should always be provided.&lt;br /&gt;
&lt;br /&gt;
=== Variable Fonts ===&lt;br /&gt;
&lt;br /&gt;
Variable fonts store multiple font weights and styles within a single file.&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
&lt;br /&gt;
* Reduced network requests&lt;br /&gt;
* Flexible typography&lt;br /&gt;
* Simplified management&lt;br /&gt;
&lt;br /&gt;
Disadvantages:&lt;br /&gt;
&lt;br /&gt;
* Potential compatibility concerns on older platforms&lt;br /&gt;
&lt;br /&gt;
=== Graceful Degradation ===&lt;br /&gt;
&lt;br /&gt;
A website should remain readable when:&lt;br /&gt;
&lt;br /&gt;
* Fonts fail to load&lt;br /&gt;
* JavaScript is unavailable&lt;br /&gt;
* Network conditions are poor&lt;br /&gt;
&lt;br /&gt;
Typography should enhance content rather than become a requirement for accessing it.&lt;br /&gt;
&lt;br /&gt;
== Legal and Licensing Considerations ==&lt;br /&gt;
&lt;br /&gt;
=== Fonts Are Software ===&lt;br /&gt;
&lt;br /&gt;
Many developers overlook the fact that fonts are licensed software.&lt;br /&gt;
&lt;br /&gt;
A font licence may define:&lt;br /&gt;
&lt;br /&gt;
* Installation limits&lt;br /&gt;
* Distribution rights&lt;br /&gt;
* Modification rights&lt;br /&gt;
* Embedding permissions&lt;br /&gt;
* Web usage restrictions&lt;br /&gt;
&lt;br /&gt;
Failure to comply with licence terms may result in legal liability.&lt;br /&gt;
&lt;br /&gt;
=== Desktop Licences ===&lt;br /&gt;
&lt;br /&gt;
A desktop licence typically permits the installation of a font on a specified number of computers.&lt;br /&gt;
&lt;br /&gt;
Common uses include:&lt;br /&gt;
&lt;br /&gt;
* Business cards&lt;br /&gt;
* Stationery&lt;br /&gt;
* Printed brochures&lt;br /&gt;
* PDF generation&lt;br /&gt;
&lt;br /&gt;
=== Web Licences ===&lt;br /&gt;
&lt;br /&gt;
Many commercial foundries require a separate licence for website usage.&lt;br /&gt;
&lt;br /&gt;
Web licences may be based upon:&lt;br /&gt;
&lt;br /&gt;
* Monthly visitors&lt;br /&gt;
* Page views&lt;br /&gt;
* Domain names&lt;br /&gt;
* Organisation size&lt;br /&gt;
&lt;br /&gt;
It is common for a font to require both a desktop licence and a separate web font licence.&lt;br /&gt;
&lt;br /&gt;
=== Open Source Fonts ===&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* IBM Plex&lt;br /&gt;
* Inter&lt;br /&gt;
* Source Sans&lt;br /&gt;
* Source Serif&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
&lt;br /&gt;
* No visitor limits&lt;br /&gt;
* Easy self-hosting&lt;br /&gt;
* Flexible redistribution terms&lt;br /&gt;
&lt;br /&gt;
Developers should still review the relevant licence terms.&lt;br /&gt;
&lt;br /&gt;
=== Verify Font Sources ===&lt;br /&gt;
&lt;br /&gt;
Not every website offering &amp;quot;free fonts&amp;quot; distributes them legally.&lt;br /&gt;
&lt;br /&gt;
Before using a font:&lt;br /&gt;
&lt;br /&gt;
# Verify the source.&lt;br /&gt;
# Review the licence.&lt;br /&gt;
# Confirm commercial usage rights.&lt;br /&gt;
# Obtain fonts directly from the foundry whenever possible.&lt;br /&gt;
&lt;br /&gt;
== Design and Architecture Considerations ==&lt;br /&gt;
&lt;br /&gt;
=== Build a Typography System ===&lt;br /&gt;
&lt;br /&gt;
Rather than selecting fonts on a page-by-page basis, define clear roles.&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Brand Font&lt;br /&gt;
UI Font&lt;br /&gt;
Body Font&lt;br /&gt;
Code Font&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This approach improves consistency and maintainability.&lt;br /&gt;
&lt;br /&gt;
=== Use Typography to Reinforce Brand Identity ===&lt;br /&gt;
&lt;br /&gt;
Fonts communicate personality.&lt;br /&gt;
&lt;br /&gt;
A luxury brand may favour:&lt;br /&gt;
&lt;br /&gt;
* Canela&lt;br /&gt;
* Baskerville&lt;br /&gt;
* Garamond&lt;br /&gt;
&lt;br /&gt;
A technical platform may favour:&lt;br /&gt;
&lt;br /&gt;
* IBM Plex Sans&lt;br /&gt;
* Inter&lt;br /&gt;
* Source Sans&lt;br /&gt;
&lt;br /&gt;
The chosen typography should support the message and audience.&lt;br /&gt;
&lt;br /&gt;
=== Separation of Concerns ===&lt;br /&gt;
&lt;br /&gt;
A useful architectural principle is:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
JavaScript determines capability. CSS determines presentation.&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
For example, JavaScript may identify browser capabilities and apply a CSS class, while CSS determines how the page should be rendered.&lt;br /&gt;
&lt;br /&gt;
This creates a clean separation between behaviour and presentation.&lt;br /&gt;
&lt;br /&gt;
== Common Pitfalls ==&lt;br /&gt;
&lt;br /&gt;
* Loading too many fonts&lt;br /&gt;
* Using display fonts as body text&lt;br /&gt;
* Failing to provide fallbacks&lt;br /&gt;
* Ignoring licensing requirements&lt;br /&gt;
* Relying entirely on third-party font services&lt;br /&gt;
* Blocking page rendering with font downloads&lt;br /&gt;
* Prioritising aesthetics over readability&lt;br /&gt;
&lt;br /&gt;
== Design Philosophy ==&lt;br /&gt;
&lt;br /&gt;
The primary objective of a website is to deliver information and functionality. Typography should enhance that experience rather than obstruct it.&lt;br /&gt;
&lt;br /&gt;
A well-designed website:&lt;br /&gt;
&lt;br /&gt;
* Remains usable without custom fonts&lt;br /&gt;
* Loads quickly&lt;br /&gt;
* Provides meaningful fallbacks&lt;br /&gt;
* Respects accessibility requirements&lt;br /&gt;
* Uses typography consistently&lt;br /&gt;
* Enhances capable browsers through progressive improvement&lt;br /&gt;
&lt;br /&gt;
Good typography is not merely decoration; it is a component of information architecture.&lt;br /&gt;
&lt;br /&gt;
== Conclusion ==&lt;br /&gt;
&lt;br /&gt;
Fonts affect far more than visual appearance. They influence readability, accessibility, branding, performance, compatibility, and legal compliance.&lt;br /&gt;
&lt;br /&gt;
Successful web typography balances aesthetics with practicality by selecting appropriate typefaces, implementing fallbacks, respecting user preferences, optimising performance, and complying with licensing requirements.&lt;br /&gt;
&lt;br /&gt;
By treating custom fonts as enhancements rather than dependencies, developers can create websites that remain both attractive and resilient across a wide range of devices and environments.&lt;/div&gt;</description>
			<pubDate>Sun, 05 Jul 2026 14:02:21 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:Fonts_on_the_Web</comments>
		</item>
		<item>
			<title>Windows Control Panel Applets</title>
			<link>https://knowledgebase.pirho.net/index.php?title=Windows_Control_Panel_Applets&amp;diff=404&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=Windows_Control_Panel_Applets&amp;diff=404&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;  Windows Control Panel Applets are the administrative utilities used to configure and manage Microsoft Windows. Traditionally these utilities were exposed through the Control Panel, although many remain accessible directly through command-line shortcuts, Microsoft Management Console (MMC) snap-ins, and shell commands.  While modern versions of Windows increasingly favour the Settings application, many advanced configuration options continue to reside withi...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
Windows Control Panel Applets are the administrative utilities used to configure and manage Microsoft Windows. Traditionally these utilities were exposed through the Control Panel, although many remain accessible directly through command-line shortcuts, Microsoft Management Console (MMC) snap-ins, and shell commands.&lt;br /&gt;
&lt;br /&gt;
While modern versions of Windows increasingly favour the Settings application, many advanced configuration options continue to reside within traditional Control Panel applets and administrative consoles. Knowing how to launch these tools directly can significantly improve troubleshooting efficiency and day-to-day system administration.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
For many years, the Control Panel served as the primary management interface for Windows operating systems.&lt;br /&gt;
&lt;br /&gt;
Most Control Panel icons are implemented as one of the following:&lt;br /&gt;
&lt;br /&gt;
* CPL (Control Panel) files&lt;br /&gt;
* Microsoft Management Console (MMC) snap-ins&lt;br /&gt;
* Shell extensions&lt;br /&gt;
* Administrative executables&lt;br /&gt;
* Settings application redirectors&lt;br /&gt;
&lt;br /&gt;
Although Microsoft has gradually migrated functionality into the modern Settings application, experienced administrators still frequently rely on traditional applets because they often expose more advanced options and provide direct access to diagnostic tools.&lt;br /&gt;
&lt;br /&gt;
== How Control Panel Applets Work ==&lt;br /&gt;
&lt;br /&gt;
Most traditional applets are stored within:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
C:\Windows\System32&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Many are implemented as files with the extension:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
.cpl&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
These can typically be launched from:&lt;br /&gt;
&lt;br /&gt;
* Run (Win+R)&lt;br /&gt;
* Command Prompt&lt;br /&gt;
* PowerShell&lt;br /&gt;
* Scripts&lt;br /&gt;
* Application shortcuts&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
appwiz.cpl&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
or&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
control appwiz.cpl&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Both open the &amp;#039;&amp;#039;Programs and Features&amp;#039;&amp;#039; applet.&lt;br /&gt;
&lt;br /&gt;
== Administrative Categories ==&lt;br /&gt;
&lt;br /&gt;
=== System Administration ===&lt;br /&gt;
&lt;br /&gt;
==== System Properties ====&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
sysdm.cpl&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Provides access to:&lt;br /&gt;
&lt;br /&gt;
* Computer Name&lt;br /&gt;
* Domain and Workgroup configuration&lt;br /&gt;
* User Profiles&lt;br /&gt;
* Environment Variables&lt;br /&gt;
* Performance Settings&lt;br /&gt;
* Remote Desktop configuration&lt;br /&gt;
&lt;br /&gt;
A commonly used tool for joining systems to Active Directory domains and configuring advanced system settings.&lt;br /&gt;
&lt;br /&gt;
==== Computer Management ====&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
compmgmt.msc&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
A consolidated management console providing access to:&lt;br /&gt;
&lt;br /&gt;
* Event Viewer&lt;br /&gt;
* Shared Folders&lt;br /&gt;
* Local Users and Groups&lt;br /&gt;
* Device Manager&lt;br /&gt;
* Disk Management&lt;br /&gt;
* Services&lt;br /&gt;
&lt;br /&gt;
Often serves as a central starting point for system administration.&lt;br /&gt;
&lt;br /&gt;
==== Services ====&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
services.msc&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Allows administrators to:&lt;br /&gt;
&lt;br /&gt;
* Start services&lt;br /&gt;
* Stop services&lt;br /&gt;
* Configure startup types&lt;br /&gt;
* Review service dependencies&lt;br /&gt;
* Configure recovery actions&lt;br /&gt;
&lt;br /&gt;
One of the most frequently used troubleshooting tools in Windows.&lt;br /&gt;
&lt;br /&gt;
=== Networking and Connectivity ===&lt;br /&gt;
&lt;br /&gt;
==== Internet Properties ====&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
inetcpl.cpl&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Despite its historical association with Internet Explorer, this applet remains important for:&lt;br /&gt;
&lt;br /&gt;
* Proxy configuration&lt;br /&gt;
* Security Zones&lt;br /&gt;
* TLS/SSL settings&lt;br /&gt;
* Certificate management&lt;br /&gt;
* Auto-Configuration Scripts (PAC files)&lt;br /&gt;
* Temporary Internet Files&lt;br /&gt;
&lt;br /&gt;
Many enterprise applications still utilise these settings.&lt;br /&gt;
&lt;br /&gt;
==== Network Connections ====&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
ncpa.cpl&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Provides direct access to:&lt;br /&gt;
&lt;br /&gt;
* Ethernet adapters&lt;br /&gt;
* Wireless adapters&lt;br /&gt;
* VPN connections&lt;br /&gt;
* Dial-up connections&lt;br /&gt;
* Network bridges&lt;br /&gt;
&lt;br /&gt;
Useful when troubleshooting network connectivity issues.&lt;br /&gt;
&lt;br /&gt;
==== Remote Access Phonebook ====&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
rasphone&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Opens the classic Remote Access interface for:&lt;br /&gt;
&lt;br /&gt;
* VPN configuration&lt;br /&gt;
* Dial-up networking&lt;br /&gt;
* Connection profile management&lt;br /&gt;
* Authentication settings&lt;br /&gt;
&lt;br /&gt;
Particularly useful when managing legacy VPN technologies.&lt;br /&gt;
&lt;br /&gt;
==== Windows Firewall ====&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
firewall.cpl&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Provides access to:&lt;br /&gt;
&lt;br /&gt;
* Firewall status&lt;br /&gt;
* Allowed applications&lt;br /&gt;
* Inbound and outbound rules&lt;br /&gt;
* Network profiles&lt;br /&gt;
&lt;br /&gt;
An essential tool when investigating connectivity issues.&lt;br /&gt;
&lt;br /&gt;
==== Advanced Firewall ====&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
wf.msc&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Provides advanced firewall management including:&lt;br /&gt;
&lt;br /&gt;
* Detailed firewall rules&lt;br /&gt;
* Connection Security Rules&lt;br /&gt;
* IPSec configuration&lt;br /&gt;
* Monitoring&lt;br /&gt;
&lt;br /&gt;
Generally preferred by administrators over the simplified firewall interface.&lt;br /&gt;
&lt;br /&gt;
=== User and Security Management ===&lt;br /&gt;
&lt;br /&gt;
==== User Accounts ====&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
netplwiz&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
or&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
control userpasswords2&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Provides advanced local account management including:&lt;br /&gt;
&lt;br /&gt;
* User account administration&lt;br /&gt;
* Group membership&lt;br /&gt;
* Automatic logon configuration&lt;br /&gt;
&lt;br /&gt;
Often overlooked despite its usefulness.&lt;br /&gt;
&lt;br /&gt;
==== Local Users and Groups ====&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
lusrmgr.msc&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Provides management of:&lt;br /&gt;
&lt;br /&gt;
* Local Users&lt;br /&gt;
* Local Groups&lt;br /&gt;
* Account properties&lt;br /&gt;
* Group membership&lt;br /&gt;
&lt;br /&gt;
Available on Professional and Server editions.&lt;br /&gt;
&lt;br /&gt;
==== Credential Manager ====&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
control /name Microsoft.CredentialManager&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Used to manage stored credentials for:&lt;br /&gt;
&lt;br /&gt;
* Windows authentication&lt;br /&gt;
* Mapped drives&lt;br /&gt;
* SharePoint&lt;br /&gt;
* Microsoft 365&lt;br /&gt;
* Remote Desktop&lt;br /&gt;
&lt;br /&gt;
Worth checking whenever authentication behaves unexpectedly.&lt;br /&gt;
&lt;br /&gt;
==== Local Security Policy ====&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
secpol.msc&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Provides access to:&lt;br /&gt;
&lt;br /&gt;
* Password policies&lt;br /&gt;
* Audit policies&lt;br /&gt;
* User rights assignments&lt;br /&gt;
* Security options&lt;br /&gt;
&lt;br /&gt;
Frequently used in enterprise environments.&lt;br /&gt;
&lt;br /&gt;
=== Hardware Management ===&lt;br /&gt;
&lt;br /&gt;
==== Device Manager ====&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
devmgmt.msc&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Provides:&lt;br /&gt;
&lt;br /&gt;
* Hardware management&lt;br /&gt;
* Driver installation&lt;br /&gt;
* Driver updates&lt;br /&gt;
* Device diagnostics&lt;br /&gt;
&lt;br /&gt;
An essential troubleshooting tool.&lt;br /&gt;
&lt;br /&gt;
==== Mouse Properties ====&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
main.cpl&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Used to configure:&lt;br /&gt;
&lt;br /&gt;
* Pointer speed&lt;br /&gt;
* Button configuration&lt;br /&gt;
* Wheel behaviour&lt;br /&gt;
* Pointer schemes&lt;br /&gt;
&lt;br /&gt;
==== Game Controllers ====&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
joy.cpl&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Allows testing and calibration of:&lt;br /&gt;
&lt;br /&gt;
* Joysticks&lt;br /&gt;
* Gamepads&lt;br /&gt;
* Flight controls&lt;br /&gt;
* Other input devices&lt;br /&gt;
&lt;br /&gt;
==== Sound ====&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
mmsys.cpl&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Provides management of:&lt;br /&gt;
&lt;br /&gt;
* Playback devices&lt;br /&gt;
* Recording devices&lt;br /&gt;
* Communications devices&lt;br /&gt;
* Audio formats&lt;br /&gt;
&lt;br /&gt;
Commonly used during Teams, Zoom and VoIP troubleshooting.&lt;br /&gt;
&lt;br /&gt;
=== Storage and Disk Management ===&lt;br /&gt;
&lt;br /&gt;
==== Disk Management ====&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
diskmgmt.msc&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Provides management of:&lt;br /&gt;
&lt;br /&gt;
* Partitions&lt;br /&gt;
* Volumes&lt;br /&gt;
* Drive letters&lt;br /&gt;
* Storage devices&lt;br /&gt;
&lt;br /&gt;
One of the most useful storage management tools in Windows.&lt;br /&gt;
&lt;br /&gt;
==== Disk Cleanup ====&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
cleanmgr&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Used to remove:&lt;br /&gt;
&lt;br /&gt;
* Temporary files&lt;br /&gt;
* Update cache files&lt;br /&gt;
* Recycle Bin contents&lt;br /&gt;
* System-generated temporary data&lt;br /&gt;
&lt;br /&gt;
=== Diagnostics and Troubleshooting ===&lt;br /&gt;
&lt;br /&gt;
==== Event Viewer ====&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
eventvwr.msc&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Provides access to:&lt;br /&gt;
&lt;br /&gt;
* System logs&lt;br /&gt;
* Application logs&lt;br /&gt;
* Security logs&lt;br /&gt;
* Custom logs&lt;br /&gt;
&lt;br /&gt;
Often the first place to investigate unexpected behaviour.&lt;br /&gt;
&lt;br /&gt;
==== Performance Monitor ====&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
perfmon.msc&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Used to monitor:&lt;br /&gt;
&lt;br /&gt;
* CPU usage&lt;br /&gt;
* Memory usage&lt;br /&gt;
* Disk performance&lt;br /&gt;
* Network activity&lt;br /&gt;
&lt;br /&gt;
Useful for performance diagnostics and capacity planning.&lt;br /&gt;
&lt;br /&gt;
==== Resource Monitor ====&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
resmon.exe&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Provides real-time visibility into:&lt;br /&gt;
&lt;br /&gt;
* CPU activity&lt;br /&gt;
* Memory usage&lt;br /&gt;
* Disk activity&lt;br /&gt;
* Network activity&lt;br /&gt;
&lt;br /&gt;
Frequently used alongside Task Manager.&lt;br /&gt;
&lt;br /&gt;
=== Regional and Accessibility Settings ===&lt;br /&gt;
&lt;br /&gt;
==== Region ====&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
intl.cpl&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Provides configuration for:&lt;br /&gt;
&lt;br /&gt;
* Date formats&lt;br /&gt;
* Time formats&lt;br /&gt;
* Number formats&lt;br /&gt;
* Language preferences&lt;br /&gt;
&lt;br /&gt;
Particularly useful when testing internationalisation and localisation.&lt;br /&gt;
&lt;br /&gt;
==== Ease of Access Centre ====&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
control access.cpl&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Provides accessibility features including:&lt;br /&gt;
&lt;br /&gt;
* Screen magnification&lt;br /&gt;
* Narrator&lt;br /&gt;
* High contrast themes&lt;br /&gt;
* Keyboard accessibility&lt;br /&gt;
&lt;br /&gt;
== Practical Administrative Toolkit ==&lt;br /&gt;
&lt;br /&gt;
Many administrators maintain a personal list of frequently used shortcuts.&lt;br /&gt;
&lt;br /&gt;
A practical starter set might include:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
appwiz.cpl&lt;br /&gt;
sysdm.cpl&lt;br /&gt;
inetcpl.cpl&lt;br /&gt;
ncpa.cpl&lt;br /&gt;
services.msc&lt;br /&gt;
eventvwr.msc&lt;br /&gt;
devmgmt.msc&lt;br /&gt;
diskmgmt.msc&lt;br /&gt;
compmgmt.msc&lt;br /&gt;
wf.msc&lt;br /&gt;
netplwiz&lt;br /&gt;
rasphone&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Keeping these commands close to hand can significantly reduce the time required to navigate Windows administrative interfaces.&lt;br /&gt;
&lt;br /&gt;
== Common Pitfalls ==&lt;br /&gt;
&lt;br /&gt;
=== Settings Does Not Expose Everything ===&lt;br /&gt;
&lt;br /&gt;
Many advanced settings continue to reside within:&lt;br /&gt;
&lt;br /&gt;
* Control Panel&lt;br /&gt;
* MMC consoles&lt;br /&gt;
* Administrative tools&lt;br /&gt;
* Legacy interfaces&lt;br /&gt;
&lt;br /&gt;
Administrators may need to use traditional tools even on modern Windows versions.&lt;br /&gt;
&lt;br /&gt;
=== VPN Configuration Can Be Split Across Multiple Interfaces ===&lt;br /&gt;
&lt;br /&gt;
VPN settings may be accessible from:&lt;br /&gt;
&lt;br /&gt;
* Settings&lt;br /&gt;
* Network Connections&lt;br /&gt;
* RasPhone&lt;br /&gt;
* Third-party VPN software&lt;br /&gt;
&lt;br /&gt;
This can sometimes make troubleshooting confusing.&lt;br /&gt;
&lt;br /&gt;
=== ODBC Administrator Confusion ===&lt;br /&gt;
&lt;br /&gt;
Windows contains both 32-bit and 64-bit ODBC administrators.&lt;br /&gt;
&lt;br /&gt;
64-bit:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
C:\Windows\System32\odbcad32.exe&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
32-bit:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
C:\Windows\SysWOW64\odbcad32.exe&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Using the wrong version frequently causes administrators to believe a DSN is missing.&lt;br /&gt;
&lt;br /&gt;
=== Modern Redirects ===&lt;br /&gt;
&lt;br /&gt;
Some legacy applets now redirect to the Settings application.&lt;br /&gt;
&lt;br /&gt;
The behaviour may differ depending upon Windows version and installed updates.&lt;br /&gt;
&lt;br /&gt;
== Design Considerations ==&lt;br /&gt;
&lt;br /&gt;
Microsoft continues to migrate functionality from Control Panel into the Settings application.&lt;br /&gt;
&lt;br /&gt;
However, traditional administrative tools remain important because:&lt;br /&gt;
&lt;br /&gt;
* Many enterprise features still depend on them&lt;br /&gt;
* Documentation frequently references them&lt;br /&gt;
* Scripts and automation often launch them directly&lt;br /&gt;
* They commonly expose more advanced functionality&lt;br /&gt;
&lt;br /&gt;
For this reason, knowledge of Control Panel applets remains a valuable skill for system administrators, support engineers, and power users.&lt;br /&gt;
&lt;br /&gt;
== Quick Reference ==&lt;br /&gt;
&lt;br /&gt;
=== Programs and Features ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
appwiz.cpl&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== System Properties ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
sysdm.cpl&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Internet Properties ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
inetcpl.cpl&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Network Connections ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
ncpa.cpl&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Remote Access Phonebook ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
rasphone&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Windows Firewall ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
firewall.cpl&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Advanced Firewall ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
wf.msc&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Services ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
services.msc&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Device Manager ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
devmgmt.msc&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Event Viewer ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
eventvwr.msc&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Computer Management ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
compmgmt.msc&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Disk Management ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
diskmgmt.msc&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Performance Monitor ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
perfmon.msc&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Local Users and Groups ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
lusrmgr.msc&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Local Security Policy ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
secpol.msc&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Registry Editor ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
regedit&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Credential Manager ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
control /name Microsoft.CredentialManager&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Related Topics ==&lt;br /&gt;
&lt;br /&gt;
* [[Microsoft Management Console]]&lt;br /&gt;
* [[Windows Administrative Tools]]&lt;br /&gt;
* [[Windows Services]]&lt;br /&gt;
* [[Windows Event Viewer]]&lt;br /&gt;
* [[Windows Troubleshooting Toolkit]]&lt;br /&gt;
* [[Essential Windows Run Commands]]&lt;br /&gt;
* [[Windows Networking Fundamentals]]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&lt;br /&gt;
* Microsoft Windows Documentation&lt;br /&gt;
* Microsoft Management Console Documentation&lt;br /&gt;
* Windows Control Panel Documentation&lt;br /&gt;
* Windows Management Tools Documentation&lt;/div&gt;</description>
			<pubDate>Fri, 03 Jul 2026 17:32:25 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:Windows_Control_Panel_Applets</comments>
		</item>
		<item>
			<title>Schema: The Art of Describing Abstract Data</title>
			<link>https://knowledgebase.pirho.net/index.php?title=Schema:_The_Art_of_Describing_Abstract_Data&amp;diff=403&amp;oldid=398</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=Schema:_The_Art_of_Describing_Abstract_Data&amp;diff=403&amp;oldid=398</guid>
			<description>&lt;p&gt;&lt;span class=&quot;autocomment&quot;&gt;A Small Problem&lt;/span&gt;&lt;/p&gt;
&lt;table style=&quot;background-color: #fff; color: #202122;&quot; data-mw=&quot;interface&quot;&gt;
				&lt;col class=&quot;diff-marker&quot; /&gt;
				&lt;col class=&quot;diff-content&quot; /&gt;
				&lt;col class=&quot;diff-marker&quot; /&gt;
				&lt;col class=&quot;diff-content&quot; /&gt;
				&lt;tr class=&quot;diff-title&quot; lang=&quot;en-GB&quot;&gt;
				&lt;td colspan=&quot;2&quot; style=&quot;background-color: #fff; color: #202122; text-align: center;&quot;&gt;← Older revision&lt;/td&gt;
				&lt;td colspan=&quot;2&quot; style=&quot;background-color: #fff; color: #202122; text-align: center;&quot;&gt;Revision as of 12:52, 3 July 2026&lt;/td&gt;
				&lt;/tr&gt;&lt;tr&gt;&lt;td colspan=&quot;4&quot; class=&quot;diff-multi&quot; lang=&quot;en-GB&quot;&gt;(4 intermediate revisions by the same user not shown)&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-lineno&quot; id=&quot;mw-diff-left-l1&quot;&gt;Line 1:&lt;/td&gt;
&lt;td colspan=&quot;2&quot; class=&quot;diff-lineno&quot;&gt;Line 1:&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;−&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;= Schema: The Art of Describing Abstract Data =&lt;/del&gt;&lt;/div&gt;&lt;/td&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-added&quot;&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;−&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;&lt;/del&gt;&lt;/div&gt;&lt;/td&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-added&quot;&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;== Summary ==&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;== Summary ==&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-lineno&quot; id=&quot;mw-diff-left-l17&quot;&gt;Line 17:&lt;/td&gt;
&lt;td colspan=&quot;2&quot; class=&quot;diff-lineno&quot;&gt;Line 15:&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;Consider the following JSON document:&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;Consider the following JSON document:&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;−&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&amp;lt;&lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;syntaxhighlight lang=&quot;json&quot;&lt;/del&gt;&amp;gt;&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&amp;lt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;pre&lt;/ins&gt;&amp;gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;{&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;{&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;     &amp;quot;A&amp;quot;: 52,&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;     &amp;quot;A&amp;quot;: 52,&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-lineno&quot; id=&quot;mw-diff-left-l23&quot;&gt;Line 23:&lt;/td&gt;
&lt;td colspan=&quot;2&quot; class=&quot;diff-lineno&quot;&gt;Line 21:&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;     &amp;quot;C&amp;quot;: 3&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;     &amp;quot;C&amp;quot;: 3&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;}&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;}&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;−&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&amp;lt;/&lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;syntaxhighlight&lt;/del&gt;&amp;gt;&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&amp;lt;/&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;pre&lt;/ins&gt;&amp;gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;It is valid JSON.&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;It is valid JSON.&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-lineno&quot; id=&quot;mw-diff-left-l211&quot;&gt;Line 211:&lt;/td&gt;
&lt;td colspan=&quot;2&quot; class=&quot;diff-lineno&quot;&gt;Line 209:&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;A schema transforms values into knowledge.&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;A schema transforms values into knowledge.&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;−&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;== &lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;The Map Legend &lt;/del&gt;==&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;== &lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;Schema as a Form Template &lt;/ins&gt;==&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt; &lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;Another useful way to think about a schema is as a form.&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt; &lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;Consider the following paper form:&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt; &lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;&amp;lt;pre&amp;gt;&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;First Name:    ____________&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt; &lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;Last Name:     ____________&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt; &lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;Date of Birth: ____________&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt; &lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;Email Address: ____________&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;&amp;lt;/pre&amp;gt;&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt; &lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;Although the form contains no data, it already tells us a great deal.&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt; &lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;It tells us:&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt; &lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;* What information is expected&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;* Where that information belongs&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;* How the information is organised&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;* What each value represents&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;−&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;Perhaps the simplest way to think about a schema &lt;/del&gt;is as a &lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;map legend&lt;/del&gt;.&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;The form &lt;/ins&gt;is &lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;acting &lt;/ins&gt;as a &lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;schema&lt;/ins&gt;.&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;−&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;Without &lt;/del&gt;the &lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;legend&lt;/del&gt;:&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;Now imagine somebody completes &lt;/ins&gt;the &lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;form&lt;/ins&gt;:&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&amp;lt;pre&amp;gt;&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&amp;lt;pre&amp;gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;−&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;▲ ● ■ ★&lt;/del&gt;&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;First Name:    Dex&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt; &lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;Last Name:     White&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt; &lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;Date of Birth: ____________&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt; &lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;Email Address: dex@example.com&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&amp;lt;/pre&amp;gt;&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&amp;lt;/pre&amp;gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;−&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;the &lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;symbols are meaningless&lt;/del&gt;.&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;The values have been added, but &lt;/ins&gt;the &lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;structure has not changed.&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt; &lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;The form already defined the meaning of each field before any data was entered&lt;/ins&gt;.&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;−&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;With the legend&lt;/del&gt;:&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;If we look closely, every completed field contains two parts&lt;/ins&gt;:&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&amp;lt;pre&amp;gt;&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&amp;lt;pre&amp;gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;−&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;▲ Mountain&lt;/del&gt;&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;First Name: Dex&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;−&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;● Town&lt;/del&gt;&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;^^^^^^^^^^  ^^^&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;−&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;■ Railway Station&lt;/del&gt;&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;Schema      Data&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;−&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;★ Capital City&lt;/del&gt;&lt;/div&gt;&lt;/td&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-added&quot;&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&amp;lt;/pre&amp;gt;&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&amp;lt;/pre&amp;gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;−&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;an entire landscape appears&lt;/del&gt;.&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;The label on the left describes the value on the right.&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt; &lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;This is exactly what a schema does.&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt; &lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;Without the label, the value is merely text.&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt; &lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;With the label, the value becomes information.&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt; &lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;The same principle applies to databases, APIs, XML documents, JSON documents and paper forms&lt;/ins&gt;.&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;−&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;The &lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;symbols have not changed&lt;/del&gt;.&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;The &lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;schema defines what information can exist&lt;/ins&gt;.&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;−&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;Your understanding has&lt;/del&gt;.&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;The data provides the values&lt;/ins&gt;.&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;−&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;Schemas perform exactly the same role for data&lt;/del&gt;.&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;Together they create meaning&lt;/ins&gt;.&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;== More Than Validation ==&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;== More Than Validation ==&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-lineno&quot; id=&quot;mw-diff-left-l255&quot;&gt;Line 255:&lt;/td&gt;
&lt;td colspan=&quot;2&quot; class=&quot;diff-lineno&quot;&gt;Line 291:&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;In other words, a schema documents the language spoken by the data.&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;In other words, a schema documents the language spoken by the data.&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;== The Map Legend ==&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;Perhaps the simplest way to think about a schema is as a map legend.&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;Without the legend:&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;&amp;lt;pre&amp;gt;&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;▲ ● ■ ★&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;&amp;lt;/pre&amp;gt;&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;the symbols are meaningless.&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;With the legend:&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;&amp;lt;pre&amp;gt;&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;▲ Mountain&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;● Town&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;■ Railway Station&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;★ Capital City&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;&amp;lt;/pre&amp;gt;&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;an entire landscape appears.&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;The symbols have not changed.&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;Your understanding has.&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;Schemas perform exactly the same role for data.&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;== The Real Lesson ==&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;== The Real Lesson ==&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/table&gt;</description>
			<pubDate>Fri, 03 Jul 2026 12:52:33 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:Schema:_The_Art_of_Describing_Abstract_Data</comments>
		</item>
		<item>
			<title>Schema: The Art of Describing Abstract Data</title>
			<link>https://knowledgebase.pirho.net/index.php?title=Schema:_The_Art_of_Describing_Abstract_Data&amp;diff=398&amp;oldid=0</link>
			<guid isPermaLink="false">https://knowledgebase.pirho.net/index.php?title=Schema:_The_Art_of_Describing_Abstract_Data&amp;diff=398&amp;oldid=0</guid>
			<description>&lt;p&gt;Created page with &amp;quot;= Schema: The Art of Describing Abstract Data =  == Summary ==  Data is easy to store, transmit and process. Understanding what that data means is much harder.  A schema is more than a validation mechanism. It is a description of meaning. It provides a shared vocabulary that allows humans and systems to interpret abstract data consistently.  Whether expressed through XML Schema, JSON Schema, database definitions, API specifications or even paper forms, a schema exists to...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;= Schema: The Art of Describing Abstract Data =&lt;br /&gt;
&lt;br /&gt;
== Summary ==&lt;br /&gt;
&lt;br /&gt;
Data is easy to store, transmit and process. Understanding what that data means is much harder.&lt;br /&gt;
&lt;br /&gt;
A schema is more than a validation mechanism. It is a description of meaning. It provides a shared vocabulary that allows humans and systems to interpret abstract data consistently.&lt;br /&gt;
&lt;br /&gt;
Whether expressed through XML Schema, JSON Schema, database definitions, API specifications or even paper forms, a schema exists to answer a simple question:&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;What does this data actually represent?&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== A Small Problem ==&lt;br /&gt;
&lt;br /&gt;
Consider the following JSON document:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;json&amp;quot;&amp;gt;&lt;br /&gt;
{&lt;br /&gt;
    &amp;quot;A&amp;quot;: 52,&lt;br /&gt;
    &amp;quot;B&amp;quot;: 1,&lt;br /&gt;
    &amp;quot;C&amp;quot;: 3&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
It is valid JSON.&lt;br /&gt;
&lt;br /&gt;
A parser can read it.&lt;br /&gt;
&lt;br /&gt;
A computer can store it.&lt;br /&gt;
&lt;br /&gt;
But what does it mean?&lt;br /&gt;
&lt;br /&gt;
Nothing in the document tells us.&lt;br /&gt;
&lt;br /&gt;
The computer knows:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
A is a number.&lt;br /&gt;
B is a number.&lt;br /&gt;
C is a number.&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
But it does not know what those numbers represent.&lt;br /&gt;
&lt;br /&gt;
Neither do we.&lt;br /&gt;
&lt;br /&gt;
Without context, the data is almost meaningless.&lt;br /&gt;
&lt;br /&gt;
== Schema Version 1 - Playing Cards ==&lt;br /&gt;
&lt;br /&gt;
A schema tells us:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
A = Card Value&lt;br /&gt;
B = Suit&lt;br /&gt;
C = Number of Cards&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
and:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Suit:&lt;br /&gt;
1 = Hearts&lt;br /&gt;
2 = Diamonds&lt;br /&gt;
3 = Clubs&lt;br /&gt;
4 = Spades&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Suddenly:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;json&amp;quot;&amp;gt;&lt;br /&gt;
{&lt;br /&gt;
    &amp;quot;A&amp;quot;: 52,&lt;br /&gt;
    &amp;quot;B&amp;quot;: 1,&lt;br /&gt;
    &amp;quot;C&amp;quot;: 3&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
becomes:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Three cards from the Hearts suit.&lt;br /&gt;
Highest card value 52.&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Not especially exciting, but meaningful.&lt;br /&gt;
&lt;br /&gt;
The values have not changed.&lt;br /&gt;
&lt;br /&gt;
Only our understanding has changed.&lt;br /&gt;
&lt;br /&gt;
== Schema Version 2 - Aircraft ==&lt;br /&gt;
&lt;br /&gt;
Now imagine a different schema:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
A = Altitude (Thousands of Feet)&lt;br /&gt;
B = Aircraft Status&lt;br /&gt;
C = Engine Count&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
and:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Aircraft Status:&lt;br /&gt;
1 = In Flight&lt;br /&gt;
2 = Grounded&lt;br /&gt;
3 = Taxiing&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The exact same JSON now becomes:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Aircraft flying at 52,000 feet&lt;br /&gt;
with three engines.&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The data is identical.&lt;br /&gt;
&lt;br /&gt;
The meaning is completely different.&lt;br /&gt;
&lt;br /&gt;
== Schema Version 3 - A Hospital ==&lt;br /&gt;
&lt;br /&gt;
Now consider a hospital system.&lt;br /&gt;
&lt;br /&gt;
The schema defines:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
A = Patient Age&lt;br /&gt;
B = Priority&lt;br /&gt;
C = Ward&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
and:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Priority:&lt;br /&gt;
1 = Critical&lt;br /&gt;
2 = Urgent&lt;br /&gt;
3 = Routine&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The same data becomes:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
52-year-old patient.&lt;br /&gt;
Critical priority.&lt;br /&gt;
Ward 3.&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Once again, nothing in the JSON changed.&lt;br /&gt;
&lt;br /&gt;
Only the schema changed.&lt;br /&gt;
&lt;br /&gt;
== Beyond Simple Definitions ==&lt;br /&gt;
&lt;br /&gt;
Modern systems rarely stop at simple field definitions.&lt;br /&gt;
&lt;br /&gt;
A schema may define:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Field Names&lt;br /&gt;
Data Types&lt;br /&gt;
Relationships&lt;br /&gt;
Constraints&lt;br /&gt;
Documentation&lt;br /&gt;
Validation Rules&lt;br /&gt;
Units&lt;br /&gt;
Permitted Values&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
So the same data might expand into:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Patient Record&lt;br /&gt;
├── Age: 52 Years&lt;br /&gt;
├── Priority: Critical&lt;br /&gt;
└── Ward: Cardiology&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
or:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Aircraft Telemetry&lt;br /&gt;
├── Altitude: 52,000 Feet&lt;br /&gt;
├── Status: In Flight&lt;br /&gt;
└── Engines: 3&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
or:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Inventory Item&lt;br /&gt;
├── Quantity: 52&lt;br /&gt;
├── Warehouse: London&lt;br /&gt;
└── Shelf: 3&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The schema transforms simple values into structured information.&lt;br /&gt;
&lt;br /&gt;
== The Schema Does Not Hold Data ==&lt;br /&gt;
&lt;br /&gt;
A common misconception is that schemas describe data.&lt;br /&gt;
&lt;br /&gt;
In reality, the data already exists.&lt;br /&gt;
&lt;br /&gt;
The schema describes how the data should be interpreted.&lt;br /&gt;
&lt;br /&gt;
A schema transforms values into knowledge.&lt;br /&gt;
&lt;br /&gt;
== The Map Legend ==&lt;br /&gt;
&lt;br /&gt;
Perhaps the simplest way to think about a schema is as a map legend.&lt;br /&gt;
&lt;br /&gt;
Without the legend:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
▲ ● ■ ★&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
the symbols are meaningless.&lt;br /&gt;
&lt;br /&gt;
With the legend:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
▲ Mountain&lt;br /&gt;
● Town&lt;br /&gt;
■ Railway Station&lt;br /&gt;
★ Capital City&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
an entire landscape appears.&lt;br /&gt;
&lt;br /&gt;
The symbols have not changed.&lt;br /&gt;
&lt;br /&gt;
Your understanding has.&lt;br /&gt;
&lt;br /&gt;
Schemas perform exactly the same role for data.&lt;br /&gt;
&lt;br /&gt;
== More Than Validation ==&lt;br /&gt;
&lt;br /&gt;
Many technologies use schemas to validate documents.&lt;br /&gt;
&lt;br /&gt;
A good schema also explains:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
What fields exist&lt;br /&gt;
What those fields represent&lt;br /&gt;
How they relate&lt;br /&gt;
What values are permitted&lt;br /&gt;
What assumptions are being made&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
In other words, a schema documents the language spoken by the data.&lt;br /&gt;
&lt;br /&gt;
== The Real Lesson ==&lt;br /&gt;
&lt;br /&gt;
Whether using XML, JSON, YAML, CSV, relational databases or paper forms, the underlying problem is unchanged.&lt;br /&gt;
&lt;br /&gt;
The data itself rarely explains its own meaning.&lt;br /&gt;
&lt;br /&gt;
Meaning emerges from shared understanding.&lt;br /&gt;
&lt;br /&gt;
A schema records that understanding.&lt;br /&gt;
&lt;br /&gt;
It defines the vocabulary, the relationships and the assumptions that allow abstract values to become useful information.&lt;br /&gt;
&lt;br /&gt;
A schema is not merely a validation tool.&lt;br /&gt;
&lt;br /&gt;
It is a way of describing the world represented by the data.&lt;br /&gt;
&lt;br /&gt;
Perhaps the most important lesson XML ever taught us is this:&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;Data tells us the value. A schema tells us what the value means.&amp;#039;&amp;#039;&lt;/div&gt;</description>
			<pubDate>Fri, 03 Jul 2026 12:30:45 GMT</pubDate>
			<dc:creator>Dex</dc:creator>
			<comments>https://knowledgebase.pirho.net/wiki/Talk:Schema:_The_Art_of_Describing_Abstract_Data</comments>
		</item>
</channel></rss>