Security Management System for Virtual Organizations

This master thesis in cooperation with Microsoft EMIC explains how to securely manage virtual organizations across domain boundaries using state-of-the-art federation technologies.

Virtual organizations are virtual teams spanning organizational boundaries, where people from different organizations (e.g. companies) collaborate on a particular purpose. The combination of existing products, standards and technologies allows forming a framework that supports the complete lifecycle of a virtual organization.
The infrastructure model of the developed framework relies on the claims-based access model, which is used to authenticate and authorize members within virtual organizations. The communication within the framework complies with common standards and protocols such as WS-Transfer and WS-Federation, providing broad interoperability with other technologies and products and making it easy to adapt the framework to a company's environment.
The introduction of naming schemas allows virtual organization-related information to be stored in the corporate user directory, such as an LDAP directory, avoiding the additional resources that dedicated directories or stores would require. New modules for common products securely synchronize and provision that information across domain boundaries to other organizations based on the WS-Transfer specification. A small service, developed using the Windows Communication Foundation, validates incoming requests and stores the information in a dedicated attribute store, which provides a global view of all members within virtual organizations.
The developed management console, one of the main parts of the virtual organization framework, provides the management capabilities to control the complete lifecycle of virtual organizations and allows administrators to quickly deploy new contracts, customize existing ones and report on them. The abstraction layer of the management console contains a PowerShell module, which provides a scripting environment with virtual organization support and controls the components of the virtual organization framework. A developed Microsoft Management Console snap-in, which builds on the abstraction layer, provides a graphical user interface.

Written 2009 in cooperation with
Microsoft EMIC
Aachen, Germany

Security Analysis of Web 2.0

This study in cooperation with the Federal Office for Information Security in Germany (Bundesamt für Sicherheit in der Informationstechnik, BSI Deutschland) covers the threats and risks of Web 2.0 as well as the security methods and techniques that can be used to counter them.

The study focuses mainly on JavaScript (Ajax) and provides a detailed description of how the trust relationship can be exploited. Attacks against web applications such as cross-site scripting (XSS), cross-site request forgery (CSRF) and session hijacking are covered and analyzed, both with and without JavaScript, from the perspective of the attacker and of the user.
The study is available at the official site of the BSI or here: web20_pdf (PDF).

Written 2008 for the
Federal Office for Information Security
Bundesamt für Sicherheit in der IT (BSI)
Bonn, Germany