About

Currently

I am currently working as a Senior IT Security Engineer at ConnectedCare GmbH (Berlin / Telgte, Germany, formerly Bewatec GmbH), where I significantly contribute to the IT security of the ConnectedCare platform and serve as the contact person for all topics related to IT security & data protection.

My activities address two important areas: a) technical security and b) regulatory activities. Both areas interact closely (e.g. fulfilling vulnerability management obligations under the Cyber Resilience Act or risk management for NIS-2) and must always be planned together. They fundamentally include data protection topics as well as constant communication with various stakeholders (internal teams in technology / marketing / sales, management, data protection officers, legal counsel, supervisory authorities, etc.).

Activities: Technical Security

In the area of technical security, I am responsible for the design and implementation of measures to enhance the IT security of the ConnectedCare platform. This includes general roadmap planning, technology evaluations, carrying out projects / measures, and in-house software development (Terraform, Python, Go). Examples of relevant activities are:

  • Project AWS CloudSec Suite: Development of Infrastructure as Code (Terraform, Python) for the configuration and deployment of AWS Cloud Security services (including intrusion detection, firewall, vulnerability scanner, notifications to Slack / Teams).
  • Project Vulnerability Management: Implementation of DefectDojo as a central system for vulnerability management with graphs / metrics to visualize temporal trends. Self-developed scripts (Python, deployed via Terraform as AWS Lambda functions) realize data import (e.g. findings of AWS Security Hub, SonarCloud, GitHub) and “back-sync” (e.g. marking a finding as “false positive” in DefectDojo updates the corresponding finding as “suppressed” in AWS).
  • Project Supply Chain Security: Implementation of DependencyTrack for tracking all used software libraries as a Software Bill of Materials (SBOM), including vulnerability scanning and DefectDojo integration.
  • Planning and coordination of penetration tests, and independently conducting simple penetration tests (“surface scans”).
  • Various individual measures, e.g.:
    • Web Application Firewall: a) ModSecurity with custom rules and OWASP CRS on reverse proxy in Kubernetes pod and (as a successor) b) AWS WAFv2 with AWS managed core rule set (CRS).
    • Installation of security scanners like SonarCloud, GitHub / Dependabot security alerts, AWS Inspector, Aquasec Trivy (IaC), etc.
    • Grafana dashboard as a central visualization of vulnerabilities (later replaced by DefectDojo)

Activities: Regulatory Aspects

In the area of regulatory aspects, I am responsible for analyzing regulatory requirements and for planning and implementing them, including their technical realisation. Examples of relevant activities are:

  • Ensuring compliance with EU and national regulations and directives such as NIS-2, the Cyber Resilience Act (CRA) or the GDPR by analyzing and implementing their requirements
  • Accompanying the introduction of ISO 27001
  • The above tasks comprise a wide set of organisational measures, for example:
    • Development of relevant policies, e.g. incident management, risk management, secure development, access control, cryptographic algorithms and key lengths (according to BSI TR-02102)
    • Conducting risk management with regular risk assessments and coordination with the management
    • Threat modeling (with IriusRisk and focus on STRIDE risk model)
    • Various individual measures such as technical documentation, interaction with third parties (e.g. specific customer inquiries, specialized attorneys, supervisory authorities)

Before

I was involved as IT Security Analyst at Verimi GmbH (digital identity and trust platform) in the areas of security, risk & workflow analysis as well as technology & architecture security (e.g. vulnerability scans, coordination of pentests). Before my position at Verimi GmbH, I worked as a researcher at the INSA de Lyon in applied research projects with international industrial partners. My work focused on research & development activities (particularly the architectural design & development of distributed infrastructures, data traceability, security and reputation) as well as fostering relations with international IT partners.

Previously, I was involved in an R&D project with big industrial partners where I developed a blockchain system based on a fully new “democratic consensus” approach, in which a set of trusted consortium nodes vote on the validity of block storage. The development was conducted in the context of data traceability, data anonymization & privacy-preserving analytics, and for the realization I only used modern & free technologies, among them Java / Maven / GitLab (+ CI) / Spring (Boot, Data, etc.) / Apache Cassandra / Apache Kafka / Swagger REST / Angular2 / TypeScript. The R&D activity comprised the whole software development lifecycle, starting from research, vision, specification and software development up to the deployment with modern technologies such as Docker / Kubernetes / AWS.

In Science

My research activities after the PhD combine efforts at WHO, applied research in industrial projects and EU projects.

The last research activity was conducted alongside my work and targeted the creation of a secure digital voting system based on homomorphic encryption (published in Springer Nature, 2024). At the WHO, I applied my experience as IT specialist at the Dietary Exposure Assessment (DEX) group of the International Agency for Research on Cancer (IARC), Lyon, France, to design a new secure and privacy-preserving data analytics infrastructure for worldwide use. Right after the PhD, I was involved in several European projects (e.g. Nathcare, Sphera) as a postdoctoral researcher at the INSA de Lyon, where I assessed hospital information systems in the Alpine space in Europe.

The PhD thesis was conducted in a bi-national supervision (cotutelle de thèse) at the University of Passau (Prof. Kosch) and INSA de Lyon (Prof. Brunie) within the MDPS doctoral college, which evolved into the International Research and Innovation Center in Intelligent Digital Systems (IRIXYS). During the PhD, I adopted a game-theoretic approach to communication systems in order to ensure the secure collaborative operation of complex distributed systems. In more detail, this approach enables the analysis of the strategic choices of rational, selfish individuals. During the PhD in the French-German doctoral college I had the wonderful opportunity to combine my scientific curiosity with my interest in other cultures and languages.

Expertise

Certifications

EC-Council

  • Ethical Hacker
  • Encryption Specialist
  • SOC Analyst

Other

  • Datenschutzbeauftragter (TÜV) gemäß DSGVO und BDSG-neu (TUEV-NORD) [Certificate]
    Professional training as data protection officer according to the GDPR and the ‘BDSG-neu’ (a German national law for data protection); for more information see the course description (German only)

Professional Experience

My experience encompasses many years of work as an IT Security Professional in the corporate sector, as well as applied research at national (DE / FR) and international (IARC / WHO) institutes, typically trilingual (EN / FR / DE) and in an international / multicultural context:

  • Since 07/2020: Senior IT Security Engineer ConnectedCare GmbH, Berlin, Germany
    Comprehensive planning of the IT security of the ConnectedCare platform, identification and implementation of technical and organizational measures, as well as regulatory activities (all in the context of information security management systems, ISMS). See section About for details.
  • 2019 – 2020: IT Security Analyst Verimi GmbH, Berlin, Germany
    Security & risk analyses, product security improvements (including vulnerability scanner, pentest coordination), security-relevant certifications & audits (e.g. eIDAS substantial part 2/3), raising IT security awareness.
  • 2018 – 2019: Head of IT Architecture Verimi GmbH, Berlin, Germany
    Establishing a tech-team, insourcing of dev & ops activities, IT / cloud architecture decisions, security & risk analyses.
  • 2016 – 2018: Software architect & engineer (R&D, “Blockchain” specialization) LIRIS Lab, INSA de Lyon, France
    R&D project(s) to develop a blockchain-based platform for data traceability (particularly of big data and machine learning models)
  • 2014 – 2015: Digital infrastructure coordinator, post-doc International Agency for Research on Cancer (IARC / WHO), Lyon, France
    Assessment & coordination of the IT infrastructure at the DEX group
  • 2013 – 2014: European project coordinator, post-doc LIRIS Lab, INSA de Lyon, Lyon, France
    Management of INSA activities within European research projects
  • 2011 – 2013: Research associate DIMIS Lab, University of Passau, Passau, Germany
    Prototype development & reliability evaluation of mobile & dynamic communication systems
  • 2006 – 2008: Freelance work IT consulting at a consulting agency for law and finances, Herne, Germany
    Replacement and reorganization of the whole IT infrastructure (15 employees)
  • 2004 – 2008: Research assistant FLW Lab, Dortmund University of Technology, Dortmund, Germany
    Development (Java / C++) of an embedded real-time control system for material flow systems in logistics

Education

  • 09 / 2013: Doctoral degree (conducted as French-German “cotutelle de thèse”) [manuscript]
    University of Passau (Germany) & INSA de Lyon (France)
    Award of Excellence 2013 (category: natural sciences) [press release (de)] [press release (fr)]
    Research domain: Reliable and secure peer-to-peer (P2P) systems; complex system analysis; game theory
    Title: Achieving collaboration in distributed systems deployed over selfish nodes - a Publish/Subscribe case study
    The PhD was conducted in the cotutelle de thèse program, a binational supervision between the Grande École INSA de Lyon (France) and the University of Passau (Germany), financed by a 3-year grant, while also working as a research associate at the University of Passau.
  • 10 / 2008: “Diplom” in computer science (equivalent to ‘Master’) [manuscript] [os software]
    Dortmund University of Technology, Germany
    Research domain: reliability and security of service-oriented IT-architectures in logistics
    Title: Analysis and performance evaluation of a decentral material flow control using a distributed data acquisition system.

Supervised Students

  • 02 / 2018: Bachelor thesis (German manuscript) - T. Dallmeir, Fachhochschule Kufstein, Austria
    Diskussion von Möglichkeiten und Herausforderungen von Dashboards in Webseiten am Beispiel der Blockchain-Plattform DTP
    Objective: Proof-of-concept of a status quo dashboard being integrated in industry-standard technology landscapes.
  • 02 / 2018: Bachelor thesis (German manuscript) - C. Glatzel, Fachhochschule Kufstein, Austria
    Analyse von modernen Admin-Oberflächen und Möglichkeit zur Verbesserung dieser anhand der Blockchain Plattform DTP
    Objective: Implementation of admin interfaces suitable for complex dynamic data.
  • 10 / 2017: Master thesis - M. Schiedermeier, INSA de Lyon, France
    Design proposal on privacy preserving ledger applications - An architectural case study on e-voting
    Objective: Proof-of-concept development of distributed data analytics over encrypted data with Shamir’s Shared Secrets, being applied on-top of blockchain for secure traceable computing.
  • 01 / 2017: 4IF Practical Project - B. Renault, INSA de Lyon, France
    Tabular-based data visualisation with modern web technologies [screenshot]
    Objective: Complex data visualization with modern web technologies at the example of blockchain data models in tabular form using Angular2/TS.
  • 01 / 2017: 4IF Practical Project - A. Sultan, INSA de Lyon, France
    Graph-based data visualisation with modern web technologies [screenshot]
    Objective: Complex data visualization with modern web technologies at the example of graph-visualized blockchain data models.
  • 07 / 2016: Master thesis (German manuscript) - H. Wilhelmer, Fachhochschule Kufstein, Austria
    Real-Time Big Data Verarbeitung: Entwicklung und Evaluierung eines Vergleichsschemas der Technologien
    Objective: Comparison of current technologies and efficiency for Big Data processing.
  • 05 / 2016: Bachelor thesis (German manuscript) - A. Adadouc, University of Passau, Germany
    Verwaltung komplexer multimedialer Inhalte im internationalen Kontext
    Objective: Evaluation & prototype development of modern user interfaces for multimedia content.
  • 04 / 2016: 4IF Practical Project (French presentation) - N. Bonfante, INSA de Lyon, France
    Calcul multi-partite sécurisé
    Objective: Proof-of-concept and simple performance assessment of analytics over encrypted data with Shamir’s Shared Secret scheme.
  • 10 / 2015: Master thesis - M. Schipflinger, Fachhochschule Kufstein, Austria
    Large Scale Data-Retrieval in E-Health Applications
    Objective: Analysis of essential performance aspects for large-scale data retrieval at the example of the IARC-WHO GloboDiet research infrastructure (former ‘e-smp’).
  • 01 / 2014: Master thesis - M. Vielsmaier, Universität Passau, Germany
    Open Shop Scheduling with Transfer Operations
    Objective: Comparison of optimization algorithms and use case study with an intralogistics scenario.
  • 03 / 2012: Bachelor thesis (German manuscript) - T. Kronschnabl, Universität Passau, Germany
    Publish/Subscribe Algorithmen für P2P Applikationen - Twitter as P2P system
    Objective: Analysis of technical characteristics for P2P system deployment with Twitter as application use case.
  • 12 / 2011: Master thesis (German manuscript) - C. Schoernich, Universität Passau, Germany
    Untersuchung der Robustheit von Gossiping-basierten Publish/Subscribe Systemen
    Objective: Robustness assessment of available Publish/Subscribe algorithms and implementation of an individual algorithm focused on robustness.

Publications

  • Anonymous voting using distributed ledger-assisted secure multi-party computation, M. Schiedermeier, O. Hasan, T. Mayer, L. Brunie, H. Kosch. In: Applied Network Sciences Vol. 9, Springer Nature, 2024. [link]
  • A transparent referendum protocol with immutable proceedings and verifiable outcome for trustless networks, M. Schiedermeier, O. Hasan, T. R. Mayer, L. Brunie, H. Kosch. In: Proceedings of the 8th International Conference on Complex Networks and Their Applications, Springer International Publishing, 2019, pp. 647–658. [link]
    See also pre-publication at arXiv (open access): [arXiv:1909.06462]
  • Deliverable D2.2: Incremental report on provenance, trust and reputation models – Technical Realization (network & storage layer), T. R. Mayer. Project Report (WP1 Value Assessment), Project “Linked Data for Prescriptive Analytics: Application to Fraud Detection, Value Assessment” with Atos/Worldline industrial partner, Lyon, France, 03/2018 (confidential, not publicly accessible).
  • Credit-based Reputations for Identity Management with Blockchain and Flow Networks, T. R. Mayer, O. Hasan, and L. Brunie. Whitepaper proposal, 4th Rebooting-the-Web-of-Trust Workshop, Paris, 04/2017. [link]
  • Deliverable D2.1: Incremental report on provenance, trust and reputation models – Concepts & Models, T. R. Mayer. Project Report (WP1 Value Assessment), Project “Linked Data for Prescriptive Analytics: Application to Fraud Detection, Value Assessment” with Atos/Worldline industrial partner, Lyon, France, 03/2017 (confidential, not publicly accessible).
  • Deliverable D1: Report on the requirements and scenarios for the usage of data, T. R. Mayer. Project Report (WP1 Value Assessment), Project “Linked Data for Prescriptive Analytics: Application to Fraud Detection, Value Assessment” with Atos/Worldline industrial partner, Lyon, France, 09/2016 (confidential, not publicly accessible).
  • Digital care in the Alpine Space, M. Amiel, L. Brunie, A. Flory, T. R. Mayer, and M. Said. Urbani izziv, vol. 1 (thematic issue: Spatial planning, health systems and Ageing in the Alps), pp. 21–24, 2015. [link]
  • Evaluation of the NATHCARE model and policy guidelines, M. Amiel, L. Brunie, A. Flory, T. R. Mayer, and M. Said. Project Report 4, Alpine Space Programme 2007-2013, June 2015.
  • Many-player Inspection Games in Networked Environments, G. Gianini, E. Damiani, T. R. Mayer, D. Coquil, H. Kosch, and L. Brunie. In: Proceedings of the 7th International Conference on Digital Ecosystems and Technologies, 2013, pp. 1–6. [link]
  • Inspection Games for Selfish Network Environments, G. Gianini, T. R. Mayer, D. Coquil, H. Kosch, and L. Brunie. Technical Report MIP-1203, University of Passau, Germany, 2012. [link]
  • RCourse: A robustness benchmarking suite for publish/subscribe overlay simulations with Peersim, T. R. Mayer, D. Coquil, C. Schoernich, and H. Kosch. In: Proceedings of the 1st EDCC Workshop on P2P and Dependability, 2012. [link] [project]
  • On reliability in Publish/Subscribe systems: a survey, T. R. Mayer, D. Coquil, H. Kosch, and L. Brunie. International Journal of Parallel, Emergent and Distributed Systems, vol. 27, no. 5, pp. 369–386, 2012. [link]
  • Evaluating the Robustness of Publish/Subscribe Systems, T. R. Mayer, L. Brunie, D. Coquil, and H. Kosch. In: Proceedings of the Sixth International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 2011. [link]
  • Live-Ticker Supported Sports Video Annotation, T. R. Mayer, D. Coquil, and M. Döller. In: Workshop on Interoperable Social Multimedia Applications, 2010. [link]
  • Contribution to the performance evaluation of decentralized material flow controls on the example of a control prototype, T. R. Mayer, S. Libert, and M. ten Hompel. Logistics Journal, 2010. [link]
  • Ein Beitrag zur Bewertung der Leistung dezentraler Materialflusssteuerungssysteme am Beispiel eines Steuerungsprototyps, T. R. Mayer, S. Libert, and M. ten Hompel. Logistics Journal, 2010. [link]
  • Standardized Mobile Multimedia Query Composer, M. Döller, T. Mayer, K. L. Fong, S. Beck, H. Kosch, and D. Coquil. In: New Directions in Intelligent Interactive Multimedia Systems and Services, vol. 2, pp. 87–101, 2009. [link]

Contact

You want to contact me? That’s great! Write me an email and I will get back to you as soon as possible.
