Healthcare providers world-wide are developing electronic solutions to improve patient care and reduce costs. This is a complex and challenging endeavour: such systems need to integrate many distributed and heterogeneous applications and coordinate widely distributed operations as events occur, without compromising patient safety and privacy. Middleware software is the plumbing that interconnects these various applications, however commercial off-the-shelf middleware is unable to adapt to the special requirements of the medical domain: e.g. a healthcare system must audit all access to a patient's records as they flow through the network and yet the audit data must not itself compromise confidentiality. This kind of confidential audit is not currently supported, yet would be best performed within middleware.Similarly, a haematology department would need to detect patterns of events: abnormal blood results sent to the electronic patient notes but with no timely confirmation of receipt would signal a network failure or other delay, and haematology would warn the ward. Middleware support for this does not exist, yet would be vital for an efficient solution. A major challenge in supporting such novel middleware functionality is that there is no single set of services that covers all application requirements. Instead, middleware functionality must evolve as new applications are added.The focus of this proposal is to address this challenge with research into an extendable, event-based middleware architecture, Smart Flow, which can integrate heterogeneous systems and provide a framework for dynamically managing middleware extensions. It will cover common requirements from medical domains, such as privacy, auditing and event pattern detection, without sacrificing efficiency.Applications coordinate all activity by sending and receiving messages using an event-driven approach. Messages are handled by Smart Flow nodes, as dictated by a set of extensions. Extensions may be responsible for intelligently routing messages between hospital departments, auditing message flow, applying access control checks to patient data and encrypting patient data to preserve confidentiality. By pushing this functionality into an intelligent middleware layer, all applications in a medical system can use these services, thus simplifying application design and deployment and improving performance. As new departments with new applications (and requirements) join the system, extensions can be added dynamically to Smart Flow nodes in a safe and consistent manner.Medical systems are loosely coupled, with a mixture of direct, synchronous interactions (e.g. looking up a patient's blood results), and indirect, asynchronous connections (e.g. a monthly batch of pathology reports, sent electronically to a cancer registry). To describe a middleware and its configurations, we will devise a formalism that can capture high-level middleware features, their decomposition into lower-level Smart Flow extensions, and the dependencies and exclusion relationships between extensions. This will let each application specify which extensions it needs. Dynamic reconfiguration will allow Smart Flow to support requirements that change over time.We will also extend the event-driven approach to the inner workings of the middleware itself. Each Smart Flow node will use an event-based kernel to drive the flow of information between extensions, in the form of explicit messages. The advantage of this approach is that existing middleware systems can be integrated with Smart Flow by treating them as particularly rich extensions. This means that Smart Flow can enhance existing middleware with extra features in a way that is straightforward, consistent and easily configured. Making information flow explicit will also enhance security, by identifying and regulating the use of internal messages.

Healthcare providers world-wide are developing electronic solutions to improve patient care and reduce costs. This is a complex and challenging endeavour: such systems need to integrate many distributed and heterogeneous applications and coordinate widely distributed operations as events occur, without compromising patient safety and privacy. Middleware software is the plumbing that interconnects these various applications, however commercial off-the-shelf middleware is unable to adapt to the special requirements of the medical domain: e.g. a healthcare system must audit all access to a patient's records as they flow through the network and yet the audit data must not itself compromise confidentiality. This kind of confidential audit is not currently supported, yet would be best performed within middleware.Similarly, a haematology department would need to detect patterns of events: abnormal blood results sent to the electronic patient notes but with no timely confirmation of receipt would signal a network failure or other delay, and haematology would warn the ward. Middleware support for this does not exist, yet would be vital for an efficient solution. A major challenge in supporting such novel middleware functionality is that there is no single set of services that covers all application requirements. Instead, middleware functionality must evolve as new applications are added.The focus of this proposal is to address this challenge with research into an extendable, event-based middleware architecture, Smart Flow, which can integrate heterogeneous systems and provide a framework for dynamically managing middleware extensions. It will cover common requirements from medical domains, such as privacy, auditing and event pattern detection, without sacrificing efficiency.Applications coordinate all activity by sending and receiving messages using an event-driven approach. Messages are handled by Smart Flow nodes, as dictated by a set of extensions. Extensions may be responsible for intelligently routing messages between hospital departments, auditing message flow, applying access control checks to patient data and encrypting patient data to preserve confidentiality. By pushing this functionality into an intelligent middleware layer, all applications in a medical system can use these services, thus simplifying application design and deployment and improving performance. As new departments with new applications (and requirements) join the system, extensions can be added dynamically to Smart Flow nodes in a safe and consistent manner.Medical systems are loosely coupled, with a mixture of direct, synchronous interactions (e.g. looking up a patient's blood results), and indirect, asynchronous connections (e.g. a monthly batch of pathology reports, sent electronically to a cancer registry). To describe a middleware and its configurations, we will devise a formalism that can capture high-level middleware features, their decomposition into lower-level Smart Flow extensions, and the dependencies and exclusion relationships between extensions. This will let each application specify which extensions it needs. Dynamic reconfiguration will allow Smart Flow to support requirements that change over time.We will also extend the event-driven approach to the inner workings of the middleware itself. Each Smart Flow node will use an event-based kernel to drive the flow of information between extensions, in the form of explicit messages. The advantage of this approach is that existing middleware systems can be integrated with Smart Flow by treating them as particularly rich extensions. This means that Smart Flow can enhance existing middleware with extra features in a way that is straightforward, consistent and easily configured. Making information flow explicit will also enhance security, by identifying and regulating the use of internal messages.

Cloud computing promises to revolutionise how companies, research institutions and government organisations, including the National Health Service (NHS), offer applications and services to users in the digital economy. By consolidating many services as part of a shared ICT infrastructure operated by cloud providers, cloud computing can reduce management costs, shorten the deployment cycle of new services and improve energy efficiency. For example, the UK government's G-Cloud initiative aims to create a cloud ecosystem that will enable government organisations to deploy new applications rapidly, and to share and reuse existing services. Citizens will benefit from increased access to services, while public-sector ICT costs will be reduced. Security considerations, however, are a major issue holding back the widespread adoption of cloud computing: many organisations are concerned about the confidentiality and integrity of their users' data when hosted in third-party public clouds. Today's cloud providers struggle to give strong security guarantees that user data belonging to cloud tenants will be protected "end-to-end", i.e. across the entire workflow of a complex cloud-hosted distributed application. This is a challenging problem because data protection policies associated with applications usually require the strict isolation of certain data while permitting the sharing of other data. As an example, consider a local council with two applications on the G-Cloud: one for calculating unemployment benefits and one for receiving parking ticket fines, with both applications relying on a shared electoral roll database. How can the local council guarantee that data related to unemployment benefits will never be exposed to the parking fine application, even though both applications share a database and the cloud platform? The focus of the CloudSafetNet project is to rethink fundamentally how platform-as-a-service (PaaS) clouds should handle security requirements of applications. The overall goal is to provide the CloudSafetyNet middleware, a novel PaaS platform that acts as a "safety net", protecting against security violations caused by implementation flaws in applications ("intra-tenant security") or vulnerabilities in the cloud platform itself ("inter-tenant security"). CloudSafetyNet follows a "data-centric" security model: the integrity and confidentiality of application data is protected according to data flow policies -- agreements between cloud tenants and the provider specifying the permitted and prohibited exchanges of data between application components. It will enforce data flow policies through multiple levels of security mechanisms following a "defence-in-depth" strategy: based on policies, it creates "data compartments" that contain one or more components and isolate user data. A small privileged kernel, which is part of the middleware and constitutes a trusted computing base (TCB), tracks the flow of data between compartments and prevents flows that would violate policies. Previously such information flow control (IFC) models have been used successfully to enhance programming language, operating system and web application security. To make such a secure PaaS platform a reality, we plan to overcome a set of research challenges. We will explore how cloud application developers can express data-centric security policies that can be translated automatically into a set of data flow constraints in a distributed system. An open problem is how these constraints can be tied in with trusted enforcement mechanisms that exist in today's PaaS clouds. Addressing this will involve research into new lightweight isolation and sand-boxing techniques that allow the controlled execution of software components. In addition, we will advance software engineering methodology for secure cloud applications by developing new software architectures and design patterns that are compatible with compartmentalised data flow enforcement.