Objectives

PAROMA-MED will develop, validate and evaluate a platform – based hybrid-cloud delivery framework for privacy- and security- assured services and applications in federative cross-border environments.
To this purpose, the project will develop new architectures, technologies, tools and services to support:

• automatic attestation of federation partners;
• privacy- and security – by-design, integrating standard compliance and performance / QoS requirements into a policy framework;
• consumers with their rights for opt-in / opt-out consent, portability and right to be forgotten requests, as well as transparency in access to their private-data;
• federative Identity and Access Management, based on Zero Trust principles, continuous risk assessment and on confidentiality, integrity and authenticity insurance;
• privacy-preserving and trusted data – storage and – processing in federative environments;
• flexible and secure access over the Internet to private-data and service resources;
• AI / ML by-design, integrating platform services to be used by application developers for data-intensive applications;
• Zero Touch deployment and automatic life-cycle management of services and applications;
• managed Privacy and Security operations for automated policy enforcement and cyber-threat detection and mitigation

Concept

The growing adoption of cloud native architectures for data analytics such as machine learning (ML) based analysis of data over federated data sources brings benefits in terms of speed, efficiency and adaptability compared to legacy data pipeline architectures. However, immediate challenges arise in terms of privacy and security for the data, the distributed infrastructure and virtualised services/applications.

For this purpose, PAROMA-MED adopts a hybrid cloud architecture that allows workload portability, orchestration, and management across multiple environments. PAROMA spans a hybrid cloud across a central cloud and multiple edge cloud environments, that allows the operation of central and distributed services (e.g.AIOps, Data Access, Identity & Access Management) and enables mobile edge computing. Edge computing is computing that takes place at or near the physical location of either the user or the source of the data, in order to comply with latency or data-residency constraints.

The central cloud offers PAROMA – specific security and privacy services (Security-as-a-Service/SECaaS andData-Privacy-as-a-Service/DPaas) that are implemented as microservices and follow a sidecar deployment pattern. Theses PAROMA microservices are smart agents that are deployed along platform application/services (application layer),federation partners and connected devices (device layer). The PAROMA microservices ensure “by design” privacy and security and are embedded automatically in the application / services graphs, thus enabling the application developers to deal only with the business-logic of their application. The application provider / operator specifies specific privacy and security requirements at a high-level by means of policies that are then translated automatically by the SECaaS and DPaaS into specific configurations and deployments of the PAROMA smart agents.

Utilizing microservices in this context requires a service and event mesh architecture. A service mesh (overlay network) provides connection-level routing and traffic management for synchronous request/reply communications through sidecar microservices. An event mesh handles the asynchronous event-driven routing of information through event brokers (aka Context Brokers, where an event is a context update).

Platform APIs are exposed via API gateways towards the application layer (northbound APIs) and towards the access & interconnect and device layers (southbound APIs). An API gateway (not shown in the Figure 1is a centralized access and security policy enforcement point to a microservice deployment and the entry point that screens all incoming request-messages for security and QoS features.

PAROMA offers a variety of APIs for users/developers at the application layer, e.g. domain specific APIs (healthcare API) with regulatory compliance, data APIs for data services (e.g.analytics, visualisation) and control APIs, that allow the orchestration/deployment and integration of platform applications (e.g. AIOps, dashboard, CI/CD). APIs follow the OpenAPI standard, a programming language-agnostic interface description for HTTP APIs.

Connectivity APIs are exposed towards the device layer to connect and integrate different devices (e.g. mobile user devices, medical devices, sensors). Devices can connect via e.g. 5G or LoRaWAN or Bluteooth to the PAROMA platform and access data and services.

PAROMA utilizes a data lake storage concept to store the large amounts of data that are produced in the medical domain (e.g. medical images, long time-series of sensor data). A data lake is a repository that holds a large amount of structured and unstructured data, providing unique identifiers and metadata tags. Unlike most data warehouses and databases, data lakes can handle all types of data, including unstructured and semi-structured data such as images, video, and audio, that are required for machine learning use cases.

Additionally, via its north- and southbound APIs, PAROMA offers access to federation partners, in order to integrate with their Platform-as-a-Service/PaaS, Software-as-a-Service/SaaS or Anything-as-a-Service/XaaS solutions. This offers flexibility for the distribution of the data-sourcing / storage and data-processing tasks among partners in the application provisioning / value-chain federation and enables integration of further ecosystem stakeholders and actors.