Architecture

The Data Safe Haven is designed to be deployed on the Microsoft Azure platform, taking advantage of its cloud-computing infrastructure.

Each deployment of the Data Safe Haven consists of two components:

  • one Safe Haven Management (SHM) component

  • one or more Secure Research Environments (SREs).

High-level architecture

The SHM controls the authentication process for the infrastructure. The identity provider is Microsoft Active Directory, which is synchronised with AzureAD to provide cloud and multifactor authentication into each project's Secure Research Environment (SRE).

The SHM is connected to each SRE through virtual network peering, which allows authentication requests from the SRE servers to be resolved by the SHM Active Directory. Although all SREs are peered with the SHM, they are not able to connect directly to one another, ensuring the isolation of each project.
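One way to check a deployment against the peering layout described above, as an added example that is not part of the Data Safe Haven code base. The VNet names and the (local, remote) record layout are assumptions; such pairs could be built from the output of `az network vnet peering list` for each network.

```python
# Added example: audits a hub-and-spoke peering inventory for SRE isolation.
# VNet names and the record layout are assumptions, not Data Safe Haven code.
from collections import defaultdict


def audit_peerings(shm_vnet, sre_vnets, peerings):
    """Return a list of findings for an SHM (hub) / SRE (spoke) layout.

    peerings: iterable of (local_vnet, remote_vnet) pairs, one per peering
    resource (Azure creates one resource on each side of a peered pair).
    """
    sres = set(sre_vnets)
    links = defaultdict(set)
    for local, remote in peerings:
        links[local].add(remote)

    findings = []
    for sre in sorted(sres):
        for remote in sorted(links[sre]):
            if remote in sres:
                # Breaks project isolation: SREs must only reach the SHM.
                findings.append(f"{sre}: peered with another SRE ({remote})")
            elif remote != shm_vnet:
                findings.append(f"{sre}: peered with unknown network ({remote})")
        # Both directions are needed for SRE servers to reach the SHM directory.
        if shm_vnet not in links[sre]:
            findings.append(f"{sre}: no peering to SHM")
        if sre not in links[shm_vnet]:
            findings.append(f"{shm_vnet}: no return peering to {sre}")
    for remote in sorted(links[shm_vnet] - sres):
        findings.append(f"{shm_vnet}: peered with unknown network ({remote})")
    return findings


# Constructed sample inventories (not taken from a real deployment).
SHM = "VNET_SHM"
SRES = ["VNET_SRE_A", "VNET_SRE_B", "VNET_SRE_C"]
GOOD = [(SHM, s) for s in SRES] + [(s, SHM) for s in SRES]
# Drift: an SRE-to-SRE peering was added and one SHM-side peering is missing.
BAD = [p for p in GOOD if p != (SHM, "VNET_SRE_C")] + [("VNET_SRE_A", "VNET_SRE_B")]

if __name__ == "__main__":
    for finding in audit_peerings(SHM, SRES, BAD):
        print(finding)
```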

Safe Haven Management (SHM)

Details about the design of the SHM component

Secure Research Environment (SRE)

Details about the design of the SRE component