Introducing Acra

If you are concerned about data security, this means confronting a threat landscape that requires vigilance and defence against a wide range of attacks. One of the prime targets for attack continues to be sensitive data that is stored in backend database storage. From simple discovery of unsecured databases, through classic SQL injection techniques, to compromised infrastructure that allows wholesale copying of database content, attacks focus on data assets with increasing precision.



Your app, your defences, your adversaries

Acra from Cossack Labs offers a range of novel and well established techniques designed to protect sensitive data stored in backend database systems. Acra provides these as a suite of database protection tools that are easy to use, deploy and automate.

Acra provides three key features enabling you to:

selectively protect sensitive records with a strong, proven cryptographic scheme.

monitor the request flow to the database to prevent malicious requests.

deploy these security features in a well-compartmented infrastructure, where risks and attack surfaces are known and understood.

Acra can be deployed in both traditional database-frontend web services and large, microservice-rich infrastructures. Unlike many other database encryption tools, Acra integrates with your existing infrastructure without the need to rebuild components to add the security layer. Additionally, Acra’s selective encryption capabilities can integrate not just with your applications but also migration scripts, archival data dumps and indeed any procedure that involves database requests.

Acra is built using GoLang and currently supports PostgreSQL databases and Ruby, Python, PHP, Node.js or GoLang application development environments. Acra is licensed as Apache 2 open source software. To get going right away you can follow this section of official documentation.

How does Acra work?



Role architecture (L->R): backend, middleware, front-end

Acra enables front-end application code to selectively encrypt data with a set of encrypt-only keys. The encrypted data is then transmitted (via an AcraProxy service) to the database. Requests to access the data are routed through an AcraServer - a network service that contains the decryption keys, decrypts the data and forwards the response to the application over a secure connection. Additionally, the AcraServer can be configured to detect unexpected requests and take appropriate action.



Role architecture with Acra components

To learn more about how Acra works please see the documentation sections - What is Acra and Architecture/Data flow.

Getting started

Getting started is easy. We know from experience that deploying security systems can be onerous, so we’ve aimed to make this as straightforward as possible with Acra. In summary you’ll need to:

Download and build all Acra components (AcraProxy, AcraServer and utilities) with a single command. Deploy AcraProxy to a server to run alongside your application: just create a separate user/container to compartment it from main running app. Deploy AcraServer to a separate server or virtual machine (typically this would be alongside your database). Generate and distribute keys for data encryption and secure communication across AcraProxy, AcraServer and your application (for use by AcraWriter). Integrate the AcraWriter library/component into your application. Now the choice is yours - whenever its right to secure some element of data, you simply call the appropriate AcraWriter function. Finally, launch and connect all the components by providing each with the appropriate ip address and port number connection information. You application connects to an AcraProxy (instead of directly to the backend database), AcraProxy connects its associated AcraServer and AcraServer connects to the backend database.

Acra is available on Github where you can also learn about some of the more advanced features offered.

Current release

Version 0.75 marks the first open source release of Acra. The underlying Acra technology has already been used in a number of production environments. This public release represents most of the core feature set and is intended to open up these features for interested software developers and security engineers to use, and evaluate.

Your feedback is crucial to us, so don’t hesitate to let us know what works for you and what doesn’t.

Looking ahead

Over the coming months, we’ll be building out Acra by adding support for further databases, application development languages and additional features that are still in development - in particular: configurable query filtering/analysis, further infrastructural tooling and, potentially, highly performant intrusion detection technologies.