Appearance
Introduction to ACRA
1. What ACRA Is
ACRA is a provider-agnostic execution platform for running complete application environments inside isolated virtual enclaves.
The platform enforces containment, identity, and network policy at the system level. Isolation is default. Communication requires explicit policy. Permissions are enforced by the platform rather than delegated to individual applications.
ACRA follows a Zero Trust model. No service, workload, or user is implicitly trusted. Access requires authentication, authorisation, and policy validation at each boundary.
Security controls are implemented as platform guarantees:
- Encryption in transit and encryption at rest are enforced by default
- Network ingress and egress are explicitly controlled
- Identity and access controls restrict access to authorised actors only
- System activity generates auditable logs and operational telemetry
- Workflows and data movement remain traceable across platform services
The platform is structured across clear layers:
- System and infrastructure: Underlying compute, storage, networking, and baseline hardening.
- ACRA control plane: Enclave lifecycle management, permissions, updates, and status visibility.
- Secure virtual enclaves: Isolated runtime environments with controlled ingress and egress.
- Applications inside enclaves: Mission workloads operating within defined resource and policy boundaries.
Each layer has a defined responsibility and a defined boundary.
Core properties
- Isolation is default.
- Communication requires explicit policy.
- Permissions are enforced at the platform layer.
ACRA is not a hosting abstraction. It is an enforced execution boundary.
2. The Problem It Solves
Modern operational systems are commonly assembled from shared cloud services, flat internal networks, and externally managed control planes.
This model introduces structural risk:
- Infrastructure dependency that weakens data sovereignty.
- Implicit east-west trust between workloads.
- Security controls applied after deployment rather than enforced by architecture.
- Reduced assurance in degraded or disconnected environments.
In these environments, isolation is partial and audit visibility is fragmented. ACRA addresses these conditions by moving enforcement into the platform itself.
How ACRA responds
- Enclaves restrict ingress and egress at the boundary.
- Inter-service communication requires explicit authorisation.
- Workloads execute within defined resource and policy constraints.
Control is structural, not procedural.
3. Target Users
ACRA is designed for organisations operating under sustained regulatory, operational, or geopolitical risk.
- Defence and national security programmes.
- Sovereign and government operators.
- Regulated industries handling sensitive or classified data.
- Organisations deploying AI or data processing systems on high-impact datasets.
These environments require:
- Explicit trust boundaries.
- Verifiable enforcement of access controls.
- Contained workload execution.
- Auditability at the system level.
ACRA is built for those requirements.
4. High-Level Architecture
ACRA follows a layered control model.
Layer summary
| Layer | Role |
|---|---|
| ACRA Control Plane | Creates, updates, suspends, and observes enclaves. Manages permissions and configuration state. |
| Secure Enclaves | Enforce ingress and egress controls. Isolate workloads. Apply resource limits and policy constraints. |
| Applications | Implement logic within enclave boundaries. Emit logs, metrics, and audit artefacts. |
| ACRA Core (System and Infrastructure) | Provides compute, networking, storage, and baseline security controls required for enclave execution. |
Separation between these layers is architectural. Policy enforcement occurs at the enclave boundary, lifecycle management is handled by the control plane, and underlying infrastructure does not implicitly grant workload trust. This structure enables consistent enforcement regardless of deployment location.