Benefits of ACRA
ACRA provides architectural controls that enforce isolation, access discipline, and operational containment at the platform layer.
Rather than relying on application-level security controls or network perimeter assumptions, ACRA embeds enforcement mechanisms directly into the runtime environment used to execute workloads.
Key Takeaways
- Workloads execute inside isolated enclaves with enforced network boundaries
- Communication paths require explicit policy configuration
- Identity and permissions are managed through the ACRA control plane
- Encryption and audit mechanisms are provided by the platform
- Legacy and modern workloads can operate within the same controlled execution model
Architecture Context
This page explains the advantages created by the ACRA platform architecture.
For details about how these mechanisms work, see:
- Core Concepts
- Enclave Architecture
- Control Plane
- Deployment Models
Security Improvements
ACRA enforces security through platform-level isolation and policy enforcement. These controls apply uniformly across all applications running inside the system.
Security Properties
| Property | Mechanism | Result |
|---|---|---|
| Isolation | Enclaves enforce compute, storage, and network separation | Prevents cross-workload data access |
| Network Control | Ingress and egress policy enforced at enclave boundary | Eliminates implicit east-west traffic |
| Identity | RBAC and ReBAC permission models | Explicit access control for users and services |
| Encryption | Service mesh and encrypted storage | Protects data in transit and at rest |
| Auditability | Enclave lifecycle, status, and policy changes are managed centrally by the control plane | Provides a single record of what is running and how it is permitted to communicate |
Workload Isolation
Each enclave is an independent runtime environment containing one or more applications and supporting services.
Isolation boundaries exist across:
- compute
- networking
- storage
Applications cannot communicate with other enclaves unless policy explicitly permits the connection.
This limits lateral movement and constrains the impact of a compromise: a compromised workload can reach only what its policy already permits, so the set of permitted paths should be kept to what the workload actually needs.
Explicit Communication Paths
The infrastructure creates no communication paths by default.
All ingress and egress traffic must be explicitly authorised before a connection between enclaves can be established.
This ensures that:
- communication flows are intentional
- service relationships remain auditable
- network boundaries are enforced consistently
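As an added illustration of the default-deny model described above, and not ACRA's own code or policy format (this page does not specify either), the following Python sketch models ingress and egress authorisation evaluated independently at each enclave boundary. The enclave names, the identification of a flow by (source, destination, port), the treatment of flows as connection initiations, and the rule that traffic within a single enclave is not subject to boundary policy are assumptions made for the example.

```python
"""Conceptual model of explicit ingress/egress authorisation at enclave boundaries.

Added example, not ACRA code. Assumptions: a flow is a connection initiation
identified by (source enclave, destination enclave, destination port); the
source's egress policy and the destination's ingress policy are evaluated
separately; anything not listed on both sides is denied; traffic that stays
inside one enclave never crosses a boundary and is therefore not evaluated.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str   # source enclave (assumed name)
    dst: str   # destination enclave (assumed name)
    port: int  # destination port


class BoundaryPolicy:
    """Default-deny allowlists: nothing is permitted until it is declared."""

    def __init__(self) -> None:
        self._egress: set[Flow] = set()   # flows a source enclave may initiate
        self._ingress: set[Flow] = set()  # flows a destination enclave may accept

    def allow_egress(self, src: str, dst: str, port: int) -> None:
        self._egress.add(Flow(src, dst, port))

    def allow_ingress(self, src: str, dst: str, port: int) -> None:
        self._ingress.add(Flow(src, dst, port))

    def evaluate(self, src: str, dst: str, port: int) -> tuple[bool, str]:
        """Return (permitted, reason). Both boundaries must authorise the flow."""
        if src == dst:
            # Assumption: intra-enclave traffic does not cross a boundary.
            return True, "intra-enclave traffic is not subject to boundary policy"
        flow = Flow(src, dst, port)
        if flow not in self._egress:
            return False, f"egress from {src} to {dst}:{port} not authorised"
        if flow not in self._ingress:
            return False, f"ingress to {dst} from {src} on port {port} not authorised"
        return True, "explicitly authorised on both boundaries"


def build_example_policy() -> BoundaryPolicy:
    """Constructed sample: an app enclave that talks to its own database enclave."""
    policy = BoundaryPolicy()
    policy.allow_egress("app", "db", 5432)
    policy.allow_ingress("app", "db", 5432)
    # 'db' would accept connections from 'reporting', but 'reporting' declares
    # no egress to 'db', so that path stays closed until both sides agree.
    policy.allow_ingress("reporting", "db", 5432)
    return policy


if __name__ == "__main__":
    policy = build_example_policy()
    for src, dst, port in [("app", "db", 5432), ("db", "app", 5432),
                           ("reporting", "db", 5432), ("app", "audit", 443)]:
        permitted, reason = policy.evaluate(src, dst, port)
        print(f"{src} -> {dst}:{port}: {'ALLOW' if permitted else 'DENY'} ({reason})")
```

The constructed sample shows why both boundaries matter: `db` accepts connections from `reporting`, but `reporting` declares no egress to `db`, so the path remains closed, and a `db` to `app` connection is denied because only the `app` to `db` direction was declared. A compromised `app` enclave trying to reach an undeclared `audit` enclave is denied for the same reason, which is the containment property the section describes.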
Operational Advantages
ACRA embeds infrastructure and operational controls directly into the platform.
This reduces the amount of bespoke infrastructure configuration required to run secure application environments.
Operational Properties
| Property | Platform Behaviour |
|---|---|
| Service Provisioning | Supporting services can be deployed within enclaves |
| Credential Handling | Secrets are injected through the platform rather than embedded in applications |
| Policy Enforcement | Access and network policy enforced at runtime |
| Infrastructure Independence | Platform runs across multiple infrastructure environments |
Integrated Service Deployment
Applications often require supporting services such as databases or messaging systems.
ACRA allows these services to run inside the same enclave as the application.
Examples include:
- PostgreSQL
- NATS
- application-specific services
Service configuration and credentials are managed by the platform rather than embedded in application code.
Clear Separation of Responsibilities
The ACRA architecture separates system responsibilities across defined layers.
| Layer | Responsibility |
|---|---|
| Control Plane | Enclave lifecycle management and policy configuration |
| Secure Enclaves | Isolation and runtime enforcement |
| Applications | Mission workloads executing inside enclave boundaries |
| Infrastructure | Compute, networking, and storage resources |
This separation enables clear architectural review and operational accountability.
Provider-Agnostic Deployment
ACRA is designed to operate across multiple infrastructure environments including:
- public cloud
- private cloud
- on-premise deployments
The control model remains consistent regardless of where the system runs.
This allows organisations to maintain operational control while avoiding dependency on a single infrastructure provider.
Operation in Constrained Environments
ACRA supports operation in environments where connectivity may be degraded or unavailable.
ACRA Edge extends the platform into portable deployments capable of running enclaves locally with encrypted storage and controlled communications.
Migration Advantages
Many organisations operate legacy systems alongside modern platforms.
ACRA provides a controlled execution environment that allows these systems to operate within the same security model.
Migration Properties
| Property | Platform Behaviour |
|---|---|
| Legacy Containment | Legacy systems run inside enclaves |
| Incremental Modernisation | New services can be introduced alongside existing systems |
| Platform Security | Applications inherit encryption and access control from the platform |
Legacy Workload Containment
Legacy applications often operate on flat networks with limited isolation.
Deploying these systems inside enclaves places them within a constrained execution boundary without requiring immediate application changes.
The boundary limits what a compromised legacy system can reach; it does not remove vulnerabilities in the legacy application itself, which remains exposed to whatever the enclave's ingress policy admits.
This reduces operational risk while enabling gradual modernisation.
Parallel System Evolution
Because enclaves host complete application environments, legacy systems and new services can run simultaneously.
Examples include:
- existing operational software
- new agentic AI workflows
- secure data processing pipelines
This allows organisations to modernise systems incrementally rather than through disruptive replacement.
ACRA Compared to Legacy Infrastructure
Conventional infrastructure models rely on shared services and perimeter security controls.
These approaches introduce several structural limitations.
Legacy Infrastructure Characteristics
| Characteristic | Limitation |
|---|---|
| Shared infrastructure | Implicit trust relationships between workloads |
| Perimeter security | Limited containment during compromise |
| Fragmented identity systems | Inconsistent access control enforcement |
| Application-level security | Security controls implemented inconsistently |
ACRA Architectural Model
ACRA replaces these patterns with platform-level enforcement.
| Property | Behaviour |
|---|---|
| Isolation | Enclave boundaries enforce workload separation |
| Communication | Explicit policy required for network access |
| Lifecycle Management | Centralised through the control plane |
| Encryption | Provided by platform infrastructure |
| Observability | Logs and metrics emitted within defined boundaries |
Containment, authorisation, and observability become enforced properties of the execution environment rather than optional application features.