INTRODUCING ACRA – An Open Source Database Security Suite

If you are concerned about data security, this means confronting a threat landscape that requires vigilance and defence against a wide range of attacks. One of the prime targets for attack continues to be sensitive data that is stored in backend database storage. From simple discovery of unsecured databases, through classic SQL injection techniques, to compromised infrastructure that allows wholesale copying of database content, attacks focus on data assets with increasing precision.

Acra from Cossack Labs offers a range of novel and well established techniques designed to protect sensitive data stored in backend database systems. Acra provides these as a suite of database protection tools that are easy to use, deploy and automate.

Acra provides three key features enabling you to:

• selectively protect sensitive records with a strong, proven cryptographic scheme.
• monitor the request flow to the database to prevent malicious requests.
• deploy these security features in a well-compartmented infrastructure, where risks and attack surfaces are known and understood.

Acra can be deployed in both traditional database-frontend web services and large, microservice-rich infrastructures. Unlike many other database encryption tools, Acra integrates with your existing infrastructure without the need to rebuild components to add the security layer. Additionally, Acra’s selective encryption capabilities can integrate not just with your applications but also migration scripts, archival data dumps and indeed any procedure that involves database requests.
Acra is built using GoLang and currently supports PostgreSQL databases and Ruby, Python, PHP, Node.js or GoLang application development environments. Acra is licensed as Apache 2 open source software.

How does Acra work?

Acra enables front-end application code to selectively encrypt data with a set of encrypt-only keys. The encrypted data is then transmitted (via an AcraProxy service) to the database. Requests to access the data are routed through an AcraServer – a network service that contains the decryption keys, decrypts the data and forwards the response to the application over a secure connection. Additionally, the AcraServer can be configured to detect unexpected requests and take appropriate action.

To learn more about how Acra works please see the documentation sections – What is Acra and Architecture/Data flow.

Acra is available on Github where you can also learn about some of the more advanced features offered.

Current release

Version 0.75 marks the first open source release of Acra. The underlying Acra technology has already been used in a number of production environments. This public release represents most of the core feature set and is intended to open up these features for interested software developers and security engineers to use, and evaluate.