Every Aramco third-party vendor handles some form of data that belongs to or relates to Aramco. Whether it is engineering drawings, financial reports, project documentation, or operational data, the way you store, access, and manage these files is directly governed by SACS-002. The Cybersecurity Compliance Certificate framework does not simply require that files are "protected." It mandates specific technical and procedural controls that cover the entire data lifecycle, from the moment a file enters your systems to the moment it is permanently destroyed.
This guide explains each SACS-002 data security requirement as it applies to file hosting, shows you how to implement compliant storage practices, and maps every requirement to the specific MassiveGRID file hosting capabilities that satisfy them.
Data Classification: The Foundation of File Security
Before you can protect Aramco data appropriately, you must classify it. SACS-002 requires vendors to implement a data classification scheme that categorizes all information assets based on their sensitivity and the impact of unauthorized disclosure. This is not merely an administrative exercise. Your classification determines the minimum security controls required for each category of data.
SACS-002 Requirement: Vendors must establish and maintain a data classification policy that categorizes Aramco-related data according to its sensitivity level, and must apply protection controls proportional to the classification level.
A practical classification scheme for Aramco vendor data typically includes three or four tiers:
- Confidential: Data whose disclosure would cause significant harm to Aramco's operations, competitive position, or reputation. Examples include proprietary engineering specifications, financial projections, and strategic planning documents.
- Internal: Data intended for use within the vendor's organization and not meant for public disclosure. Examples include project schedules, internal communications about Aramco projects, and operational procedures.
- Restricted Distribution: Data shared between Aramco and the vendor under specific access limitations. Examples include contract terms, pricing schedules, and compliance documentation.
- Public: Information that has been approved for public release. This classification rarely applies to Aramco-related data.
Each file in your hosting environment should carry a classification tag, either through metadata, folder-based organization, or a combination of both. Your file hosting platform must support this classification at a system level, not just through informal naming conventions.
Role-Based Access Controls for File Storage
Need-to-know access is a core principle of SACS-002. Not every employee at your organization should have access to all Aramco-related files. Access must be granted based on job function and project assignment, with regular reviews to ensure access rights remain appropriate as roles change.
Your file hosting system must implement role-based access controls (RBAC) that support:
- Granular permissions: Read, write, delete, and share permissions must be assignable independently. A project member who needs to view engineering documents should not automatically have the ability to modify or delete them.
- Group-based access: Access should be managed through security groups aligned with project teams or departments, rather than individual user assignments, which become unmanageable as teams grow.
- Hierarchical folder permissions: Permissions on parent folders should propagate to sub-folders with the ability to override at any level. This enables broad project-level access with restricted sub-folders for sensitive documents.
- External sharing controls: If files need to be shared with Aramco or other authorized parties, the sharing mechanism must enforce authentication, expiration, and access tracking. Anonymous or link-based sharing without authentication is not compliant.
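The group-based, hierarchical model described above, as an added example (not code from MassiveGRID or from SACS-002). It assumes that the nearest folder entry for a group overrides inherited permissions, that a user's rights are the union across their groups, and that anything without an entry is denied; all user, group and folder names are hypothetical.

```python
from pathlib import PurePosixPath

# Constructed sample data; every user, group and folder name is hypothetical.
GROUPS = {
    "alice": {"alpha-engineers"},
    "bob": {"alpha-engineers", "alpha-leads"},
    "carol": {"finance"},
}
# An entry applies to all sub-folders until a deeper entry for the same
# group overrides it. An empty set revokes what would be inherited.
ACLS = {
    "/aramco/alpha": {
        "alpha-engineers": {"read", "write"},
        "alpha-leads": {"read", "write", "delete", "share"},
    },
    "/aramco/alpha/confidential": {
        "alpha-engineers": set(),
        "alpha-leads": {"read"},
    },
}

def group_permissions(group, path):
    """Nearest ancestor folder with an entry for the group wins."""
    target = PurePosixPath(path)
    if not target.is_absolute() or ".." in target.parts:
        return set()  # refuse non-canonical paths instead of guessing
    node = target.parent
    while True:
        entry = ACLS.get(str(node), {})
        if group in entry:
            return set(entry[group])
        if node == node.parent:  # reached "/" with no entry
            return set()         # deny by default
        node = node.parent

def effective_permissions(user, path):
    """Union of what each of the user's groups grants on this file."""
    perms = set()
    for group in GROUPS.get(user, set()):
        perms |= group_permissions(group, path)
    return perms

def is_allowed(user, action, path):
    return action in effective_permissions(user, path)
```

Because read, write, delete and share are separate members of each set, a viewer can be granted `read` on a project folder without gaining any of the others.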
For a complete understanding of how access controls and multi-factor authentication work together under SACS-002, see our access control and MFA compliance guide.
Encryption at Rest and in Transit
SACS-002 mandates encryption for Aramco data in both states: when it is stored on disk (at rest) and when it is being transferred between systems (in transit). Your file hosting infrastructure must implement both, and the encryption must meet minimum algorithm and key-length requirements.
Encryption at Rest
All storage volumes containing Aramco-classified data must be encrypted using AES-256 or equivalent. This encryption must be:
- Transparent to applications: Encryption and decryption happen at the storage layer, so applications reading and writing files do not need modification.
- Securely key-managed: Encryption keys must be stored separately from the encrypted data, ideally in a hardware security module (HSM) or dedicated key management service. Keys stored on the same disk as the encrypted data provide no meaningful protection.
- Full-volume: File-level encryption is acceptable as an additional layer, but the underlying storage volume must be fully encrypted to protect against physical media theft or improper decommissioning.
Encryption in Transit
All file transfers must use encrypted protocols. Specifically:
- SFTP or SCP for command-line or automated file transfers (FTP is explicitly prohibited)
- HTTPS (TLS 1.2+) for web-based file access interfaces
- SMB 3.0 with encryption for Windows-based network file shares
- IPsec VPN tunnel for any file access traversing public networks
For the complete encryption requirements under SACS-002, including VPN and email encryption, refer to our data encryption compliance guide.
Audit Logging on File Access
Every access to files classified as Aramco data must be logged. This is not a best practice recommendation; it is a compliance requirement. The audit logs serve two purposes: they enable detection of unauthorized access attempts in real time, and they provide forensic evidence in the event of a security incident.
File access logs must capture:
- User identity: The authenticated user who accessed the file, not just an IP address or session ID
- Action type: Whether the access was a read, write, delete, rename, permission change, or share action
- Timestamp: Precise date and time of the access event, synchronized to a reliable time source (NTP)
- File identifier: The full path and name of the file accessed
- Access result: Whether the access was granted or denied, which is critical for identifying unauthorized access attempts
- Source information: The IP address, device identifier, and access method (web interface, SFTP client, API) used for the access
Logs must be retained for the period specified in your log retention policy (which must meet SACS-002 minimums) and must be protected against tampering. Write-once storage or centralized SIEM ingestion with integrity verification are the standard approaches to log protection.
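One way to enforce the required fields and make tampering detectable, as an added example that is not part of SACS-002 or of any MassiveGRID product. The field names, the sample events and the SHA-256 hash chain are assumptions chosen for illustration; the page itself only names write-once storage and SIEM ingestion with integrity verification.

```python
import hashlib
import json

# Field names are assumptions that mirror the list of required log contents.
REQUIRED = ("user", "action", "timestamp", "path", "result",
            "source_ip", "device", "method")
ACTIONS = {"read", "write", "delete", "rename", "permission_change", "share"}
GENESIS = "0" * 64

# Constructed sample events (documentation IP ranges, hypothetical names).
SAMPLE_EVENTS = [
    {"user": "alice", "action": "read", "timestamp": "2024-05-01T08:15:02Z",
     "path": "/aramco/alpha/drawings/p1.dwg", "result": "granted",
     "source_ip": "192.0.2.10", "device": "LT-0042", "method": "web"},
    {"user": "carol", "action": "delete", "timestamp": "2024-05-01T08:17:40Z",
     "path": "/aramco/alpha/confidential/spec.pdf", "result": "denied",
     "source_ip": "198.51.100.7", "device": "LT-0099", "method": "sftp"},
]

def validate(event):
    """Return a list of problems; an empty list means the event is complete."""
    problems = [f"missing {f}" for f in REQUIRED if not event.get(f)]
    if event.get("action") not in ACTIONS:
        problems.append("unknown action")
    if event.get("result") not in ("granted", "denied"):
        problems.append("result must be granted or denied")
    return problems

def digest(prev_hash, event):
    # Canonical JSON so the same event always produces the same hash.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(chain, event):
    """Append a complete event, linked to the hash of the previous record."""
    problems = validate(event)
    if problems:
        raise ValueError("; ".join(problems))
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": dict(event), "prev": prev_hash,
                  "hash": digest(prev_hash, event)})

def verify(chain):
    """Index of the first altered, removed or re-linked record, or -1."""
    prev_hash = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev_hash or rec["hash"] != digest(prev_hash, rec["event"]):
            return i
        prev_hash = rec["hash"]
    return -1
```

A chain stored only on the file server can be recomputed by anyone who can rewrite it, and records cut from the tail leave no trace, so the most recent hash should be recorded regularly in the write-once store or SIEM.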
Data Isolation and Partitioning
Aramco data must be logically or physically isolated from non-Aramco data within your file hosting infrastructure. This isolation requirement serves two purposes: it limits the blast radius if a non-Aramco system is compromised, and it simplifies the application of classification-specific security controls.
Acceptable isolation approaches include:
- Dedicated storage volumes: Aramco data resides on separate storage volumes with independent access controls and encryption keys
- Virtual partitioning: Logical separation within a shared storage platform using tenant isolation, separate namespaces, and independent access control lists
- Network segmentation: File servers handling Aramco data reside in a dedicated network segment with firewall rules controlling inbound and outbound traffic
The key requirement is that a compromise of a non-Aramco system cannot provide access to Aramco data. The specific isolation method is less important than the effectiveness of the boundary.
Backup and Recovery Requirements
SACS-002 requires that all Aramco data is backed up according to a documented schedule and that backups are tested regularly through restoration exercises. For file hosting, this means:
- Regular backup schedule: Daily incremental backups and weekly full backups, at minimum, for all file storage volumes containing Aramco data
- Encrypted backups: Backup data must be encrypted with the same strength as production data (AES-256). Unencrypted backup tapes or volumes are a compliance failure.
- Off-site backup storage: At least one copy of backup data must be stored at a geographically separate location from the primary data center
- Tested restoration: Backup restoration must be tested at least quarterly, with documented results showing successful recovery of files from backup media
- Backup access controls: Access to backup storage and restoration capabilities must be restricted to authorized administrators with the same RBAC and MFA requirements as production access
Data Sanitization When Decommissioning
When storage media that held Aramco data reaches end of life, or when a project concludes and data must be removed, SACS-002 requires verified data sanitization. Simply deleting files or formatting drives does not satisfy this requirement because data remains recoverable through forensic techniques.
SACS-002 Requirement: Vendors must implement documented data sanitization procedures that render Aramco data irrecoverable when storage media is decommissioned, repurposed, or transferred. Sanitization methods must be appropriate to the media type and classification level.
Acceptable sanitization methods include:
- Cryptographic erasure: For encrypted volumes, destroying the encryption keys renders the data permanently inaccessible. This is the fastest method for large storage volumes.
- Secure overwrite: Multiple-pass overwriting of the entire storage media using approved patterns (NIST SP 800-88 guidelines)
- Physical destruction: Shredding, degaussing, or incineration of storage media for the highest assurance level
All sanitization events must be documented with a certificate of destruction or sanitization record that includes the media identifier, sanitization method used, date performed, and the personnel who performed and verified the sanitization.
Data Security Requirements Mapped to MassiveGRID
The following table maps each SACS-002 data security requirement to the specific TPC control and the corresponding MassiveGRID file hosting feature that addresses it:
| Data Security Requirement | TPC Control | MassiveGRID File Hosting Feature |
|---|---|---|
| Data classification tagging | TPC-1 | Metadata-based classification labels with folder-level inheritance and classification-driven policy enforcement |
| Role-based access controls | TPC-2, TPC-3 | Granular RBAC with group-based permissions, hierarchical inheritance, and authenticated external sharing |
| Encryption at rest (AES-256) | TPC-52 | Full-volume AES-256 encryption on all storage with HSM-managed key storage |
| Encryption in transit (TLS/SFTP) | TPC-52 | SFTP, HTTPS (TLS 1.2+), and SMB 3.0 encryption enforced; FTP blocked at firewall level |
| File access audit logging | TPC-2 | Comprehensive access logging with user identity, action type, timestamp, and result; SIEM integration |
| Data isolation/partitioning | TPC-1 | Dedicated storage volumes in segmented network zones with independent access controls |
| Encrypted daily backups | TPC-52 | Automated daily incremental + weekly full backups with AES-256 encryption and off-site replication |
| Backup restoration testing | TPC-52 | Quarterly automated restoration tests with documented results and compliance reporting |
| Data sanitization on decommission | TPC-1 | Cryptographic erasure with documented sanitization certificates; physical destruction available on request |
| Need-to-know access enforcement | TPC-2 | Quarterly access reviews with automated reports showing current permissions vs. active project assignments |
Secure Your Aramco Data with Compliant File Hosting
File hosting is where compliance meets daily operations. Every time a team member uploads a document, shares a file, or accesses project data, the security controls around that action must satisfy SACS-002 requirements. Piecemeal solutions that address encryption but miss access controls, or log access but do not enforce classification, create compliance gaps that auditors will identify.
MassiveGRID's CCC-compliant infrastructure package delivers file hosting that addresses every data security requirement in an integrated platform. From classification-driven policies to cryptographic erasure at decommission, every aspect of the data lifecycle is managed within a single compliant environment.
Explore the full compliance package to see how MassiveGRID's file hosting maps to your SACS-002 data security obligations, or contact our compliance team for a data security assessment tailored to your specific Aramco vendor classification.