Encryption is not a nice-to-have in the Aramco CCC framework -- it is a hard requirement with specific protocols named in the standard. SACS-002 TPC-52 mandates that all data transmitted across networks must be encrypted, and it explicitly lists the acceptable protocols. If your organization still transfers files via plain FTP, accesses systems over unencrypted RDP, or runs internal web tools over HTTP, this article explains exactly what needs to change and how each encryption requirement maps to a practical infrastructure component.
TPC-52: The Core Encryption Mandate
SACS-002 TPC-52: Data in transit must be protected using encryption technologies including but not limited to SSH, FTPS, HTTPS, TLS, or IPSec.
TPC-52 is one of the most technically demanding general controls in SACS-002 because it affects every system, every connection, and every data flow in your organization. It is not limited to internet-facing systems -- any data moving between two systems, including internal transfers between servers on your own network, must be encrypted using one of the approved protocols.
The standard names five specific protocols. In practice, these cover virtually every data transfer scenario a vendor encounters:
- SSH (Secure Shell) -- For remote server administration and secure command-line access
- FTPS / SFTP -- For encrypted file transfers. FTPS (FTP wrapped in TLS) is the one named in the standard; SFTP is a separate file-transfer protocol that runs over SSH and is covered by the SSH item
- HTTPS -- For all web interfaces, admin panels, web applications, and APIs
- TLS (Transport Layer Security) -- The underlying encryption protocol for HTTPS, encrypted email transport (STARTTLS), and database connections
- IPSec -- For VPN tunnels, site-to-site connections, and encrypted network-layer communication
What This Means in Practice
Let us walk through the common data transfer scenarios in a typical Aramco vendor's environment and identify what TPC-52 requires for each.
Remote Access to Servers and Desktops
If your employees access servers remotely -- whether for system administration, application maintenance, or daily work -- the connection must be encrypted. This means:
- Linux servers: SSH only. Telnet, rsh, and any other unencrypted remote access protocols must be disabled.
- Windows servers and desktops: RDP must use the TLS security layer with Network Level Authentication (NLA) enabled. NLA is not the encryption itself -- it authenticates the user before a session is created -- while the TLS security layer encrypts the session. Better yet, reach RDP only through a VPN tunnel (IPSec), which adds a second layer of encryption and keeps the RDP port off the internet.
- Web-based admin panels: HTTPS with a valid TLS certificate. Self-signed certificates may trigger auditor concerns -- use a certificate from a trusted CA.
File Transfers
Transferring files between systems -- whether uploading documents, exchanging data with Aramco, or backing up files to remote storage -- must use encrypted protocols:
- SFTP (SSH File Transfer Protocol) is the preferred method. It tunnels file transfers over SSH, providing both encryption and authentication.
- FTPS (FTP Secure) adds TLS to the traditional FTP protocol. It is acceptable under TPC-52 but needs a properly configured certificate and, because its data channel uses a separate range of passive ports, firewall rules that SFTP's single SSH port does not require.
- Plain FTP is prohibited. FTP transmits credentials and data in cleartext. If your organization uses FTP, it must be replaced with SFTP or FTPS before the audit.
- SCP (Secure Copy) runs over SSH and is also compliant, though less commonly used for business file sharing.
Common audit failure: Vendors often have legacy systems or scripts that use plain FTP for automated file transfers. These are easily overlooked during compliance preparation but will be flagged during the technical review. Audit every automated process and cron job for unencrypted protocols.
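The audit of cron jobs and scripts described above can be scripted. The following is an added example, not code from the original article or from MassiveGRID: it greps a crontab or script for commands and URL schemes that move data in cleartext, skipping commented-out lines. The pattern list and the sample crontab are assumptions constructed for this example; extend the pattern to whatever transfer tools your environment actually uses.

```shell
#!/bin/sh
# Added example, not code from the original article or from MassiveGRID: scan a
# crontab or script for commands that move data over cleartext protocols.
# The pattern list and the sample crontab are assumptions constructed for this
# example; extend the pattern to the tools used in your own environment.

# Commands and URL schemes that send credentials or data unencrypted.
# The (^|[^a-z]) guard stops "sftp", "ftps://" and "https://" from matching.
CLEARTEXT_RE='(^|[^a-z])(ftp|tftp|telnet|rsh|rlogin|rcp)(://|[[:space:]]|$)|(^|[^a-z])http://'

# Print "file:line:text" for every non-comment line of FILE that matches.
# Exit status is 0 when at least one hit was printed, 1 otherwise.
find_cleartext_usage() {
    grep -nE "$CLEARTEXT_RE" "$1" 2>/dev/null \
        | grep -vE '^[0-9]+:[[:space:]]*#' \
        | sed "s|^|$1:|" \
        | grep .
}

# Number of hits in FILE (always prints a number, even 0).
count_cleartext_usage() {
    find_cleartext_usage "$1" | grep -c .
}

# Walk every regular file under DIR (e.g. /etc/cron.d, /var/spool/cron,
# /opt/scripts) and report all hits. Filenames must not contain newlines.
scan_tree() {
    find "$1" -type f 2>/dev/null | while IFS= read -r path; do
        find_cleartext_usage "$path"
    done
}

# Constructed sample crontab: one legacy FTP push, one SFTP batch, one
# plain-HTTP health check, one HTTPS sync, and a commented-out telnet line.
SAMPLE_CRONTAB="$(mktemp)"
trap 'rm -f "$SAMPLE_CRONTAB"' EXIT
cat > "$SAMPLE_CRONTAB" <<'EOF'
# nightly report push (legacy)
0 2 * * * /usr/bin/ftp -n legacy.example.internal < /opt/push.ftp
30 2 * * * sftp -b /opt/batch.txt svc@files.example.internal
0 3 * * * curl -fsS http://intranet.example.internal/health
0 4 * * * curl -fsS https://api.example.internal/sync
# 0 5 * * * telnet old-switch.example.internal 23
EOF

# Expected: the ftp line and the http:// line are reported; the sftp, https
# and commented-out telnet lines are not.
find_cleartext_usage "$SAMPLE_CRONTAB"
echo "cleartext hits: $(count_cleartext_usage "$SAMPLE_CRONTAB")"
```

Every hit needs a human decision: a `http://` call to a loopback address may be harmless, while a `ftp` line in a forgotten backup job is exactly the finding an auditor will write up. Run `scan_tree` over `/etc/cron.d`, `/var/spool/cron`, systemd unit directories and wherever your operations scripts live, and keep the output as part of the evidence that the sweep was done.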
VPN and Network Encryption
If your employees work remotely or access company systems from outside the office, a VPN with IPSec encryption is the standard approach for TPC-52 compliance. The VPN creates an encrypted tunnel between the employee's device and your company network, protecting all data that flows through it.
Key VPN requirements for SACS-002 compliance:
- IPSec or SSL/TLS-based VPN (IKEv2/IPSec is preferred for its security and performance)
- Strong encryption algorithms (AES-256 for data encryption, SHA-256 or higher for integrity)
- Certificate-based or MFA-based authentication (simple password-only VPN authentication is weak)
- Split tunneling should be avoided for Aramco-related work -- all traffic should route through the VPN
- VPN access logs must be retained for audit evidence
Web Interfaces and Applications
Every web-based system in your environment must use HTTPS:
- Company website and client portals
- Email webmail interface
- File hosting web interface
- Internal admin panels and dashboards
- API endpoints
HTTPS requires a valid TLS certificate issued by a recognized Certificate Authority (CA), and the server behind it should accept only TLS 1.2 or higher (TLS 1.0 and 1.1 are deprecated) with weak cipher suites disabled. The protocol versions and cipher list are server settings, not properties of the certificate, so both have to be checked and both have to be evidenced.
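A quick way to check the protocol-version part of that requirement on any host you can reach, including internal admin panels that an online scanner cannot see, is to force one TLS version at a time with `openssl s_client`. The script below is an added example, not code from the original article or from MassiveGRID; the host and port are arguments you supply, and the two transcripts at the bottom are constructed, abridged samples used only to check the parser offline.

```shell
#!/bin/sh
# Added example, not code from the original article or from MassiveGRID: probe a
# web service with openssl s_client once per TLS version and report which
# versions it accepts. HOST and PORT are supplied by the caller; the transcripts
# at the bottom are constructed samples used to check the parser offline.

# Which versions the TLS 1.2+ requirement allows.
version_policy() {
    case "$1" in
        tls1|tls1_1)   echo deprecated ;;
        tls1_2|tls1_3) echo allowed ;;
        *)             echo unknown ;;
    esac
}

# Force a single protocol version against HOST:PORT and print the transcript.
# VERSION is one of tls1, tls1_1, tls1_2, tls1_3 (openssl's own flag names).
probe_tls_version() {
    openssl s_client -connect "$1:$2" -servername "$1" "-$3" </dev/null 2>&1
}

# Exit 0 if a transcript on stdin shows a completed handshake. s_client prints
# "New, TLSv1.2, Cipher is ..." on success and "New, (NONE), Cipher is (NONE)"
# on failure; the SSL-Session "Protocol" line appears in both, so it is not used.
transcript_shows_handshake() {
    grep -Eq '^New, TLSv1[^,]*, Cipher is [A-Za-z0-9_-]+'
}

# One line per version; returns the number of deprecated versions accepted.
audit_tls_versions() {
    host="$1"; port="${2:-443}"; findings=0
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        if probe_tls_version "$host" "$port" "$v" | transcript_shows_handshake; then
            if [ "$(version_policy "$v")" = deprecated ]; then
                echo "$v ACCEPTED  FAIL (deprecated version still enabled)"
                findings=$((findings + 1))
            else
                echo "$v accepted"
            fi
        else
            echo "$v rejected"
        fi
    done
    return "$findings"
}

# Constructed transcripts for an offline check of transcript_shows_handshake.
TRANSCRIPT_ACCEPTED='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'
TRANSCRIPT_REJECTED='CONNECTED(00000003)
error:0A000102:SSL routines::unsupported protocol
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000'

# Usage: sh tls_audit.sh admin.example.internal 443
if [ $# -ge 1 ]; then
    audit_tls_versions "$1" "${2:-443}"
fi
```

One caveat when reading the results: an OpenSSL 3 client built at the default security level may refuse to even offer TLS 1.0/1.1, in which case "rejected" reflects the client, not the server. Re-run those two probes with `-cipher 'DEFAULT:@SECLEVEL=0'` added to the `openssl` command before concluding the server has them disabled. The script checks versions only; cipher-suite strength still needs a fuller scanner.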
Email Transport Encryption
While email security has its own dedicated TPC controls, email transport also falls under TPC-52. Email servers must support STARTTLS for encrypting SMTP connections between mail servers, so that messages are encrypted in transit between your mail server and the recipient's. Note that STARTTLS is opportunistic by default: if the peer does not offer it, most mail servers silently fall back to cleartext. Configure your server to require TLS where the standard expects it, and keep the negotiation details from your mail logs and from Received headers as evidence of what was actually used.
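The Received headers of a delivered message record, hop by hop, whether the sending server used TLS, which makes them a convenient piece of evidence. The script below is an added example, not code from the original article or from MassiveGRID: it unfolds the headers of a message on stdin and classifies each hop. The markers it looks for ("with ESMTPS", a "TLSv1.x" cipher note, Google-style "version=TLS1_3") are the ones common MTAs write; the message at the bottom is constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original article or from MassiveGRID: read an
# email message on stdin and report, for every Received: hop, whether the
# sending server used TLS. Postfix, Exim and Sendmail stamp "with ESMTPS" (and
# usually a "TLSv1.x" cipher note) on TLS hops and plain "with ESMTP" on
# cleartext hops; Google-style headers carry "version=TLS1_3". The message at
# the bottom is constructed for this example.

# Unfold continuation lines, keep Received: headers only, and print
# "TLS: <hop>" or "CLEARTEXT: <hop>" for each, most recent hop first.
report_received_hops() {
    awk '
        function emit(h,    tag) {
            if (h !~ /^Received:/) return
            gsub(/[ \t]+/, " ", h)
            if (h ~ /with E?SMTPSA?([^A-Za-z]|$)/ || h ~ /TLS(v1\.|1_)[0-3]/) tag = "TLS"
            else tag = "CLEARTEXT"
            print tag ": " substr(h, 11)
        }
        /^$/      { exit }                       # blank line ends the header block
        /^[ \t]/  { hdr = hdr " " $0; next }     # continuation of the current header
                  { if (hdr != "") emit(hdr); hdr = $0 }
        END       { if (hdr != "") emit(hdr) }
    '
}

count_cleartext_hops() { report_received_hops | grep -c '^CLEARTEXT'; }
count_tls_hops()       { report_received_hops | grep -c '^TLS'; }

# Constructed sample: the partner relay accepted the message over TLS
# (ESMTPSA), forwarded it to its MX in cleartext (ESMTP), and the MX handed it
# to our server over TLS 1.3 (ESMTPS). Addresses are documentation ranges.
SAMPLE_MESSAGE='Received: from mx.example.net (mx.example.net [203.0.113.10])
    by mail.example.com (Postfix) with ESMTPS id 4A1B2C
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384);
    Mon, 3 Feb 2025 08:00:00 +0000
Received: from relay.partner.example (relay.partner.example [198.51.100.5])
    by mx.example.net (Postfix) with ESMTP id 7D8E9F;
    Mon, 3 Feb 2025 07:59:58 +0000
Received: from [192.0.2.7] by relay.partner.example with ESMTPSA id 11AA22;
    Mon, 3 Feb 2025 07:59:50 +0000
From: alice@partner.example
To: bob@example.com
Subject: constructed test message

(body omitted)'

# Usage on a real message: report_received_hops < saved-message.eml
printf '%s\n' "$SAMPLE_MESSAGE" | report_received_hops
```

Only the hop into your own server is under your control; a CLEARTEXT hop further back tells you the partner's relay did not negotiate TLS, which is worth raising with them but is not your finding. Headers are also self-reported by each MTA, so treat them as supporting evidence next to your own mail server's TLS logs, not as the sole proof.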
Data-at-Rest Encryption
While TPC-52 focuses specifically on data in transit, CCC+ vendors (Outsourced Infrastructure, Customized Software, and Critical Data Processor classifications) face additional requirements for encrypting data at rest. This means:
- Disk encryption: Storage volumes containing Aramco data must be encrypted. Full-disk encryption (FDE) using AES-256 is the standard approach.
- Database encryption: Transparent Data Encryption (TDE) or application-level encryption for databases storing Aramco data.
- Backup encryption: Backup files and archives must be encrypted both in storage and during transfer to offsite locations.
- Key management: Encryption keys must be stored separately from the encrypted data and managed through a documented key management process.
Note: Even for CCC (non-plus) vendors, encrypting data at rest is a strong best practice that auditors view favorably. If you store any Aramco-related documents, contracts, or correspondence, encrypting the storage volume protects you in the event of physical media theft or unauthorized access.
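Before producing disk-encryption evidence it helps to know which mounted volumes are actually sitting on an encrypted layer, which is easy to get wrong with LVM-on-LUKS stacks and extra data disks added later. The script below is an added example, not code from the original article or from MassiveGRID: it parses `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` output and walks each mounted device's parent chain looking for a dm-crypt layer. The sample at the bottom is constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original article or from MassiveGRID: list
# every mounted block-device filesystem and flag the ones that are not stacked
# on a dm-crypt (LUKS) layer. It parses `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME`
# output; the sample at the bottom is constructed for this example.

# Read lsblk -P lines on stdin; print "ENCRYPTED <mount> (<device>)" or
# "PLAINTEXT <mount> (<device>)" per mounted device, walking up PKNAME
# parents so that LVM-on-LUKS layouts are recognised as encrypted.
classify_mounts() {
    awk '
        # Value of KEY="..." in an lsblk -P line, or "" if absent. Matching on
        # " KEY=" (with a leading space) keeps NAME from matching inside PKNAME.
        function field(line, key,    s, rest, q) {
            s = " " line
            if (!match(s, " " key "=\"")) return ""
            rest = substr(s, RSTART + RLENGTH)
            q = index(rest, "\"")
            return substr(rest, 1, q - 1)
        }
        {
            name = field($0, "NAME")
            types[name]  = field($0, "TYPE")
            parent[name] = field($0, "PKNAME")
            mnt = field($0, "MOUNTPOINT")
            if (mnt != "") mounted[name] = mnt
        }
        END {
            for (d in mounted) {
                enc = 0
                for (cur = d; cur != ""; cur = parent[cur])
                    if (types[cur] == "crypt") enc = 1
                tag = enc ? "ENCRYPTED" : "PLAINTEXT"
                print tag, mounted[d], "(" d ")"
            }
        }
    ' | sort
}

count_plaintext_mounts() { classify_mounts | grep -c '^PLAINTEXT'; }

# Constructed sample: root and swap are LVM volumes on a LUKS container,
# /boot is an unencrypted partition (normal), and a second disk holding
# project data was added without encryption (the finding).
SAMPLE_LSBLK='NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="cr_root" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cr_root"
NAME="vg-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="cr_root"
NAME="sdb" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" MOUNTPOINT="/srv/aramco-data" PKNAME="sdb"'

# Usage on a live system: lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME | classify_mounts
printf '%s\n' "$SAMPLE_LSBLK" | classify_mounts
```

A PLAINTEXT `/boot` is expected on most LUKS installs and is not a finding by itself; a PLAINTEXT data volume is. The check only sees dm-crypt layers, so on a cloud server whose provider encrypts the volume underneath the VM, everything will show as PLAINTEXT and the provider's volume-encryption status is the evidence to capture instead.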
Wireless Network Encryption
SACS-002 also addresses wireless network security. If your office uses Wi-Fi, the wireless network must be encrypted using WPA2 or WPA2 Enterprise (WPA3 is also acceptable). Open Wi-Fi networks and WEP encryption are prohibited.
For environments handling Aramco data:
- WPA2 Enterprise with RADIUS authentication is recommended because it provides individual user authentication rather than a shared password
- Guest Wi-Fi must be segregated from the corporate network
- Wireless access points should be documented in the asset inventory
- Wi-Fi configuration screenshots are part of the audit evidence package
Encryption Requirements Mapped to Infrastructure
The following table maps each encryption scenario to the protocol required by SACS-002 and the corresponding MassiveGRID package component that satisfies it.
| Protocol | Use Case | Package Component | TPC Reference |
|---|---|---|---|
| IPSec (IKEv2) | Remote access VPN for employees working outside the office | Managed VPN with IPSec encryption, MFA-integrated authentication | TPC-52 |
| SSH | Remote server administration (Linux) | Cloud server with SSH-only access, key-based authentication enforced | TPC-52 |
| SFTP / FTPS | Encrypted file uploads, document exchange, automated transfers | Encrypted file hosting with SFTP/FTPS endpoints, web interface over HTTPS | TPC-52 |
| HTTPS (TLS 1.2+) | Web interfaces, admin panels, email webmail, API endpoints | All web services delivered over HTTPS with managed TLS certificates | TPC-52 |
| TLS (STARTTLS) | Email transport encryption between mail servers | Email hosting with STARTTLS enforced on all SMTP connections | TPC-52, TPC-8 |
| RDP over TLS | Remote desktop access to Windows systems | Managed RDP with NLA and TLS encryption, accessed through VPN | TPC-52 |
| AES-256 (at rest) | Disk encryption for stored data, backups, databases | Encrypted storage volumes on cloud servers, encrypted backup service | CCC+ specific controls |
| WPA2/WPA3 | Office wireless network encryption | On-premise requirement (configuration guidance provided) | TPC-52 |
Producing Audit Evidence for Encryption Controls
Implementing encryption is only half the requirement -- you must also prove it to the auditor. For each encryption control, expect to provide:
- VPN: VPN server configuration export showing IPSec settings, encryption algorithms, and authentication method. VPN access logs showing encrypted sessions.
- SSH: SSH server configuration file (sshd_config) showing protocol version, key exchange algorithms, and disabled password authentication (if using key-based auth).
- SFTP/FTPS: File server configuration showing SFTP or FTPS enabled and plain FTP disabled. Transfer logs showing encrypted sessions.
- HTTPS: TLS certificate details for each web service, and scan results showing TLS 1.2+ and strong cipher suites (e.g., from SSL Labs for internet-facing hosts; for internal hosts it cannot reach, output from a local scanner such as openssl s_client or testssl.sh).
- Email: Mail server configuration showing STARTTLS enabled. Email headers showing TLS negotiation between servers.
- Disk encryption: Screenshot of disk encryption status (BitLocker, LUKS, or provider-level encryption), key management documentation.
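The SSH evidence item above, and the "Linux servers: SSH only" requirement earlier, both come down to a handful of sshd_config settings. The script below is an added example, not code from the original article or from MassiveGRID: it reads the effective value of each setting the way sshd does (first occurrence wins, Match blocks excluded) and prints an OK/FAIL line per item that can go straight into the evidence package. The two configs at the bottom are constructed samples, and the "weak" pattern lists are this example's choices rather than anything the standard enumerates.

```shell
#!/bin/sh
# Added example, not code from the original article or from MassiveGRID: audit an
# sshd_config for the settings an auditor looks for (no protocol 1, no password
# or root login, no weak ciphers/KEX/MACs) and print an OK/FAIL line per item.
# The two configs at the bottom are constructed samples; the "weak" pattern
# lists are this example's choices.

# Effective value of KEY in FILE. sshd uses the first occurrence of a keyword,
# so the first non-comment match wins; scanning stops at the first Match block.
effective_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# Print "FAIL: KEY = value (reason)" if the effective value matches BAD_RE
# (case-insensitive), else "OK: KEY = value". An empty value means "unset".
sshd_check() {
    file="$1"; key="$2"; bad_re="$3"; reason="$4"
    val="$(effective_setting "$file" "$key")"
    if printf '%s\n' "$val" | grep -Eiq "$bad_re"; then
        echo "FAIL: $key = ${val:-(unset, default applies)} ($reason)"
    else
        echo "OK:   $key = ${val:-(unset, default applies)}"
    fi
}

audit_sshd_config() {
    sshd_check "$1" Protocol '(^|,)1(,|$)' 'SSH protocol 1 enabled'
    sshd_check "$1" PermitRootLogin '^yes$' 'direct root login permitted'
    sshd_check "$1" PasswordAuthentication '^yes$|^$' 'passwords accepted (the default when unset); use key-based auth'
    sshd_check "$1" PermitEmptyPasswords '^yes$' 'empty passwords accepted'
    sshd_check "$1" Ciphers '3des|arcfour|blowfish|cast128|-cbc' 'weak or CBC-mode cipher offered'
    sshd_check "$1" KexAlgorithms 'sha1(,|$)' 'SHA-1 key exchange offered'
    sshd_check "$1" MACs 'md5|sha1(,|$)|-96' 'weak MAC offered'
}

count_sshd_findings() { audit_sshd_config "$1" | grep -c '^FAIL'; }

# Constructed sample configs: a legacy host and a hardened baseline.
WEAK_SSHD_CONFIG="$(mktemp)"; HARDENED_SSHD_CONFIG="$(mktemp)"
trap 'rm -f "$WEAK_SSHD_CONFIG" "$HARDENED_SSHD_CONFIG"' EXIT
cat > "$WEAK_SSHD_CONFIG" <<'EOF'
# constructed: legacy jump host
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
Ciphers aes256-ctr,3des-cbc
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256
EOF
cat > "$HARDENED_SSHD_CONFIG" <<'EOF'
# constructed: hardened baseline
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
Match User backup
    PasswordAuthentication yes
EOF

echo "== weak ==";     audit_sshd_config "$WEAK_SSHD_CONFIG"
echo "== hardened =="; audit_sshd_config "$HARDENED_SSHD_CONFIG"
```

On a real server prefer `sudo sshd -T > effective.txt` and audit that file: it is the configuration sshd actually runs with, including anything pulled in through `Include` directives that a reading of `/etc/ssh/sshd_config` alone would miss, and the keywords come out in lower case, which the case-insensitive matching above handles. Keep both the raw config and the OK/FAIL output for the auditor.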
Common Encryption Gaps That Cause Audit Failures
These are the most frequently encountered encryption-related findings during CCC audits:
- Plain FTP still in use -- Often in legacy systems or automated scripts that were set up years ago and forgotten
- HTTP admin panels -- Internal tools accessed without HTTPS because "they are only on the internal network" (SACS-002 does not distinguish between internal and external)
- Outdated TLS versions -- Systems still supporting TLS 1.0 or 1.1, or using weak cipher suites like RC4 or 3DES
- VPN without IPSec -- Using PPTP (which is broken) or L2TP without IPSec encryption
- Unencrypted database connections -- Application servers connecting to databases over unencrypted TCP
- RDP exposed to the internet without VPN -- Even with TLS on RDP, direct internet exposure adds unnecessary risk
- Open Wi-Fi or WEP -- Surprising in 2026, but some offices still run legacy wireless configurations
Build Encryption Into Your Infrastructure From Day One
The most efficient way to satisfy TPC-52 and the broader encryption requirements is to start with infrastructure that is encrypted by default. Retrofitting encryption onto existing systems is error-prone -- you must audit every service, every port, every automated process. Starting with a platform where encryption is the baseline eliminates this risk.
MassiveGRID's Aramco CCC-Compliant Infrastructure Package delivers every component with encryption pre-configured. The VPN uses IKEv2/IPSec with AES-256 encryption. File hosting runs on SFTP with plain FTP disabled at the server level. All web interfaces use HTTPS with TLS 1.2+ and modern cipher suites. RDP is tunneled through the VPN, adding network-layer encryption on top of TLS. And every encryption configuration is documented with evidence ready for your auditor.
See how the CCC-compliant package handles encryption across every component →