If your organization is an Aramco third-party vendor with distributed teams, remote access to systems handling Aramco data is a daily operational necessity. Field engineers connecting from project sites, finance teams accessing ERP systems from regional offices, and IT administrators managing infrastructure remotely all need reliable, secure connectivity. Under Aramco's SACS-002 Cybersecurity Compliance Certificate (CCC) framework, the way you provide that remote access is subject to strict technical requirements that go well beyond what most organizations have in place.
This guide explains exactly what SACS-002 demands for remote access, why standard VPN solutions often fall short, and how to implement a compliant remote access architecture that satisfies auditors without disrupting your workforce.
Why Remote Access Is a High-Risk Control Area
Remote access represents one of the largest attack surfaces in any vendor's IT environment. Every remote session is a potential entry point for credential theft, man-in-the-middle attacks, and lateral movement into systems containing Aramco-classified data. Aramco recognizes this explicitly in SACS-002 by dedicating multiple Third-Party Cybersecurity (TPC) controls specifically to remote connectivity.
SACS-002 Requirement: All remote access to systems processing, storing, or transmitting Aramco data must use encrypted tunnels with strong authentication, comprehensive session logging, and network segmentation that isolates Aramco-related systems from general corporate traffic.
Unlike internal network access where perimeter defenses provide some layer of protection, remote connections traverse public networks where traffic interception is a real and documented threat. SACS-002 addresses this by mandating specific encryption protocols, authentication mechanisms, and monitoring capabilities that collectively ensure remote sessions are as secure as on-premises access.
IPSec VPN: The Required Encryption Standard
TPC-52 within SACS-002 specifically requires IPSec (Internet Protocol Security) encryption for remote access tunnels. This is not a generic "use a VPN" requirement. IPSec is explicitly named because it operates at the network layer (Layer 3 of the OSI model), providing encryption and authentication for all IP traffic passing through the tunnel, not just specific application protocols.
How IPSec VPN Works
IPSec establishes a secure tunnel between the remote user's device and the corporate network gateway through a two-phase process:
- IKE Phase 1 (Authentication): The client and server negotiate encryption algorithms, authenticate each other using pre-shared keys or digital certificates, and establish a secure channel for further negotiation. This phase uses Diffie-Hellman key exchange to create shared secret keys without transmitting them over the network.
- IKE Phase 2 (Tunnel Establishment): Using the secure channel from Phase 1, both sides negotiate the parameters for the actual data tunnel, including the encryption algorithm (AES-256 is the standard for CCC compliance), the integrity algorithm (SHA-256 or higher), and the traffic selectors defining which network traffic should be encrypted.
Once established, all traffic between the remote device and the corporate network is encrypted using ESP (Encapsulating Security Payload). ESP encrypts the packet payload and, when integrity protection is enabled, authenticates the ESP header and that encrypted payload; in tunnel mode the payload is the whole original IP packet, including its header.
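As an added example (not MassiveGRID's code or any gateway's own tooling), the checker below validates IKE and ESP proposal strings against the parameters just described and audits a remote-access profile for IKEv2 and full-tunnel routing; the proposal notation is assumed to follow strongSwan's cipher-integrity-DH form, and the profile keys (ike_version, ike_proposal, esp_proposal, client_routes) are illustrative names.

```python
"""Check IKE/ESP proposals against the parameters above (AES-256, SHA-256 or stronger,
a Diffie-Hellman group) and audit a profile for IKEv2 and full-tunnel routing.  Added
example, not MassiveGRID code; strongSwan-style proposal strings and profile keys assumed."""
import re

STRONG_INTEGRITY = {"sha256", "sha384", "sha512"}
WEAK_DH = {"modp768", "modp1024", "modp1536"}   # legacy groups that undercut AES-256
AEAD = re.compile(r"^aes\d+(gcm|ccm)\d+$")        # AEAD ciphers carry their own integrity


def check_proposal(proposal: str, esp: bool = False) -> list[str]:
    """Return findings for one proposal string; an empty list means it passes."""
    findings, parts = [], proposal.lower().split("-")
    cipher = parts[0]
    if not cipher.startswith("aes256"):
        findings.append(f"cipher {cipher} is not AES-256")
    integ = [p for p in parts[1:] if p.startswith(("sha", "md5"))]
    if not AEAD.match(cipher):
        if not integ:
            findings.append("no integrity algorithm")
        elif integ[0] not in STRONG_INTEGRITY:
            findings.append(f"integrity {integ[0]} is weaker than SHA-256")
    dh = [p for p in parts[1:] if p.startswith(("modp", "ecp", "curve", "x25519"))]
    if not dh:
        # IKE needs a DH group to derive keys; an ESP child without one forgoes PFS.
        findings.append("no Diffie-Hellman group" + (" (no perfect forward secrecy)" if esp else ""))
    elif dh[0] in WEAK_DH:
        findings.append(f"DH group {dh[0]} is too weak")
    return findings


def audit_profile(profile: dict) -> list[str]:
    """Audit a VPN profile: IKEv2, strong IKE/ESP proposals, no split tunneling."""
    findings = []
    if profile.get("ike_version") != 2:
        findings.append("IKEv1 in use; IKEv2 expected")
    findings += ["IKE: " + f for f in check_proposal(profile["ike_proposal"])]
    findings += ["ESP: " + f for f in check_proposal(profile["esp_proposal"], esp=True)]
    # Anything narrower than a default route pushed to the client leaves a split tunnel.
    if profile.get("client_routes") != ["0.0.0.0/0"]:
        findings.append("split tunneling: client routes are not the default route only")
    return findings


# Constructed profiles: a weak legacy setup beside the corrected one.
WEAK = {"ike_version": 1, "ike_proposal": "aes128-sha1-modp1024",
        "esp_proposal": "aes128-sha1", "client_routes": ["10.50.0.0/24"]}
COMPLIANT = {"ike_version": 2, "ike_proposal": "aes256gcm16-prfsha384-ecp384",
             "esp_proposal": "aes256gcm16-ecp384", "client_routes": ["0.0.0.0/0"]}
```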
Why IPSec Over Other VPN Protocols
Many organizations use non-IPSec VPNs, such as the SSL/TLS-based OpenVPN or WireGuard, for their convenience and ease of deployment. While these are strong protocols for general use, SACS-002's specification of IPSec reflects several critical advantages for compliance scenarios:
- Full network-layer encryption: IPSec encrypts all traffic between endpoints, not just specific application streams. This prevents data leakage through non-standard ports or protocols.
- Mutual authentication: Both the client and the gateway authenticate each other, which mitigates rogue-gateway attacks; SSL VPNs can remain exposed to these unless certificate pinning is added.
- Hardware acceleration: IPSec is widely supported in dedicated hardware (firewalls, routers), enabling high-throughput encrypted connections without the CPU overhead of software-based SSL VPN solutions.
- Standards-based interoperability: IPSec is defined by IETF standards (RFC 4301-4309), making it auditable against a published specification rather than a vendor-specific implementation.
VPN Access Controls Required by SACS-002
Deploying an IPSec VPN alone does not satisfy the compliance requirements. SACS-002 mandates a comprehensive set of access controls around the VPN infrastructure itself. These controls ensure that only authorized users can establish VPN connections, and that those connections are appropriately restricted.
Authentication Requirements
VPN authentication must implement multi-factor authentication (MFA) as specified under TPC-2 and TPC-3. A username and password alone are not sufficient. The authentication chain must include at least two of the following factors:
- Something you know: Password meeting the SACS-002 complexity requirements (minimum 12 characters, mixed case, numbers, special characters)
- Something you have: Hardware token, authenticator app (TOTP), or smart card certificate
- Something you are: Biometric verification (fingerprint, facial recognition) on the endpoint device
For a deeper understanding of how MFA and access controls map to SACS-002, see our detailed guide on access control and multi-factor authentication for CCC compliance.
Network Segmentation
VPN connections must terminate in a segmented network zone that isolates Aramco-related systems from the general corporate network. This means your VPN infrastructure must support:
- Dedicated VPN profiles for users accessing Aramco data, with routing rules that direct traffic only to authorized network segments
- Firewall policies between the VPN termination zone and Aramco data systems, enforcing least-privilege access at the network level
- Split tunneling restrictions that prevent VPN users from simultaneously accessing the public internet and the Aramco network segment, eliminating the risk of bridging attacks
Remote Desktop Compliance Requirements
Many Aramco vendors use Remote Desktop Protocol (RDP) or similar technologies to provide staff with access to centralized workstations or servers. SACS-002 has specific requirements for remote desktop sessions that go beyond simply tunneling RDP through a VPN.
Multi-Factor Authentication for Remote Desktop
Every remote desktop session must require MFA at the session level, independent of VPN-level authentication. This means that even after a user has authenticated to the VPN, they must authenticate again with a second factor before establishing a remote desktop connection. This defense-in-depth approach ensures that a compromised VPN credential cannot be used to access desktop sessions without the additional authentication factor.
Session Logging and Recording
SACS-002 requires comprehensive logging of all remote desktop sessions, including:
- Session metadata: User identity, source IP, destination system, session start and end times
- Activity logging: Commands executed, files accessed, applications launched during the session
- Session recording: Video recording of privileged sessions (administrator access) for forensic review capability
- Log retention: All session logs must be retained for a minimum period and protected against tampering or deletion
Idle Timeout and Session Controls
Remote desktop sessions must enforce automatic disconnection after a defined period of inactivity. SACS-002 specifies that idle sessions must be terminated or locked within 15 minutes of inactivity. Additionally, maximum session duration limits should be configured to prevent indefinitely open connections, and concurrent session restrictions should be in place to prevent credential sharing.
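The following is an added example, not MassiveGRID's code, showing how the three remote desktop controls above (required session metadata, session-level MFA before RDP, and the 15-minute idle limit) can be audited over a constructed session log; the JSON field names and event names are assumptions made for the example.

```python
"""Audit RDP session logs for required metadata, session-level MFA and the 15-minute idle
limit.  Added example, not MassiveGRID code; JSON fields and event names are assumed."""
import json
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=15)
REQUIRED_FIELDS = ("ts", "user", "src_ip", "dest", "event")
SESSION_END = {"rdp_lock", "rdp_disconnect"}

# Constructed sample log (not from a real system), one JSON event per line.
SAMPLE_LOG = """\
{"ts":"2024-03-04T08:01:00","user":"alice","src_ip":"203.0.113.10","dest":"rdp-01","event":"rdp_mfa_ok"}
{"ts":"2024-03-04T08:01:10","user":"alice","src_ip":"203.0.113.10","dest":"rdp-01","event":"rdp_connect"}
{"ts":"2024-03-04T08:05:00","user":"alice","src_ip":"203.0.113.10","dest":"rdp-01","event":"rdp_activity"}
{"ts":"2024-03-04T08:30:00","user":"alice","src_ip":"203.0.113.10","dest":"rdp-01","event":"rdp_activity"}
{"ts":"2024-03-04T09:00:00","user":"bob","src_ip":"198.51.100.7","dest":"vpn-gw","event":"vpn_connect"}
{"ts":"2024-03-04T09:00:30","user":"bob","src_ip":"198.51.100.7","dest":"rdp-02","event":"rdp_connect"}
{"ts":"2024-03-04T09:02:00","user":"bob","src_ip":"198.51.100.7","event":"rdp_activity"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines and sort by timestamp so idle gaps are measured in order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    return sorted(events, key=lambda ev: ev["ts"])


def audit_sessions(text: str) -> list[str]:
    """Return one finding per control violation in the log (empty list = clean)."""
    findings, session_mfa, last_event = [], set(), {}   # users with RDP MFA; live sessions
    for ev in parse_events(text):
        stamp, user, dest, kind = ev["ts"].strftime("%H:%M"), ev.get("user"), ev.get("dest"), ev["event"]
        if missing := [f for f in REQUIRED_FIELDS if f not in ev]:
            findings.append(f"{stamp} {user}: event lacks required fields {missing}")
        if kind == "vpn_connect":
            session_mfa.discard(user)   # a fresh VPN session needs RDP-level MFA again
        elif kind == "rdp_mfa_ok":
            session_mfa.add(user)
        elif kind == "rdp_connect" and user not in session_mfa:
            findings.append(f"{stamp} {user}: RDP session to {dest} without session-level MFA")
        if kind in ("rdp_connect", "rdp_activity") or kind in SESSION_END:
            key, prev = (user, dest), last_event.get((user, dest))
            if prev is not None and ev["ts"] - prev > IDLE_LIMIT:
                findings.append(f"{stamp} {user}: {(ev['ts'] - prev).seconds // 60} min idle "
                                f"on {dest} without lock/disconnect")
            last_event[key] = ev["ts"]
            if kind in SESSION_END:
                last_event.pop(key)     # a locked or ended session cannot go idle
    return findings
```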
Remote Access Requirements Mapped to SACS-002
The following table maps each remote access requirement to the specific SACS-002 control reference and the corresponding MassiveGRID solution component:
| Remote Access Requirement | SACS-002 Reference | MassiveGRID Solution |
|---|---|---|
| IPSec VPN encrypted tunnel | TPC-52 | Pre-configured IPSec VPN gateway with AES-256 encryption and IKEv2 negotiation |
| Multi-factor authentication on VPN | TPC-2, TPC-3 | Integrated TOTP/hardware token MFA on VPN gateway with per-user enforcement |
| VPN access logging | TPC-2 | Automated VPN connection logs with user identity, timestamps, and source IP retention |
| Network segmentation for VPN zone | TPC-52 | Dedicated VLAN with firewall rules isolating Aramco data systems from general traffic |
| Remote Desktop MFA | TPC-2, TPC-3 | Session-level MFA for RDP with independent second-factor verification |
| Session activity logging | TPC-2 | Comprehensive session metadata and activity logging with tamper-proof storage |
| Privileged session recording | TPC-2 | Video recording of admin sessions with indexed search and playback capability |
| Idle session timeout (15 min) | TPC-2 | Enforced idle timeout with automatic session lock and configurable thresholds |
| Split tunneling prevention | TPC-52 | Full-tunnel VPN profiles with enforced routing policies blocking split tunneling |
| Password complexity on remote access | TPC-3 | Enforced password policy: 12+ characters, complexity requirements, rotation schedule |
Common Remote Access Compliance Failures
During CCC assessments, several remote access misconfigurations appear repeatedly. Understanding these common failure points helps you avoid them before your audit:
- Using SSL VPN instead of IPSec: While SSL VPNs are secure for many purposes, SACS-002 specifically requires IPSec. Auditors will check the VPN protocol configuration and reject non-IPSec implementations regardless of their encryption strength.
- VPN-only MFA without session-level MFA: Authenticating once at the VPN level and then having unrestricted access to remote desktop sessions is a compliance gap. Each access layer must have independent authentication.
- Incomplete logging: Having VPN connection logs but lacking session activity logs, or having logs that do not capture the required metadata fields, will result in audit findings.
- No network segmentation: VPN users landing in the same network segment as all other corporate systems means a compromised VPN connection can reach non-Aramco systems, violating the isolation principle.
- Disabled idle timeouts: Convenience-driven decisions to extend or disable session timeouts create persistent, unattended connections that represent a significant security risk.
MassiveGRID's Turnkey Remote Access Solution
MassiveGRID's CCC-compliant infrastructure package includes a fully configured remote access stack that addresses every SACS-002 remote access requirement out of the box. Rather than piecing together separate VPN appliances, MFA providers, and logging systems, the MassiveGRID solution delivers:
- IPSec VPN gateway pre-configured with AES-256 encryption, IKEv2 key exchange, and certificate-based mutual authentication
- Integrated MFA at both the VPN and remote desktop session levels, supporting TOTP authenticator apps and hardware security keys
- Audit-trail logging that captures all required session metadata, activity events, and privileged session recordings in tamper-proof storage with configurable retention periods
- Network segmentation with pre-configured VLANs and firewall policies that isolate Aramco data environments from general infrastructure
- Centralized management for user provisioning, policy enforcement, and log review through a single administrative interface
The entire remote access infrastructure is deployed, configured, and maintained by MassiveGRID's managed services team, ensuring that encryption standards, authentication policies, and logging configurations remain compliant between audit cycles. This is particularly valuable because remote access configurations tend to drift over time as new users are added or access requirements change.
For a comprehensive overview of how encryption requirements extend beyond VPN to cover data at rest and email communications, see our guide on data encryption compliance for SACS-002.
Get Started with Compliant Remote Access
Remote access compliance is one of the most operationally visible aspects of SACS-002, directly affecting how your team works every day. Getting it right means implementing controls that are secure enough to satisfy auditors and practical enough that your employees actually use them instead of finding workarounds.
MassiveGRID's CCC-compliant infrastructure package delivers remote access that meets both criteria. Explore the full compliance package to see how IPSec VPN, multi-factor authentication, session logging, and network segmentation are integrated into a single managed solution, or contact our compliance team for a personalized assessment of your remote access requirements.