Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 4-2-2 – The cybersecurity requirements related to the use of hosting and cloud computing services must be implemented.
Understanding the Requirement
This control — part of the Essential Cybersecurity Controls (ECC – 2 : 2024) framework — requires organizations to treat cloud and hosting services as an extension of their trusted environment. Practically, it means contracting and configuring cloud services so data residency is controlled (within the Kingdom), event logging is enabled, data can be returned and irrecoverably deleted at contract end, tenant environments are logically isolated, encryption is applied for data-in-transit and at-rest according to applicable laws, and backups are performed and protected in line with your backup policy. The organization should document an action plan and maintain continuous compliance monitoring.
Technical Implementation
- Contract and data residency clauses: Add clear contract terms requiring the provider to store and process organizational data within the Kingdom, to provide data export in a usable format on termination, and to demonstrate secure deletion (e.g., crypto-shredding or certified wipe procedures). Ensure SLAs include evidence delivery timelines for export and deletion.
- Enable and centralize logging: Turn on audit/event logging for all hosted assets (compute, storage, databases, network gateways). Ship logs to a centralized collector or SIEM you control (or a trusted managed service) with immutable storage and retention settings mapped to your compliance needs. Monitor key events (access, configuration changes, admin actions) and set alerting for anomalous behavior.
- Enforce tenant isolation and network segmentation: Use provider features (VPCs, resource groups, dedicated subnets) and strict IAM roles/policies to separate your environment from other tenants. Apply host and network-level controls (security groups, NSGs, private endpoints) to limit lateral movement and ensure virtual servers and databases are not publicly exposed by default.
- Encryption and key management: Require encryption for data-in-transit (TLS 1.2+ or stronger) and at-rest using provider-managed or customer-managed keys. For sensitive data, prefer customer-managed keys stored in a hardware-backed key store (HSM). Ensure key rotation, access controls, and key destruction policies meet relevant laws and organizational requirements.
- Backups and restore testing: Mandate periodic backups by the provider (or perform them yourself) and require the provider to protect backups with encryption and access controls. Define backup frequency, retention, and restore time objectives in policy and validate restores through periodic testing. Store at least one backup copy under your direct control or in a separately controlled account.
- Termination and verification: Define a shutdown checklist that covers exporting data in a documented format, verifying checksums and record counts, requesting a signed deletion certificate, and validating that no recoverable snapshots remain. Maintain evidence of data return and deletion in your compliance records.
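The checksum and record-count step of the shutdown checklist can be automated. The following is an added example, not part of the original guidance or any provider's tooling: it assumes the provider delivers CSV exports plus a manifest listing each file's name, SHA-256 and record count (a hypothetical manifest layout), and reports missing, altered, truncated or undeclared files.

```python
import csv
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def count_records(path):  # data rows in a CSV export, header row excluded
    with open(path, newline="", encoding="utf-8") as f:
        return max(sum(1 for _ in csv.reader(f)) - 1, 0)

def verify_export(export_dir, manifest):
    """Compare delivered files with the manifest; an empty list means they match."""
    root = Path(export_dir).resolve()
    findings, expected = [], set()
    for entry in manifest["files"]:
        name, path = entry["name"], (root / entry["name"]).resolve()
        if root not in path.parents:  # entry points outside the export directory
            findings.append((name, "path outside export directory"))
            continue
        expected.add(path)
        if not path.is_file():
            findings.append((name, "missing"))
            continue
        if sha256_file(path) != entry["sha256"].lower():
            findings.append((name, "checksum mismatch"))
        if "records" in entry and count_records(path) != entry["records"]:
            findings.append((name, "record count mismatch"))
    for path in sorted(p for p in root.rglob("*") if p.is_file() and p not in expected):
        findings.append((str(path.relative_to(root)), "not in manifest"))  # undeclared
    return findings

def demo():
    # Constructed sample data: the manifest declares three files, the delivery differs.
    original = {"clients.csv": "id\n1\n2\n3\n", "invoices.csv": "id\n10\n11\n",
                "contracts.csv": "id\n7\n"}
    manifest = {"files": [{"name": n, "sha256": hashlib.sha256(c.encode()).hexdigest(),
                           "records": c.count("\n") - 1} for n, c in original.items()]}
    delivered = {"clients.csv": original["clients.csv"], "scratch.tmp": "x",
                 "invoices.csv": "id\n10\n"}  # truncated; scratch.tmp undeclared
    with tempfile.TemporaryDirectory() as d:
        for n, c in delivered.items():
            Path(d, n).write_bytes(c.encode())
        return verify_export(d, manifest)
```

Store the findings list, empty or not, alongside the deletion certificate as evidence of data return.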
Example in a Small or Medium Business
Imagine a seven-person professional services firm that uses a cloud provider for email, document storage, and a small internal application. During procurement, the firm inserts contract terms requiring all client and internal data to be hosted within the Kingdom and requests proof of data export and deletion procedures. IT configures the cloud accounts with isolated VPCs, strict IAM roles, and private endpoints so resources are not publicly accessible. They enable audit logging for storage buckets, virtual machines, and databases, and forward logs to a centralized logging account that the firm controls. The firm requires encryption at-rest using customer-managed keys in the provider's HSM and enforces TLS for all application endpoints. Backups are scheduled nightly with encrypted storage, and quarterly restore tests are performed to validate the recovery process. When terminating any service, the firm follows its shutdown checklist: exports data, verifies completeness, and obtains a deletion certificate from the provider before removing service access and closing accounts. Regular quarterly reviews ensure the provider's practices and the firm's configurations remain aligned with the organization's policy.
Summary
By combining clear contractual requirements (data residency, export, and deletion), platform configuration (logging, isolation, encryption, backups), and operational practices (testing, evidence collection, and continuous monitoring), SMBs can implement Control 4-2-2 effectively. A documented action plan and periodic compliance checks close the loop, ensuring cloud and hosting services are managed to meet both legal requirements and the organization's security posture.