Written on 1 July 2025 by Ahmad.H
In Saudi Arabia, cybersecurity is not "nice to have." The National Cybersecurity Authority (NCA) issued the Essential Cybersecurity Controls (ECC 2-2024) as a baseline to strengthen national cybersecurity and safeguard information and technology assets.
If your organization is within scope, ECC compliance becomes a structured program—not a one-time project. And even if you're not strictly in scope, many Saudi organizations adopt ECC to align with national expectations and reduce risk.
How Compliance Is Evaluated (What Teams Often Miss)
ECC is designed for ongoing compliance. The NCA notes that compliance can be evaluated through multiple means, including self-assessment, periodic reports (from the compliance tool), and/or field auditing visits.
The ECC document also states that the NCA will issue an ECC-2:2024 Assessment and Compliance Tool to organize assessment and compliance measurement. That means your evidence, logs, policies, and operational routines matter just as much as the initial implementation: an assessor will ask for proof that a control operates, not only that it was designed.
ECC 2-2024 Structure (Simple View)
ECC 2-2024 is organized into four main domains, each split into subdomains that carry the individual controls. The four main domains are:
- Cybersecurity Governance
- Cybersecurity Defense
- Cybersecurity Resilience
- Third-Party and Cloud Computing Cybersecurity
This structure is helpful because it naturally maps to how organizations operate: leadership and policy, technical controls, resilience and business continuity, and the vendor/cloud reality.
The 10-Step ECC Roadmap (What to Do First, Second, Third)
This is a practical sequence that works for most organizations. It avoids the common trap of buying tools before you have clarity.
1) Confirm Scope, Systems, and "What Counts"
Start with:
- Your business services (what must stay running)
- Your critical systems and data
- Your external dependencies (vendors, cloud, managed services)
Deliverable: ECC scope statement + asset inventory baseline
2) Establish Governance That Actually Runs (Not Shelf Policies)
ECC includes governance subdomains such as cybersecurity strategy, management, policies/procedures, roles/responsibilities, risk management, awareness/training, and audit/review.
Minimum governance package:
- Cybersecurity policy framework (top-level + standards)
- Clear RACI (who owns what)
- Risk register + exception process
- Audit and review calendar
3) Identity & Access Management (IAM): Fix the "Silent Breaches"
Most preventable incidents start here:
- MFA for admins and remote access
- Privileged access management (even if lightweight)
- Joiner/mover/leaver process tied to HR
- Service accounts review
Deliverable: Access control matrix + privileged account inventory
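The privileged account inventory in this step is only useful if something checks it against the IAM controls above. The following is an added example (not Sanam's tooling and not part of the original article) of that review run over a constructed export that joins the identity provider with the HR feed. The role names, field names, thresholds and sample accounts are all assumptions; a real Entra ID, AD or Okta export needs its own field mapping.

```python
"""Privileged account review: MFA on admins, service-account hygiene, leaver check.

Added example, not Sanam's code. The export below is constructed sample data and
the field names, role names and thresholds are assumptions for illustration.
"""
from datetime import date

ADMIN_ROLES = {"Global Administrator", "Domain Admins", "Privileged Role Administrator"}
SERVICE_MAX_AGE_DAYS = 90   # assumption: rotate service credentials at least quarterly
STALE_LOGIN_DAYS = 60       # assumption: a privileged account unused this long is reviewed
TODAY = date(2025, 7, 1)    # fixed so the run is reproducible

# Constructed sample export: one dict per account (not real data).
ACCOUNTS = [
    {"user": "a.saleh", "roles": ["Global Administrator"], "mfa": True,
     "type": "user", "hr_status": "active", "last_login": "2025-06-30", "pw_age": 30},
    {"user": "m.khan", "roles": ["Domain Admins"], "mfa": False,
     "type": "user", "hr_status": "active", "last_login": "2025-06-28", "pw_age": 12},
    {"user": "f.ali", "roles": ["Domain Admins"], "mfa": True,
     "type": "user", "hr_status": "terminated", "last_login": "2025-04-15", "pw_age": 200},
    {"user": "svc_backup", "roles": ["Domain Admins"], "mfa": False,
     "type": "service", "hr_status": None, "last_login": "2025-06-30", "pw_age": 400},
    {"user": "r.omar", "roles": ["Helpdesk"], "mfa": False,
     "type": "user", "hr_status": "active", "last_login": "2025-06-29", "pw_age": 20},
]


def is_privileged(acct):
    """An account is privileged if any of its roles is an admin role."""
    return any(role in ADMIN_ROLES for role in acct["roles"])


def review(accounts, today=TODAY):
    """Return (privileged_inventory, findings); a finding is (user, control, detail)."""
    inventory = [a["user"] for a in accounts if is_privileged(a)]
    findings = []
    for a in accounts:
        user = a["user"]
        days_idle = (today - date.fromisoformat(a["last_login"])).days
        # Joiner/mover/leaver: HR says terminated but the identity is still enabled.
        # This is a gap for every account, privileged or not.
        if a["type"] == "user" and a["hr_status"] == "terminated":
            findings.append((user, "JML", "HR status is terminated but account is enabled"))
        if not is_privileged(a):
            continue
        # Interactive admin accounts must have MFA; service accounts cannot do MFA,
        # so they are held to a credential-age control instead.
        if a["type"] == "user" and not a["mfa"]:
            findings.append((user, "MFA", "privileged account without MFA"))
        if a["type"] == "service" and a["pw_age"] > SERVICE_MAX_AGE_DAYS:
            findings.append((user, "SVC", f"service credential is {a['pw_age']} days old"))
        if days_idle > STALE_LOGIN_DAYS:
            findings.append((user, "STALE", f"no login for {days_idle} days"))
    return inventory, findings


if __name__ == "__main__":
    inventory, findings = review(ACCOUNTS)
    print("Privileged accounts:", ", ".join(inventory))
    for user, control, detail in findings:
        print(f"[{control:5}] {user}: {detail}")
```

Run as-is it reports the admin without MFA, the terminated user still enabled and idle, and the service account with a stale credential; the helpdesk account is ignored because it holds no admin role. The output doubles as evidence for the privileged account inventory deliverable if you keep each run with its date.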
4) Network Security and Segmentation
Segmentation is not only for "big enterprises." It's the fastest way to reduce blast radius.
Minimum viable segmentation:
- User network vs servers
- Guest/IoT/CCTV separated
- Admin access only from controlled segments
- Secure remote access (VPN / ZTNA approach)
5) Endpoint and Server Hardening (Get Rid of Easy Wins)
- Baseline hardening for OS images
- Patch process and emergency patching
- EDR rollout plan (phased if needed)
6) Logging & Monitoring: Log What You Can Actually Act On
ECC includes monitoring/log management under defense. Start small and useful:
- Identity events (logins, MFA, privilege changes)
- Firewall/VPN events
- Critical server logs
- Alert triage workflow (who responds, how fast, what evidence is stored)
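"Log what you can act on" means every alert should name an owner, a response time and the evidence behind it. The following is an added example (not Sanam's code and not from the original article) of two identity rules run over constructed JSON-lines events: repeated MFA denials followed by an approval (the MFA fatigue pattern), and a privileged group addition outside the agreed change window. Field names, thresholds, the change window and the sample events are assumptions.

```python
"""Identity-event triage: MFA fatigue and out-of-process privilege changes.

Added example, not Sanam's code. The events are constructed sample data in a
JSON-lines shape; field names, thresholds and the change window are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). One JSON object per line.
RAW_EVENTS = """\
{"ts":"2025-07-01T02:10:05Z","event":"mfa_result","user":"m.khan","result":"denied","src":"203.0.113.7"}
{"ts":"2025-07-01T02:10:40Z","event":"mfa_result","user":"m.khan","result":"denied","src":"203.0.113.7"}
{"ts":"2025-07-01T02:11:12Z","event":"mfa_result","user":"m.khan","result":"denied","src":"203.0.113.7"}
{"ts":"2025-07-01T02:11:50Z","event":"mfa_result","user":"m.khan","result":"approved","src":"203.0.113.7"}
{"ts":"2025-07-01T02:15:00Z","event":"group_change","actor":"m.khan","target":"svc_new","group":"Domain Admins","action":"add"}
{"ts":"2025-07-01T09:30:00Z","event":"mfa_result","user":"a.saleh","result":"denied","src":"198.51.100.4"}
{"ts":"2025-07-01T22:05:00Z","event":"group_change","actor":"a.saleh","target":"f.ali","group":"Domain Admins","action":"add","change_id":"CHG-1042"}
"""

MFA_DENIALS = 3                       # assumption: alert at 3 denials...
MFA_WINDOW = timedelta(minutes=10)    # ...within 10 minutes
CHANGE_WINDOW = (20, 23)              # assumption: admin-group changes are approved 20:00-23:00 UTC
PRIV_GROUPS = {"Domain Admins", "Global Administrator"}


def parse(raw):
    """Parse JSON lines, keep the raw line as evidence, return events sorted by time."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        e["_raw"] = line
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def alert(rule, severity, subject, response, evidence):
    """An alert carries its owner, deadline and the raw lines that justify it."""
    return {"rule": rule, "severity": severity, "subject": subject,
            "response": response, "evidence": [x["_raw"] for x in evidence]}


def triage(events):
    """Apply the two rules and return the alerts in the order they fire."""
    alerts = []
    denials = defaultdict(list)   # user -> denied prompts inside the sliding window
    fatigued = set()              # users who already tripped the fatigue rule
    for e in events:
        if e["event"] == "mfa_result":
            user = e["user"]
            denials[user] = [d for d in denials[user] if e["ts"] - d["ts"] <= MFA_WINDOW]
            if e["result"] == "denied":
                denials[user].append(e)
                if len(denials[user]) >= MFA_DENIALS and user not in fatigued:
                    fatigued.add(user)
                    alerts.append(alert("MFA fatigue", "high", user,
                                        "IAM on-call, 15 min: call the user", denials[user]))
            elif e["result"] == "approved" and user in fatigued:
                # An approval after a burst of denials is the outcome attackers push for.
                alerts.append(alert("MFA approved after repeated denials", "critical", user,
                                    "IR lead, 15 min: revoke sessions, reset credential",
                                    denials[user] + [e]))
        elif e["event"] == "group_change" and e["group"] in PRIV_GROUPS and e["action"] == "add":
            in_window = CHANGE_WINDOW[0] <= e["ts"].hour < CHANGE_WINDOW[1]
            if not in_window or "change_id" not in e:
                alerts.append(alert("privileged group add outside change process", "high",
                                    e["actor"], "IAM owner, 1 hour: confirm or revert", [e]))
    return alerts


if __name__ == "__main__":
    for a in triage(parse(RAW_EVENTS)):
        print(f"{a['severity'].upper():8} {a['rule']} ({a['subject']}) -> {a['response']}")
        for line in a["evidence"]:
            print("    ", line)
```

On the sample data the three alerts tell one story: an admin approves an MFA prompt after three denials, then adds a new account to Domain Admins at 02:15 with no change record. The second group change at 22:05 carries a change ID inside the window and is left alone, which is the point of the rule: the analyst sees the exception, not every admin change.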
7) Backup & Recovery: Prove It Works (Not "We Have Backups")
ECC includes backup and recovery management. Minimum requirements most orgs should implement:
- 3-2-1 rule mindset: three copies, on two different media, one off-site, plus an immutable or offline copy where feasible so ransomware cannot reach every copy
- Restore testing schedule
- RTO/RPO defined per critical system
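"Prove it works" means restoring from the backup alone, verifying the restored data, and timing it against the RTO and RPO agreed for that system. The following is an added example (not Sanam's code and not part of the original article) of such a restore test run end to end on constructed files: it takes a SHA-256 manifest at backup time, destroys the live copy, restores from the archive into a fresh location, and compares. The RTO/RPO values, paths and sample files are assumptions.

```python
"""Restore test with integrity verification and RTO/RPO verdicts.

Added example, not Sanam's code. Sample files, RTO/RPO values and paths are
assumptions; swap the tar archive for your real backup job and keep the rest.
"""
import hashlib
import os
import shutil
import tarfile
import tempfile
import time
from datetime import datetime, timedelta, timezone

RTO = timedelta(hours=4)    # assumption: agreed recovery time objective for this system
RPO = timedelta(hours=24)   # assumption: agreed recovery point objective (max data age)

SAMPLE_FILES = {            # constructed data standing in for a critical system
    "db/customers.csv": b"id,name\n1,Acme\n2,Bolt\n",
    "config/app.yaml": b"db: customers\nmode: prod\n",
}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map each file under root (relative path) to its SHA-256."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_of(full)
    return out


def backup(src, archive):
    """Archive src and return the manifest taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest(src)


def restore(archive, dest):
    """Extract the archive into an empty dest and return the restored manifest."""
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        # The "data" filter (Python 3.12+, backported to maintenance releases) blocks
        # path traversal from a tampered archive; fall back silently where absent.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)
    return manifest(dest)


def compare(expected, actual):
    """Return (mismatched_or_missing, unexpected_extra) relative paths."""
    bad = sorted(k for k in expected if actual.get(k) != expected[k])
    extra = sorted(set(actual) - set(expected))
    return bad, extra


def run_restore_test(backup_taken, tested_at):
    """Full cycle: write live data, back it up, wipe it, restore, verify, time it."""
    base = tempfile.mkdtemp()
    try:
        src = os.path.join(base, "live")
        archive = os.path.join(base, "system.tgz")
        dest = os.path.join(base, "restored")
        for rel, data in SAMPLE_FILES.items():
            path = os.path.join(src, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        expected = backup(src, archive)
        shutil.rmtree(src)           # the live copy is gone; only the backup may be used
        started = time.monotonic()
        actual = restore(archive, dest)
        elapsed = timedelta(seconds=time.monotonic() - started)
        bad, extra = compare(expected, actual)
        data_age = tested_at - backup_taken
        return {
            "files_verified": len(expected),
            "integrity_ok": not bad and not extra,
            "problems": bad + extra,
            "restore_time": elapsed,
            "rto_met": elapsed <= RTO,
            "data_age": data_age,
            "rpo_met": data_age <= RPO,
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    utc = timezone.utc
    result = run_restore_test(datetime(2025, 7, 1, 1, 0, tzinfo=utc),
                              datetime(2025, 7, 1, 9, 0, tzinfo=utc))
    for key, value in result.items():
        print(f"{key:15} {value}")
```

The report line per system (files verified, integrity, restore time versus RTO, backup age versus RPO) is exactly the evidence an assessor asks for under backup and recovery management, and a failed `rpo_met` tells you the schedule, not the restore, is the problem.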
8) Vulnerability Management + Penetration Testing (Done the Right Way)
ECC includes vulnerability management and penetration testing subdomains. A strong approach:
- Continuous vuln scanning (internal + external)
- Risk-based remediation SLAs
- Pen test used to validate defenses and detect logic flaws
9) Third-Party & Cloud: Contract + Technical Controls
ECC includes third-party cybersecurity and cloud computing/hosting cybersecurity. Minimum:
- Vendor risk assessments for critical suppliers
- Clear contract clauses (incident notification, access control, logs, data location)
- Cloud configuration baseline (IAM, logging, encryption, backups)
10) Evidence Pack: Build It as You Go
Do not leave evidence to the end. Create a simple evidence structure:
- Policies and approvals
- System configs (screenshots / exports)
- Log samples (with dates, so they show the control operating over time)
- Test reports (restore tests, pen tests, tabletop IR)
Deliverable: ECC evidence pack aligned by domain/subdomain
"Common ECC Gaps" Checklist (Quick Self-Audit)
If you want a fast internal temperature check, these are frequent gaps:
- No documented asset ownership and classification
- MFA missing on privileged accounts
- Flat network where IoT/CCTV shares paths with business systems
- Logs exist, but there is no triage process and no retention plan
- Backups exist, but restore tests are rare
- Vendor access is unmanaged or shared accounts are used
- Policies are present but not reviewed or enforced operationally
How Sanam Supports ECC Readiness (Practical Services)
Sanam typically supports ECC programs in four layers:
- Assessment & Roadmap: Gap analysis + prioritized plan
- Architecture & Implementation: IAM, network segmentation, hardening, monitoring
- Operationalization: Incident response workflow, audit readiness, evidence pack
- Managed Improvement: Monthly governance cadence + technical tuning
If you already have tools, we focus on making them "audit-credible"—proper scope, configuration, evidence, and operational routines.