
Navigating securely in the Cloud: Ensuring Security and Compliance for eSIM Cloud Adoption

Subscription Managers play a pivotal role in the eSIM ecosystem, providing the infrastructure for the remote management of eSIM-enabled devices. Their significance now extends beyond traditional on-premises deployments, as they increasingly turn to cloud-based hosting to run and scale their eSIM environments.

This evolution moves the eSIM landscape into a new era of efficiency and scalability. However, cloud migration also makes one requirement paramount: robust security measures that protect the integrity and confidentiality of the sensitive data at stake.

In this blog post, we embark on a journey to explore the requirements for securely hosting eSIM environments in the cloud, outlining GSMA requirements, with a strong focus on cryptography and the role of Hardware Security Modules.

To learn more about eSIM technology and how it relates to Hardware Security Modules, read the first part of this blog series: eSIM security concerns and how to solve them with Hardware Security Modules

The rise of eSIM – 3.4 billion reasons to move to the Cloud

eSIM is moving from trend to standard: While there were 1.2 billion eSIM-enabled devices in 2021, that number is expected to nearly triple to 3.4 billion eSIM devices by 2025.1

To accommodate this growing number of eSIM-related connections, a move to cloud deployment seems inevitable: it promises greater scalability and flexibility with minimal setup effort, and it is cost-effective.

Reasons why Mobile Network Operators (MNOs) are moving to the cloud:

  • Flexibility - Cloud environments are readily available and can be scaled up or down on demand.
  • Scalability - Cloud capacity can be expanded incrementally and adapted as new requirements emerge.
  • Costs - Obtaining compliance for every asset of an on-site installation is unlikely to be cost-effective. There are also numerous regulations to comply with, and compliance must be verified separately for each on-premises installation.

Moving your eSIM environment to the Cloud – The requirements

The journey to the cloud requires navigating through a number of regulatory checkboxes. Whenever eSIM management is involved, adherence to platforms certified by the GSMA becomes an essential requirement.

GSMA is the GSM Association, the industry body named after GSM (Global System for Mobile Communications). It represents the interests of stakeholders across the mobile ecosystem and defines the specifications, accreditation schemes and policy frameworks that keep that ecosystem secure, interoperable and future-proof.

For subscription-management deployments, including those hosted in the cloud, the GSMA Security Accreditation Scheme for Subscription Management applies: GSMA SAS-SM.

The GSMA defines certain requirements for cloud deployments as detailed in GSMA FS.18 SAS Consolidated Security Requirements and Guidelines (CSRG). The following are the areas that the GSMA will audit:

  1. Policy, strategy and documentation
  2. Organisation and responsibility
  3. Information
  4. Personnel security
  5. Physical security
  6. Certificate and key management
  7. Sensitive process data management
  8. SM-DP, SM-SR, SM-DP+ and SM-DS service management
  9. Computer and network management

For more detailed information, we recommend referring to the GSMA documents “SAS for Subscription Management (SAS-SM) Scope Definitions” and “Cloud Deployment of Subscription Management Solutions - Guidance for SAS-SM Auditees”.

The role of Hardware Security Modules in the GSMA SAS-SM certification

In eSIM environments, a large amount of sensitive data is involved: not only the subscriber profile and its credentials that are provisioned to the eSIM, but also sensitive assets of the MNO and of the subscription manager itself, such as the private keys and certificates used to authenticate and protect profile downloads.

To protect this sensitive information, the GSMA requires the use of a hardware security module (HSM) for the storage and use of cryptographic keys and certificates, so that private keys never leave certified hardware in clear form. The HSM also has to be certified to FIPS 140-2 Level 3 (or higher); note that NIST now validates new modules against the successor standard FIPS 140-3, so check the validity of a module's certificate when selecting one.

The GSMA distinguishes between two responsible actors that need to be audited in relation to a secure eSIM environment in the cloud:

  • a CSP providing Data Centre Operations and Management (DCOM) services to an SM service provider, and
  • an SM service provider that is hosting its SM solution on a CSP’s infrastructure.

The HSM is deployed either by the SM service provider or by the Cloud Service Provider (CSP). If the CSP offers hardware security modules as a managed service, then this service and its associated hardware assets fall within the CSP's audit scope; otherwise they fall within the SM service provider's scope.

Discover the best of both worlds: HSM as a Service hosted in a GSMA SAS-SM accredited data center

The CryptoServer Cloud is Utimaco's Hardware Security Module as a Service that integrates with Cloud Service Providers. It offers the same level of security as an on-premises HSM and removes the burden of setting up and operating the HSM infrastructure.

It is hosted in a GSMA SAS-SM accredited data center – making it the perfect solution for subscription managers hosting eSIM environments in the cloud.


The Author

Lena Backes is an IT marketing expert with more than 10 years of experience in the B2B sector. Over the course of her career she has gained broad knowledge in areas such as cybersecurity, network management, enterprise streaming and software asset management. In her current role she is responsible for positioning Utimaco's cybersecurity products and solutions, with a particular focus on data protection, blockchain technology and post-quantum cryptography.
