Navigating securely in the Cloud: Ensuring Security and Compliance for eSIM Cloud Adoption

Subscription Managers play a pivotal role in the eSIM ecosystem - providing the infrastructure for remote management of eSIM enabled devices. Their significance, however, now extends beyond traditional boundaries as they direct their focus towards cloud-based deployments to host and optimize eSIM environments. 

This evolution propels the eSIM landscape into a new era of efficiency and scalability However, in this age of cloud migration, a critical requirement becomes paramount-the need for robust security measures to protect the integrity of the sensitive data at stake.

In this blog post, we embark on a journey to explore the requirements for securely hosting eSIM environments in the cloud, outlining GSMA requirements, with a strong focus on cryptography and the role of Hardware Security Modules.

To learn more about eSIM technology and how it relates to Hardware Security Modules, read the first part of this blog series: eSIM security concerns and how to solve them with Hardware Security Modules

The eSIM uprise – 3.4 billion reasons to move to the Cloud

eSIM is moving from trend to standard: While there were 1.2 billion eSIM-enabled devices in 2021, that number is expected to nearly triple to 3.4 billion eSIM devices by 2025.¹

To accommodate this growing number of eSIM-related connections, the move to cloud deployment seems inevitable, promising greater scalability, flexibility, with minimal effort, while also being cost-effective.

Reasons why Mobile Network Operators (MNOs) are moving to the cloud:

• Flexibility - Cloud environments are readily available, offer flexibility, and can be scaled up or down.
• Scalability - Cloud service expansion can be incremental and adapted as new requirements progress.
• Costs - Obtaining compliance for each asset in an on-site installation is unlikely to be cost effective. There are also numerous regulation to comply with and must be verified for each on-premises installation.

Moving your eSIM environment to the Cloud – The requirements

The journey to the cloud requires navigating through a number of regulatory checkboxes. Whenever eSIM management is involved, adherence to platforms certified by the GSMA becomes an essential requirement.

GSMA stands for Global System for Mobile Communications. The organization represents the interests of stakeholders of the mobile ecosystem and defines regulations and policy frameworks for a secure, interoperable, and future-proof environment.

For cloud environments, the security accreditation scheme (SAS) for subscription management applies: GSMA SAS-SM.

The GSMA defines certain requirements for cloud deployments as detailed in GSMA FS.18 SAS Consolidated Security Requirements and Guidelines (CSRG). The following are the areas that the GSMA will audit:

1. Policy, Strategy, and Documentation
2. Organization and Responsibility
3. Information
4. Personnel Security
5. Physical Security
6. Certificate and Key Management
7. Sensitive Process data management
8. SM-DP, SM-SR, SM-DP+ and SM-DS Service Management
9. Computer and Network management

For more detailed information, we recommend to refer to the document “SAS for Subscription Management (SAS-SM) Scope Definitions” and “Cloud Deployment of Subscription Management Solutions - Guidance for SAS-SM Auditees”.
 

The role of Hardware Security Modules in the GSMA SAS-SM certification

In eSIM environments, a large amount of sensitive data is involved: Not only the subscriber profile and data is stored on the eSIM, but also certain sensitive data of the MNO, such as credentials and certificates.

To protect this sensitive information, the GSMA requires the use of a hardware security module (HSM) for the storage and usage of cryptographic keys and certificates. The HSM also has to be FIPS 140-2 level 3 certified.

The GSMA distinguishes between two responsible actors that it will need to be audited in relation to a secure eSIM environment in the cloud:

• a CSP providing Data Centre Operations and Management (DCOM) services to an SM service provider, and
• an SM service provider that is hosting its SM solution on a CSP’s infrastructure.

The HSM is deployed by the Subscription management provider or the Cloud Service Provider (CSP). If the CSP offers hardware security modules (HSM) as a managed service, then this service and associated hardware assets will be within the CSP audit scope.

Discover the best of both worlds: HSM as a Service hosted in a GSMA SAS-SM accredited data center

The CryptoServer Cloud is the Hardware Security Module as a Service that integrates seamlessly with Cloud Service Providers. It offers the same level of security as an on-premise HSM and alleviates concerns about setting up the infrastructure.

It is hosted in a GSMA SAS-SM accredited data center – making it the perfect solution for subscription managers hosting eSIM environments in the cloud.
 

^{1. https://www.mobiliseglobal.com/50-esim-statistics-in-2023/}