AWS for Industries

Implementing a GSMA Compliant Remote SIM Provisioning Workload on AWS

A technology shift is underway in telecom as devices evolve beyond removable physical Subscriber Identity Module (SIM) cards in favor of embedded Universal Integrated Circuit Cards (eUICCs) and electronic SIMs (eSIMs). This shift is largely driven by the rise of the Internet of Things (IoT), where devices are deployed and managed at scale, which makes the manual processes associated with physical SIMs operationally infeasible. Equally applicable to consumer devices, eSIMs simplify subscription management, allow for more compact device form factors, ease distribution logistics, and enable remote device management. In 2023, the global eSIM market value is estimated at USD 4.7b and projected to grow to USD 16.3b by 2027 [1].

The growth of eSIM has given rise to an ecosystem of subscription management services that provision operator profiles onto eSIMs and manage them over their lifetime. In keeping with the rising trend of cloud usage for Information Technology (IT) applications, eSIM subscription management services are also transitioning to the cloud.

GSMA, a non-profit industry organization representing the interests of mobile network operators worldwide, has long defined the Security Accreditation Scheme (SAS), a security standard and audit-based certification scheme covering various aspects of eSIM production and management. GSMA recently modernized this standard. Specifically, the SAS Subscription Management (SAS-SM) standard was expanded to allow Remote SIM Provisioning (RSP) applications to meet their infrastructure requirements on the public cloud and transition away from on-premises data centers. This has enabled eSIM solution providers to benefit from the elasticity, scalability, security, cost optimization, and smaller carbon footprint that come with using the public cloud.

1oT is modernizing the IoT connectivity environment with an eSIM connectivity service that reduces vendor lock-in and prioritizes speed and flexibility for IoT deployments. 1oT offers both embedded and plastic SIMs that can access several pre-negotiated telecom deals. In August 2022, 1oT launched its eSIM RSP infrastructure on Amazon Web Services (AWS), making it the first carrier-independent eSIM connectivity service provider with its own RSP infrastructure and connectivity management platform (CMP). The solution simplifies the operational overhead for IoT device providers, Original Equipment Manufacturers (OEMs), and enterprises, which no longer have to negotiate separate connectivity agreements and contracts with multiple service providers worldwide, or keep track of multiple contracts and invoices each month. Instead, they have one eSIM for global deployments, one CMP, and one invoice. The new eSIM infrastructure, 1oT eSIM Core, is an end-to-end solution that enables eSIM for IoT and consumer devices. Since 1oT also white-labels 1oT eSIM Core and 1oT Terminal, Mobile (Virtual) Network Operators (M(V)NOs) can offer advanced eSIM connectivity for connected devices.

In this post co-authored by 1oT and AWS, we explore how 1oT implemented this solution on AWS in compliance with the GSMA SAS-SM security standard.

1oT eSIM Core is an RSP solution that has been designed in accordance with GSMA specifications for RSP architectures (M2M SGP.01/.02/.11 and Consumer SGP.21/.22/.23).

Figure 1: Scope of 1oT’s eSIM core solution on AWS

The 1oT eSIM core consists of four nodes, as shown in the preceding figure:

  • Subscription Manager – Data Preparation (SM-DP) – responsible for the creation, generation, management, and protection of profiles for M2M eSIMs, and for installing them on the eUICC through the SM-SR.
  • Subscription Manager – Secure Routing (SM-SR) – manages the state of the profiles on M2M eSIMs (enabling, disabling, and deleting them) and provides the secure transport to the device.
  • Subscription Manager – Data Preparation + (SM-DP+) – responsible for the creation, generation, management, and protection of profiles for Consumer eSIMs, and for delivering them directly to the device.
  • Subscription Manager – Discovery Service (SM-DS) – lets an SM-DP+ register an event so that a Consumer device (and its eSIM) can discover that the SM-DP+ wishes to communicate with it.

1oT’s eSIM Core is implemented in the AWS Paris Region, using multiple Availability Zones (AZs) for high availability and reliability of its nodes (SM-DP, SM-SR, SM-DP+, and SM-DS). Supporting infrastructure (database servers, data transfer servers, management servers, and jump hosts) runs on Amazon Elastic Compute Cloud (Amazon EC2) instances created from preconfigured Amazon Machine Image (AMI) templates and attached to Amazon Elastic Block Store (Amazon EBS) volumes. The instances are protected with dedicated Security Groups and placed in Amazon Virtual Private Cloud (Amazon VPC) networks, which are further segregated into the security zones that SAS-SM specifies, each zone in its own subnet with its own Network Access Control List (NACL).

AWS Network Firewall, including its intrusion detection and prevention (IDS/IPS) capability, is the primary point for filtering inbound and outbound traffic of each VPC environment. With auto scaling, 1oT can match compute capacity to demand without overprovisioning, optimizing cost while still meeting customers’ expected service levels. The following figure shows the deployed architecture.

In addition, 1oT’s workflows use further AWS services for security, reliability, performance, and operations purposes, as shown in the implementation architecture figure.

Figure 2: Implementation architecture

Since 2021, AWS has worked with GSMA auditors to certify two AWS Regions (eu-west-3, Paris, and us-east-2, Ohio) and the services in those Regions as compliant with the Data Center Operations and Management (DCOM) requirements subset of SAS-SM. This reduces the compliance burden on eSIM RSP solution providers, which inherit these GSMA-certified data center controls; the remaining SAS-SM requirements, covering the RSP application and its operation, stay with the provider. The AWS certification therefore allowed 1oT to focus on the compliance of its own RSP application built to run on top of the AWS Cloud.

An eSIM RSP application handles sensitive cryptographic key material, which forms the basis of authentication and authorization between networks and devices. This key material is stored in a Hardware Security Module (HSM). GSMA’s modernization of SAS-SM for cloud deployment is still evolving and does not yet accommodate the use of cloud-based HSM services. To work within this limitation, 1oT implemented its HSM on premises in a highly secure data center in Estonia, powered by 100% renewable energy. The eSIM core infrastructure in the AWS Cloud integrates redundantly with the on-premises HSM, as shown in the following figure. Data in transit is protected by a TLS 1.2-encrypted interface with mutual authentication between the RSP workload on AWS and the on-premises HSM, so each end accepts only a peer that presents a trusted certificate. The interconnection is established over the public internet and traverses the Internet Gateway (IGW) and an AWS Network Firewall, where traffic policies are enforced. AWS Direct Connect is an option for future deployments.

Figure 3: Interaction with an on-premises HSM
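The RSP-to-HSM link described above relies on mutual TLS: each side proves its identity with a certificate issued by a CA the other side trusts, and the HSM side refuses any client that cannot. The following Go program is an added example, not 1oT’s or any HSM vendor’s code. It shows the two policies side by side and exercises them over a loopback connection: a throw-away in-memory CA (constructed here) issues one certificate to a stand-in for the HSM endpoint and one to a stand-in for the RSP workload; the HSM listener floors the protocol at TLS 1.2 and requires a client certificate chaining to that CA; an authenticated client completes a session and an unauthenticated one is refused. The names hsm.example.internal and rsp-workload are placeholders, and the loopback listener stands in for the real path through the IGW and AWS Network Firewall.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// panicIf aborts on error; fine for a demo PKI, not a pattern for production code.
func panicIf(err error) {
	if err != nil {
		panic(err)
	}
}

// mustCert mints a P-256 key and certificate for an in-memory PKI constructed for
// this demo (not 1oT's or any HSM vendor's material). parent == nil yields a
// self-signed CA; otherwise a leaf signed by parent, valid for the loopback address.
func mustCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	panicIf(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	panicIf(err)
	cert, err := x509.ParseCertificate(der)
	panicIf(err)
	return cert, key
}

// policy is the mTLS policy shared by both ends: TLS 1.2 as the floor, trust only the
// private CA (never the system roots), present our own certificate. The HSM side
// passes RequireAndVerifyClientCert so that a peer without a valid cert is refused.
func policy(ca, cert *x509.Certificate, key *ecdsa.PrivateKey, auth tls.ClientAuthType) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: pool, ClientCAs: pool, ClientAuth: auth}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}
	}
	return cfg
}

// roundTrip opens a session to addr, sends one byte and expects it echoed. A refused
// client fails here whether the alert arrives inside the handshake (TLS 1.2) or only
// on the first read after it (TLS 1.3 delivers the server's verdict later).
func roundTrip(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	if _, err := conn.Write([]byte{0x01}); err != nil {
		return err
	}
	_, err = conn.Read(make([]byte, 1))
	return err
}

// Demo runs an in-process stand-in for the HSM endpoint and reports whether an RSP
// client holding a CA-issued certificate succeeds and one without is refused.
func Demo() (mutualOK, anonRefused bool) {
	ca, caKey := mustCert("demo-private-ca", nil, nil)
	hsmCert, hsmKey := mustCert("hsm.example.internal", ca, caKey) // placeholder name
	rspCert, rspKey := mustCert("rsp-workload", ca, caKey)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", policy(ca, hsmCert, hsmKey, tls.RequireAndVerifyClientCert))
	panicIf(err)
	defer ln.Close()
	go func() { // echo loop; the server's first Read drives the TLS handshake
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			io.Copy(c, c) // returns when the peer closes, or when its handshake fails
			c.Close()
		}
	}()
	mutualOK = roundTrip(ln.Addr().String(), policy(ca, rspCert, rspKey, tls.NoClientCert)) == nil
	anonRefused = roundTrip(ln.Addr().String(), policy(ca, nil, nil, tls.NoClientCert)) != nil
	return mutualOK, anonRefused
}

func main() { fmt.Println(Demo()) }
```

MinVersion only sets a floor: two modern peers will negotiate TLS 1.3 when both support it, which is why roundTrip checks the first application-data read rather than trusting a successful handshake. In a real deployment the CA and end-entity keys live in HSM-backed storage and are never minted in process as this demo does.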

In addition, 1oT uses AWS Key Management Service (AWS KMS), whose key material is protected by hardware security modules validated to FIPS 140-2 Level 3 (AWS KMS can optionally be backed by an AWS CloudHSM cluster through a custom key store). This service creates and manages the KMS keys used for data protection at rest, such as Amazon EBS volume encryption for the EC2 instances and encryption of data held in the other AWS-managed services used throughout the SM solution. These KMS keys protect data at rest within AWS; the eSIM cryptographic key material itself remains in the on-premises HSM described above.

Conclusion

1oT’s eSIM subscription management solution provides a powerful, flexible, complete, and secure eSIM solution that reduces operational complexities associated with connectivity for IoT and consumer device providers.

By using AWS, 1oT was able to implement a cloud-native architecture without the constraints and technical debt of legacy systems. Additionally, 1oT leveraged the GSMA-certified AWS cloud infrastructure to launch a security-certified solution in under six months.

Disclaimer

This document is provided for the purposes of information only; it is not legal advice, and should not be relied on as legal advice. Customers are responsible for making their own independent assessment of the information in this document. This document: (a) is for informational purposes only, (b) represents current AWS product offerings and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from AWS and its affiliates, suppliers or licensors. AWS products or services are provided “as is” without warranties, representations, or conditions of any kind, whether express or implied. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

AWS encourages its customers to obtain appropriate advice on their implementation of privacy and data protection environments, and more generally, applicable laws and other obligations relevant to their business.

[1] https://www.statista.com/topics/9909/esim/#topicOverview

Kal Krishnan

Kal Krishnan is a telecom industry specialist with AWS Security. Since 2019 he has led a global program focused on helping AWS’s telecom customers achieve their security and compliance goals on their cloud journey. He has over 25 years of experience working on multiple generations of mobile network technologies. Prior to joining AWS, he was a Technical Fellow in the field of emergency calling and wireless location.

Marcin Kulczycki

Marcin Kulczycki is currently the eSIM Product Manager at 1oT. His primary responsibility is overseeing the launch and maintenance of 1oT's Subscription Management (RSP) environments, including M2M and Consumer variants. Before joining the team at 1oT, Marcin worked with various players in the telecommunications industry, including SIM vendors, BSS/OSS systems providers, MVNO operators, and mobile industry associations.