Do-It-Yourself eSIM RSP (part III)
If you want to decide whether hosting your own RSP will be beneficial to your business, you need to have a clear understanding of what this entails. Within this chapter we describe the core components required to establish an efficient RSP service that puts you in control.
Before Service Providers can offer eSIM RSP services they must pass an audit according to the GSMA's Security Accreditation Scheme for Subscription Management (SAS-SM). This is intended to ensure that the service is provided in accordance with the security expectations of GSMA's members from the global Mobile Network Operator community. Compared to solutions that are outside GSMA's accreditation scheme, SAS-SM adds a significant layer of complexity concerning infrastructure. Yes, you can build your own infrastructure, buying hardware for processing power, memory, data storage and the like, renting a secure site and hiring expert staff.
But even if you already have your own datacentre in place, chances are you have started to plan the migration to the cloud. Why? Because cloud focuses on delivering:
- Cost savings - eliminating capital expense of buying hardware and software and reducing operational expense of running an on-site datacentre
- Scalability - getting the right amount of resources when needed from the geographic location where needed
- Reliability - mirroring data at multiple redundant sites on the cloud provider’s secured network for data backup and disaster recovery
The following diagram shows the deployment options with respect to the three key components of an RSP solution:
- Ops: operations terminal for administrative access
- RSP-SW: eSIM management application
- HSM: Hardware Security Module, protecting key material in purpose-built hardware
Private Cloud maintains services and infrastructure on a private network and is exclusively used by a single organization. It can be located on-premise or hosted by a third-party service provider. SAS-SM security certification must be performed for both sites under the single responsibility of the RSP service owner.
Public Cloud is owned and operated by third-party service providers delivering their computing resources over the Internet to multiple tenants. IBM Cloud, Microsoft Azure, Amazon Web Services (AWS) and Google Cloud are examples of public cloud. The latter three offer SAS-SM certified datacentres in specific regions and are therefore ideally positioned to host RSP solutions.
Hybrid Cloud allows data and applications to be split between private and public cloud, which might be required in specific cases to utilise existing infrastructure or to comply with data sovereignty regulation.
Applications were traditionally built as monolithic pieces of software. Monolithic applications have long life cycles, are updated infrequently and changes usually affect the entire application. Adding new features requires reconfiguring and updating the entire stack, from communications to security. This costly and cumbersome process delays time-to-market and updates in application development. Modern software, especially for high performance applications within the telco sphere, should be designed based on a microservices architecture and packaged in containers to avoid these pitfalls.
Microservices are an architectural concept for building a distributed application. They break an application into independent, loosely-coupled, individually deployable services. This architecture allows each service to scale or be updated (typically behind a service proxy) without disrupting the other services in the application, and it enables the rapid, frequent and reliable delivery of large, complex applications.
Containers are a lightweight and efficient way for applications to move between environments and run independently. Everything needed to run the application, except for the shared operating system on the server, is packaged inside the container object: code, run-time environment, system tools, libraries and dependencies.
There are substantial benefits of these two concepts that include:
- Resilience, so an application still functions if a part of it goes down because microservices allow for quickly deploying a replacement
- Scalability, by meeting demand more efficiently when microservices only scale the necessary components
- Lifecycle automation, with individual components of microservices that easily fit into continuous delivery pipelines
It’s not that long ago that open source was called into question for business environments, but that has changed profoundly: open source has instead become a vital enabler of large-scale systems. To host an efficient, light-weight RSP solution it is important to select tools that are well known throughout the industry and have strong communities.
Below are some of the tools we love to work with:
- Docker: a set of tools for building and running software in containers
- Kubernetes: an orchestration tool for managing your applications running in containers
- PostgreSQL: also known as Postgres, a free and open-source relational database management system (RDBMS) emphasizing extensibility and SQL compliance
- Prometheus: a monitoring and alerting toolkit. It consists of a time-series database and some tools to collect metrics from applications or servers
- Grafana: a dashboarding tool. Grafana lets you create visual dashboards from data stored in different places, including Prometheus
- Elasticsearch: a search engine used to analyse log files, often combined with Logstash and Kibana to gather logs from servers and applications; when these three tools are combined it’s called the “ELK stack”
- Nginx: an open-source web application server targeting multi-language microservices-based applications
GSMA System Certificates
We mentioned this before but due to its significance, it’s worth repeating. Before a company that is hosting its own RSP system can offer the service, it must perform a security audit according to the GSMA's Security Accreditation Scheme (SAS-SM).
In the words of GSMA, “the Security Accreditation Scheme (SAS) enables mobile operators, regardless of their resources or experience, to assess the security of their SIM and eSIM suppliers, and of their eSIM subscription management service providers”.
Only after a successful audit will a company be able to request the signed system certificates that are required for the RSP service to interact with the open eSIM ecosystem. This setup reflects the belief that eSIM services will always be provided by established manufacturers to the MNO community, in a continuation of the existing SIM business model. However, this is far from a certainty. With infrastructure moving to the cloud and large-scale adoption of eSIM as the preferred subscription lifecycle management mechanism, the case for hosting an RSP service is getting continuously stronger, not only for Infrastructure and Service Providers, but for Mobile Network Operators themselves as well.
While the SAS-SM audit - by definition a supplier accreditation procedure - is a reasonable requirement for external providers that are offering their products and services to MNOs, it is less clear what its benefit would be for Mobile Network Operators that want to host the RSP service in-network. In our view this makes it likely that those Mobile Network Operators will be able to receive the RSP system certificates either without the SAS-SM audit or with a lighter version of it.
The MNO Profile
The core functionality of the operator profile, from inception of the first digital mobile standard GSM to the current 5G releases, is the storage of subscriber credentials and the implementation of algorithms and applications used for network access authentication. Its role in the 3GPP Authentication and Key Agreement (AKA) remains a key feature of cellular mobile network security and has not changed with the introduction of eSIM, other than adding the capability to load several profiles onto a single chip and manage them remotely.
To accomplish remote profile provisioning and management in a high-security manner, on par with existing SIM manufacturing processes, three new types of Security Domains have been introduced to the eSIM architecture:
- ISD-R: root security domain managing the state of all profiles
- ISD-P: profile security domain created for each profile during provisioning
- ECASD: crypto security domain for key establishment and authentication services
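To make the division of labour between ISD-R and ISD-P concrete, here is a small state model of how the root security domain tracks the profile security domains it manages. This is an added example written for this post, not code from the original article or from any eSIM vendor; it encodes the rules stated above (one ISD-R, one ISD-P per installed profile) plus two constraints from the consumer eSIM specification that the text does not spell out: only one profile is enabled at a time, and a profile must be disabled before it can be deleted. All class and function names, and the ICCID values, are constructed for the example.

```python
"""Minimal model of ISD-R lifecycle management over ISD-P profiles.

Added example (not from the post). Simplifications: no key material, no
SM-DP+ interaction; the `notifications` list only stands in for the
events a real eUICC reports back to the RSP platform.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class ProfileState(Enum):
    DISABLED = "disabled"
    ENABLED = "enabled"


class ProfileStateError(Exception):
    """Raised when an operation violates the profile lifecycle rules."""


@dataclass
class IsdP:
    """Profile security domain: created once per provisioned profile."""
    iccid: str
    state: ProfileState = ProfileState.DISABLED


@dataclass
class IsdR:
    """Root security domain: owns the state of every ISD-P on the chip."""
    profiles: Dict[str, IsdP] = field(default_factory=dict)
    notifications: List[str] = field(default_factory=list)

    def install(self, iccid: str) -> IsdP:
        # Provisioning creates a fresh ISD-P; duplicate ICCIDs are rejected.
        if iccid in self.profiles:
            raise ProfileStateError(f"profile {iccid} already installed")
        profile = IsdP(iccid)
        self.profiles[iccid] = profile
        self.notifications.append(f"install {iccid}")
        return profile

    def enabled_iccid(self) -> Optional[str]:
        for profile in self.profiles.values():
            if profile.state is ProfileState.ENABLED:
                return profile.iccid
        return None

    def enable(self, iccid: str) -> None:
        # Enabling one profile implicitly disables the currently enabled one,
        # so the invariant "at most one enabled profile" always holds.
        target = self._get(iccid)
        current = self.enabled_iccid()
        if current == iccid:
            return  # idempotent
        if current is not None:
            self.profiles[current].state = ProfileState.DISABLED
            self.notifications.append(f"disable {current}")
        target.state = ProfileState.ENABLED
        self.notifications.append(f"enable {iccid}")

    def disable(self, iccid: str) -> None:
        profile = self._get(iccid)
        if profile.state is ProfileState.ENABLED:
            profile.state = ProfileState.DISABLED
            self.notifications.append(f"disable {iccid}")

    def delete(self, iccid: str) -> None:
        # An enabled profile cannot be deleted: the device would lose service
        # silently, so the rule forces an explicit disable first.
        profile = self._get(iccid)
        if profile.state is ProfileState.ENABLED:
            raise ProfileStateError(f"profile {iccid} must be disabled before delete")
        del self.profiles[iccid]
        self.notifications.append(f"delete {iccid}")

    def can_delete(self, iccid: str) -> bool:
        return iccid in self.profiles and self.profiles[iccid].state is ProfileState.DISABLED

    def _get(self, iccid: str) -> IsdP:
        try:
            return self.profiles[iccid]
        except KeyError:
            raise ProfileStateError(f"no such profile {iccid}") from None


def demo() -> List[str]:
    """Walk two constructed profiles through install/enable/switch/delete."""
    isdr = IsdR()
    isdr.install("89000000000000000001")  # constructed ICCID
    isdr.install("89000000000000000002")  # constructed ICCID
    isdr.enable("89000000000000000001")
    isdr.enable("89000000000000000002")   # implicitly disables ...0001
    isdr.delete("89000000000000000001")
    return isdr.notifications


if __name__ == "__main__":
    for event in demo():
        print(event)
```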
The MNO profile that is provisioned onto the eSIM includes the following components:
- MNO-SD (MNO Security Domain): managing applications in the profile on behalf of the MNO, performing the same function as ISD (Issuer Security Domain) on SIM
- NAA (Network Access Application): such as SIM and USIM, which are selected by the device to access the related mobile network
- File System: containing data files that store subscriber and network information
- Applets (optional): programs for additional functions the MNO may want to execute within the profile, for example steering of preferred roaming partners
To guarantee that MNO profiles can work across various provider systems, the industry agreed to use a standardised description of its content. MNO profiles for eSIM have to comply with the format defined in the “Interoperable Profile Package Description” specification of the Trusted Connectivity Alliance (TCA), formerly known as SIM Alliance.
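The TCA interoperable profile package is an ASN.1 structure encoded with DER, so the first thing an RSP service does with a profile it receives from a profile developer is decode a tag/length/value stream from untrusted input. The following is an added example for this post, not code from the original article or from the TCA specification: a defensive DER TLV walker that rejects truncated, non-minimal or indefinite lengths and values that overrun their container before anything is handed to a full ASN.1 decoder. The sample bytes and the function names are constructed for the example; the tags used in the sample do not reproduce the specification's own ProfileElement tags.

```python
"""Defensive DER TLV walker for inspecting a received profile package.

Added example (not from the post or the TCA spec). Only the generic
tag/length/value layer is decoded; the sample payload is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

MAX_DEPTH = 16        # profile packages are shallow; deeper nesting is suspect
MAX_LENGTH_OCTETS = 4  # lengths beyond 32 bits are never legitimate here


class DerError(ValueError):
    """Raised for any structural problem in the DER stream."""


@dataclass
class Tlv:
    tag: int               # identifier octets packed into an int
    constructed: bool
    value: bytes
    children: Optional[List["Tlv"]]


def _read_tag(buf: bytes, pos: int):
    if pos >= len(buf):
        raise DerError("truncated tag")
    first = buf[pos]
    pos += 1
    tag = first
    if first & 0x1F == 0x1F:  # high-tag-number form: continue while bit 8 set
        while True:
            if pos >= len(buf):
                raise DerError("truncated tag")
            b = buf[pos]
            pos += 1
            tag = (tag << 8) | b
            if not b & 0x80:
                break
    return tag, bool(first & 0x20), pos


def _read_length(buf: bytes, pos: int):
    if pos >= len(buf):
        raise DerError("truncated length")
    b = buf[pos]
    pos += 1
    if b < 0x80:
        return b, pos                      # short form
    if b == 0x80:
        raise DerError("indefinite length is not allowed in DER")
    n = b & 0x7F
    if n > MAX_LENGTH_OCTETS:
        raise DerError("length field too long")
    if pos + n > len(buf):
        raise DerError("truncated length")
    length = int.from_bytes(buf[pos:pos + n], "big")
    pos += n
    # DER requires the shortest encoding: no leading zero octet, and no
    # long form for values that fit the short form.
    if length < 0x80 or (length >> (8 * (n - 1))) == 0:
        raise DerError("non-minimal length encoding")
    return length, pos


def parse(buf: bytes, pos: int = 0, end: Optional[int] = None, depth: int = 0) -> List[Tlv]:
    """Decode every TLV between pos and end; recurse into constructed ones."""
    if end is None:
        end = len(buf)
    if depth > MAX_DEPTH:
        raise DerError("nesting too deep")
    items: List[Tlv] = []
    while pos < end:
        tag, constructed, pos = _read_tag(buf, pos)
        length, pos = _read_length(buf, pos)
        if pos + length > end:
            raise DerError(f"value of tag 0x{tag:x} overruns its container")
        value = buf[pos:pos + length]
        children = parse(buf, pos, pos + length, depth + 1) if constructed else None
        items.append(Tlv(tag, constructed, value, children))
        pos += length
    return items


def is_well_formed(hexstr: str) -> bool:
    """Accept/reject gate a service could apply before deeper processing."""
    try:
        parse(bytes.fromhex(hexstr))
        return True
    except DerError:
        return False


# Constructed sample: a SEQUENCE holding an OCTET STRING (a made-up ICCID),
# a primitive context tag [0] and a constructed context tag [1] with an INTEGER.
SAMPLE_HEX = "3016" "040a89001234567890123456" "8003010203" "a103020101"

if __name__ == "__main__":
    for item in parse(bytes.fromhex(SAMPLE_HEX))[0].children:
        print(f"tag 0x{item.tag:02x} constructed={item.constructed} value={item.value.hex()}")
```

The walker stores the raw value of constructed elements as well as their decoded children, so a caller can both inspect the tree and re-hash the original bytes when verifying a signature over the package.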
Because the profile was an indivisible element of the plastic SIM it usually was developed by SIM manufacturers as part of the SIM contract. Few companies were able to insert themselves into the value-chain and offer independent profile development capabilities. This inefficiency came at a price - with the ubiquitous use of smartphones a great deal of functionality moved to the device, especially related to personal subscriber data. Consequently, there are now few applications which add substantial value when placed within the profile, rather than the device. Just one example is the complex phonebook structure often defined within MNO profiles, taking up half its memory, even though smartphones manage this function anyway much more conveniently.
eSIM is changing the landscape by breaking the plastic SIM’s bond between digital profile and chip hardware, and with it the deep-rooted incentives for the inclusion of avoidable but memory-demanding functions. A new breed of specialised companies with expert domain knowledge in telecom embedded technology is coming to market that offers MNO profile development, either as a service or through open-market tools. This is not only much more efficient but also gives the Mobile Network Operator complete ownership of its own profiles.
In the next post we guide you through the process of building an efficient, scalable and reliable eSIM RSP Management service.