The GSMA have created two Security Accreditation Schemes (SAS) to enable mobile operators to assess the security of their SIM and eSIM suppliers, as well as their eSIM subscription management service providers.
#1: SAS for UICC Production (SAS-UP), a scheme through which SIM and eSIM manufacturers subject their production sites and processes to a comprehensive security audit.
#2: SAS for Subscription Management (SAS-SM), the scheme for the providers of eSIM subscription management services to ensure industry confidence in the security of remote eSIM provisioning. This covers all defined system components and does not distinguish between M2M and consumer applications.
In this article we focus on the SAS-SM scheme and its central terms (asset, threat and security objective) and give a brief overview of the actual audit procedure.
The SAS-SM is defined only for activities within eSIM Remote Provisioning and Management:
- eSIM life-cycle and processes in the scope of SM-SR
- Profile life-cycle and processes in the scope of SM-DP and SM-DP+
- SM-DS processes
Each system component involves specific assets that need to be protected.
These assets can be of the following types:
- Information (files, metadata, keys, ...)
- Processes
- Systems
Within SM-DP, SM-SR, SM-DP+ or SM-DS, the processes, information assets and system assets must be controlled and closely supervised so that they are secure.
Besides a precise definition of assets, it is important to define the threats against which protection shall be achieved.
These are in general loss of availability, confidentiality and integrity.
The following list, though not exhaustive, provides a view of the threat landscape when mapped against the defined assets:
- Loss, theft, or unrequested or unauthorized removal
- Accidental or deliberate cross-contamination of assets
- Disclosure of classified information
- Unauthorised modification of classified information causing loss of integrity through error or malevolence
- Fake Actor accepted as an authorized entity
- Unauthorized Platform Management requests sent to remote entities, for example SM-SR
- Unauthorized Profile Management commands sent to remote entities, for example SM-SR and eSIM
- Accidental or deliberate loss of availability of SM-DP, SM-SR, SM-DP+ and SM-DS functionality
- Accidental or deliberate security failure
By defining assets and threats, the context for the core of the scheme is established: the definition of security objectives that must be met to protect all assets from security risks.
The security objectives can be summarized as follows:
- Process-Control: control processes to prevent clone, mismatch and anomalies of processes and any non-conforming actions due to use of non-compliant components
- Data-Protection: control, manage and protect data against loss of integrity and confidentiality
- Secure-Process-Flow: guarantee a secure process flow to prevent theft, loss and misappropriation of assets
- Auditable: manage elements that are specified as auditable to look for possible or real security violations
- Separation: independence of different customer data is always achieved to prevent one customer’s data being disclosed to another customer
- Fake-Authentication: guarantee that fake remote entity authentication is discovered to prevent illegitimate action from fake entities
- Availability: availability is within defined SLAs to prevent loss of service availability and maintain business continuity
- Functionality: guarantee secure SM-DP, SM-SR, SM-DP+ or SM-DS functionality to prevent theft, loss or misappropriation of assets
For processes to be considered secure, certain requirements must be met, which apply across the different GSMA SAS schemes.
These requirements are specified in the SAS Consolidated Security Requirements (CSR) document and cover the following areas:
- Policy, strategy and documentation (including business continuity planning)
- Organisation and responsibility
- Information
- Personnel security
- Physical security
- Certificate and key management
- Sensitive process data management
- SM-DP, SM-SR, SM-DP+ and SM-DS service management (SAS-SM only)
- Computer and network management
These requirements are considered minimum security requirements for the environment in which the service is used.
As part of the audit, the Service Provider has to show that the requirements are met by established processes for which evidence of correct operation exists.
Once an organisation has completed the preparation, it can proceed with the audit procedure, which is described in the SAS-SM Methodology document.
The process involves the following main steps:
- Dry Audit: to obtain SAS-SM provisional certification valid for 9 months using test data
- Wet Audit: to upgrade the provisional certification to full certification using live data
- Renewal Audit: to maintain certification at the end of the full certification period
If the required security standard at an audit is not met, an on-site repeat audit may be necessary.
However, depending on the nature and number of non-compliant areas, it may be possible for the auditors to review evidence of the necessary improvements off-site.
Audits for SAS-SM are conducted on behalf of the GSMA by NCC Group and SRC Security Research & Consulting GmbH.
Conclusion:
When an organisation wants to operate eSIM Subscription Management services, it must perform an audit according to the GSMA's Security Accreditation Scheme (SAS-SM).
It is without a doubt a significant task. On the other hand, the benefits of in-house eSIM Management are substantial, and many of the areas concerned are most likely covered by existing Information Security Management Systems.
This is especially true for mobile network operators, which were the driving force behind SAS certification in the first place, to ensure that suppliers provide security levels similar to their own.
It places MNOs in a rather unique position to take full control of the eSIM profile provisioning process by building and operating their own independent Subscription Management service.
We can enable your service with our complete suite of SM solutions that are ready for SAS-SM certification and that have already been successfully deployed in certified environments.
Relevant GSMA documents:
- FS.08 SAS SM Standard 3.0
- FS.09 SAS SM Methodology 7.0
- FS.17 SAS Consolidated Security Requirements 6.0