eSIM Series: Why eSIM Certification and Interoperability Matter

Tags: eSIM
Written by
Rameez Sultan

1oT is launching its eSIM (eUICC) at Mobile World Congress 2019 this February, and as this launch has proven to be an educational journey for us, we believe this knowledge should be shared. This is the second post in the series, following our previous post, "eSIM Series: Everything there is to know about eSIM". With this post, we would like to shed light on one of the main cornerstones of choosing the correct eSIM and Remote SIM Provisioning platform.

Yes, you guessed correctly: let's talk about the significance of certification, which leads to a compliant, interoperable and secure solution. To achieve this, the GSMA has taken responsibility and published a series of standards:

The GSMA Embedded SIM Specification provides a single, effective, standardized method for the “over the air” provisioning of an initial operator subscription, and for the change of subscription from one operator to another. The end goal is to accelerate the market growth of M2M and make this revolution as secure as possible.

Part of the core GSMA standards is the Security Accreditation Scheme (SAS), which aims to preserve the unification of Embedded SIMs with remote provisioning capabilities. There are two parts to GSMA SAS certification. The first is SAS-UP, which governs that UICCs and eUICCs are produced in a secure location, ensuring all sensitive data is managed in the most secure manner. The second is SAS-SM, a scheme through which SM-SR, SM-DP, SM-DP+ and SM-DS platform providers subject their sites to a security audit. The purpose of the audit is to ensure that these providers have put sufficient security measures in place to protect the interests of Operators.

The difference between a certified and a non-certified solution cannot be ignored. A non-certified solution poses the threat of being exposed to numerous security concerns, which in turn may result in an Operator’s sensitive data ending up in the wrong hands. Developing a solution is not the biggest challenge here; the challenge is providing a fully secure and interoperable solution, which is only possible by certifying it through the GSMA.

Now that we have established that a certified solution is the only way forward, let's see how advantageous it is. From the operator's point of view, a fully tested and certified eSIM promotes the escalation of IoT growth and newer business opportunities. The eSIM standards minimize the impact on existing systems and network infrastructure, which ensures reliability, lowers costs and maintains security standards. There is a lot of talk about the billions of IoT devices, a significant number of which would be enabled by eSIMs with very long life cycles. These standards therefore also help device manufacturers test their devices, reducing the time to market significantly and ensuring the device works with any compliant eSIM and related RSP platform. All in all, without the practical implementation of interoperability, whether it is between different eSIM manufacturers, device makers or eSIM subscription management service providers, the whole architecture fails.

I guess we can all agree that building trust in new technology is the only way it can be successful, and this trust can only be achieved if it is accepted by all market players. There are three main areas that need to be tested. Firstly, testing the eUICC/eSIM based on the GSMA test specifications. Secondly, testing the eUICC in a device on a network. And lastly, but most importantly, remote provisioning testing, which includes the changing of subscriptions. It is essential that the eUICCs and the device communicate with the RSP servers worldwide in order to facilitate the proper subscription management functions. For instance, if a problem occurs while downloading a profile, such a device won't work in the new network and becomes dead. This would include Profile Interoperability, meaning an Operator has their SIM vendor (SIM card manufacturer) create a SIM Profile that can be downloaded to any compliant eUICC (the physical part of the eSIM) regardless of who manufactured it. This would allow customers to avoid being locked in to one eSIM manufacturer or a certain operator, as the whole idea of eSIM revolves around the freedom of changing operators on an as-needed basis.

We at 1oT strongly believe in delivering fully certified and compliant solutions. How you can do this as well is quite simple. First, select a fully SAS-certified eSIM manufacturer and a fully SAS-SM certified RSP solution. Some of the usual suspects here would be Gemalto, IDEMIA and GnD (there are more, visit the lists in the links). This will ensure all Tier 1 operators (T-Mobile, Vodafone, AT&T, etc.) are on board and confident in the security of the solutions you chose. Then comes device testing, which is as integral as choosing the correct solution. Once you are confident your eSIM solution is interoperable and certified, you can focus on testing and deploying your IoT devices with full confidence.