Where did I leave my keys?

I have a nasty feeling that more than one red-faced CTIO will be asking this question in the not-too-distant future. It won’t be the house keys or the car keys that have gone missing down the back of the sofa. This time it will be far more serious. Here is the scenario I see unfolding, and it may be sooner than you think.

5G promises so much, unless of course you are in the same camp as Eric Xu, Huawei’s rotating chairman, when he said, “The entire industry and governments around the world have regarded 5G too highly, to the extent it will be the digital infrastructure for everything.” He then added, “It is just a natural evolution of the technology from 2G to 3G to 4G and now 5G.”

OK, Huawei realised this wasn’t the greatest sales pitch they had ever come up with to promote sales of their products, so they have since modified this stance somewhat to say that 5G should have “the performance advantages of 100 billion connections, 1ms latency, 10Gbps throughput to meet the requirement of a ‘Fully Connected World’”. That sounds like a better sales pitch.

I didn’t intend to explain the merits of 5G here but if this has whetted your appetite, why not go and take a look at our blog on 5G here.

Faster and higher-performing radio access is not to be sniffed at, but I don’t think that alone is the 5G game changer. Lower latency and faster data speeds are just part of the natural evolution of radio technology, as Eric Xu rightly pointed out. These alone won’t underpin new services. The ability to really begin to integrate 5G architectures into other industry segments’ infrastructure is the real game changer. And here the philosophy of NFV (Network Functions Virtualization) is a big driver for the new business models that are emerging, alongside network slicing and a new approach to customer data management.

It’s the customer data management piece I wanted to explore further here. Sorry for not using the more conventional nomenclature of subscriber data management but really, I do wish our industry would drop subscribers and talk about customers instead. Now that would be a game changer!

Those with a keen interest in these things will have noticed a radically different approach to authentication in the 5G standards: 3GPP TS 33.501 brings 5G-AKA and EAP-AKA’ under one framework, gives the home network the final say on whether authentication succeeded, and sends the permanent subscriber identifier over the air only in encrypted form (the SUCI). This change is there to better support new concepts, new business models, IoT (which is both of the above) and NFV, as well as the vastly increased demand for network authentication that new 5G-related services will bring about. What has not changed is that all of it is still rooted in the long-term key shared between the SIM and the home network, the Ki.

Let’s stop and think about NFV for a moment. Using standardised hardware platforms and deploying only the functions needed is a very attractive prospect for MNOs. It promises to change the cost of doing business quite dramatically. MNOs in smaller markets may even think about using managed services in the Cloud for hosting and operating the core. This is another game changer for the way they can do business in the future, and it gives their customers access to 5G services much faster than was hitherto possible.

Now I move on to my worry point, and I am glad to also say that there is a solution to my worries, but I am not yet seeing a groundswell towards adoption of the solution I have in mind. This is my concern. MNOs have traditionally taken great care to safeguard their keys, algorithms and sensitive business logic. The vital network credentials used during SIM provisioning and then for network authentication have always been subject to strict security policies and processes, for a very good reason: the compromise of network keys or algorithms is probably the highest risk to business continuity that an MNO faces. A leaked Ki is a SIM that can be cloned; a leaked key database is a customer base that has to be re-issued with SIMs. So why would anyone risk having their crown jewels in a virtualised function, which may even be part of a hosted Cloud solution, where they sit in a virtual machine’s memory, in its disk images, snapshots and backups, all under the control of whoever operates the host rather than the MNO? I know I wouldn’t. This seems like a deadly scenario which ends where I started, with the CTIO asking ‘where exactly did I leave my keys?’ Too late to ask that question now!

There are solutions available, and the one I favour most is creating a safe for the crown jewels. Yes, I know falling back on a hardware solution bucks the trend of NFV, but there are some things I still really want to see kept safe and sound in a protected, tamper-resistant piece of hardware. The solution, at least in part, is available today and used in many adjacent industries. Using a Hardware Security Module (HSM) to execute mobile authentication algorithms such as Milenage and COMP-128, and the custom key derivation algorithms used for remote SIM OTA, keeps the keys they operate on inside the module (the module protects the key material; it does not strengthen an algorithm that is itself weak, as the original COMP-128 was shown to be, so those still need retiring on their own merits). By also deploying business logic inside the HSM, such as the HSS’s decryption of the encrypted Ki (eKi) for use with Milenage, the Ki is never handled in unencrypted form outside the module: the HSS stores only eKi, passes it to the HSM together with the sequence number and AMF, and receives back the authentication vector (RAND, XRES, CK, IK, AUTN) and nothing else. The HSM can also support the generation of SIM provisioning credentials and their transport encryption, from Ki through to PIN/PUK generation, all in one request, and it can assemble the secured SIM OTA payloads for both UICCs and eUICCs, for example.

Having adopted this principle, MNOs can even consider outsourcing the support of the internal systems used for SIM production that contain sensitive material. Very many MNOs have already outsourced their SIM provisioning, and in this situation the HSM provides them with a way of reclaiming control of their keys while still keeping the production facility outsourced: the outsourcer submits requests to the HSM and receives wrapped credentials and encrypted OTA payloads, never the plaintext keys. To put this another way, would you hand your keys to someone else to unlock your house or car on your behalf? Of course not, so having an HSM allows you to do it yourself without sharing your secrets!
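The boundary described in the two paragraphs above (the HSS keeps only eKi, the Ki is unwrapped and used only inside the HSM, and only authentication vectors come back out) as an added example in Python. This is not code from the page, from Azenby or from any HSM vendor. It assumes a keyed HMAC-SHA256 as a stand-in for the AES-based Milenage functions f1 to f5 of 3GPP TS 35.206 (the output sizes are the real ones, the kernel is not), and an eKi wrapping format of nonce, ciphertext and tag that is invented for illustration. It also plays the USIM side so that one complete AKA run can be checked end to end, including the two failure modes a practitioner should test for: a tampered eKi and a USIM holding the wrong key.

```python
import hmac
import hashlib
import secrets

# Constructed model of the HSM boundary; not real operator or vendor code.
# Assumption: HMAC-SHA256 stands in for the AES-based Milenage kernel so the
# example runs with the standard library only. The eKi layout
# (12-byte nonce || 16-byte ct || 16-byte tag) is likewise invented here.


def _prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed PRF: HMAC-SHA256 over length-prefixed parts (unambiguous concat)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big"))
        mac.update(part)
    return mac.digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Stand-ins for Milenage f1..f5 with the real output sizes:
# MAC-A 8 bytes, RES/XRES 8, CK 16, IK 16, AK 6.
def f1(ki, rand, sqn, amf):
    return _prf(ki, b"f1", rand, sqn, amf)[:8]


def f2(ki, rand):
    return _prf(ki, b"f2", rand)[:8]


def f3(ki, rand):
    return _prf(ki, b"f3", rand)[:16]


def f4(ki, rand):
    return _prf(ki, b"f4", rand)[:16]


def f5(ki, rand):
    return _prf(ki, b"f5", rand)[:6]


class Hsm:
    """Everything in this class is 'inside the HSM'. No method returns the
    KEK or a plaintext Ki; callers only ever see eKi and authentication vectors."""

    def __init__(self, kek: bytes):
        self._kek = kek  # key-encryption key, generated and kept in the module

    def wrap_ki(self, ki: bytes) -> bytes:
        """SIM-production side: Ki (16 bytes) in, eKi out (nonce || ct || tag)."""
        if len(ki) != 16:
            raise ValueError("Ki must be 16 bytes")
        nonce = secrets.token_bytes(12)
        ct = _xor(ki, _prf(self._kek, b"enc", nonce)[:16])
        tag = _prf(self._kek, b"mac", nonce, ct)[:16]
        return nonce + ct + tag

    def _unwrap_ki(self, eki: bytes) -> bytes:
        """Private: verify the tag in constant time before decrypting."""
        if len(eki) != 44:
            raise ValueError("eKi has the wrong length")
        nonce, ct, tag = eki[:12], eki[12:28], eki[28:44]
        if not hmac.compare_digest(tag, _prf(self._kek, b"mac", nonce, ct)[:16]):
            raise ValueError("eKi integrity check failed")
        return _xor(ct, _prf(self._kek, b"enc", nonce)[:16])

    def generate_auth_vector(self, eki: bytes, sqn: bytes, amf: bytes) -> dict:
        """HSS/UDM side: eKi, SQN (6 bytes) and AMF (2 bytes) in, vector out.
        Ki exists in the clear only inside this call."""
        if len(sqn) != 6 or len(amf) != 2:
            raise ValueError("SQN must be 6 bytes and AMF 2 bytes")
        ki = self._unwrap_ki(eki)
        rand = secrets.token_bytes(16)
        autn = _xor(sqn, f5(ki, rand)) + amf + f1(ki, rand, sqn, amf)
        return {"RAND": rand, "XRES": f2(ki, rand), "CK": f3(ki, rand),
                "IK": f4(ki, rand), "AUTN": autn}


def usim_respond(ki: bytes, rand: bytes, autn: bytes) -> bytes:
    """USIM side, which legitimately holds Ki: recover SQN, check MAC-A, return RES."""
    sqn_xor_ak, amf, mac_a = autn[:6], autn[6:8], autn[8:16]
    sqn = _xor(sqn_xor_ak, f5(ki, rand))
    if not hmac.compare_digest(mac_a, f1(ki, rand, sqn, amf)):
        raise ValueError("AUTN MAC-A check failed: network not authenticated")
    return f2(ki, rand)


def run_authentication(hsm: Hsm, eki: bytes, usim_ki: bytes, sqn: bytes, amf: bytes) -> bool:
    """One AKA run: HSS asks the HSM for a vector, the USIM answers, HSS compares RES to XRES."""
    av = hsm.generate_auth_vector(eki, sqn, amf)
    res = usim_respond(usim_ki, av["RAND"], av["AUTN"])
    return hmac.compare_digest(res, av["XRES"])


if __name__ == "__main__":
    # Constructed sample values, not real operator material.
    hsm = Hsm(kek=bytes(range(32)))
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")
    eki = hsm.wrap_ki(ki)  # this is all the HSS/UDM database ever stores
    print("eKi:", eki.hex())
    print("auth ok:", run_authentication(hsm, eki, ki, sqn=bytes(6), amf=b"\x80\x00"))
```

The thing to audit in a real deployment is exactly what this model makes visible: the only values crossing the boundary are eKi, SQN and AMF inwards and RAND, XRES, CK, IK and AUTN outwards. Anything that returns a plaintext Ki, or that lets a caller supply its own KEK, breaks the property the paragraphs above are relying on.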

Together, these are the security methods needed in the 5G NFV environment, and maybe it’s just a matter of time before MNOs arrive at this same viewpoint, but for now the rate of adoption is still worryingly low. The need to secure business continuity is the main driver for adopting HSMs into the SIM provisioning and authentication processes, but once done it also opens new business and revenue opportunities for MNOs. We all see that a lot of the news items about 5G focus on the emergence of new business models whereby MNOs forge new partnerships with players in other industry verticals to really make IoT happen.

Monetising the SIM as an asset is really important for MNOs in the 5G world, and offering a heightened level of security over other wireless access technologies will be a major factor for those organisations developing industrialised IoT applications. Many of these new business partnerships will be deeper and more rewarding, as partners (call them external service providers) can be given the use of sensitive key material through the HSM’s functions without ever holding it, and so can be placed in a position of elevated trust to do their own provisioning. In the world of remote SIM provisioning (RSP), I think this opens up limitless new possibilities for service delivery which allow MNOs to be serious players in the IoT market. Think of it this way: allowing new partners to use key material through the HSM outsources trust without the MNO losing control. Smaller, specialist RSP partners inherit this level of trust, and the MNO will know that the confidentiality and integrity of the sensitive data are guaranteed by the HSM, provided its access policies limit each partner to the operations and keys that partner is entitled to use. Some MNOs are worried about the impact RSP may have on their business. More forward-thinking MNOs will see RSP as a major opportunity to expand their business relationships, just so long as they keep the commercially sensitive credentials safe and sound.

Making this happen isn’t simply a case of buying a standards-compliant HSM. The greater challenge is first understanding how to apply the necessary business logic to the HSM and then integrating it into the current support systems. The rewards of doing this, though, are sufficiently high for it to be worth the challenge. At Azenby we would like to help MNOs and MVNOs of all sizes make the transition towards this new level of security for network credentials and then exploit the new business opportunities this can open up.

If you would like to learn more about how we can help with this journey, why not get in touch with us today. The sooner the journey starts the less chance of those keys being lost!
