Oracle provides assurance for eSIM workloads in the cloud with new GSMA SAS-SM accreditation

February 23, 2024 | 4 minute read
Sveta Shandilya
Senior Principal Technical Program Manager
Alex Cruft
Principal Program Manager

In today’s hyper-connected world, the telecommunications (telco) industry stands at the crossroads of innovation and transformation. Amid this transformation, the industry must rapidly deliver solutions to customers while enabling the highest levels of security and reliability for the technology and services it provides. 

The shift towards embedded Universal Integrated Circuit Cards (eUICC), embedded Subscriber Identity Module (eSIM), and integrated Subscriber Identity Module (iSIM) technology now underpins the management of subscriber identities and data. eUICC refers to the physical embedded chip on a device’s circuit board that’s not removable and can store multiple profiles. eSIM is a virtual SIM that is integrated into a device’s hardware, not a physical card. It can be reprogrammed over the air. iSIM is a virtual SIM that’s included as part of the system on a chip (SOC) installed inside a mobile device. With this technological advancement, more safeguards are required to help ensure the security and integrity of subscriber data and the provisioning process.

To protect the integrity of this vital infrastructure, the GSM Association (GSMA) has established the Security Accreditation Scheme for Subscription Management (SAS-SM), a rigorous certification program. Oracle Cloud Infrastructure (OCI) is pleased to announce that it is certified by GSMA under SAS-SM to provide Data Center Operations and Management (DCOM) services for 124 OCI services in 36 Oracle Cloud regions. This certification demonstrates that OCI customers can confidently rely on these OCI services for their subscription management hosting solutions.

The OCI GSMA SAS-SM certificate is available on the GSMA website under the SAS Accredited Sites.


The GSMA SAS-SM standard defines a comprehensive set of protocols and security measures for securely provisioning and managing subscriber profiles on embedded SIM technologies, including eUICC and eSIM. GSMA developed the SAS-SM standard in response to the evolving mobile telco landscape, where embedded SIM technologies are becoming increasingly prevalent in various electronic devices, including smartphones and internet of things (IoT) devices.

Remote provisioning of SIMs is especially important for IoT and machine-to-machine (M2M) devices, where eUICCs are commonly used. It helps ensure that profiles for multiple carriers can be securely loaded onto the eUICC and managed remotely. It allows users to switch between mobile network operators without physically changing SIM cards. This flexibility is crucial for devices moving across different network service providers.

GSMA SAS-SM provides assurance around the security and controls for subscription management services and secure remote provisioning. For example, the GSMA SAS-SM standard specifies secure communication and authentication between the Subscription Activation Server (SAS) and the Secure Module (SM) within the eUICC or eSIM.

OCI engaged a GSMA-approved independent auditor to evaluate its practices and controls against the GSMA SAS-SM framework requirements across the following security domains:

  • Security policy, strategy, and documentation

  • Security organization and responsibility

  • Information security

  • Personnel security

  • Physical security

  • Certificate and key management

  • Sensitive process data management

  • Logistics and production management

  • Computer and network management

All customers running workloads on OCI can appreciate the added assurance of OCI’s GSMA SAS-SM certification. However, vendors and communication service providers (CSPs) that need to host SIM management platforms and remote SIM provisioning (RSP) systems in the cloud require explicit assurance that the underlying infrastructure and services that support their software fully adhere to the GSMA SAS-SM standards. With this announcement, customers can now confidently migrate these mission-critical eSIM workloads to OCI while also unlocking the scalability, agility, and cloud economics offered by OCI.

Cloud-based virtual secure module for eSIM, iSIM, and eUICC security

With a cloud-based secure module or virtual secure module (VSM), you can manage eSIM, iSIM, and eUICC profiles’ cryptographic operations remotely over the air, just like with physical SMs. In a cloud-based or VSM scenario, sensitive subscriber information, including authentication keys and SIM profiles, is securely stored in the cloud or a remote data center. The device is provisioned to access the cloud-based SM or VSM, typically over the air.

During this process, the necessary SIM profiles and cryptographic keys are downloaded securely from the cloud. A device, such as a cell phone, interacts with the cloud-based SM or VSM for authentication, data encryption, and communication with the mobile network. The VSM in the cloud should be hosted in a highly secure data center with robust security measures to protect against unauthorized access or tampering, which is where GSMA SAS-SM comes in.

GSMA SAS-SM validates Oracle’s ongoing commitment to security and resiliency

The GSMA SAS-SM certification offers the following benefits to providers of subscription management services and CSPs running on OCI:

  • Enhanced network security: GSMA certification attests that the cloud platform complies with stringent security standards, enhancing the security of the entire network. Customers can rely on the robust security measures of OCI when integrating with their solutions.

  • Enables data integrity: GSMA certification demonstrates that OCI offers a reliable and trusted solution for managing subscriber identities and data.

  • Risk mitigation: A GSMA-certified cloud platform can significantly reduce the risks associated with security breaches, data leaks, and regulatory compliance issues. This risk mitigation not only safeguards a customer's reputation, but also helps build trust with their end customers.

  • Global recognition: The GSMA certification is globally recognized, giving customers a competitive edge and access to a wider market.

Getting started with OCI for telco

Oracle continues to invest heavily in its cloud infrastructure as the leading solution for enterprise customers and CSPs deploying telco workloads in the cloud. Part of this investment includes an ongoing commitment to safeguarding the integrity and security of the data and workloads running on the platform. As the industry transitions to eSIM and iSIM technology and virtualized cloud-based subscriber management, OCI’s GSMA SAS-SM certification provides its telco customers with assurance that OCI can deliver the highest standards of security and reliability.

To learn more about how OCI supports global telecommunications providers, visit the Telco Cloud Infrastructure webpage or contact an Oracle representative. For more information about other Oracle Cloud Infrastructure compliance programs, visit the Oracle Cloud Compliance webpage.
