How eSIM, Zero Touch, and APIs have transformed enterprise cybersecurity

Modern mobile devices are more than just a sleek convenience in business. They are also the primary endpoint for an entire ecosystem of connectivity and sensitive corporate data. They facilitate critical communications and are at the heart of most enterprises’ business activity today.  

This technological shift to mobile devices marked not only the end of the traditional mid-century office and its Bakelite landlines, but also the end of the very notion of a ‘security perimeter’ keeping cyber threats at arm’s length.

The new cybersecurity paradigm that emerged with widespread mobile device use treats the identity and integrity of each individual device as paramount, transforming every smartphone and tablet into a critical security touchpoint that must be rigorously protected.

For decades, the Subscriber Identity Module (SIM) card has served as the trusted ‘passport’ for mobile network authentication. Its primary role is to securely store a unique International Mobile Subscriber Identity (IMSI) and a secret cryptographic key, which together prove a device's legitimacy to the cellular network.  

However, the very physicality of the traditional SIM card – it is after all a removable piece of plastic – has become less viable under the combined pressure of scalability and cyber threats.    

In this article, we’ll take an overview of the security pressures that drove the market to shift from the physical, manually managed SIM card to the cryptographically secured, API-driven embedded SIM, or eSIM.  

The Vulnerabilities of the Physical SIM 

To fully appreciate the security advancements of eSIM technology, it’s useful to first examine the limitations of the traditional physical SIM.  

These are not architectural bugs or systemic failings of SIM cards, but issues arising from a dependence on human-mediated management processes, a dependence intrinsic to nearly all physical hardware. Physical SIMs are not flawed, but they are fundamentally misaligned with the needs of a digital, automated, and high-threat enterprise environment.

Physical danger 

The most obvious security vulnerability comes from the very thing that made SIMs a key component for legacy devices in the first place – their removable design.  

If a corporate device is lost, stolen, or left unattended, its SIM card can be easily extracted and inserted into another device, potentially giving that new device full network access. By design, it requires no technical expertise to immediately compromise the associated phone number and any services tied to it, such as SMS-based two-factor authentication (2FA).    

Outright SIM theft is not the only danger in this scenario. This physical accessibility creates the risk of SIM cloning: a process where an attacker creates a fully functional duplicate of a legitimate SIM. With physical access to the card, an attacker can use a standard SIM card reader and easily available software to extract the IMSI and, more critically, the associated authentication key.  

This extracted data is then written on a blank, programmable SIM card, creating a clone that is indistinguishable from the original to the mobile network.    

While modern SIMs employ stronger encryption, older cards that use the COMP128-1 algorithm are particularly susceptible to cryptographic attacks that can brute-force the authentication key. Even with modern algorithms, the threat of cloning persists, especially in targeted attacks against high-value individuals like corporate executives and celebrities. 

The critical takeaway is that the secrecy of the authentication key is hardly ever guaranteed if the card itself is taken. A cloned SIM allows an attacker to make and receive calls and messages but, more dangerously, intercept one-time passcodes (OTPs) sent via SMS for accessing corporate VPNs, cloud services, or financial accounts.  

This capability effectively bypasses a widely used layer of security and can be the tip of the spear for total network compromise.    

Evidently, a physical SIM ending up in the wrong hands doesn’t require a daring heist or sneaky theft. In fact, much business connectivity is simply handed over to ‘social engineering’ attackers.

Using personal information harvested from data breaches, social media, or phishing campaigns, attackers impersonate their targets and persuade the operator to transfer the target’s number to a new SIM card under the attacker's control (a SIM swap). For enterprises, this threat is particularly acute, as highly visible executives are prime targets, and a successful account takeover can be used to initiate fraudulent wire transfers, steal intellectual property, or launch further attacks against the corporate network.

The 2019 hack of Twitter CEO Jack Dorsey's account was executed via a SIM swap, demonstrating the vulnerability of even the most tech-savvy organization.    


Legacy risks 

Just as physical SIMs are at risk because of their removability, they also present a vulnerability due to the longevity and extended lifecycle they were engineered for.  

Beyond direct attacks on the SIM card, legacy mobile network protocols present additional risks. Older, since-patched vulnerabilities in the Signaling System 7 (SS7) protocol, the signaling backbone of global mobile networks, can be exploited by sophisticated attackers with network access to older hardware. These exploits allow the interception of calls and SMS messages – and the tracking of a device's location – without compromising the SIM card itself, simply by exploiting outdated security protocols.

eSIM security architecture 

The transition to eSIM technology addresses the limitations of physical SIMs by replacing a simple, easily alienable token with a multi-layered security architecture built on certified hardware, evolving global standards, and dynamic cryptography.

The security of an eSIM is not a single isolated feature, but the sum of a globally enforced, multi-layered, and cryptographically automated ecosystem. This is an essentially different paradigm from the physical model, which relies on static security measures and fallible human interaction.  

In an enterprise cybersecurity context, understanding the concept of static systems as compared to dynamic ecosystems is crucial, as this is fundamental to why eSIMs provide a level of auditable, standards-based assurance that physical SIMs simply are not equipped for. 

Tamperproof 

The heart of eSIM technology is the embedded Universal Integrated Circuit Card (eUICC), a dedicated, programmable chip soldered directly onto the device's board. This physical integration is the first and simplest layer of security: the threats of SIM removal, theft, and unauthorized swapping that afflict its physical counterpart are negated.

The eUICC functions as a Secure Element (SE), a tamper-resistant microprocessor designed as a ‘digital vault’ for identifying information. It stores operator profiles, credentials, and cryptographic keys, ensuring that this critical data is protected from both physical tampering attempts and software-based attacks targeting the OS. These secure elements are certified against international standards, such as Common Criteria EAL5+, which signifies a high degree of confidence in their ability to withstand sophisticated, well-funded attacks.

GSMA Standards 

For a global technology like eSIM to function securely and reliably, all participants in the ecosystem – from device manufacturers and chipmakers through to mobile network operators – must adhere to a common set of rules. Without a unifying standard, the market would fragment into a mess of proprietary, insecure, and non-interoperable solutions.     

The Global System for Mobile Communications Association (GSMA) is the trade body representing mobile operators worldwide, and it has established a comprehensive framework of specifications and compliance processes that govern the entire eSIM ecosystem. This framework ensures that any certified eSIM component will work securely with any other.

The GSMA provides key specifications, most notably:    

  • SGP.22 
    The technical specification for Remote SIM Provisioning (RSP) in consumer and IoT devices, which defines the architecture, security protocols, and data structures for the ‘pull’ model of connectivity profile downloads.    

  • SGP.02 
    The original specification for Machine-to-Machine (M2M) applications, which uses a server-driven ‘push’ model for managing profiles on unattended devices.

  • SGP.32 
    The newest IoT-focused standard, released in 2023. SGP.32 combines the flexibility of the consumer model with the remote management capabilities required for large-scale IoT deployments, creating a more scalable and efficient solution.    

To enforce these standards, the GSMA operates the Security Accreditation Scheme (SAS). This program involves rigorous security audits of the facilities involved in the eSIM lifecycle.  

The sites where eUICC hardware is manufactured have their own certification, as do the secure data centers where providers manage their eSIM profiles and operate SM-DP+ and SM-SR servers. This end-to-end certification ensures that every link in the global supply chain, from fabrication to over-the-air (OTA) profile delivery, meets stringent shared security standards.

Over-the-Air Security 

The GSMA framework is built on a foundation of strong and dynamic cryptography to protect the entire Remote SIM Provisioning (RSP) lifecycle. 

All communications between a device and the RSP servers for downloading or managing an eSIM profile are protected by end-to-end encryption. This is typically achieved using Transport Layer Security (TLS) to create a secure channel, with advanced algorithms like the Advanced Encryption Standard (AES) used to encrypt the profile data itself during transmission.  

The entire ecosystem's security is anchored by a Public Key Infrastructure (PKI), a tried-and-tested cryptographic model for verifying credentials, for which the GSMA acts as the certifying authority. Every legitimate entity in the provisioning chain, such as a network operator’s SM-DP+ server, must possess a digital certificate issued and verified by the GSMA.    

This PKI enables a secure handshake that prevents any third party from covertly inserting itself into the connection (a Man-in-the-Middle, or MitM, attack). When a device needs to download a new profile, its onboard Local Profile Assistant (LPA) initiates a connection to the mobile network operator's (MNO's) SM-DP+ server.

The first step in this process is for the LPA to request and verify the server's digital certificate. The LPA checks that the certificate is valid and has been signed under the GSMA's PKI. If not, the connection is immediately terminated. This ensures that a device will only ever communicate with a legitimate, GSMA-certified server to receive a profile.
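To make that certificate check concrete, here is an added example in Go (not code from the article or from 1GLOBAL) that builds a throwaway PKI with the standard library: a self-signed root plays the part of the GSMA Certificate Issuer, it signs a server certificate for a placeholder SM-DP+ hostname, and `lpaVerifyServer` performs the check an LPA must make before proceeding. All keys, names and hostnames are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a key pair and certificate for name. A CA is always self-signed
// here, standing in for the GSMA root CI; a server cert is signed by parentKey.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // TLS server certificate for an SM-DP+ host
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// lpaVerifyServer is the check the text describes: the presented SM-DP+ certificate
// must chain to the trusted root, be valid now, allow server authentication and
// name the expected host; on any error the LPA must abort the session.
func lpaVerifyServer(trustedRoot, server *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(trustedRoot)
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() {
	host := "smdp.example.invalid" // placeholder, not a real SM-DP+ address
	root, rootKey := issue("Example RSP Root CI", true, nil, nil)
	rogue, rogueKey := issue("Rogue CA", true, nil, nil)
	genuine, _ := issue(host, false, root, rootKey)
	forged, _ := issue(host, false, rogue, rogueKey)
	fmt.Println("genuine accepted:", lpaVerifyServer(root, genuine, host) == nil)
	fmt.Println("forged accepted:", lpaVerifyServer(root, forged, host) == nil)
}
```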

Automating security at scale 

Businesses have a choice of how they want to provision their devices with connectivity. While eSIM technology was still gaining traction, distributing QR codes to employees was a popular option.   

This method streamlines the process by embedding all necessary connectivity and enrollment information into an easily distributed visual file, drastically reducing manual setup time and minimizing human error. It ensures devices are automatically configured with the correct policies and settings from the moment of activation, and it remains the method of choice for many businesses.

However, while QR codes offer undoubted convenience, they can also expose corporate environments to specific risks.  

QR risks 

Activating an eSIM by scanning a QR code provided by the carrier, either on paper or on screen, remains the most popular eSIM provisioning method for consumers. It’s neat and convenient: the code contains the network address of the carrier's SM-DP+ server, which the device then contacts to download the eSIM profile.

While simple for an individual, this method has drawbacks when applied at enterprise scale.

If a system depends on a token that can be handed to the wrong person, that token is an attack surface. Attackers can easily send out phishing emails or distribute fake QR codes, and then the sheer user-convenience of the QR code becomes a liability, as recent waves of scams featuring fake parking meter codes have proven.

QR codes are also an easy way for an attacker to circumvent the firewalls and URL filtering that many organizations and end users rely on to protect them.

An employee who scans a fraudulent code could inadvertently install a malicious profile that routes their data traffic through an attacker's server, or they could be directed to a convincing phishing site designed to harvest their corporate credentials.    

The QR code method is inherently decentralized and requires individual action, which makes it ideal for consumers and smaller-scale organizations. However, for an IT department tasked with deploying and managing potentially thousands of corporate devices, this is operationally untenable. There’s no way to monitor the installation, prevent the installation of personal eSIMs, check the hardware, ensure the correct corporate plan is activated, or even check that the user knows where to point the camera. Even a small operational hitch becomes a major incident when it’s multiplied thousands of times across regions.    
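As an added example (not part of the original article), a small Go validator that an MDM or helpdesk tool could run on the string behind a scanned eSIM QR code before the device is allowed to use it. It assumes the SGP.22 activation-code layout, `LPA:1$<SM-DP+ address>$<matching ID>`, and a constructed allowlist of approved SM-DP+ hosts with placeholder names.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ActivationCode holds the fields of an SGP.22 activation code, the string an
// eSIM QR code carries: "LPA:1$<SM-DP+ address>$<matching ID>[$...]".
type ActivationCode struct {
	SMDPAddress string
	MatchingID  string
}

// ParseActivationCode splits a scanned string and rejects anything that does not
// follow that layout, so a plain URL or a truncated code fails before any server
// is contacted.
func ParseActivationCode(code string) (ActivationCode, error) {
	parts := strings.Split(strings.TrimSpace(code), "$")
	if len(parts) < 3 || parts[0] != "LPA:1" {
		return ActivationCode{}, errors.New("not an LPA:1 activation code")
	}
	addr := strings.ToLower(strings.TrimSpace(parts[1]))
	if addr == "" || strings.ContainsAny(addr, "/\\ ") {
		return ActivationCode{}, errors.New("malformed SM-DP+ address")
	}
	return ActivationCode{SMDPAddress: addr, MatchingID: parts[2]}, nil
}

// CheckActivationCode is the control an enterprise could apply before a corporate
// device uses a scanned code: the SM-DP+ address must be one of the approved
// servers, so a look-alike code pointing elsewhere is refused even though it is
// syntactically valid.
func CheckActivationCode(code string, approved []string) (ActivationCode, error) {
	ac, err := ParseActivationCode(code)
	if err != nil {
		return ac, err
	}
	for _, host := range approved {
		if strings.EqualFold(host, ac.SMDPAddress) {
			return ac, nil
		}
	}
	return ac, fmt.Errorf("SM-DP+ address %q is not an approved server", ac.SMDPAddress)
}

func main() {
	// Constructed allowlist and sample codes; the hostnames are placeholders.
	approved := []string{"smdp.corp.example.invalid"}
	for _, code := range []string{
		"LPA:1$smdp.corp.example.invalid$ABC-123",
		"LPA:1$lookalike.example.invalid$ABC-123",
		"https://lookalike.example.invalid/login",
	} {
		_, err := CheckActivationCode(code, approved)
		fmt.Printf("%-45s -> %v\n", code, err)
	}
}
```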

Zero Touch  

For enterprises, the current gold standard is Zero Touch provisioning. Fully automated by a business’s own Mobile Device Management (MDM) platform, Zero Touch elevates eSIM deployment from a manual, and therefore risk-prone, activity into a secure, scalable, and automated process.

Complementing Zero Touch provisioning is the so-called Zero Trust security model, which works by treating every device as untrusted and uses automated, policy-based controls to establish a secure, verifiable identity. A popular analogy is comparing Zero Trust to establishing checkpoints throughout a secure base, rather than just a single gatekeeper checking everyone once upon entry.  

Zero Trust is more of a design ethos than a specific product, but a typical secure provisioning flow looks like this:

  • Device Registration 
    An enterprise purchases corporate devices in bulk, and the seller registers the unique identifiers of these devices (e.g., serial number, EID) on the enterprise's dedicated portal, such as Apple Business Manager. 

  • MDM Integration 
    The IT admin links this portal to the company's MDM, such as Jamf Pro, and creates an enrollment profile that specifies all the required configurations, security policies, and applications for the devices.

  • Automated Enrollment 
    When a box-fresh device is powered on by the user for the first time and connects to the internet, it contacts Apple's or Google's activation servers. These servers identify the device as corporate-owned and automatically redirect it to enroll in the designated MDM platform.  

  • Automated eSIM Provisioning 
    Once enrolled, the MDM server takes control and pushes all the pre-defined configurations to the device. Critically, this includes a command to securely download and install the corporate eSIM profile, completely bypassing the need for a QR code or any user action.  

This entire process is completely automated, takes seconds, and entirely removes the ever-fallible human element from the secure provisioning loop.  


MDM and eSIM security 

The MDM's role extends beyond the initial deployment, continuing as the central policy enforcement point for the eSIM's entire lifecycle. After remotely conducting the installation, the MDM will continuously monitor the device for unauthorized user modifications to the corporate eSIM profile and prevent it from being transferred to another external device.  

It will also make sure that the eSIM is preserved in the event of a remote wipe. This ensures the device can immediately reconnect to the cellular network to be re-provisioned for a new user, maintaining a securely closed-loop management cycle. 

eSIMs and the 1GLOBAL API 

Secure deployment is only the beginning. A truly robust enterprise connectivity strategy requires the ability to manage the entire lifecycle of a device. The integration of a connectivity provider's Application Programming Interface (API) with an MDM platform fundamentally changes how a business manages and controls its connectivity ecosystem.  

It elevates connectivity from a static, manually managed asset to a dynamic, policy-driven service that is delivered securely and on-demand.  

APIs are software interfaces that allow different applications to communicate with each other, and when combined with eSIM technology they become a transformative tool for enterprise connectivity.

This combination allows businesses to manage the entire lifecycle of their mobile connectivity on a massive scale. Instead of manually configuring each device, companies use APIs to instantly activate, deactivate, or change cellular plans on thousands of eSIM-enabled devices at once, integrating connectivity management directly into their own business software and workflows for unprecedented automation and control. 

1GLOBAL has introduced groundbreaking mobile technology, featuring industry-first API integrations designed specifically for enterprise control and automation. These integrations and key workflow automations allow for granular management of every aspect of corporate connectivity, all intuitively accessible via a user-friendly dashboard.  

Next steps 

The transition from physical SIMs to a fully automated eSIM ecosystem is imperative for any enterprise serious about scaling. Adopting this technology requires a deliberate, phased approach and a forward-looking perspective on the evolution of secure mobile telecoms. For a smooth and secure transition, decision makers should consider these strategic touchpoints:

  1. Audit physical SIM use 
    The first step is to consider if your organization’s physical SIM use really does represent a security risk. Smaller organizations may still find value in the simplicity of physical SIMs, which remain the backbone of many IoT sectors. Enterprises should conduct a thorough audit to identify all active physical SIMs within their fleet and develop a clear roadmap for migrating these lines to a managed eSIM solution. 

  2. Invest in MDM and Zero Touch provisioning 
    Secure provisioning is the cornerstone of eSIM security. Enterprises looking to transform will need to ensure that all new devices are compatible with a ZTP framework (Apple Business Manager for iOS, Android Zero-Touch for Android) and are enrolled in a capable MDM solution upon activation. This establishes the foundational layer of control necessary for a secure mobile environment. 

  3. Find an API-First Partner 
    Engage with a truly global connectivity partner, such as 1GLOBAL, that has a proven track record of deep integration with leading MDM platforms and offers a robust, well-documented API.  

  4. Integrate into Core IT and HR Workflows 
    The ultimate security and efficiency goal is full automation. Enterprises should leverage the telco partner’s API to integrate eSIM lifecycle management directly into existing HR systems. For example, the employee onboarding process should automatically trigger the creation of a user in the MDM and their assignment to the correct Smart Group, initiating eSIM deployment. Conversely, the offboarding process should automatically trigger the removal and deactivation of the eSIM. 

Conclusions 

The migration to eSIM technology, when executed through a framework of Zero Touch Provisioning and API automation, is far more than a matter of convenience or incremental cost savings. It’s a full digital transformation, empowering a new level of cybersecurity that directly addresses the fundamental flaws of physical hardware. 

This transformation replaces physical vulnerability, fragmented security, and dependence on fallible human processes with a system that is cryptographically secure, globally standardized, policy-driven, and fully auditable.  

By providing each corporate device with a tamper-resistant, verifiable identity that can be provisioned and managed dynamically based on centrally defined policy, the eSIM becomes a foundational pillar of modern Zero Trust cybersecurity.  

It allows the enterprise to secure its most widespread, critical and hardest-to-monitor endpoint, ensuring that as the workforce becomes more mobile and distributed, its data and communications remain protected by a robust, automated, and defensible security posture.  

To discuss how eSIM technology can be incorporated into your business’s cybersecure digital roadmap, get in touch with 1GLOBAL today.

About 1GLOBAL

1GLOBAL is a distinguished international provider of specialty telecommunications services catering to Global Enterprises, Financial Institutions, IoT, Mobile Operators and Tech & Travel companies. 1GLOBAL is an eSIM pioneer, a fully accredited and GSMA-certified telco, a full MVNO in ten countries, fully regulated in 42 countries, and covers 190+ countries.

It delivers comprehensive communication solutions that encompass Voice, Data & SMS - all supported by a unique global core network. Its constantly expanding portfolio of advanced products and services includes White Label eSIMs, Connectivity Solutions, Compliance and Recording, Consumer & M2M SIM Provisioning and an Entitlement Server.

1GLOBAL is a trading name of 1GLOBAL Holdings B.V.