Cloudflare launches an eSIM to secure mobile devices

Are smartphones ever entirely secure? It depends on one’s definition of “secure,” particularly when dealing with corporate environments. Most companies with bring-your-own-device policies install apps or agents on workers’ smartphones to help secure them, leveraging the management capabilities built into operating systems like Android and iOS. But those might not be sufficient.

That’s what Cloudflare argues, anyway, in the pitch for the new services it’s launching this week. Today, the company announced Zero Trust SIM and Zero Trust for Mobile Operators, two product offerings targeting smartphone users, the companies securing corporate phones and the carriers selling data services.

Let’s start with Zero Trust SIM. Designed to secure all data packets leaving a smartphone, Zero Trust SIM — once launched in the U.S. (to start) — will be available as an eSIM deployable via existing mobile device management platforms to both iOS and Android devices. It’ll be locked to a specific device, mitigating the risk of SIM-swapping attacks, and usable either in a standalone configuration or in tandem with Cloudflare’s mobile agent, WARP.

In a recent email interview, Cloudflare CTO John Graham-Cumming made the case that Zero Trust SIM can accomplish what VPNs and other secure layers can’t: cell-level protection. A SIM card can act as another security factor, and — in combination with hardware keys — make it nearly impossible to impersonate an employee, he argued.

“Zero Trust SIM provides defense in depth. A VPN layer is one of those components, but doesn’t remove the need to still deploy cellular connectivity across all of your mobile devices today, and traditional ‘AnyConnect-style’ VPNs do nothing to stop attackers moving laterally once they’re inside the VPN,” Graham-Cumming said. “We continue to see organizations breached due to challenges securing their applications and networks, and what was once a real-estate budget is quickly becoming a ‘secure my remote and distributed workforce’ budget from an IT security perspective.”

Specifically, Graham-Cumming said that Zero Trust SIM will enable Cloudflare to rewrite DNS requests leaving a device to instead use Cloudflare Gateway for DNS filtering. It’ll also support validating every host and IP address before it reaches the internet, as well as identity-based connectivity to services and other devices, and it can be used as a second factor for authentication, he added.

While pricing hasn’t been decided, Zero Trust SIM — which will launch in the next few months — will be treated as a part of Cloudflare’s Zero Trust platform from a billing perspective. Graham-Cumming says it’ll be an extension of the per-seat pricing Zero Trust customers have today. He expects that most devices will be compatible, and even more once Cloudflare begins providing physical SIM cards for the service, which it plans to do in the near future.

“Our intent is to start in the U.S., but quickly work to make this a global service — running a global network is a core part of what we do,” Graham-Cumming said. “Although we’re early in development here, we’re already working on a parallel initiative in the industrial internet of things (IoT) space (e.g., vehicles, payment terminals, shipping containers, vending machines). The Zero Trust SIM is, itself, a foundational piece of technology that unlocks a lot of new use cases.”

On the subject of IoT, Cloudflare today previewed a platform for IoT devices — aptly called IoT Platform — with the goal of providing a single-pane-of-glass view over a fleet of connected devices. Meant to compete with IoT management services from Microsoft Azure, Amazon Web Services and Google Cloud, Cloudflare’s offering handles ordering, provisioning and managing cellular connectivity and security for IoT.

Every packet that leaves each IoT device can be inspected, approved or rejected by policies customers create before it reaches the Internet, cloud, or other devices, according to Cloudflare. Moreover, devices can be locked to a specific geography to ensure that sensitive traffic doesn’t reach public channels.

More information will be available in the coming months as the formal launch of IoT Platform approaches, Cloudflare says.

Cloudflare had less to share on the Zero Trust for Mobile Operators front. A carrier partner program, Zero Trust for Mobile Operators will allow service providers to offer subscriptions to mobile security tools from Cloudflare’s Zero Trust platform, Graham-Cumming said. Interested operators can sign up starting today for more information.

One presumes that Zero Trust for Mobile Operators — and, for that matter, the new Zero Trust SIM — is a pilot for what could become a lucrative line of business for Cloudflare beyond WARP, which the company launched on a freemium model three years ago. According to Allied Market Research, the global mobile security market was valued at $3.3 billion in 2020 and could reach $22.1 billion by 2030.

IoT Platform makes sense for Cloudflare, too, given the robustness of the IoT market. According to one source, enterprise IoT spending grew 22.4% in 2021 to $158 billion as tailwinds like supply chain challenges strengthened. The segment’s rife with incumbents, but Cloudflare’s evidently betting it can throw around enough weight to make a sizeable dent.

Cloudflare launches an eSIM to secure mobile devices by Kyle Wiggers originally published on TechCrunch