Want to make a difference? Deliver capacity where your subscribers are!
July 27, 2015

No mobile operator has unlimited capital, time or resources. So, why should an operator prefer a scalable small cell system to provide 3G/LTE service in medium to large enterprises, rather than just offer femtocells to hundreds of thousands of small enterprises? Wouldn’t covering small enterprises have a bigger impact on subscribers and networks? We think not… here’s why.

1. The impact of enterprise small cells is not proportional to the number of enterprises (believe it or not!), but to the amount of floor-space they cover, because floor-space is proportional to subscribers. As data from the US Department of Energy shows, commercial buildings larger than 50,000 sq. ft., though they are just 5% of all commercial buildings, have more than 50% of commercial floor space (shall we call it the 5/50 rule?). Other studies show similar ratios in other major cellular markets.

2.  If small cells are going to reduce macro cap-ex and improve customer experience, they must deliver capacity where it is needed – in places where thousands of smartphone-toting subscribers congregate. Consider the following… Let’s say a US operator decided to purchase 100,000 small cells and installed these at 100,000 small enterprises spread over the United States, will it be able to reduce its macro network investment? Will millions of subscribers see a marked difference in network quality? We think this is unlikely, as it does not target the medium-large buildings where the most important enterprises reside.  Now, let’s say the same operator used 100,000 small cells to deliver capacity in 2,000 of its busiest buildings in New York, Washington DC, Los Angeles and San Francisco. By doing so, the operator would be adding capacity where it is needed most, in markets packed with high-ARPU subscribers, and where adding new cell sites is extremely expensive.

Perhaps, we are not saying anything that mobile operators do not already know. Every year, operators spend billions of dollars providing coverage inside large buildings using distributed antenna systems and dedicated macro cells. All that we are saying is that operators can leverage the lower price point of scalable small cells to open up a much larger building market that was previously unavailable. Conservatively, operators can triple the number of buildings covered, provide ten times the capacity, and do it all in less time and for less money than they did in the past!

- Amit Jain, Vice President of Marketing & Product Management
Twitter: @SpiderCloud_Inc

If You Can Scale…Cloud and Managed Services $ Will Come
June 01, 2015

Next week, the Small Cell community once again gathers in London at the annual Small Cells World Summit. This year is special for us! We are, for the first time, showcasing how edge and cloud computing enable new Smart Building and Unified Communications managed services for enterprise customers in collaboration with our new partner Cisco.

Game Changer #1: SpiderCloud + Cisco + enterprise installed base of Wi-Fi

At MWC this year, Cisco and SpiderCloud announced a strategic collaboration. Cisco is now reselling our entire (easy to install) small cell portfolio under the USC 8000 Series brand. The Cisco USC 8000 Series access points are available as standalone units, or as plug-in modules for the Cisco Aironet 3600/3700 Wi-Fi access points using SpiderCloud’s technology. The plug-in radio module is a game changer! Now, the entire installed base of Aironet 3600/3700, inside enterprises across the globe, can be 3G+4G enabled in seconds (the time it takes to plug in the module) – something no other vendor can do.

Game changer #2: Services Collaboration!

For many years we have showed how our Services Node is a catalyst for services. An on-premises controller (Services Node), with a services module, can enable managed cloud and application services beyond basic coverage and capacity.

We have been working with leading companies to show use-case examples:

  • IBM for handset-to-location video, and advertising “push” services for use at venues and shopping malls.
  • HP and Vodafone UK for in-building location (which won us all an award from the Small Cell Forum in 2014).
  • Intel/McAfee for policy enforcement and identify and prevent network security threats at the edge.
  • Saguna for backhaul savings and user experience benefits using a centralized content cache.
  • Druid and Tango for extension of enterprise UC, PBX and mobile call services inside and outside the enterprise network. See Druid’s hospital use case.

Ken Rehbehn (Principal Analyst, 451 Research/Mobile) puts this into context:

"Enterprises recognize the strategic importance of mobile communications as a tool for business agility and efficiency, but simple in-building coverage and capacity fixes may not be sufficient. By augmenting in-building small cell mobile services with flexible mobile edge computing capabilities, enterprises gain a potent toolkit to get the most value out of smart building and Unified Communications applications."

Next week, at the Small Cells World Summit, we will provide further insight to how the Services Node drives services revenue beyond coverage and capacity:

  • How - the mobile device IMSI can be paired to the enterprise active directory for authentication, as well as provide broadcast alerts within the building where the controller is deployed.
  • How - Smart building operations benefit from mobile devices to improve zone heating and air-conditioning usage by monitoring the number of mobile devices and location within the building or campus.
  • How – you can improve building security access by using mobile devices as secondary identification and verification to building badge access.
  • How - the small cell system can enable location and context aware services and execute building-wide alerts to all mobile devices connected to the LAN.
  • How - compliance services can be enabled with policy filtering and identify and prevent mobile LAN network access to non-compliant web sites.
  • How – you can improve network security by blocking malicious packets sent by a mobile device within the LAN, and protect a device from malicious packets sent by a server on the Internet.

Game Changer #3 Services Revenue

The great majority of large businesses would pay over 30% more per-employee for an indoor cellular solution with managed services (iGR survey).

With our eco system partners, and now Cisco, a scalable small cell system deployed over a basic Cat5e LAN (or VLAN), can indeed open up a $100B services market with smart building and Unified Communications (Exact Ventures report).

SpiderCloud’s scalable small cell system provides real-time coordination and distributed SON capability up to 100 dual-band 3G+4G or 4G+4G access points (up to 200 sectors of capacity), enough to effectively offer reliable managed services for buildings and offices up to 1.5 million square feet.

DAS is no-go on Services

Unless you have IT funds like Google and Apple, managed cloud and applications services is a no-go. As we pointed out in the “DAS is D.E.A.D (as we knew it)” blog, and our blog about Ericsson Radio Dot (a year later), enabling services beyond coverage and capacity for DAS-based systems is simply a non-starter.

Our scalable small cell system technology is in use with América Móvil/Telcel, Avea, Verizon, Vodafone UK and Netherlands and Warid Telecom, among others.

See us at Small Cells World Summit next week (June 9-11 in London), or look for us at these upcoming events:

Keep in mind that if you have an IT-friendly and scalable small cell system, you can enable cloud and managed services to increase ARPU.

Ronny Haraldsvik
SpiderCloud Wireless
Twitter: @haraldsvik

A Scalable and Secure Small Cell System – Built In from the Get-Go!
May 13, 2015

Security cannot be an after thought. Years before we commercially deployed the first scalable small cell system, we addressed any security concerns with mobile operators AND enterprise IT teams.

Security must be an integrated part of the design process. Just “adding security on later” can be impossible where a software technique has a dependency on hardware subsystems that were not designed into the system.

SpiderCloud’s small cell system consists of Radio Nodes (RN) small cells and a Services Node (SN).  The SN provides central configuration, able to control over 100 self-organizing and multi-access 3G/4G and 4G/4G RNs. The Radio Nodes securely connect over enterprise-Ethernet Local Area Network (LAN) and/or a Virtual LAN (VLAN) to the SN. The SN then originates a single secure connection to Security Gateway infrastructure at the edge of the mobile operator’s core network over high speed IP transport.

Think of the SN as a “black box” that implements 3GPP standard encryption between the UE’s and it’s RNs, and IP/IPSec between it’s SN and the Security Gateway(s) at the perimeter of the mobile operator’s core network. Besides 3GPP defined Kasumi and Snow 3G air link protocols used between UEs and E-RAN, we have also implemented IETF defined family of IPSec protocols used to connect the E-RAN to the mobile core.  

The fundamental security design assumption made early on was the scalable small cell system could operate in an untrusted environment with non-telecom employees having physical access to it. Therefore, the system should not be vulnerable to physical or local/remote digital attacks.

Working from the ground up, the system hardware incorporates both tamper resistance and secure repositories that anchor secure software elements:

  • All the normal disabling/fuse blowing (manufacturing/diagnostic interfaces - JTAG) is done to many of the critical semiconductors. This prevents abuse of development and manufacturing test equipment to exploit them. 
  • All hardware can make use of tamper resistant screws to make sure that only a special screwdriver they possess can open the SN. Tamper detection, with operator action choice, is available.
  • TPM vault on all hardware to store PKI certificates. TPM vaults are used extensively to protect PKI private keys from export from the hardware. This is critical to maintain trust that attackers cannot quietly develop eavesdropping capabilities by compromising IPSec security. 
  • IPSec hardware acceleration is performed in the SN and not in its general purpose processor.
  • Encryption of all data at rest in SN storage prevents any attacker from recovering data from the SSD drive.
  • The craft interface on the SN is scope-limited to be a bootstrap mechanism that is remotely disabled after commissioning a SpiderCloud system.

Building upon these hardware features, the system OS leverages them to protect itself and the privacy and integrity of the traffic flows between the UE’s and the mobile core.

  • SpiderCloud’s hardware will only load signed code images that must successfully validate against the PKI key resident in the RN or SN TPM vault.
  • All PKI certificate public/private keys are secured from export via storage in TPM.
  • Support is available to use default factory provisioned certs or operator certificates.
  • OSCP or CRL methods are available to determine revocation status of the certificates in the hardware.

The small cell system Radio Node (RN) is a very sophisticated part of the overall system and has a broad range of protections built into it.

  • An RN has no resident operating system and fetches it, at power up, from the SN. Stolen RN’s don’t have an operating system, thus they cannot do anything.    
  • The SN and RN mutually authenticate each other as part of building their IPSec connection. This is a protective measure that prevents a man-in-the-middle attack. RN’s operating system is signed and must validate against the hardware during boot process or it will not load.
  • There is no craft interface on an RN. It only has an Ethernet port on it that expects to be connected to a PoE+ port on an enterprise LAN/VLAN.

In SpiderCloud’s system, IPSec and 3GPP features for path protection and integrity are key to insure service availability and subscriber data privacy.

  • IPSec is utilized between SN and its RNs, and between SN and Security Gateway (SeGW). Even when private transport is being utilized by an operator, IPSec is used to preserve privacy of subscriber payload.
    • An SN can connect to multiple SeGW for fault tolerance – UMTS Iu-Flex & LTE S1-Flex. These SeGW can also be geo-redundant to protect from cable cuts and power problems that can affect data centers.
    • Extensive QoS policy controls over all backhaul access inside the IPSec path and DSCP marking for MPLS CoS handling enable the SN to protect critical traffic when the backhaul experiences congestion.

Security auditing is the final step in insuring that the system is capable of operating delivering both confidentiality and integrity of subscriber traffic traversing the system.   

  • System has been, and is consistently audited, and penetration tested routinely by a third party specialist security vendor as part of QA processes. Any issues found are remediated.
  • System is routinely audited/explored by our mobile operator’s technology security team as part of due diligence.
  • SpiderCloud’s OEM partners have conducted further audits to make sure they can safely promote SpiderCloud as part of their solutions portfolio.
  • System hardware and RAN protocol use standards to connect to both UE’s over air link and the mobile core via Security Gateway. This means SpiderCloud has done a significant amount of IOT with UE’s (of many varieties), SeGW, Iuh, and EPC vendors.

“Bolt-on” security is an after thought. Security can NEVER be an after thought. SpiderCloud’s scalable small cell system makes use of a “built in security” approach in its system design, from the get-go. Without the underlying investment in systems hardware features, the software security would have no foundation to build upon.

- Art King, SpiderCloud Wireless, Director of Enterprise Services & Technologies

Twitter: @EMobilityInside
Visit our Enterprise IT site @

DAS (As We Knew It) is D.E.A.D.
April 28, 2015

Almost 20 months ago the world’s largest RAN company proclaimed the arrival of the Ericsson small cell, except for it was, and is, a DAS (distributed antenna system).  Since then, many of the world’s largest DAS vendors have followed suit and have started to position existing distributed antenna systems or Wi-Fi as “small cells.”  Why is that you may ask?

Very simply, this is “marketing 101” sort of speak. If you’re late to market, or if you do not have a competitive product, you mirror the momentum marketing messages and re-position existing product lines to gain or retain the interest of your customers, Wall Street and media.

Last week I got a ‘chuckle’ when I read an industry blog written by a DAS infrastructure vendor’s marketing strategist, positioning DAS as “the original small cell”, and today’s small cells as a capacity supplement, only while describing “four viable small cell paths for wireless operators…”. Except, of the four deployment options, the “right” answer for three of the scenarios was DAS.  Seriously?

Yes, seriously.  And furthermore, the author proclaimed to know the definition of a small cell by defining it so that an antenna could be a small cell.  Coverage does not constitute access to needed capacity. 

The Small Cell Forum defines a small cell as “an umbrella term for operator-controlled, low-powered radio access nodes” and “small cells can be based on ‘femtocell technology’ – i.e. the collection of standards, software, open interfaces, chips and know-how that have powered the growth of femtocells.” Thus, small cells are nothing like “spatially separated antenna nodes connected to a common source via a transport medium that provides wireless service within a geographic area or structure.” (…gotta love Wikipedia).

Why the urgency to position DAS as a Small Cell, or to deposition small cells vs. DAS? Very simply, DAS as we knew it is D.E.A.D.

D is for DAS (or Duck)

“If it looks like a duck and smells like a duck, it’s a duck.” Distributed Antenna Systems is just that. An antenna connected to Coax, Fiber or other special cabling that requires cable pulls through the risers, and racks and racks of equipment in the basement or the telco closet. See our DAS review blog for details, and if you have time, read a 100-page DAS installation manual or the 10-page long price list with necessary equipment to power the “small cell” antenna.

E is for End of Life

Yes, the DAS market will continue to grow as predicted by leading analyst firms. No right-minded person would dispute that. However, DAS as we knew it last year or the year before, is done and over with.  Why are 100s of system integrators working hard to get up-to-speed on small cells, and how to install them?  Mobile operators, enterprise, venue or building owner customers do not care if it’s DAS, Wi-Fi and/or small cells that are fixing their problem with in-building coverage and capacity. They just want the problem fixed, and for the business case (payback) to work.  Long-gone are the days of 7-10 year payback periods, or securing rights to a location, only to charge-back Opex fees to mobile operators, even after they have deployed their own $150k baseband.  Easy to install single or multi-operator Small Cells and Small Cell systems over Ethernet, with pay-back periods measured in weeks or months, made the old DAS obsolete.  Yes, there I said it. Obsolete.  But, there’s reason to celebrate.

A is for Acknowledgement

Because of the rise in tide for small cell vendors, DAS and RAN vendors alike went back to the drawing board to simplify single operator and multi-operator DAS systems, making them easier and cheaper to deploy. Is this enough?  Time will tell, but for now, the in-building coverage and capacity market is smoking hot and the DAS vendors do not want to be pushed outside in the cold. Big venues and buildings need any and all spectrum and capacity. The pragmatic solution, where DAS already exists, is to supplement with Wi-Fi and Small Cells. After all, adding LTE DAS is just like adding an entire new DAS system installation at $4-6 a square foot.

D is for Demarcation

New DAS systems find their place where old DAS once were deployed, but in competition with scalable small cell systems that add capacity wherever a small cell is mounted. Whereas DAS systems for big venues and buildings would deploy capacity for 40 sectors with hundreds of special antenna pulls, a small cell system could easily add 200 sectors of 3G/4G capacity for 25% of the cost, as compared to DAS (not counting yearly Opex which is closer to 50-100x difference). The DAS business case makes good sense for 1m-10M square feet. Below a million, the business case now favors small cell systems.

At PCIA’s Wireless Infrastructure conference, Alan Tantillo, national director for development and siting policy at T-Mobile USA, pointed out on a panel that “It is not cost-effective to put in a neutral host DAS system.” See RCR Wireless’s article and video from the panel.

It’s a brave new world out there, and the winners are the end-customers.  Mobile operators, enterprise, building and venue customers are the beneficiaries of free-market competition where the best solution deployed in the shortest amount of time, for best price – wins!

Let’s not confuse the customers. If they want a duck, they’ll buy one.

Ronny Haraldsvik
SpiderCloud Wireless
Twitter: @haraldsvik