Provided by the author(s) and University College Dublin Library in accordance with publisher
policies. Please cite the published version when available.
Title Survey on Multi-Access Edge Computing Security and Privacy
Authors(s) Ranaweera, Pasika; Jurcut, Anca Delia; Liyanage, Madhusanka
Publication date 2021-02-26
Publication information IEEE Communications Surveys & Tutorials, 23 (2): 1078-1124
Publisher IEEE
Item record/more information http://hdl.handle.net/10197/12082
Publisher's statement © 2021 IEEE. Personal use of this material is permitted. Permission from IEEE must be
obtained for all other uses, in any current or future media, including reprinting/republishing
this material for advertising or promotional purposes, creating new collective works, for
resale or redistribution to servers or lists, or reuse of any copyrighted component of this
work in other works.
Publisher's version (DOI) 10.1109/comst.2021.3062546
Downloaded 2022-08-10T08:30:37Z
The UCD community has made this article openly available. Please share how this access
benefits you. Your story matters! (@ucd_oa)
© Some rights reserved. For more information, please see the item record link above.
1
Survey on Multi-Access Edge Computing Security
and Privacy
Pasika Ranaweera*, Member, IEEE, Anca Delia Jurcut, Member, IEEE,
Madhusanka Liyanage, Senior Member, IEEE
Abstract—The European Telecommunications Standards Insti-
tute (ETSI) has introduced the paradigm of Multi-Access Edge
Computing (MEC) to enable efficient and fast data processing in
mobile networks. Among other technological requirements, secu-
rity and privacy are significant factors in the realization of MEC
deployments. In this paper, we analyse the security and privacy
of the MEC system. We introduce a thorough investigation of
the identification and the analysis of threat vectors in the ETSI
standardized MEC architecture. Furthermore, we analyse the
vulnerabilities leading to the identified threat vectors and propose
potential security solutions to overcome these vulnerabilities. The
privacy issues of MEC are also highlighted, and clear objectives
for preserving privacy are defined. Finally, we present future
directives to enhance the security and privacy of MEC services.
Index Terms—Multi-Access Edge Computing (MEC), Security,
Privacy, Internet of Things (IoT), 5G, Cloud Computing, Future
Networks
I. INTRODUCTION
Multi-Access Edge Computing (MEC) is a nascent
paradigm proposed by the European Telecommunications
Standards Institute (ETSI) to overcome the issues exerted from
intricacies in highly evolving mobile and wireless commu-
nication networks. The underlying principle of MEC is to
extend the cloud computing (CC) capabilities to the edge of the
mobile network to curtail the attributed constraints on existing
cloud infrastructure [1]. More anecdotally, MEC complements
the corporate data and processing centres, providing compute,
storage, networking, and data analytic resources at locations
in the proximity of the data source [2]. The impending fifth
generation (5G) mobile technology is one of the rationales for
the emergence of MEC. The guaranteed performance metrics
of 5G are: data rates up to 10 GB/s, service level latency below
1 ms, ultra-high reliability of 99.99999%, reduced energy
consumption of 90%, and support for 300,000 devices within
a single cell [1], [3]. In order to meet these requirements,
migrating the service infrastructure to a proximate location is
a critical approach. Thus, the MEC paradigm is formed and
designed with the above considerations.
A typical intelligent, autonomous application or service
executed on a smart device requires connectivity to the
Pasika Ranaweera is with School of Computer Science, University College
Dublin (UCD), Ireland. e-mail:pasika.ranaweera@ucdconnect.ie
Anca D. Jurcut is with University College Dublin (UCD), Ireland. e-
mail:anca.jurcut@ucd.ie
Madhusanka Liyanage is with the School of Computer Science, University
College Dublin (UCD), Ireland and the Centre for Wireless Communi-
cations, University of Oulu, Finland. e-mail:madhusanka@ucd.ie, madhu-
sanka.liyanage@oulu.fi
*Corresponding author
centralized cloud services for circulating control information
and authentication credentials in case of an authorization
mechanism. This connectivity is generally linked through the
Internet for facilitating a communication channel with strong
cryptic credentials. This ubiquitous and bandwidth-consuming
connectivity to out-of-proximity entities is restricting the
responsiveness of the applications, hindering the real-time
services guaranteed by forthcoming mobile technologies. The
resource availability in the in-proximity edge servers of MEC
deployments are elevating the feasibility of launching real-
time applications with improved autonomy. Thus, connectivity
to the centralized cloud infrastructure is not required for
multitudes of functions in applications hosted on current smart
devices. However, more hardware should be installed in the
Base Station (BS) by Mobile Network Operators (MNOs) for
realizing this technology. In spite of the initial investment
made by the MNO, the long-term revenue of the MNO could
be increased because of the MEC-enabled applications [4].
In the existing CC service architecture depicted in Fig. 1, all
the emanated service requests in the Radio Access Network
(RAN) are traversed to the cloud servers, which are located at
different global locations due to the non-existent storage and
processing platform at the BS. The subscribers are unaware
of the exact locations of the servers due to the outsourcing
process. This fact is raising security and privacy concerns, as
the personal data of the subscribers are handled by third parties
without any concrete assurances. The channel conveying the
elevated service requests and data to the cloud servers is bound
to form a bottleneck in the network traffic in addition to the
RAN access interface [4]. Therefore, CC-based services are
expected to endure latency issues, jitter, and unresponsive-
ness in addition to the security ramifications from service
interruption–based attacks perpetrated by adversaries. These
factors prove the improbability of successfully deploying im-
pending applications with 5G technology such as Ultra High
Definition (UHD) video streaming, Augmented Reality (AR),
Virtual Reality (VR), Mixed Reality (MR), Tactile internet,
Machine Type Communication (MTC), Machine-to-Machine
(M2M), Unmanned Aerial Vehicle (UAV), and Vehicle-to-
Everything (V2E). The storage and processing infrastructure
facilitated by MEC deployments, however, are ensuring the
benefits of ultra-low latency, locational awareness, proximate
data outsourcing, and improved capacity in the edge devices.
These features enable higher bandwidth and real-time respon-
siveness to the subscriber applications. Moreover, MEC-based
services within the RAN enhance computational processing
power to avoid bottlenecks with directed mobile traffic [5].
2
TABLE I: Summary of important acronyms.
Acronym Definition
3GPP Third Generation Partnership Project
4G Fourth Generation Telecommunication Networks
5G Fifth Generation Telecommunication Networks
AI Artificial Intelligence
AR Augmented Reality
BLE Bluetooth Low Energy
BS Base Station
CC Cloud Computing
CDN Content Delivery Network
CFS Customer Facing Service
CIA Confidentiality, Integrity, and Availability
CPS Cyber Physical System
D2D Device-to-Device
DDoS Distributed Denial of Service
DoS Denial of Service
E2E End-to-end
eMBB enhance Mobile Broadband
eNodeB Evolved Node B
ETSI European Telecommunications Standards Institute
GDPR General Data Protection Regulation
GSM Global System for Mobile Communication
GT Game Theory
ICN Information Centric Networking
IDS Intrusion Detection Scheme
IIoT Industrial Internet of Things
IoT Internet of Things
ISG Industry Specification Group
ITS Intelligent Transport System
LAN Local Area Network
LADN Local Area Data Network
LPWAN Low-power Wide Area Network
LTE Long Term Evolution
M2M Machine-to-Machine
MANET Mobile Ad-hoc Network
MANO Management and Network Orchestration
MCC Mobile Cloud Computing
ME Mobile Edge
MEC Multi-Access Edge Computing
MEH Mobile Edge Host
MEO Mobile Edge Orchestrator
MEN Mobile Edge Network
MEPM Mobile Edge Platform Manager
MES Mobile Edge Service
MitM Man-in-the-Middle
mmWave millimeter-Wave
MNO Mobile Network Operator
MR Mixed Reality
MTC Machine Type Communication
NB-IoT Narrow-band IoT
NFC Near Field Communication
NFV Network Function Virtualization
NS Network Slicing
OSS Operation Support System
PbD Privacy by Design
QoE Quality of Experience
RAN Radio Access Networks
RFID Radio-Frequency Identification
SDN Software-Defined Networking
SDP Software-Defined Privacy
TV Threat Vector
UALCMP User Application Life-Cycle Management Proxy
UAV Unmanned Aerial Vehicles
UE User Equipment
UHD Ultra High Definition
URLLC Ultra-reliable Low-latency Communication
V2E Vehicle to Everything
V2I Vehicle to Infrastructure
VIM Virtualization Infrastructure Manager
VM Virtual Machine
VNF Virtual Network Function
VR Virtual Reality
WAN Wide Area Networking
WLAN Wireless Local Area Network
These factors are making MEC the preeminent technology
behind 5G deployment.
A. General Background on Security and Privacy
Security is a broader concept that extends to the notions
of information security, cyber-security, forensic security, and
network security. Information security was defined as the
preservation of confidentiality, integrity, and availability (also
referred as the CIA triad) of information under the stan-
dard ISO/IEC 27002 in 2005 [6]. The information under
this definition is applicable to physical or electronic/digital
forms of data that are subject to be documented, stored, in
transit, or conversed. Forensic security covers acts committed
against the laws and statutes in the governing domain. In
the IT domain however, digital forensic methods are used
for ensuring security. A more nascent definition for cyber-
security is presented in [7] as the approaches and actions
associated with security management processes followed by
organizations and states for protecting CIA of data and assets
in cyber-space—though latest requirements of cyber-security
are going beyond CIA aspects. Factors such as traceability,
authentication, authorization, anonymization, granularity, lo-
calization, and trust are novel requirements for systems where
cyber-security is applicable.
Initially, network security was defined as the means to
secure the communication networks from possible intrusions
and vulnerabilities. Those attacks and threats were limited to
the intervening and masquerading attacks such as Man-in-the-
Middle (MitM), Relay, and spoofing. With adequate levels of
encryption and cryptography primitives, probable attacks were
plausibly mitigated. However, novel communication services
are prioritizing the data rate of the network to serve more
subscribers. Thus, cumbersome cryptographic primitives are
imprudent. Moreover, softwarized approaches of Software
Defined Networking (SDN), Network Function Virtualization
(NFV), and Network Slicing demand more requirements for
security assurance as presented in [8]. Most of the emerg-
ing systems are Cyber-Physical Systems (CPS) that integrate
computation, networking, and physical processes to create an
environment extending to cyber and physical spaces. Thus,
security for a CPS represents an extensive domain for cyber,
information, forensic, and network security contexts.
Privacy is an individual’s right to act or behave independent
of any records or surveillance activity conducted without
their consent. In the digital context, personal data cannot be
mishandled by service providers without their consent, and
measures should be taken to keep safe a user’s identity, while
the user actions should be untraceable. Irresponsible entities
possessing personal data of their consumers, might opt to
outsource them to an external institution for deriving personal
intents, behaviours, or interests to expand their commercial
market. Furthermore, adversaries are capable of extracting per-
sonal credentials from weakly protected system to violate their
privacy. These acts are recognized as unlawful practices, and
novel legislations are focused on mitigating these occurrences.
Advancement of sensory devices appended to both human and
non-human entities are increasing the possibility of privacy
leakages [9].
3
Cloud ComputingDrawbacks
Latency
Jitter
LocationalUnawareness
InsecureData Outsourcing
Limited Access
Bottlenecks
Big Data
IoT
Conventional Cloud Computing
Multi-Access Edge Computing (MEC)
Single point of access
leading to bottlenecks
Geo-distributedlocationally
unaware servers
MEC Benefits
Ultra-low latency
Locational awareness
In proximity data outsourcing
Improved capacity at the edge
Higher bandwidth
Real-time responsiveness
X
No storing/ processing
at the edge
Storing/ processing at
the edge
Social Internet
Impending Applications
UHD video streaming
AR/ VR/ MR
Tactile Internet
MTC
M2M
V2E
z
Deployment Improbable
X
Fig. 1: MEC Paradigm and its requirement.
B. Importance of MEC Security and Privacy
The edge of the mobile network is the access point to all the
services emanated in the RAN. This critical juncture is one of
the weakest points in the entire network in terms of security.
The majority of Internet of Things (IoT) devices in the market
are produced with economically manufactured circuitry that
employs weak encryption/encoding schemes and other security
measures for maintaining an affordable price range in order
to compete. Most such devices are vulnerable to cloning and
physical tampering, imperilling the entire mobile network for
countless attacks. Verifying the credibility of these devices
at the edge is a major concern. In addition, the distributed
nature of the MEC paradigm is broadening the avenues for
adversaries, due to the migration of storage and processing
service infrastructure to a proximate radio access range. Even
a service impeding attempt intimidates the purpose of MEC,
for attaining ultra-low latency to provision real-time 5G based
services.
Impending applications and services are demanding the
handling of personal credentials/information at the edge of the
network for realizing the service requisites. Privacy, integrity,
and trust management assurances are prime requirements
with MEC deployments, despite the attributed locational and
contextual awareness facilitated for the users. It is evident
that virtualization technologies are vital for realizing the MEC
paradigm and for creating a serviceable platform with dy-
namic resource allocation capability. Security of the virtualized
platforms are still a gray area, due to lesser deployments.
The vulnerabilities and attacks plausible on Virtual Machines
(VMs) are unique and cause significant consequences to the
MEC system.
Similar to CC, outsourcing MEC subscriber data to a remote
storage and processing environment creates a predicament in
terms of privacy rights. Establishing boundaries regarding the
extent of authorized conduct on service providers capabilities
is imperative for guaranteeing the trust of MEC consumers.
Considering all these facts, security and privacy are important
for realizing a pragmatic MEC paradigm deployment.
C. Classification of MEC Security
Confidentiality
Conventional Security
Aspects
MEC Specific Security Issues
Integrity
Availability
Authentication
Authorization
Access Network
Mobile Edge Network
Mobile Core Network
Traffic Steering
Network Slicing
Categorized Under Different Threat Vectors
Locational Threat
Vectors
Architectural Threat
Vectors
Other Threat Vectors
Service Migration
Mobility Management
Charging and Billing
Service Impeding
Mobile Offloading
Virtualization
Security Classification of MEC
Fig. 2: Classification of MEC security.
Since security is a vast concept, a proper classification is
required to simplify the various aspects that apply to the
MEC context. In this paper, security is mainly classified under
conventional security aspects and MEC specific security issues
as depicted in the Fig. 2. Under conventional or classical
security aspects (in Section III), the Confidentiality, Integrity,
Availability, Authentication, and Authorization aspects are
considered. The MEC specific security issues specified in Sec-
tion IV, are derived based on their threat applicability. Threat
4
Vectors (TVs) are formed to identify the vulnerabilities/flows
associated with MEC deployments. These TVs are further
categorized into locational, architectural, and other aspects for
better clarity.
D. Paper Motivation
MEC is a paradigm that depends entirely on mobile network
deployment. Due to this dependency, integrating upcoming 5G
technology to MEC should be approached with caution. Thus,
materials available for the MEC paradigm are limited and more
generic in terms of certain aspects. Security is one such aspect
that has not been addressed by existing research, specifically
in relation to standardization, due to the heterogeneous de-
ployment scenarios applicable in the radio access network.
Therefore, the prime motivation of this paper is to identify
the threat vectors of the MEC system in accordance to the
ETSI standards and to investigate the integration technologies
for proposing solutions for the security issues.
In Table II, a summary of the existing surveys on MEC
are presented, emphasizing their contribution and significance
to security. The content is categorized as interdisciplinary,
offloading, service migration, communication, MEC based IoT
and security aspects. Moreover, the content indicates the time
frame of the referred literature to understand the novelty of the
presented facts. In [3], different orchestrator deployments are
investigated for successful MEC integration. Further, the table
shows the key enabling technologies and use cases for MEC.
The MEC service orchestration directives presented with con-
tainer and VM aspects are vital for realizing a functioning
edge platform. Different aspects of MEC are addressed in the
surveys in [5], [11], [13] and [14] that cover emerging MEC
based applications, research directions, research challenges,
latency requirements and game theory adaptable MEC use
cases. Security and privacy issues on MEC levels are addressed
in [5], that proposes already existing security mechanisms for
those issues.
The comprehensive investigation in [10] is related to fog
TABLE II: Summary of important surveys on MEC
Aspect Ref. Referred
Time
Frame
Main contribution Relevance to MEC Security
Interdisciplinary
[3] 1996-2017 A survey on MEC orchestration deployments that ad-
dress MEC fundamental enablers and standardization
Minor and generic consideration on security and pri-
vacy
[5] 2001-2017 Presents a comprehensive overview of MEC with
emerging applications and novel research directions
Security and privacy issues on network, core network,
MEC server, virtualization, and end devices are dis-
cussed
[10]
1994-2018 Conducted a comprehensive survey on fog computing
and its relation to other paradigms
No emphasis on MEC security despite the fog security
considerations presented
[11]
2013-2016 Discuss the applications, technological opportunities,
and research challenges of MEC
A mere discussion on the effect of security on trans-
mission delay is presented
[12]
2009-2017 Facts about MEC, fog, and cloudlets are concisely
presented comparatively
MEC security is not significantly addressed
[13]
1976-2018 Latency requirements on 5G technologies focusing on
RAN, core network, and caching
MEC security is not addressed
[14]
1986-2018 Discusses the game theory deployments on MEC use
cases
Security in Game Theory adaptations are emphasized.
No clear context related to MEC
[15]
2001-2017 An overview of MEC architecture, standards, and ap-
plications
Security is not addressed
Offloading
[16]
1997-2017 A comprehensive study on computation offloading use
cases of MEC is conducted
MEC security in not addressed
[17]
1999-2018 A survey on MEC service adoption and provisioning is
presented with different offloading schemes
No relation to the MEC deployments
[9] 2003-2019 A survey on orchestration of cloud and end connectivity
through edge comparing MEC, TC, fog, and cloudlets
Security and Privacy factors on system-level and
service-level are discussed. Not specific to MEC
Service Migration
[18]
1994-2018 A comprehensive survey on service migration ap-
proaches in MEC is conducted
Blockchain is proposed as a solution for security in
the service migration processes
[19]
1987-2017 A survey on VM migration approaches is conducted
identifying migration optimization techniques for MEC
Minor consideration on security for VM migration
Communication
[20]
1974-2017 A comprehensive survey on radio and computational
resource management in MEC
A section on security and privacy issues in MEC
focused on trust, authentication, and network security
[21]
2013-2018 mobile VR application based MEC deployments are
studied
MEC security is not addressed
[22]
1994-2017 A detailed survey of issues on computing, caching and
communication techniques in MEC
Addressed security issues in edge computing. Not
specific to MEC security
IoT Integration
[1] 2009-2018 A survey on realizing the potential of MEC for IoT
deployments with various use case considerations
Security in potential MEC enabled IoT systems are
discussed. No relation to MEC architecture
[23]
2015-2016 MEC based IoT use cases of V2I, data analytics,
computational offloading and surveillance are discussed
MEC security is not addressed
[24]
1992-2018 A survey on the performance affects of IoT based edge
computing deployments. MEC considered as a use case
Security and privacy issues edge computing and IoT
are discussed. No relation to MEC Security
Security
[25]
2006-2016 A comparison of edge paradigms are presented forming
threat models for proposing security solutions
Security is discussed generic to all edge paradigms
focused on UE, network and service infrastructure. Not
specific to MEC
