Page 151 - Kaleidoscope Academic Conference Proceedings 2021
Connecting physical and virtual worlds
assurance. Specifically, security hardening needs to be performed on the host OS, virtualization software, and guest OS, and virtual network isolation and data security mechanisms need to be provided inside the MEP. The MEP provides application discovery and notification interfaces to external systems, and therefore interface and API invocation security are essential. Access to the MEP should be authenticated and authorized to prevent unauthorized access by malicious applications.

• MEC service authorization: Mobile network operators need to authorize UEs to use MEC services, and only authorized users can use MEC services. If operators are not the ones to deploy 5G MEC services, the MEC service provider should also adopt a similar service authorization mechanism to prevent unauthorized access.

• Service authentication and authorization during application switching: Applications may select different EASs due to factors such as UE mobility or load balancing. The necessary context needs to be securely transferred from the source EAS to another server (EAS or cloud application server) to ensure user service continuity. Application switching can be triggered by the EAS, the edge enabler server, the UE-side application client, or the UE-side enabler client.

• UE access security: UE access security is the process of identifying UEs that are trying to access the operators' core networks and MEC, to determine whether UEs should be permitted or denied access based on preset policies. A large number of heterogeneous UEs may access MEC. These UEs communicate through various protocols, and their computing capabilities and architectures vary greatly.

4.2.5 Application security

MEC applications have different service types, such as operators' value-added services and third-party vertical industry services. Different types of services have different security requirements and capabilities. Third-party vertical industry applications pose particularly high security risks to the MEC environment. It is essential to isolate applications with different service types and to monitor security during inter-application access. Besides, security management is required for applications throughout their life cycle.

Figure 6 – MEC application security

MEC applications are deployed on the NFV infrastructure as virtualized network functions. When MEC applications are deployed on a VM or container, the virtualization infrastructure should be able to isolate the vCPU, virtual memory, and I/O resources used by the MEC applications from those used by other VMs or containers. It should also ensure the integrity and confidentiality of application images and image repositories, as well as perform access control. For details, see the security requirements of the virtualization layer and containers.

4.2.6 Capability exposure security

MEC applications should be able to invoke operators' network capabilities, such as user location and quality of service information, to achieve business value. In response, operators' networks need to expose network capabilities to applications, thereby providing better services to MEC applications. However, despite its benefits, this network exposure also leads to new security threats. As such, it is essential to securely manage, publish, and expose APIs. MEC applications that function as API invokers should be authenticated and authorized to ensure the security of MEC network capability exposure.

4.2.7 Management security

Management security includes security event management, user behavior management, important data management, platform baseline management, life cycle management, and situational awareness capability building.

• Security event management: Traces security events in the MEC system, improves the utilization of alarm logs, and generates warnings for security events. Security event management collects alarm logs of physical, virtual, and application-layer security devices and reports them to the situational awareness system for analysis and security warning.

• User behavior management: Traces users' operations and issues warnings of risks caused by manual operations. Approval procedures are established and implemented for system changes, important operations, physical access, system access, and other activities. A universal access portal allows us to centrally manage the hosts, VMs, cloud management platforms, MEC platform managers, and users of third-party applications.

• Important data management: Traces important data flow paths to prevent data leakage. The transfer of important data, such as information about users, configurations, images, and software packages, is recorded to form a data flow path. In the case of a data breach, evidence can be provided for incident tracing.

• Platform baseline management: Ensures the reliability and security protection capabilities of the MEP. A baseline check is performed on hosts, VMs, physical and software packages, ensuring the security of the platform and upper-layer applications, reducing security risks, and improving the level of security protection.

• Life cycle management: Manages the life cycle of devices that access MEC, periodically updates all MEC nodes over remote connections, maintains and manages
– 89 –
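The API-invoker authentication and authorization requirement of section 4.2.6 above, as an added example that is not part of the paper: a minimal capability-exposure gateway check in Python. The token format, the signing key, the application IDs, the scope names and the API paths are all constructed for this example; a real operator exposure function would use its own credential and scope scheme.

```python
import hashlib
import hmac
import time

# Constructed signing key; in practice held only by the operator's gateway.
OPERATOR_KEY = b"constructed-operator-signing-key"

# Constructed registry: which exposed capabilities each registered MEC
# application (API invoker) has been granted by the operator.
GRANTED_SCOPES = {
    "app-nav-001": {"location"},            # may read UE location only
    "app-video-007": {"location", "qos"},   # may read location and QoS
}

# Constructed mapping from exposed API path to the scope it requires.
API_SCOPE = {"/nef/location": "location", "/nef/qos": "qos"}


def issue_token(app_id, ttl_s=300, now=None):
    """Operator-side issuance of an invoker token: app_id.expiry.hexmac."""
    exp = int((time.time() if now is None else now) + ttl_s)
    mac = hmac.new(OPERATOR_KEY, f"{app_id}|{exp}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{app_id}.{exp}.{mac}"


def authorize_invocation(token, api_path, now=None):
    """Gateway-side check for one API call; returns (allowed, reason).
    Authenticate the invoker (MAC and expiry) before consulting the scope
    registry, so unauthenticated callers learn nothing about it."""
    try:
        app_id, exp_s, mac = token.split(".")
        exp = int(exp_s)
    except (ValueError, AttributeError):
        return False, "malformed token"
    expected = hmac.new(OPERATOR_KEY, f"{app_id}|{exp}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time compare
        return False, "authentication failed"
    if (time.time() if now is None else now) >= exp:
        return False, "token expired"
    if app_id not in GRANTED_SCOPES:
        return False, "unknown invoker"
    scope = API_SCOPE.get(api_path)
    if scope is None:
        return False, "unknown API"
    if scope not in GRANTED_SCOPES[app_id]:
        return False, f"not authorized for scope '{scope}'"
    return True, "ok"
```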
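The data-flow recording described under "Important data management" in section 4.2.7 above, as an added example that is not part of the paper: a hash-chained ledger of important-data transfers in Python, from which an item's flow path can be reconstructed as evidence and the record itself checked for tampering. The component names, data identifiers and entry layout are constructed for this example.

```python
import hashlib
import json

GENESIS = "0" * 64   # chain anchor for the first entry


def _digest(prev_hash, entry):
    """Hash one entry together with the previous entry's digest, so that
    rewriting or deleting an earlier entry breaks every later digest."""
    payload = json.dumps({"prev": prev_hash, **entry}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


class DataFlowLedger:
    def __init__(self):
        self.entries = []   # list of (entry_dict, chained_digest)

    def record_transfer(self, data_id, kind, src, dst, ts):
        """Append one transfer of an important data item (user info,
        configuration, image or software package) between components."""
        entry = {"data_id": data_id, "kind": kind, "src": src,
                 "dst": dst, "ts": ts}
        prev = self.entries[-1][1] if self.entries else GENESIS
        self.entries.append((entry, _digest(prev, entry)))

    def flow_path(self, data_id):
        """Reconstruct where an item went: [first src, dst, dst, ...]."""
        hops = [e for e, _ in self.entries if e["data_id"] == data_id]
        hops.sort(key=lambda e: e["ts"])
        if not hops:
            return []
        return [hops[0]["src"]] + [e["dst"] for e in hops]

    def verify(self):
        """Recompute the chain; return the index of the first entry whose
        digest no longer matches, or -1 if the record is intact."""
        prev = GENESIS
        for i, (entry, h) in enumerate(self.entries):
            if _digest(prev, entry) != h:
                return i
            prev = h
        return -1
```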