MCP’s biggest security loophole is identity fragmentation


Each time a new technology appears, it is usually two steps forward, one step back. The backward step is usually a matter of security. That has been the story with AI, and more specifically with the Model Context Protocol (MCP): innovation keeps running ahead of security.
On the one hand, MCP servers have been a boon for engineers. LLMs can now speak a "common language" to each other, to data sources, tools and even people. They can reach data they would otherwise have no access to, beyond their training data or what is public online.
Usually that means data in private systems belonging to companies. It is so useful for making an AI better, in fact, that MCP adoption may be far more widespread than most people think, with more than 15,000 MCP servers in the wild according to Backslash Security.
Teleport co-founder and CEO.
But like any technology, MCP can be abused. Hundreds of MCP servers have recently exposed sensitive data and enabled remote code execution attacks because of incomplete or inadequate access controls. Trend Micro even says that threat actors could target hard-coded credentials in MCP servers. Any veteran engineer could have seen this coming from a mile away.
"How do we secure MCP?" is therefore a question many companies and security teams will be asking. But hackers do not attack protocols directly, which makes the better question: how do you make your underlying infrastructure, of which MCP is one part, more resilient against common attack vectors like phishing?
Hackers don't attack protocols – they attack mistakes
Almost every attack, with the exception of the odd zero-day exploit, begins with a mistake, such as exposing a password or giving a junior employee access to privileged data. This is why phishing for credentials is such a common attack vector.
It is also why the risk of a protocol being exploited to breach infrastructure does not come from the protocol itself, but from the identities interacting with it.
Any human or machine user that depends on static credentials or standing privileges is vulnerable to phishing. That makes any AI or protocol (MCP) interacting with that vulnerable user vulnerable too.
This is MCP's biggest blind spot. Although MCP lets AI systems request only the relevant context from data repositories or tools, it does not stop the AI from handing sensitive data to identities that have been compromised through stolen credentials.
That is a big gap at a time when it is easier than ever to impersonate other users unnoticed by obtaining valid static credentials (for example, passwords or API keys). MCP also lacks inherent access control features.
So securing MCP really comes down to ensuring that only authorized identities interact with the AI. But knowing who or what is an authorized user is hard in today's landscape of fragmented identity.
Welcome to hell, a.k.a. identity fragmentation
Complex modern IT environments have made it harder than ever for engineers to manage and protect infrastructure. You can see a symptom of that complexity in how companies manage role-based access control: many have more roles than employees.
Think of identity management today as a large set of interconnected islands. Each island represents part of your IT infrastructure – cloud platforms, on-premises servers, SaaS, legacy systems and so on. Each has its own customs office and passport system, except that your passport (identity) on one island does not work on the next.
Sometimes you need a passport, other times a visa. Some islands have strict guards, others barely check your credentials, and still others, let's just say they have lost your files entirely.
If you are the customs agent, it is impossible to keep easy track of who is coming and going between the islands. Some travelers carry outdated or forged passports, which could take customs ages to verify.
That is hard enough when the "customs officer" is a security team, but suppose the officer is an AI model. It cannot tell a company's real CEO from an impostor CEO. All it cares about is that "the CEO" is requesting access to the financial files.
Again, this is a blind spot for MCP, as is the fact that a hacker could pretend to be a database, a microservice or an AI agent. They could do so trivially because so many machines rely on static, over-privileged credentials that can be stolen.
MCP will not fix this unless it sits within a security model that lets teams manage humans, machines and AI in a more coherent way.
Burn the identity silos down
If you are deploying MCP and AI, you should pair it with a cybersecurity approach that does not rely on siloed secrets and identities.
If you want to eliminate secrets, back all your identities, including AI, with cryptographic authentication (trusted platform modules, biometrics). Even MCP deployments need to get on board with this, because if authentication is just an API key, any attacker holding it can pretend to be anyone or anything.
So replace those standing secrets for agents with strong, ephemeral authentication, combined with just-in-time access.
Speaking of access, the access controls of your chosen LLM must be tied to the same identity system as the rest of your business. Otherwise there is not much stopping it from disclosing sensitive data to the intern who asks who the highest-paid employees are.
You need a single source of truth for identity and access that applies to all identities. Without it, it becomes impossible to enforce meaningful guardrails.
Some startups will inevitably try to solve AI security with solutions that manage AI identities in a vacuum, but that would only worsen identity fragmentation. AI does not belong on its own island, but in a setting where it is aware of the wider access policies that apply to the other users of your infrastructure.
However you get there with tooling, you should be able to enforce policy on your identities in a single place, whether for AI, cloud services, servers, remote desktops, databases, Kubernetes and so on. Those identities should only hold privileges when they actively need them, which means no standing access while idle.
It would be irresponsible to claim that unifying identity eradicates all the complexity of cybersecurity. That said, a large part of the complexity goes away when you tidy up your own house. The more complex a system, the more likely someone is to make a mistake. And mistakes are fundamentally what we need to prevent.
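As an added illustration, not code from the article or from Teleport, the snippet below contrasts the standing-API-key pattern the author warns against with a short-lived, identity-bound, scoped credential that an MCP tool-call handler re-checks against one central policy store at use time. The policy entries, signing key and identity names are constructed placeholders.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed stand-in for the "single source of truth": identity -> MCP tool
# scopes it may use. Humans and AI agents live in the same store, not separate islands.
POLICY = {
    "alice@example.com": {"finance.read"},
    "build-agent": {"repo.read"},
}
SIGNING_KEY = b"constructed-demo-key"  # placeholder; a real key would live in a TPM/HSM
MAX_TTL_SECONDS = 600                  # hard ceiling on how long any grant can live

# --- the anti-pattern: one standing API key trusted for every tool, forever ---
STATIC_API_KEY = "sk-constructed-static-key"

def weak_authorize(presented_key: str) -> bool:
    """Whoever holds the key (legitimate agent or phisher) gets everything, indefinitely."""
    return hmac.compare_digest(presented_key, STATIC_API_KEY)

# --- the hardened pattern: ephemeral, identity-bound, scoped, re-checked at use ---
def _sign(body: str) -> str:
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_token(identity: str, scope: str, ttl: int, now: Optional[float] = None) -> str:
    """Just-in-time grant: minted only if central policy allows, and it expires quickly."""
    now = time.time() if now is None else now
    if scope not in POLICY.get(identity, set()):
        raise PermissionError(f"policy denies {scope} to {identity}")
    claims = {"sub": identity, "scope": scope, "exp": int(now + min(ttl, MAX_TTL_SECONDS))}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return f"{body}.{_sign(body)}"

def authorize_tool_call(token: str, tool_scope: str, now: Optional[float] = None) -> Optional[str]:
    """Return the identity allowed to invoke the tool, or None if the call must be refused."""
    now = time.time() if now is None else now
    body, _, sig = token.partition(".")
    if not sig or not hmac.compare_digest(sig, _sign(body)):
        return None                                   # forged or tampered token
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] <= now or claims["scope"] != tool_scope:
        return None                                   # expired, or minted for another tool
    if tool_scope not in POLICY.get(claims["sub"], set()):
        return None                                   # revoked centrally since issuance
    return claims["sub"]

def revoke(identity: str) -> None:
    """Removing the identity in one place invalidates every outstanding grant it holds."""
    POLICY.pop(identity, None)
```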
This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro



