
Atul Tulshibagwale
CTO, SGNL
05.27.2025

What is MCP and why enterprises need to secure it

This promising standard needs security guardrails for enterprise implementations

The Model Context Protocol (MCP) has taken the AI world by storm. The security community has been abuzz, trying to understand its risks and think through potential solutions. This was amply evident in the multiple meetings I had with identity and security practitioners and decision makers, where AI and MCP were a top concern. Recent additions to MCP standardize some aspects of authorization, but the security concerns MCP creates go well beyond what is currently addressed within the protocol.

Although MCP is not widely deployed today in enterprises, its benefits are enormous, and there is a groundswell of demand at many large organizations. So it is prudent to define a security architecture and be prepared to address the need before the data floodgates open.

A quick background

Large language models (LLMs) are a popular machine learning technology; pre-trained LLMs that generate text or other multimedia output are called Generative Pretrained Transformers (GPTs). An example of a GPT would be the older ChatGPT model 3.0. Reasoning models - the latest additions to this stack, such as Claude 3.7 Sonnet - are trained to break problems down into multiple steps, apply specialized reasoning from different domains, perform web searches, or invoke independent services as required.

Enter MCP

This ability of agents to communicate with independent services as part of the reasoning needed to solve the current task is where MCP comes in. The user runs an MCP host on their end, which can use multiple MCP clients, each communicating with a different MCP server. MCP clients can reside on end-user devices (which is a popular model today) or in the cloud. Clients make requests to MCP servers, and MCP servers can notify clients when they have updated results.

The most important component of an MCP server is the tools it provides. A “list tools” method enables an MCP client to discover the tools available in an MCP server. The tools themselves are invoked like API methods by the MCP client. MCP servers can also support resources and prompts, but those are less commonly used. The diagram below shows this flow:

In the above diagram the “Service” is the actual component hosted by the service provider that does the work of completing the user’s request. The MCP box is the MCP Server, which acts as a front-end to the service.

Authorization in MCP

The recent update to the MCP specification (informally called “3-26”, for the date it was updated) adds an Authorization section. Authorization is optional, but when it is used, the section provides best practices around the use of the OAuth 2.1 draft specification (and related standards). Using this capability:

  • An MCP client discovers the required “scopes” and the location of the authorization server from the MCP server, and requests authorization from the Authorization Server (AS). The AS is typically your identity provider (IdP).

  • The AS provides a familiar interface to users that requests their consent to use specific scopes that the MCP Server accepts. The AS should translate the scope into terms you can understand (like when a social media app asks you whether an event booking site can use your profile photo). The example below shows a typical OAuth consent screen (not specific to MCP).

  • The AS conveys the authorization token (which can include your user identity) to the MCP server.

As a result, the MCP server knows that the user is authorized to use the specific feature of the MCP server for this purpose.

Enterprise security concerns

As you can see above, MCP provides a baseline for security. In an enterprise scenario, the AS can determine whether or not the user is permitted to have a token with the requested scope and deny it if the user does not have access to that functionality. However, there are many limitations:

  1. Since reasoning models have the ability to dynamically plan their execution, they will try multiple ways of obtaining the information if one path fails. Here’s an example: A customer service representative wants to obtain a celebrity customer’s home address, because their employer is a large consumer-facing company, and most celebrities are its customers. The rep asks the LLM: “What is Taylor Swift’s home address?”. The LLM takes the following steps:
    1. It discovers there is a “deliveries” MCP server that can answer this question.
    2. It tries to get an authorization for the “get customer address” tool within the MCP server.
    3. The AS determines the “customer address” scope is not permitted for the rep, and denies this request.
    4. The model then tries to solve this problem differently. It invokes the MCP server’s “get dropoff locations” tool, and provides the context “near Taylor Swift’s home”.
    5. The authorization server determines the “get dropoff locations” scope is permitted for the rep and issues the authorization token.
    6. The LLM then shows the rep the 5 dropoff locations that are near the celebrity’s home, revealing an approximation of the address to the rep.
  2. In the example above, whether a tool invocation is appropriate can depend heavily on the context. This is similar to the broken object level authorization (BOLA) vulnerability in API servers. The MCP server must verify at the object level whether the requesting user has permission to access the information. It follows that every authorization provided to the MCP server has to be ephemeral, because the context can change with every query between the MCP client and server.
  3. Also in the example above, controlling the list of tools on a per-user basis provides assurance that the LLM will not attempt to call a tool of the MCP server which the user should not have access to.
  4. Any downstream processing in an MCP server must preserve the context - the user identity and the parameters of the request.
  5. If user permissions change over time, the MCP server must be notified of those changes, so that it does not notify the client of updated results that are no longer available to the user.
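One way an MCP server or a gateway in front of it could enforce concerns 2 through 5 above, as an added illustration that is not SGNL's or the MCP project's code: the tool list is filtered per user, every call is authorized afresh against the caller's current scopes, the user identity and parameters are carried downstream in one context object, and a drop-off lookup anchored on a customer record is treated as an address disclosure. The scope names, the user records and the structured near_customer_id argument are assumptions (the post's example used free text), and the sample data is constructed.

```python
from dataclasses import dataclass, field

# Constructed sample data: the scopes each user currently holds. In a real
# deployment this comes from the IdP / authorization server on every call.
USER_SCOPES = {
    "rep-42": {"deliveries:dropoff_locations"},
    "mgr-7": {"deliveries:dropoff_locations", "deliveries:customer_address"},
}

# Hypothetical tool catalogue for the "deliveries" MCP server; each tool is
# tagged with the scope a caller must hold to see and invoke it.
TOOLS = {
    "get_customer_address": {"scope": "deliveries:customer_address"},
    "get_dropoff_locations": {"scope": "deliveries:dropoff_locations"},
}


@dataclass
class CallContext:
    """User identity and request parameters carried to every downstream step (concern 4)."""
    user: str
    tool: str
    args: dict
    scopes: frozenset = field(default_factory=frozenset)


def list_tools(user: str, scopes=USER_SCOPES) -> list:
    """Per-user tools/list: only advertise tools the caller may invoke (concern 3)."""
    held = scopes.get(user, set())
    return sorted(name for name, t in TOOLS.items() if t["scope"] in held)


def authorize_call(user: str, tool: str, args: dict, scopes=USER_SCOPES) -> CallContext:
    """Decide one tool call. Evaluated afresh every time and never cached, so a
    revoked permission is enforced on the very next request (concerns 2 and 5)."""
    held = frozenset(scopes.get(user, set()))
    if tool not in TOOLS or TOOLS[tool]["scope"] not in held:
        raise PermissionError(f"{user} lacks the scope required for {tool}")
    # Object-level check (concern 2): a drop-off lookup anchored on a specific
    # customer's address reveals that address, so it needs the address scope too.
    if tool == "get_dropoff_locations" and "near_customer_id" in args:
        if "deliveries:customer_address" not in held:
            raise PermissionError(f"{user} may not anchor a lookup on a customer's address")
    return CallContext(user=user, tool=tool, args=dict(args), scopes=held)


def is_permitted(user: str, tool: str, args: dict, scopes=USER_SCOPES) -> bool:
    """Boolean view of authorize_call, convenient for audit logging."""
    try:
        authorize_call(user, tool, args, scopes)
    except PermissionError:
        return False
    return True
```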

Achieving enterprise-grade security

SGNL recently announced an MCP gateway that addresses these security concerns. All you need to do is insert the SGNL MCP gateway between your MCP server and clients that use it. Read the SGNL press release here: With MCP, AI agents now have power. SGNL makes sure they use it responsibly.
