Q&A: Hydrolix CISO Josh Scott: There Is No 'S' in MCP, But There Should Be

Teri Robinson

Dec 29, 2025

The Model Context Protocol (MCP), which connects Large Language Models (LLMs) to external data and tools, brings more context to AI chats and improves the answers those models produce. But, like nearly everything in AI, MCP servers have proliferated faster than security has kept up.

Joshua Scott, CISO and vice president of security at Hydrolix, says the lack of visibility into MCPs is challenging for security teams, who are essentially flying blind as they try to determine just what the MCPs are doing, what data they are querying and whether they are doing anything malicious. As the standard matures, Scott would like to see security and trust prioritized.

Q. Why are MCPs so important in any discussion of AI?
A. Pretty much anybody that's using AI is also leveraging MCPs to access other systems within their ecosystem. So now you're using AI and you want to query your tickets in your ticketing system, you're going to leverage an MCP server to query that. And the more context you bring into your AI chats, the better your answers can be. So that's why there's an explosion of different types of MCPs out there. And the whole idea is: how do we get more context into our discussion with our AI chatbot?

Q. But doesn’t that open up a variety of security issues?
A. That’s exactly why there is no “S” in MCP; there’s no security in MCP.

Q. Is part of the problem that the standard is relatively new?
A. It’s maybe a little bit over a year old, so obviously there's going to be more changes. And it has come up quite a bit that there needs to be something more. But it's also that there are thousands of [MCPs] out there. And when you look at any individual kind of chat session, a user probably has maybe 10 to 20 of them if they're actually a power user, if not more. That can be connections to your databases, connections to your CRM systems, to your email, to your Slack and chat apps, all of which have potentially sensitive information, too.

Q. What are some of the security issues this confluence of factors creates?
A. Since it's a newer standard, there's a lack of understanding or lack of security built into it. One of the bigger issues is that most of the credentials (the access keys, the secrets, the passwords) are stored in just a plain text file that exists on end user workstations. There are some remote MCPs being developed that provide a little bit stronger authentication. But even then, most of it is still stored on each individual workstation in clear text. So, a compromise of a workstation means you get access to those keys. That’s definitely challenging. Then the other aspect of it is: do we really know what [MCPs] are doing? Because nobody understands what AI is truly doing, why it makes certain decisions. When it's calling out to different tools or different MCPs, do you know that it's just going to query that data, or is it querying more than you think? Is it going and obtaining additional data that maybe wasn't in scope of what your request was?

Q. Why are the security problems around MCPs so hard to solve?
A. From a security point of view, we lack the visibility to really see what's happening. So right now, we're kind of flying blind. You don't know what a tool could be doing. It’s like the open source ecosystem. So, if one is compromised, it can have a significant impact on kind of the entire ecosystem.

Q. How did we get here—is it just another problem caused by the quick adoption of AI?
A. I've been in this field for 30 years and, yes, it's exactly that—AI is just moving at such a blistering pace. It outpaces everything that I've seen in 30 years. I've seen entire security or tool markets appear and disappear that are AI-related within a three-to-six-month period. So, it's just crazy how fast it's moving. Security is always a few steps behind the bleeding edge adopters, who adopt new technologies, and then we find out about it after [the fact]. But with AI, we're still just trying to catch up. Whatever we see today could be completely different in six months.

Q. And it doesn’t show any signs of slowing down to let security catch up. How is that hitting with defenders?
A. It's not that we want to slow down. I'm very bullish on AI. I think it's extremely powerful. And I've gotten to the point where I don't think I could live without it now; it's just become part of my normal workflow. But we need to have better visibility. That’s the biggest challenge that we face: we don't really know what's happening underneath the hood. Are we protected? Do we know what data is being leaked? Then what if one of these big models has an issue and our data is leaked—suddenly, we'd be taking data from all these different disparate systems and feeding them into a chat session that could have sensitive information. It could have customer names, all types of data.

Q. So does that create questions about liability, too?
A. It definitely does. That’s one of the reasons we went with Anthropic [at Hydrolix] and made sure we signed an enterprise agreement with some of the legal protections and assurances around not training on our data and some protections, indemnity clauses, in case something does happen. You don't want to be able to see all the sensitive data that could be within a chat, but how do we know what's in there?

Q. How do you sort through all the data, the privacy and liability issues?
A. You find out where the biggest threats may be. This is where MCPs and the security around MCPs are paramount, because there's not an easy way to control them at all. That’s a big kind of gap in the industry. There is some protection within the MCP, within the chat clients, where they'll ask you, ‘Do you want to do this? Do you want to approve this type of call?’ But you get overloaded with all these different prompts and the average user [is going to select] the “allow always” prompt. And they don't realize what that does.

Q. It seems like that’s a good argument for raising awareness.
A. It’s security awareness, it's training, it's making sure that users understand the various types of things. Then there's also how to ensure that we have the right data controls. Do we have the right understanding, the right visibility into what's being used? And that’s something we don't have. Even if you have an enterprise contract with a company like Anthropic, they're starting to provide some type of capability to see some of it, but you still don't have full visibility. There could be a finance person who has an MCP connected to the backend finance system. And if you're a public company, and it's something related to financials, that could be a potential risk. You wouldn't know how that data is being used or where it is going, from a security standpoint. That’s just not something that's in our purview without querying every single individual endpoint workstation in some way to look for that. That's where it becomes challenging.

Q. How do you gain that visibility?
A. The answers are still developing. But the first thing that needs to be figured out, from kind of just an industry standpoint, is to have better visibility into what's being used. What are our organizations leveraging? What MCPs do they have? What are the individual tool calls that exist within each MCP so we have a better understanding of kind of the attack surface? That’s not a trivial item by any means. There are efforts to move to more of a remote model—Slack has a remote MCP. So those will provide a little bit more visibility, because you can see that through different mechanisms, but anything that's local, you don't necessarily see. You’ve got to figure out how to query your entire environment.

Q. Is that possible?
A. If you're a large company with 100,000 endpoints, that's a very challenging task to figure out how to take in all that data. Each system may have one to 100 different types of MCPs, and now you've got to analyze each of them, too. Step two is a better understanding of the MCPs that exist and a way to do validation of the security of that MCP, so you know that you can trust the tool calls that it's making, the access that it has, and that it's not doing anything malicious. Something similar to signing into Microsoft whenever there's a new installation—it’s generally signed by Microsoft or signed by a trusted publisher. We need something like that for MCPs. So at least there's a level of assurance that the one you install is legit, it's not something malicious.
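The endpoint check Scott describes in the two answers above (finding the plaintext credential files on workstations, and inventorying which MCP servers are configured) can be scripted. The following Python is an added example, not code from the interview or from Hydrolix: it parses a client config file, lists each configured server with its transport and launch target, and flags credential-looking environment variables or command-line arguments whose value is a literal rather than a reference to a secret store. The `{"mcpServers": {...}}` JSON layout is the shape several desktop MCP clients use but is an assumption here; config file locations differ per client and are supplied by the caller, and the config content below is constructed sample data.

```python
"""Inventory MCP servers from a client config file and flag plaintext credentials.

Added example (not from the interview or from Hydrolix).  The {"mcpServers": {...}}
layout is assumed; file locations differ per client and are passed to scan_files().
"""
import json
import re
from pathlib import Path

# Constructed sample standing in for a config file found on a workstation.
SAMPLE_CONFIG = r'''
{
  "mcpServers": {
    "tickets": {
      "command": "npx",
      "args": ["-y", "example-tickets-mcp"],
      "env": {"TICKETS_API_TOKEN": "tkt_live_0123456789abcdef"}
    },
    "crm": {
      "command": "python",
      "args": ["-m", "crm_mcp", "--password=hunter2"],
      "env": {"CRM_USER": "svc-crm"}
    },
    "slack-remote": {
      "url": "https://mcp.example.invalid/slack"
    },
    "vault-backed": {
      "command": "vault-mcp",
      "env": {"VAULT_TOKEN": "${VAULT_TOKEN}"}
    }
  }
}
'''

# Heuristics (assumptions, tune for your environment): names that usually carry a
# credential, and values that merely reference an env var or secret store instead
# of containing the secret itself.
SECRET_NAME_RE = re.compile(r"api[_-]?key|secret|token|passw(?:or)?d|pwd|credential", re.I)
ARG_SECRET_RE = re.compile(
    r"^--?(?P<flag>[\w-]*(?:key|secret|token|passw(?:or)?d|pwd)[\w-]*)=(?P<value>.+)$", re.I)
INDIRECT_VALUE_RE = re.compile(
    r"^(?:\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|<[^>]+>|op://.+|keychain:.+)$")


def mask(value):
    """Keep a short prefix so a finding can be correlated without re-exposing the secret."""
    return value[:4] + "****"


def inventory(config_text):
    """One record per configured server: name, transport, and what it launches or calls."""
    servers = json.loads(config_text).get("mcpServers", {})
    records = []
    for name, spec in servers.items():
        if "url" in spec:
            records.append({"name": name, "transport": "remote", "target": spec["url"]})
        else:
            parts = [spec.get("command", "")] + list(spec.get("args") or [])
            records.append({"name": name, "transport": "local-stdio",
                            "target": " ".join(parts).strip()})
    return records


def find_plaintext_secrets(config_text):
    """Credential-looking env vars or command-line args whose value is a literal."""
    servers = json.loads(config_text).get("mcpServers", {})
    findings = []
    for name, spec in servers.items():
        for key, value in (spec.get("env") or {}).items():
            if (SECRET_NAME_RE.search(key) and isinstance(value, str) and value
                    and not INDIRECT_VALUE_RE.match(value)):
                findings.append({"server": name, "where": f"env:{key}", "value": mask(value)})
        # Secrets passed as arguments are additionally visible in the process list.
        for arg in spec.get("args") or []:
            m = ARG_SECRET_RE.match(str(arg))
            if m and not INDIRECT_VALUE_RE.match(m.group("value")):
                flag = str(arg).split("=", 1)[0]
                findings.append({"server": name, "where": f"arg:{flag}",
                                 "value": mask(m.group("value"))})
    return findings


def scan_files(paths):
    """Run both checks over real config files; unreadable or non-JSON files are skipped."""
    results = {}
    for p in map(Path, paths):
        try:
            text = p.read_text(encoding="utf-8")
        except OSError:
            continue
        try:
            results[str(p)] = {"servers": inventory(text),
                               "plaintext_secrets": find_plaintext_secrets(text)}
        except ValueError:  # json.JSONDecodeError is a ValueError
            continue
    return results


if __name__ == "__main__":
    for rec in inventory(SAMPLE_CONFIG):
        print(f"{rec['name']:<14} {rec['transport']:<12} {rec['target']}")
    for f in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"PLAINTEXT SECRET  server={f['server']} {f['where']} value={f['value']}")
```

Run against the sample, the inventory lists three local stdio servers and one remote one, and two findings come back: the ticketing server's API token in `env` and the CRM password passed as a command-line argument; the Vault-backed entry is skipped because its value only references an environment variable. Collected centrally from each endpoint (the config paths depend on which MCP clients are deployed), this gives the first piece of the visibility Scott asks for: which servers exist and where literal credentials would be exposed by a workstation compromise. It does not show what tool calls a server exposes or makes at runtime; that still requires observing the client or the server itself.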

Q. Is the fluidity with which we work between home and travel and the office complicating MCP security?
A. Yeah, if you're a traditional company where everybody has returned to the office, it's a little bit easier. We know everything's going through some kind of edge. What's a firewall? It's a router. We have some visibility there. But in a hybrid environment, or a full remote company, we don't really have visibility into every user's home, and that's kind of unrealistic, unless you're dropping in specialized hardware. And the cost of that would defeat the purpose of working from home if you're building out each home like your office. We don't have the visibility or that choke point to be able to say, “Let's inspect here.” Basically, the perimeter moves to the individual end user’s workstation, and even further down, potentially. The perimeter isn’t gone—it's just very different and redefines where the threats may be.

Q. What kind of skills are needed for the workforce to address these challenges?
A. We need just more general AI-type skills, not necessarily MCP-specific. Somebody's still going to create these workflows, these agents, and then they must be maintained because everything breaks and everything has issues. Then there are ways to optimize it—so that's a whole new set of tasks. We always have to manage risk, and a perfectly secure company [which doesn’t exist] basically would never be able to do anything, because there'd be so much bureaucracy. But if [security teams] can effectively reduce 100 things we have to do down to 75 because we used AI to eliminate entire classes of work, then that's great. That simplifies things quite a bit for us. That still means we have our core things to do, though. AI is an accelerator. In the hands of people that are knowledgeable about their area, AI is a force multiplier. That's the advice I give to anybody: find ways to use AI, especially within security, because it can be a game changer.

While MCP is nascent, defenders don't have to wait for it to mature to apply security best practices. They should start by understanding how MCPs are being used, and by whom, in their organizations; identify the greatest risks; and ramp up awareness training so users understand what kind of data is potentially being shared as they engage in chats and other communications. There may not be an "S" in MCP, but security still must be a priority and not an afterthought.
