MCP keeps gaining adoption, but security is an exercise left to the implementer. Many teams launch their approach to securing MCP calls with OAuth. This is a fine opening move, but just like moving a pawn as your first move in a chess match, there is a lot more to consider - both the changing structure of the board itself and how opponents choose to move against you.
There are two fundamental design challenges for security architects:
Lack of access control: To sum up my previous post on MCP and identity, if you want access control in your MCP app, you need to add it yourself.
Inversion of control: Beyond this, there is a second security design challenge that MCP presents. Alexis summarized it: “MCP follows a client-server architecture but the reality is the data sources, remote services and behavioral attributes undermine traditional, linear architectures.”
The combination of these two challenges makes for a gnarly, multi-layered design challenge. One of the main layers to solve for is the identity layer.
Most security protocols are predicated on a DMZ-like model: untrusted traffic outside must pass through checkpoints to reach trusted environments. The DMZ (and/or other access control services) forms a structural perimeter.
Conversely, when we combine the different ways that LLMs and AI tools interact over MCP, and where they do it, the security perimeter is no longer a fixed structural point that lives at a network or app address. Instead, the perimeter is behavioral, based on what is happening and where. This has far-ranging implications for the security and identity stack.
In the case of the old identity warhorse, OAuth, security designers are starting with a useful way to package up and move identity attribute claims through a system: an important building block, but far from a comprehensive solution.
With so many moving parts in MCP apps, it can be difficult for security architects to figure out where to start. Chunking the system into smaller zones is a useful way to make progress on these identity design challenges.
Since AI generates new types of structures, and its decisions drive unexpected data handling, a fixed structure like a DMZ is unlikely to address the new challenges. Zones (note: plural) map somewhat better to the security challenges in MCP apps. The second piece is that the zones interact, so security in general, and identity in particular, becomes a From-To problem.
The list below is not complete, but it illustrates the start of a checklist that separates concerns: which things to solve for, and in which zone.
Zone 1 - First Mile Identity
The first mile client is responsible for issues like:
initial identity provisioning, deployment, and setup
strong initial authentication
credential and secrets lifecycle management, including rotation
mapping authentication to app, device/endpoint, and user
client discovery and registration
defining app scope
Zone 2 - MCP Identity with OAuth
The MCP layer is about moving identity over the protocol itself; the IETF published a useful guide here.
Zone 3 - Last Mile Identity
The last mile looks at
enforcing scoped resource requests
route and credential validation
replay and velocity checking
device/app/user/client authentication
session verification
authorization based on attributes, roles, events, actions, or semantics
attack surface reduction - allowlisting ports, protocols, apps
Zone 4 - Proxy Identity
If MCP were just a client/server protocol, those might be the main zones, but in reality the proxy will find and build wholly new structures and behaviors at runtime. This means the way identity is propagated will change as events are proxied. This zone looks at:
limiting asset discovery
setup for additional identity protocols through federation, delegated authentication, SSO, or impersonation (who will the 2nd-N calls run as?)
Zone 5 - Monitoring Inter Zone and All Zones
This zone is about establishing visibility across all zones.
Monitor access by loading identity server logs into SOC/SIEM and writing alerts and monitoring code
Detection of stolen credential use
Behavioral monitoring via identity graph
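As an added example (not code from the original post), here is what the Zone 3 replay and velocity checks and the Zone 5 stolen-credential detection look like as monitoring code run over identity-server logs once they are in the SIEM. The log format and field names (jti, nonce, client_id, src, tool) are assumed for illustration, and the sample records are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample identity-server log, one JSON record per MCP tool call.
# Field names (jti, nonce, client_id, src, tool) are assumed for illustration.
SAMPLE_LOG = """\
{"ts":"2025-01-10T10:00:00Z","jti":"tok-1","nonce":"n1","client_id":"ide-a","src":"10.0.0.5","tool":"read_file"}
{"ts":"2025-01-10T10:00:02Z","jti":"tok-1","nonce":"n1","client_id":"ide-a","src":"10.0.0.5","tool":"read_file"}
{"ts":"2025-01-10T10:00:05Z","jti":"tok-2","nonce":"n2","client_id":"ide-b","src":"10.0.0.6","tool":"list_dir"}
{"ts":"2025-01-10T10:00:06Z","jti":"tok-2","nonce":"n3","client_id":"ide-b","src":"203.0.113.9","tool":"list_dir"}
{"ts":"2025-01-10T10:01:00Z","jti":"tok-3","nonce":"n4","client_id":"ide-c","src":"10.0.0.7","tool":"search"}
{"ts":"2025-01-10T10:01:01Z","jti":"tok-3","nonce":"n5","client_id":"ide-c","src":"10.0.0.7","tool":"search"}
{"ts":"2025-01-10T10:01:02Z","jti":"tok-3","nonce":"n6","client_id":"ide-c","src":"10.0.0.7","tool":"search"}
{"ts":"2025-01-10T10:01:03Z","jti":"tok-3","nonce":"n7","client_id":"ide-c","src":"10.0.0.7","tool":"search"}
"""

def parse(log_text):
    """Parse JSON-lines records and sort by timestamp so time windows work."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            events.append(rec)
    return sorted(events, key=lambda e: e["ts"])

def analyze(log_text, max_calls=3, window_s=60):
    """Return (alert_type, jti) tuples for replay, shared-token and velocity hits."""
    alerts, seen_nonces = [], set()
    token_origin = {}          # jti -> (client_id, src) at first sight
    calls = defaultdict(list)  # jti -> timestamps of calls made with that token
    for e in parse(log_text):
        jti = e["jti"]
        # Replay: a per-request nonce presented a second time.
        if e["nonce"] in seen_nonces:
            alerts.append(("replay", jti))
        seen_nonces.add(e["nonce"])
        # Stolen credential: the same bearer token arriving from a different
        # client/source pair than the one it was first bound to (first-mile binding).
        origin = (e["client_id"], e["src"])
        if token_origin.setdefault(jti, origin) != origin:
            alerts.append(("token_shared", jti))
        # Velocity: more than max_calls with one token inside window_s seconds.
        calls[jti].append(e["ts"])
        recent = [t for t in calls[jti] if (e["ts"] - t).total_seconds() <= window_s]
        if len(recent) == max_calls + 1:  # fire once, when the threshold is crossed
            alerts.append(("velocity", jti))
    return alerts
```

Each alert type maps back to a zone: replay and velocity belong to the last-mile checks, while a token showing up from a second client/source pair is the cross-zone signal that a first-mile credential has leaked.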
Security perimeters are changing like never before; the differences are not just a change of degree, but a change in kind. Previous tech shifts like Cloud and Mobile still relied on old standbys like DMZ and edge patterns. MCP flips the script: the calls are coming from inside the house, and the structures are not what they once were. This list of identity zones is not complete, but it is the start of one way to chop the problem into chunks and make forward progress.