How to implement secure MCP patterns: Identity, authorization, and runtime protection
By Google Cloud Tech
Key Concepts
- MCP (Managed Cloud Proxy): A system for managing access to cloud resources for agents.
- Least Privilege: Granting only the minimum necessary permissions for a specific task and duration.
- IAM (Identity and Access Management): Google Cloud’s service for controlling access to cloud resources.
- PAB (Principal Access Boundary): A mechanism to limit the maximum resources an agent can access.
- VPCSC (VPC Service Controls): A security perimeter around Google Cloud resources.
- CMEK (Customer Managed Encryption Keys): Encryption keys managed by the customer for data at rest.
- Model Armor: A Vertex AI integration providing AI guardrails for content inspection and security policies.
- Tool Call Request/Response: The communication between an LLM and external tools used by an agent.
Implementing Secure Agent Workloads with MCP
This video details a multi-layered approach to securing agent workloads utilizing Managed Cloud Proxy (MCP), focusing on mitigating risks like token theft and data exfiltration while adhering to the principle of least privilege. The strategy centers around identity, securing credentials, enforcing least privilege, and centralized authentication, complemented by robust deployment environment hardening and content inspection.
Identity and Least Privilege Foundation
The foundation of secure MCP implementation begins with establishing a unique, cryptographically attested identity for each agent, recognized by Google Cloud Identity and Access Management (IAM). Using an agent identity rather than a service account provides stronger security: the agent principal is auto-provisioned with its runtime, which prevents impersonation. Crucially, securing the credentials used to access MCP tools is paramount. MCP servers often aggregate high-value authentication tokens; therefore, API keys and other tool credentials should be stored securely in Secret Manager. A related video demonstrating how to secure ADK agents with Secret Manager is referenced (link in description).
Least privilege is implemented through IAM conditions. Access to Secret Manager is granted to a dedicated service account but strictly limited to the specific secret version required for the agent’s current task. Further containment is provided by Principal Access Boundary (PAB), which lets administrators define an absolute ceiling on the resources an agent can access, preventing over-privileged access.
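The two containment layers above compose as "binding AND condition AND boundary". The following is an added example, not code from the video or from Google Cloud: it builds a Secret Manager binding in the shape `getIamPolicy` returns, with a condition pinned to one secret version, and models a Principal Access Boundary as a resource ceiling. The project, secret and service account names are constructed placeholders, and only the `resource.name == "<literal>"` condition form is evaluated.

```python
PROJECT = "projects/example-project"                       # constructed placeholder
AGENT_SA = "serviceAccount:mcp-agent@example-project.iam.gserviceaccount.com"
TASK_SECRET_VERSION = f"{PROJECT}/secrets/tool-api-key/versions/3"

# Binding in the shape returned by getIamPolicy: the role applies only when the
# request's resource.name is exactly the one secret version this task needs.
SECRET_ACCESSOR_BINDING = {
    "role": "roles/secretmanager.secretAccessor",
    "members": [AGENT_SA],
    "condition": {
        "title": "current-task-secret-version",
        "expression": f'resource.name == "{TASK_SECRET_VERSION}"',
    },
}

# Principal Access Boundary: the ceiling of resources the agent may ever reach,
# whatever role bindings say (here: only its own project). Real PAB enforcement
# applies only to services that honour boundaries; this model assumes one that does.
AGENT_PAB_RESOURCES = [PROJECT]


def condition_allows(binding, resource_name):
    """Evaluate the single CEL form modelled here: resource.name == "<literal>"."""
    expr = binding.get("condition", {}).get("expression")
    if expr is None:
        return True                       # unconditional binding
    lhs, _, rhs = expr.partition("==")
    if lhs.strip() != "resource.name":
        raise ValueError("only resource.name equality is modelled in this example")
    return resource_name == rhs.strip().strip('"')


def pab_allows(boundary_resources, resource_name):
    """PAB check: the resource must sit inside a container listed on the boundary."""
    return any(resource_name == b or resource_name.startswith(b + "/")
               for b in boundary_resources)


def effective_access(member, resource_name, binding=SECRET_ACCESSOR_BINDING,
                     boundary_resources=AGENT_PAB_RESOURCES):
    """Access needs all three: membership, a satisfied condition, and a PAB that admits it."""
    return (member in binding["members"]
            and condition_allows(binding, resource_name)
            and pab_allows(boundary_resources, resource_name))
```

A newer secret version, a different secret, or a boundary that does not include the project all deny access even though the role itself is granted.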
Centralized Authentication and Layered Security Controls
The MCP proxy functions as the central authentication point for MCP servers. It consistently validates agent identity using the Google Identity platform and passes the previously secured credentials. This centralized approach streamlines authentication and enhances security oversight.
Hardening the deployment environment involves deploying MCP servers on managed container platforms such as Cloud Run or Google Kubernetes Engine (GKE). This container-based approach minimizes the need for OS-level security management, reducing the risk of data exfiltration. VPC Service Controls (VPCSC) are then enforced, establishing a security perimeter around the sensitive Google Cloud resources accessed by the MCP tools. Global load balancing, coupled with Cloud Armor, provides Distributed Denial of Service (DDoS) and Web Application Firewall (WAF) protection against common OWASP web threats at the proxy’s ingress point.
For data at rest, Customer Managed Encryption Keys (CMEK) should be enforced for all sensitive Vertex AI assets, including models, datasets, and endpoints. This ensures the customer retains control over the encryption process.
Content Inspection with Model Armor
The final layer of defense involves inspecting all content flow at the platform level. The video highlights the integration of Model Armor with Vertex AI, providing AI guardrails without requiring code changes. Model Armor inspects content at three critical points: the user prompt, the tool call request, and the tool call response.
Specifically, Model Armor strictly filters tool call requests to prevent command injection or remote code execution, blocking malicious inputs before they reach downstream tools. It also utilizes a sensitive data protection filter on the tool call response, redacting unintentional leakage of Personally Identifiable Information (PII) or other sensitive data from tool results before they are returned to the Large Language Model (LLM). The video references other videos detailing how Security Tokenization Platform (STP) can be used with agents and AI workloads.
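To make the two tool-side inspection points concrete, here is an added example that is not code from the video or from Model Armor: a wrapper that checks a tool call request for injection metacharacters before the tool runs and redacts PII from the tool call response before anything returns to the LLM. The regex filters, the `lookup_customer` tool and its record are constructed stand-ins that show where the checks sit, not Model Armor's actual rules; the prompt-level inspection point is not modelled.

```python
import re

# Constructed stand-in patterns for the two filters the section describes.
INJECTION_PATTERNS = [re.compile(p) for p in (r"[;&|`]", r"\$\(", r"\.\./")]
PII_PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[A-Za-z]{2,}"),
    "US_SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def inspect_tool_request(request):
    """Inspection point: refuse tool call requests whose string arguments carry
    shell or path-traversal metacharacters before any downstream tool sees them."""
    for name, value in request.get("arguments", {}).items():
        if isinstance(value, str) and any(p.search(value) for p in INJECTION_PATTERNS):
            return {"allowed": False, "reason": f"argument {name!r} matched an injection pattern"}
    return {"allowed": True}


def redact_tool_response(text):
    """Inspection point: replace PII in tool output with labels and count what was removed."""
    findings = {}
    for label, pattern in PII_PATTERNS.items():
        text, count = pattern.subn(f"[{label}]", text)
        if count:
            findings[label] = count
    return text, findings


def guarded_tool_call(request, tool):
    """Run a tool only through both inspection points; the LLM never sees raw output."""
    verdict = inspect_tool_request(request)
    if not verdict["allowed"]:
        return {"error": verdict["reason"]}
    redacted, findings = redact_tool_response(tool(**request["arguments"]))
    return {"result": redacted, "redactions": findings}


# Constructed tool: a customer lookup whose raw record contains PII.
CUSTOMER_RECORDS = {"c-1001": "Customer alice@example.com, SSN 123-45-6789, balance 42"}


def lookup_customer(customer_id):
    return CUSTOMER_RECORDS.get(customer_id, "no such customer")
```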
Logical Connections and Synthesis
The video presents a cohesive, layered security strategy. It begins with establishing a strong identity foundation and least privilege access, then moves to securing the deployment environment and finally implements content inspection. Each layer builds upon the previous one, creating a robust defense-in-depth approach. The logical flow emphasizes proactive prevention of threats rather than reactive mitigation.
As stated in the video, “By implementing this comprehensive defense strategy, your agent ecosystem is secured against core threats.” The key takeaway is that securing agent workloads requires a holistic approach encompassing identity management, credential security, access control, deployment hardening, and content inspection. The video encourages viewers to explore linked resources for further details on architecture, examples, and documentation, and previews a future video focusing on monitoring and automated detection for MCP-based workloads.