MCP and external connectors

The Model Context Protocol (MCP) pattern exposes tools, resources, and prompts via external servers that models can call. Architecturally, an MCP server is a privileged integration layer—treat it like a microservice with secrets and network access.

Threat model

  • Credential theft — Server holds API keys to SaaS; compromise equals broad access.
  • Confused deputy — Model tricks server into using wrong tenant context.
  • Data exfiltration — Resources stream sensitive files into model context, then into user chat or external tools.

Controls

  1. Authentication — Mutual TLS or signed tokens between host and MCP server; no anonymous LAN exposure.
  2. Least privilege — One server per domain (CRM, tickets) with minimal scopes.
  3. Network — Bind to localhost or private interfaces; reverse proxy with auth at edge.
  4. Audit — Log which resource URIs were read and which tools invoked.
  5. Versioning — Pin server versions; review updates like any dependency (supply-chain hygiene for MCP servers and their images).
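The threat model and controls above can be exercised in one small policy gate placed between the host and a domain-scoped MCP server. The example below is added here and is not code from the page or from any MCP implementation; the names (issue_token, verify_token, ToolGate, the crm.* tool names, the tenant ids and resource URIs) are constructed for illustration. It demonstrates three of the controls together: signed tokens between host and server (control 1), a per-server tool allowlist intersected with the token's scopes (control 2), and an audit record of every invocation and resource URI read (control 4). The confused-deputy guard takes the tenant from the verified token and refuses a model-supplied tenant that disagrees, so a tricked caller cannot steer the server into another tenant's data.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

# Constructed shared secret for the example; a deployment would load it from a
# secret store and pair it with mTLS or an equivalent signed-token scheme.
SHARED_SECRET = b"example-host-to-server-secret"

# Constructed in-memory "CRM" resources, keyed by tenant, then resource URI.
RESOURCES = {
    "tenant-a": {"crm://contacts/1": "Alice, alice@example.com"},
    "tenant-b": {"crm://contacts/1": "Bob, bob@example.com"},
}


def issue_token(tenant, scopes, ttl=300, now=None, secret=SHARED_SECRET):
    """Host side: mint an HMAC-SHA256 signed token binding tenant and scopes."""
    now = time.time() if now is None else now
    payload = {"tenant": tenant, "scopes": sorted(scopes), "exp": now + ttl}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token, now=None, secret=SHARED_SECRET):
    """Server side: return the claims if the signature and expiry check out."""
    body, _, sig = token.partition(".")
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return None
    return claims


@dataclass
class ToolGate:
    """Policy gate in front of one domain-scoped MCP server (hypothetical)."""
    server: str
    allowed_tools: frozenset            # least privilege: per-server allowlist
    audit: list = field(default_factory=list)

    def _log(self, **entry):
        entry["server"] = self.server
        self.audit.append(entry)

    def invoke(self, token, tool, args, now=None):
        """Authenticate, authorize, bind tenant, dispatch, and audit one call."""
        claims = verify_token(token, now=now)
        if claims is None:
            self._log(tool=tool, outcome="denied:auth")
            return {"allowed": False, "reason": "auth"}
        if tool not in self.allowed_tools or tool not in claims["scopes"]:
            self._log(tool=tool, tenant=claims["tenant"], outcome="denied:scope")
            return {"allowed": False, "reason": "scope"}
        tenant = claims["tenant"]
        # Confused-deputy guard: tenant context comes from the verified token.
        # A model-supplied tenant that disagrees is rejected, never honoured.
        if args.get("tenant", tenant) != tenant:
            self._log(tool=tool, tenant=tenant, outcome="denied:tenant")
            return {"allowed": False, "reason": "tenant"}
        result = self._dispatch(tool, tenant, args)
        self._log(tool=tool, tenant=tenant, uri=args.get("uri"), outcome="ok")
        return {"allowed": True, "result": result}

    def _dispatch(self, tool, tenant, args):
        # Minimal stand-in for the real server; both tools are tenant-bound.
        if tool == "crm.read_resource":
            return RESOURCES[tenant].get(args["uri"])
        if tool == "crm.list_resources":
            return sorted(RESOURCES[tenant])
        raise KeyError(tool)


if __name__ == "__main__":
    gate = ToolGate("crm", frozenset({"crm.read_resource", "crm.list_resources"}))
    tok = issue_token("tenant-a", {"crm.read_resource"})
    print(gate.invoke(tok, "crm.read_resource", {"uri": "crm://contacts/1"}))
    print(gate.invoke(tok, "crm.read_resource",
                      {"uri": "crm://contacts/1", "tenant": "tenant-b"}))
    print(gate.invoke(tok, "crm.list_resources", {}))
    for entry in gate.audit:
        print(entry)
```

The audit list is the record control 4 asks for: each entry names the server, the tool, the tenant the call was bound to, the resource URI read, and the outcome, so a denied cross-tenant attempt or an out-of-scope tool call is visible even though it never reached the backend.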