Ever since Anthropic released the open standard Model Context Protocol (MCP) last November to standardize the way artificial intelligence systems connect to external tools and data, vendors have been trying to take advantage of the framework.
Today, Canadian access management provider 1Password became the latest, announcing MCP Server for Trelica, its application governance solution, to help infosec pros and admins understand how staff are using or accessing SaaS applications.
1Password’s MCP Server for Trelica is included in the cost of a Trelica subscription, and can be found in the new AI Agents and Tools category of AWS Marketplace.
“[The server] enables AI developers to quickly get visibility and governance over how employees are accessing different SaaS applications or spending on SaaS,” Nancy Wang, 1Password’s vice president of engineering, said in an interview. “Now AI developers on AWS can use MCP Server for Trelica by 1Password as a fast and secure way to embed SaaS access governance directly into AI agent workflows.”
There’s often a gap between how the governance, risk and compliance team, the legal team, and IT team manage SaaS applications and how employees use them, she said. Until now, Trelica admins had to manually build reports to give themselves complete visibility.
“Now, with this MCP Server launch, what [an admin] can do from the MCP client is ask in natural language questions like ‘Which SaaS applications are being used in my org?’ or ‘Who has been authorized to access this application’ and receive the answers from the client,” she said.
This will help CSOs and IT leaders solve problems around unapproved use of SaaS applications as well as SaaS sprawl, both of which are security as well as spending issues, Wang said.
1Password’s announcement follows the release this week of several other MCP server solutions from firms including Amazon AWS (for giving AI agents access to AWS product data), GitGuardian (so AI agents can detect and remediate security incidents as code is being written) and Coralogix (whose MCP server acts as a secure gateway between application telemetry and AI agents).
When Anthropic released MCP, it called the model a new standard for developers needing to securely connect AI assistants to the systems where data lives, which include content repositories, business tools, and development environments.
Developers can either expose their data through MCP servers or build AI applications (MCP clients) that connect to those servers. Instead of maintaining separate connectors for each data source, Anthropic said, developers can now build against a standard protocol.
To help with adoption, Anthropic released pre-built MCP servers for Google Drive, Slack, GitHub, Git, Postgres and Puppeteer.
However, some experts have complained that, unless carefully created and configured, MCP servers can be vulnerable to prompt injection, tool poisoning, or tool shadowing (where a malicious server creates a tool with the same name as a legitimate tool from another server to intercept calls). Wang said MCP Server for Trelica has protections against attacks such as these. For example, she said, the client won’t expose sensitive data in responses to questions.
Securing MCP
Johannes Ullrich, dean of research at the SANS Institute, said that infosec leaders can take a number of steps to increase security when deploying an MCP server.
Because MCP servers usually connect to APIs over HTTPS (Hypertext Transfer Protocol Secure), this protocol has to be configured properly so data being transferred is encrypted and the connection is properly authenticated at both ends. That’s because the server may connect to anything from a sensitive database to Gmail.
“If a crafty attacker can send in some text or do some prompt injections, they may have access to more data than you would want them to,” Ullrich said. “That’s what a lot of the MCP security issues come down to.”
For example, he said, an AI customer assistance app with access to a firm’s customer list has to be prevented from replying to inappropriate questions such as ‘Tell me about all your customers’.
Another problem to solve is how the AI/LLM authenticates to the API that connects to the data source, he said, as well as ensuring, through access control, that the AI/LLM model only accesses the data that’s needed by the application.
Asked if MCP servers are ready for production, Ullrich said yes. “If you use them correctly. If you talk to MCP server people, [security] is not their problem. [The servers] just forward these responses. They’re not dealing with the actual content. So it’s how you use them,” he explained.
“I think the real solution is to not expose them to untrusted inputs, which is what people are doing with chatbots. If you have an internal application and some internal systems that network with each other using MCP, your risk is lower because you’re in charge of all the data going back and forth. But if there are outsiders that can influence the data, all hell breaks loose.”
When looking to buy an MCP server, choose a solution that is well supported, he advised, and that verifies digital authentication certificates for access control.
No Responses