In the age of AI agents, security isn’t optional. It’s architectural, meaning that it has to be built in. This is especially true as AI agents become integral to daily workflows. These intelligent agents promise leaps in enterprise efficiency and innovation, but their integration also introduces complex security challenges.
At the heart of this discussion: Model Context Protocol (MCP) servers, a standardized way for AI agents to communicate and interact with various systems. MCP servers are the connective tissue powering modern AI agents, but they can also be the biggest security blind spot in your stack.
Within that context, Meena Ganesh, Senior Product Marketing Manager for AI at Box, and Ben Kus, CTO of Box, delved into the intricacies of MCP servers and their associated security risks on an episode of AI Explainer. Their insights shed light on why, despite their utility, these servers are not always as secure as they need to be, especially in an enterprise context.
Key takeaways:
- MCP servers standardize AI communication but create security risks when developed without enterprise-grade practices
- Major vulnerabilities include poor authentication, excessive permissions, and AI-specific attacks like prompt injection
- Robust security is essential as MCP servers often access an organization’s most valuable data
What exactly is an MCP Server?
To understand the risks, it's crucial to first grasp what an MCP server is. As Kus explains, "MCP was a standard put forth by Anthropic, one of the major model vendors. It’s meant as a way to standardize the approach by which agents or AI models can access APIs."
MCP servers are meant as a way to standardize the approach by which agents or AI models can access APIs.
Essentially, APIs (application programming interfaces) are sets of rules that allow different software applications to communicate with each other. Traditionally, programmers would write code to interact with these APIs, understanding their descriptions and arguments. However, with the advent of AI agents, the need for a more automated and standardized approach became apparent.
MCP servers act as a universal translator, allowing AI agents to seamlessly integrate and perform tasks across diverse platforms.
"What MCP does," Kus continues, "is puts it in a format so that AI agents, which naturally know how to program, are able to more easily and efficiently call upon a different system."
In essence, MCP servers act as a universal translator, allowing AI agents to seamlessly integrate and perform tasks across diverse platforms. This standardization is a powerful enabler for complex AI-driven workflows, facilitating communication between various agents and systems.
The security question
Given the clear benefits of standardized communication, Ganesh poses a critical question: "If MCP servers are such a great standardized manner for agents to talk to each other, how come we keep hearing that there are security risks involved with MCP — and they're not generally safe to use?"
Kus broke it down: "I think there are some very real concerns with MCP, especially if you don't use them appropriately — or if the people who build the MCP servers are not building them effectively."
He outlined three major categories of risks that can compromise the security of MCP servers.
1. Lack of enterprise-grade development and deployment
The first significant risk stems from the rapid and widespread use of MCP servers. Kus notes, "One of the things that's really awesome about MCP has been how quickly it's been adopted by basically the whole world."
This rapid proliferation means that many different kinds of organizations are building and deploying MCP servers. But this speed often comes at the cost of robust security practices. "Sometimes, when they are created quickly, they come with some sort of flaws," Kus explained.
These flaws often manifest in critical areas like authentication. Many early or non-enterprise-grade MCP servers either lack proper authentication mechanisms entirely or implement them poorly, making them highly vulnerable to unauthorized access.
The way these servers are built and hosted can also be a source of weakness. If they’re not secured according to the rigorous standards expected of any enterprise-class software, they can introduce vulnerabilities that attackers can exploit. This includes ensuring that the underlying systems and dependencies are also secure.
2. Overly broad permissions
The second major risk identified by Kus is the issue of overly broad permissions. In the pursuit of functionality and ease of integration, some MCP servers are designed with excessive access rights. "Some of them are given too many permissions," he explains. "They’re overly broad in terms of either access to data or access to tools."
Granting an AI agent or an MCP server more permissions than it strictly needs to perform its function creates a significant attack surface. If an attacker gains control of such a server, they can leverage these broad permissions to access, modify, or exfiltrate sensitive data far beyond what would be possible with a more granular, least-privilege approach. This principle of "least privilege" is a cornerstone of cybersecurity, dictating that any entity (user, program, or process) should have only the minimum necessary permissions to perform its legitimate activities.
Granting an AI agent or an MCP server more permissions than it strictly needs to perform its function creates a significant attack surface
3. Exposure to new attack surfaces
Finally, MCP servers can expose organizations to entirely new types of attacks. Kus highlighted, "They expose new attack surfaces, things like prompt injection and data poisoning."
Prompt injection is a novel type of attack vector specific to large language models (LLMs) and AI agents. An attacker can craft malicious input (a "prompt") that manipulates the AI agent into performing unintended actions, overriding its original instructions or security safeguards. For an MCP server, this could mean tricking an agent into revealing sensitive information or executing unauthorized commands through the tools it has access to.
Data poisoning involves corrupting the data that an AI model is trained on or relies upon. If an MCP server is interacting with a system that has been subjected to data poisoning, the agent might make incorrect decisions or provide biased outputs, potentially leading to operational disruptions or compromised data integrity.
These types of attacks are particularly insidious because they exploit the very nature of how AI agents learn and operate, making traditional security measures less effective.
The criticality of data access
If MCP servers are a "toolbox," the gravity of this toolbox in an enterprise setting is key. As Kus says, "These tools inherently access some critical things. Either they're able to change things that you would often consider critical in terms of the state of the world, or they're accessing data in different ways."
He emphasizes the immense value of the data involved, particularly for businesses: "At Box, we have an MCP server that accesses unstructured data. Some of this is the most valuable data that people have."
Compromised MCP servers could lead to data breaches, intellectual property theft, operational sabotage, and severe reputational damage.
"We need to make sure that when we're putting out and maintaining these MCP servers, that they're incredibly trusted," Kus concludes. The level of trust required is directly proportional to the criticality of the data and systems they interact with. Therefore, any MCP server, especially those handling sensitive enterprise data, must adhere to the highest standards of enterprise-grade security.
A leap forward, with a caveat
MCP servers represent a significant leap forward in AI integration, offering a standardized and efficient way for AI agents to interact with the digital world. However, their widespread adoption and the inherent power they wield over critical data and systems necessitate an unwavering focus on security.
Organizations must prioritize building and deploying MCP servers with robust authentication, adhering to the principle of least privilege, and actively defending against emerging AI-specific attack vectors like prompt injection and data poisoning. Only through such diligent efforts can the full potential of AI agents be realized without compromising the integrity and security of valuable enterprise assets.
Read about the Box MCP server, which provides AI tools with secure access to content, connecting third party agents to your enterprise knowledge in Box. Or watch the full AI Explainer episode Securing the MCP Server: What You Need to Know to discover how multimodal AI is transforming the enterprise.
