Data Security & Data Protection for MCP Explained
Model Context Protocol (MCP) servers connect LLMs and AI agents to applications, databases, internal systems, and other resources, enabling them to do genuinely valuable work for people and organizations.
However, using MCP servers introduces significant risks because the resources they provide access to typically contain sensitive information, including personally identifiable information (PII), financial data that could facilitate fraud, and even proprietary or competitively valuable information.
In their default state, MCP servers and MCP traffic are vulnerable to data loss, data exfiltration, the introduction of inaccuracies, and unauthorized access to sensitive data.
In this article, I’ll explain why using MCP servers poses risks to data security and protection, and then explain how organizations like yours can use MCP servers while preserving data security and protection.
What are Data Protection, Security, and Privacy?
Data protection, data security, and data privacy are different, but closely related concepts.
Data protection is all about ensuring that data is:
- Accurate and up-to-date
- Available to legitimate and authorized users
- Protected from unauthorized access and use
- Protected against damage or misuse
- Protected against loss and leakage
Data security is a subset of data protection. It specifically focuses on measures taken to control how data is accessed, used, and stored to protect it, maintain its integrity, and ensure compliance with relevant regulations.
Data privacy is a slightly different, but related area. Data privacy concerns how personal and sensitive data is collected, used, stored, and accessed, in accordance with regulations such as GDPR, HIPAA, and CPRA.
Why MCP Servers Create Data Protection and Security Challenges
Using MCP servers without adequate security measures can lead to:
- Data leaks
- Unauthorized access to data
- Data corruption/damage
- Data exfiltration
- No oversight or visibility over data access and use
The sections below explain specifically how the very nature of MCP communications and MCP servers creates these risks.
Data Exfiltration
MCP servers introduce a range of attack vectors that malicious actors can use to manipulate AI agents into accessing and exfiltrating sensitive data.
For example, in a prompt injection attack, your AI consumes a document, webpage, support ticket, or even MCP metadata, which contains hidden prompts to send a specific set of sensitive data (such as financial information or PII) to the attacker’s email or endpoint.
Once the agent is compromised or manipulated – which, as multiple attacks and proof-of-concept research have demonstrated, is surprisingly easy to do – it can access sensitive information via connected MCP servers and send this data to the attacker.
Often, the agent will helpfully package the data into a CSV file for the attacker, all without users or IT teams having any indication that a successful attack has ever occurred.
Attackers can also exfiltrate environment variables, access tokens, and credentials to remotely compromise systems and data, creating a more significant compromise of data protection and security.
No Visibility or Logging
Without an intermediary layer such as an MCP proxy or gateway, communication between MCP clients and MCP servers is generally invisible to users. There is no built-in mechanism that requires the client, LLM, or agent to notify, alert, or request approval from users when it accesses sensitive data.
By default, MCP servers do not provide logs of activity, including events such as data updates or attempts to access data, with contextual metadata such as unique user identifiers and cross-server session IDs.
This lack of observability for MCP traffic means that AI agents connected to MCP servers can access, use, and share sensitive data without you or your team ever knowing. Without logs, it is also extremely challenging to discover, diagnose, and remediate data security breaches or risks.
Overprivileged Access
MCP servers typically provide far more access than users or agents need, or should have. Not all MCP servers come with a built-in capability and permission management system. By default, agents will typically have access to all capabilities (provided as “tools”) offered by the MCP server.
Without an MCP management platform, there is no structure for turning these capabilities on or off per user, either, so you are reliant on individual users to switch off permissions and access in line with their access levels, which is far from best practice for data protection.
Poor Identity Management
MCP servers are increasingly using OAuth 2.1 to allow users to grant access to resources via MCP. However, this raises an additional concern about the storage and security of OAuth’s access tokens.
Typically, OAuth with MCP uses long-lived tokens stored on a user’s machine. If attackers can access local files where these tokens are stored, they can access secure data. Token rotation is not built in either, so attackers can use a stolen token to access sensitive data indefinitely.
Does using MCP Servers create additional data privacy risks?
Yes, in addition to data privacy compromises through security breaches, there are specific concerns around whether and how AI can use people’s personal data, and what level of consent is required to do so.
Several regional authorities and regulatory bodies are drafting legislation and regulations that specifically govern individuals’ rights to control how AI uses their personal information.
At MCP Manager, we were leaders in recognizing the problems around regulatory compliance and AI/MCP use. I’ll be writing an article explaining these issues in more depth soon, along with what organizations can do to stay on the right side of regulations when using AI and MCP servers.
How does MCP handle data privacy and security?
In short, MCP does not handle data privacy and security. It is up to individuals and organizations that use MCP servers to add necessary guardrails and measures to ensure that whenever they or their teams use MCP servers, all sensitive data is protected, secured, and privacy policies are followed.
Read the sections below, and watch the accompanying videos, to understand how you can use MCP while maintaining data protection, security, and privacy.
How to Secure Data When Using MCP Servers
To protect your data when using MCP servers, you need to use an MCP gateway, such as MCP Manager. An MCP gateway sits between your MCP clients and MCP servers and intercepts and mediates the data flows between your MCP clients and MCP servers.
The gateway protects your system against MCP-based attacks, but it should also provide overarching monitoring of sensitive data access and exfiltration by identifying any sensitive data passing from your MCP servers to clients, and applying specific measures to specific data types, including:
- Block the entire message containing sensitive data
- Redact the sensitive information
- Replace the sensitive information with an appropriate number of asterisks
- “Hash” the sensitive information
MCP Manager allows you to create your own rules to determine which sensitive data you want to detect, how to handle each type of information, and, if desired, to fire alerts to admin teams when it discovers sensitive data in MCP messages. Watch the video below to see this in action.
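The following is an added illustration of the rule-based detection and the four handling actions described above (block, redact, mask with asterisks, hash), written for this article; it is not MCP Manager's code and does not show how MCP Manager implements its rules. It assumes the gateway sees tool results as JSON-RPC messages whose `result.content` holds items of type `text`, which is the MCP tool result shape; the regex patterns, the `POLICY` mapping, the sample CRM result and the `-32000` error code are all constructed for the example. The card rule adds a Luhn check so that arbitrary digit runs are not mistaken for card numbers, which is the kind of false-positive control a practitioner would add.

```python
import hashlib
import re

# Detection rules. These regexes are constructed for this example; a real
# deployment tunes them to its own data and adds a classifier (e.g. Presidio)
# for types such as postal addresses that regex matches poorly.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "api_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
}

# Hypothetical policy: one of the four actions from the article per data type.
POLICY = {"email": "mask", "ssn": "redact", "card": "block", "api_key": "hash"}


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum, so that arbitrary digit runs are not treated as card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def transform(kind: str, value: str, action: str) -> str:
    """Rewrite one matched value according to its action."""
    if action == "mask":        # same length, all asterisks
        return "*" * len(value)
    if action == "redact":      # drop the value, keep a marker of what was there
        return f"[REDACTED:{kind}]"
    if action == "hash":        # truncated SHA-256: correlatable across logs, not reversible
        digest = hashlib.sha256(value.encode()).hexdigest()[:12]
        return f"<{kind}:sha256:{digest}>"
    raise ValueError(f"unknown action {action!r}")


def scan_text(text: str, policy: dict = POLICY):
    """Apply the policy to a text fragment.

    Returns (rewritten_text, findings, blocked). When any matched type has the
    'block' action, blocked is True and the caller withholds the whole message."""
    findings = []
    blocked = False

    def make_repl(kind):
        def repl(match):
            nonlocal blocked
            value = match.group(0)
            if kind == "card" and not luhn_ok(value):
                return value                      # false positive, leave it alone
            findings.append({"type": kind, "action": policy[kind]})
            if policy[kind] == "block":
                blocked = True
                return value
            return transform(kind, value, policy[kind])
        return repl

    for kind, pattern in PATTERNS.items():
        text = pattern.sub(make_repl(kind), text)
    return text, findings, blocked


def filter_tool_result(message: dict, policy: dict = POLICY):
    """Filter a JSON-RPC tools/call result on its way from server to client.

    Returns (message_to_forward, alerts). Text content items are rewritten;
    a blocked finding replaces the whole result with a JSON-RPC error."""
    result = message.get("result", {})
    alerts, new_content, blocked = [], [], False
    for item in result.get("content", []):
        if item.get("type") == "text":
            text, findings, hit_block = scan_text(item["text"], policy)
            alerts.extend(findings)
            blocked = blocked or hit_block
            item = {**item, "text": text}
        new_content.append(item)
    if blocked:
        error = {"code": -32000, "message": "tool result withheld by data protection policy"}
        return {"jsonrpc": "2.0", "id": message.get("id"), "error": error}, alerts
    return {**message, "result": {**result, "content": new_content}}, alerts


# Constructed sample tool result, as a CRM server might return it.
SAMPLE = {
    "jsonrpc": "2.0", "id": 7,
    "result": {"content": [{"type": "text", "text":
        "Contact jane.doe@example.com, SSN 123-45-6789, key sk-abcdefghijklmnopqrstuv"}]},
}

if __name__ == "__main__":
    forwarded, alerts = filter_tool_result(SAMPLE)
    print(forwarded["result"]["content"][0]["text"])
    print(alerts)
```

The `alerts` list returned alongside the forwarded message is what a gateway would hand to its alerting pipeline: it records which data type was seen and what was done about it, without carrying the sensitive value itself.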
Video: Regex-Based Detection and Sensitive Data/PII Redaction For MCP Servers
MCP Manager also integrates with other tools that make up a Data Loss Prevention (DLP) solution, such as Microsoft Presidio and Amazon Bedrock, to identify data that is less reliably matched using regex, such as home addresses.
Watch the video below to see how MCP Manager works with tools such as Microsoft Presidio to identify PII and other sensitive data.
Video: MCP Manager’s Microsoft Presidio Integration For MCP Servers To Detect PII
The diagram below shows how, even in the case of a “successful” attack, MCP Manager thwarts the attacker’s objective by blocking or redacting sensitive data before it reaches the attacker and alerting your security team to investigate:

Identity and Permission Management
MCP gateways also enable you to determine and enforce how users and agents access MCP servers and connected resources.
Some MCP gateways and MCP server management platforms, such as MCP Manager, include sophisticated capabilities to securely store and rotate access tokens, minimizing the risk of token theft and resulting unauthorized access to data.
MCP gateways also allow admin users to determine which “tools” each user has access to within each MCP server. Tools on MCP servers provide different capabilities; for example, one tool may enable an LLM to read data, while another enables it to edit data.
Therefore, control over access to tools serves as a robust means of controlling permissions and capabilities for different users, the LLMs they use, and even headless agents.
Logging and Traceability
A key principle in data protection is the ability to track back and see who accessed data and what they did with or to it. MCP introduces a challenge, as it doesn’t come pre-equipped with the traceable logging required for data protection, security, and privacy processes and audits.
Your logs of MCP traffic need user, agent, and session identifiers, so that you can precisely determine which user or agent accessed – or attempted to access – which data, as part of which flow of events (i.e., the session), and what happened to the data next.
Of course, this also requires proper identity management to ensure that users access data using distinct identities, enabling traceability.
The good news is that MCP proxies and MCP gateways are an ideal solution for verbose, traceable logs of MCP traffic, too.
All MCP traffic flows through your proxy or gateway, enabling it to generate end-to-end logs, opening up the black box of AI and MCP activity, and giving you the information you need to identify potential data security breaches or failed unauthorized access attempts.
You can use the data in these logs for data security audits to determine the causes and consequences of any breach, respond appropriately to any incidents, and power relevant alerts and reports.
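The following added example ties together the two preceding sections, per-user and per-agent tool permissions and traceable logging, in one gateway-side sketch. It is illustrative code written for this article, not MCP Manager's implementation. It assumes that the gateway has already authenticated each request to a distinct identity (a person or a headless agent) and assigned it a session id, that tool listings and calls arrive as MCP `tools/list` and `tools/call` JSON-RPC messages, and that a per-identity allow-list such as the constructed `ALLOWED_TOOLS` exists; the identities, server names, tool names and the `-32000` error code are all made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical per-identity tool allow-lists, keyed by user (or headless agent)
# identity and then by MCP server name. Constructed for this example.
ALLOWED_TOOLS = {
    "analyst@example.com": {"crm": {"search_contacts", "get_contact"}},
    "billing-agent": {"crm": {"search_contacts"},
                      "ledger": {"read_invoice", "update_invoice"}},
}


@dataclass(frozen=True)
class Identity:
    user: str      # distinct identity of the person or headless agent acting
    agent: str     # the MCP client / agent runtime issuing the request
    session: str   # gateway-issued session id, shared across servers in one flow


class Gateway:
    """Mediates tools/list and tools/call between clients and servers."""

    def __init__(self):
        self.audit_log: list[dict] = []

    def _log(self, ident: Identity, server: str, event: str, **fields) -> dict:
        # Every record carries user, agent and session, so any later question
        # of "who did what, in which flow" can be answered from the log alone.
        record = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": ident.user, "agent": ident.agent, "session": ident.session,
            "server": server, "event": event, **fields,
        }
        self.audit_log.append(record)
        return record

    def _allowed(self, ident: Identity, server: str) -> set:
        return ALLOWED_TOOLS.get(ident.user, {}).get(server, set())

    def filter_tools_list(self, ident: Identity, server: str, response: dict) -> dict:
        """Drop tools the identity may not use from a tools/list response, so the
        LLM never sees capabilities it is not entitled to."""
        allowed = self._allowed(ident, server)
        tools = [t for t in response["result"]["tools"] if t["name"] in allowed]
        self._log(ident, server, "tools/list", visible=[t["name"] for t in tools])
        return {**response, "result": {**response["result"], "tools": tools}}

    def authorize_call(self, ident: Identity, server: str, request: dict) -> dict:
        """Return the request to forward, or a JSON-RPC error to send back."""
        tool = request["params"]["name"]
        decision = "allow" if tool in self._allowed(ident, server) else "deny"
        # Log argument names only: argument values may themselves hold sensitive data.
        self._log(ident, server, "tools/call", request_id=request["id"], tool=tool,
                  decision=decision, args=sorted(request["params"].get("arguments", {})))
        if decision == "deny":
            return {"jsonrpc": "2.0", "id": request["id"],
                    "error": {"code": -32000,
                              "message": f"tool {tool!r} not permitted for {ident.user}"}}
        return request

    def record_result(self, ident: Identity, server: str, response: dict) -> dict:
        """Log what came back for a call, so each access can be followed to its result."""
        content = response.get("result", {}).get("content", [])
        size = sum(len(c.get("text", "")) for c in content)
        return self._log(ident, server, "tools/call.result", request_id=response.get("id"),
                         ok="error" not in response, result_chars=size)

    def trace_session(self, session: str) -> list:
        """Everything one session did, across all servers, in order."""
        return [r for r in self.audit_log if r["session"] == session]

    def denied_attempts(self) -> list:
        """Failed unauthorized access attempts: the first thing to alert on."""
        return [r for r in self.audit_log
                if r["event"] == "tools/call" and r["decision"] == "deny"]


def demo() -> Gateway:
    """Constructed exchange: a headless billing agent, one session, one server."""
    gw = Gateway()
    ident = Identity(user="billing-agent", agent="scheduler-runtime", session="sess-0042")
    listing = {"jsonrpc": "2.0", "id": 1, "result": {"tools": [
        {"name": "search_contacts"}, {"name": "get_contact"}, {"name": "delete_contact"}]}}
    gw.filter_tools_list(ident, "crm", listing)
    gw.authorize_call(ident, "crm", {"jsonrpc": "2.0", "id": 2, "method": "tools/call",
                      "params": {"name": "search_contacts", "arguments": {"query": "acme"}}})
    gw.record_result(ident, "crm", {"jsonrpc": "2.0", "id": 2,
                     "result": {"content": [{"type": "text", "text": "1 contact found"}]}})
    # A manipulated agent tries a tool it was never granted; the gateway denies and logs it.
    gw.authorize_call(ident, "crm", {"jsonrpc": "2.0", "id": 3, "method": "tools/call",
                      "params": {"name": "delete_contact", "arguments": {"id": "c-17"}}})
    return gw


if __name__ == "__main__":
    for rec in demo().trace_session("sess-0042"):
        print(rec)
```

Filtering `tools/list` as well as `tools/call` matters: an LLM only plans around the tools it is shown, so removing a tool from the listing prevents most unauthorized attempts before they happen, while the `tools/call` check catches anything that guesses a tool name anyway, and both land in the same log under the same session id.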
You don’t need to compromise on security to use MCP.
Using MCP servers creates risks, challenges, and complications for teams tasked with data protection and data security.
However, as we can all see, the drive to incorporate AI and MCP servers across organizational workflows is only going to increase.
Therefore, to make enterprise use of MCP work, we need to find solutions that allow us to use MCP servers without compromising the security of our data.
Fortunately, just as the drive to use MCP servers is accelerating, so too is the tooling to manage and secure MCP servers and MCP-based traffic.
MCP security tools all vary in their capabilities. MCP Manager provides the guardrails against data exfiltration, permissions and identity controls, and observability that you need to use MCP servers without compromising data protection, security, or privacy.
Learn more about how MCP Manager can help you use MCP securely by trying it for free. Book your quick introduction call to get started, and we’ll set up your free account.