Full Report
We share Cloudflare's internal strategy for governing MCP using Access, AI Gateway, and MCP server portals. We also launch Code Mode to slash token costs and recommend new rules for detecting Shadow MCP in Cloudflare Gateway.
Analysis Summary
# Best Practices: Governing Model Context Protocol (MCP)
## Overview
Model Context Protocol (MCP) is an open standard that allows LLMs to connect to external data sources and tools. While it enhances AI productivity, it creates new security risks including **Shadow MCP** (unauthorized servers), data exfiltration, and lack of visibility into what corporate data is being fed into AI models. These practices provide a framework for governing MCP using Zero Trust principles.
## Key Recommendations
### Immediate Actions
1. **Identify Shadow MCP:** Inventory where MCP is already in use before writing policy. MCP has two transports, and they surface in different places: local servers launched by a desktop client such as Claude Desktop speak JSON-RPC over stdio and open no network port, so they are found on the endpoint (the client's MCP configuration file and the processes it spawns), not on the wire; remote servers are ordinary HTTPS endpoints, so they appear in proxy logs as JSON-RPC `initialize` handshakes rather than on a distinctive port. Audit both, and block unauthorized outbound connections to known MCP registries and to remote MCP servers that are not on the approved list.
2. **Implement AI Gateway:** Use an AI Gateway as a central proxy for all LLM traffic to log every request, response, and tool call.
3. **Restrict Local Execution:** Create a policy prohibiting the installation of unverified MCP servers on local workstations.
### Short-term Improvements (1-3 months)
1. **Deploy Hosted MCP Portals:** Shift from local MCP servers to "MCP Portals"—centralized servers hosted behind a Zero Trust tunnel (e.g., Cloudflare Access).
2. **Apply Granular RBAC:** Link MCP server access to Identity Provider (IdP) groups. Ensure only specific teams (e.g., Engineering) can access specific sensitive MCP tools (e.g., GitHub or Jira connectors).
3. **Enable Data Loss Prevention (DLP):** Configure AI Gateway to scan outgoing prompts and MCP tool outputs for PII, API keys, and sensitive internal identifiers.
### Long-term Strategy (3+ months)
1. **Standardize on "Code Mode":** Have the model write a short program that calls tools from a sandbox, instead of passing every tool schema and every intermediate tool result through the model's context window; only the final result is sent back to the LLM provider. This cuts token cost and reduces the volume of raw corporate data the provider ever sees.
2. **Automated Threat Detection:** Integrate Gateway logs with SIEM to detect anomalous patterns, such as an LLM making an unusual volume of document requests via a "Search" MCP tool.
3. **Formal Governance Framework:** Establish an "Approved MCP Registry" similar to an approved software list.
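The anomaly rule in item 2, written out as an added example rather than anything from Cloudflare's post: a sliding-window count of `tools/call` records per user and tool, read from gateway logs, that raises one alert per burst when a tool exceeds its per-minute baseline. The JSON log format, the field names (`ts`, `user`, `method`, `tool`) and the `search` limit of 20 calls per minute are assumptions for the demo, and the log lines are constructed.

```python
"""Burst detection over MCP tool-call logs (added example, not Cloudflare's code).

The log format, field names and per-tool limits are assumptions for the demo.
"""
import json
from collections import defaultdict, deque

WINDOW_SECONDS = 60
# Assumed baselines: more calls than this per window from one user is anomalous.
TOOL_LIMITS = {"search": 20}


def parse_tool_calls(log_lines):
    """Yield (ts, user, tool) for every log line that records an MCP tools/call."""
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("method") != "tools/call":
            continue  # initialize, tools/list, etc. are not counted here
        yield int(rec["ts"]), rec["user"], rec["tool"]


def detect_bursts(log_lines, window=WINDOW_SECONDS, limits=TOOL_LIMITS):
    """Sliding-window counter per (user, tool).

    Returns one alert per burst, raised at the call that first exceeds the
    limit; the alert re-arms once the user's rate drops back under the limit.
    """
    recent = defaultdict(deque)  # (user, tool) -> timestamps inside the window
    in_burst = set()
    alerts = []
    for ts, user, tool in sorted(parse_tool_calls(log_lines)):
        limit = limits.get(tool)
        if limit is None:
            continue  # no baseline configured for this tool
        key = (user, tool)
        q = recent[key]
        q.append(ts)
        while q and q[0] <= ts - window:
            q.popleft()  # drop calls that have aged out of the window
        if len(q) > limit:
            if key not in in_burst:
                in_burst.add(key)
                alerts.append({"user": user, "tool": tool,
                               "calls_in_window": len(q), "at": ts})
        else:
            in_burst.discard(key)
    return alerts


def make_sample_logs():
    """Constructed gateway log lines: alice searches normally, bob bulk-reads via search."""
    lines = []
    for i in range(5):  # alice: one search a minute
        lines.append(json.dumps({"ts": 60 * i, "user": "alice@example.com",
                                 "method": "tools/call", "tool": "search"}))
    for i in range(30):  # bob: 30 searches in 30 seconds
        lines.append(json.dumps({"ts": 1000 + i, "user": "bob@example.com",
                                 "method": "tools/call", "tool": "search"}))
    lines.append(json.dumps({"ts": 1005, "user": "bob@example.com",
                             "method": "tools/list", "tool": None}))
    return lines


SAMPLE_LOGS = make_sample_logs()

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOGS):
        print(alert)
```

The rule fires on bob's 21st search inside a minute and stays quiet for the remaining nine, so a SIEM receives one event per burst instead of one per call. In production the limits would come from observed per-team baselines rather than a constant.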
## Implementation Guidance
### For Small Organizations
- Use a single **AI Gateway** to gain visibility.
- Use built-in browser/gateway blocking to prevent users from downloading unauthorized MCP extensions.
### For Medium Organizations
- Centralize MCP servers on internal infrastructure.
- Use **Zero Trust tunnels** to expose these servers to AI clients without opening public ports.
- Implement basic DLP rules for common patterns like credit card numbers or "CONFIDENTIAL" tags.
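A content check of the kind the short-term DLP recommendation and the bullet above describe, written as an added example and not Cloudflare's DLP engine: it reads MCP JSON-RPC messages, pulls out the text that reaches model context (the `arguments` of a `tools/call` request and the `text` content items of its result), and flags API-key formats, a CONFIDENTIAL marker and Luhn-valid card numbers. The pattern set and the sample messages are constructed for the demo; the AWS access key is the placeholder value from AWS documentation.

```python
"""DLP scan of MCP messages (added example, not Cloudflare's DLP engine).

The patterns are a small assumed set; extend them with your own identifiers.
"""
import json
import re

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "confidential_tag": re.compile(r"\bCONFIDENTIAL\b"),
    "card_candidate": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(digits):
    """Luhn checksum, used to drop 13-19 digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def model_context_text(msg):
    """Text in an MCP message that reaches the model: tool arguments the model
    sends (tools/call request) and text content the server returns (its result)."""
    texts = []
    if msg.get("method") == "tools/call":
        args = (msg.get("params") or {}).get("arguments", {})
        texts.append(json.dumps(args, ensure_ascii=False))
    result = msg.get("result")
    if isinstance(result, dict):
        for item in result.get("content", []):
            if item.get("type") == "text":
                texts.append(item.get("text", ""))
    return texts


def scan_message(msg):
    """Return the sorted list of pattern names that fire on one MCP message."""
    hits = set()
    for text in model_context_text(msg):
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                if name == "card_candidate" and not luhn_ok(re.sub(r"\D", "", m.group())):
                    continue  # digit run that is not a valid card number
                hits.add(name)
    return sorted(hits)


def scan_stream(messages):
    """Scan parsed MCP messages; returns [(id, hits)] for those to block or redact."""
    flagged = []
    for msg in messages:
        hits = scan_message(msg)
        if hits:
            flagged.append((msg.get("id"), hits))
    return flagged


SAMPLE_MESSAGES = [  # constructed MCP messages
    # 1: the model passes an access key to a tool (AWS documentation placeholder key)
    {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
     "params": {"name": "search",
                "arguments": {"query": "why does AKIAIOSFODNN7EXAMPLE get AccessDenied"}}},
    # 2: a tool result pulls a tagged document with a Luhn-valid test card into context
    {"jsonrpc": "2.0", "id": 2,
     "result": {"content": [{"type": "text",
                             "text": "CONFIDENTIAL - account notes. Card on file: 4111 1111 1111 1111."}],
                "isError": False}},
    # 3: a 16-digit order number that fails Luhn is not flagged
    {"jsonrpc": "2.0", "id": 3,
     "result": {"content": [{"type": "text", "text": "Order 1234 5678 9012 3456 shipped."}]}},
    # 4: an ordinary tool listing carries nothing to scan
    {"jsonrpc": "2.0", "id": 4, "method": "tools/list"},
]

if __name__ == "__main__":
    for msg_id, hits in scan_stream(SAMPLE_MESSAGES):
        print(msg_id, hits)
```

Scanning both directions matters: message 1 is data leaving the organization inside a prompt, message 2 is data a server pulled into the model's context, and a gateway that only inspects the human prompt sees neither.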
### For Large Enterprises
- Deploy **MCP Portals** integrated with SSO (Okta/Entra ID).
- Use **Code Mode** optimization to manage high-volume token costs.
- Implement exhaustive logging for audit/compliance (SOC2/GDPR) to track what data was accessed by which model.
## Configuration Examples
### Cloudflare Gateway: Detecting Shadow MCP
Port matching is a Gateway **Network** policy selector, not an HTTP policy one, and `Isolate` is an action only HTTP policies offer. A port-based rule to stop workstations reaching MCP servers on non-standard ports looks like this:
- **Policy type:** Network
- **Selector:** `Destination Port`
- **Operator:** `in`
- **Value:** the ports your known MCP servers listen on
- **Action:** `Block`
Treat this as a coarse first filter only: local stdio servers open no port, and remote MCP servers speak JSON-RPC over HTTPS on 443, which a port rule cannot single out. For remote servers, pair it with an HTTP policy on `Host` or `Domain` (or `SNI` in a Network policy) that blocks everything not on the approved MCP list, with TLS inspection and request logging enabled so the `initialize` handshake is visible in the logs.
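Because MCP over HTTP has no port of its own, a more reliable detector keys on the protocol itself. The following is an added example, not a Cloudflare Gateway feature or configuration: it classifies HTTP proxy records as MCP by the JSON-RPC `initialize` handshake (`protocolVersion` plus `clientInfo` in `params`), by the `Mcp-Session-Id` header that the Streamable HTTP transport attaches to later requests, or by MCP method names, and reports any MCP destination that is not on an approved host list. The records, the approved list, the client names and the method subset are assumptions for the demo.

```python
"""Fingerprint MCP sessions in HTTP proxy records (added example, not Cloudflare's code).

The records, approved hosts, client names and method subset are assumptions for the demo.
"""
import json

# Assumed approved MCP registry: the hosts the organization has sanctioned.
APPROVED_MCP_HOSTS = {"mcp.internal.example.com"}

# Subset of MCP JSON-RPC method names; the initialize handshake is matched separately.
MCP_METHODS = {"tools/list", "tools/call", "resources/list", "resources/read",
               "resources/templates/list", "prompts/list", "prompts/get", "ping"}


def classify_request(record):
    """Return (is_mcp, evidence) for one proxy record {host, port, headers, body}."""
    evidence = []
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    if "mcp-session-id" in headers:
        evidence.append("Mcp-Session-Id header")
    msg = None
    if record.get("body"):
        try:
            msg = json.loads(record["body"])
        except ValueError:
            pass  # not JSON, so not a JSON-RPC request
    if isinstance(msg, dict) and msg.get("jsonrpc") == "2.0":
        method = msg.get("method")
        params = msg.get("params") or {}
        if method == "initialize" and "protocolVersion" in params and "clientInfo" in params:
            client = params["clientInfo"].get("name", "?")
            evidence.append("MCP initialize handshake (%s)" % client)
        elif method in MCP_METHODS:
            evidence.append("MCP method " + method)
    return bool(evidence), evidence


def find_shadow_mcp(records, approved=APPROVED_MCP_HOSTS):
    """Return [(host, port, evidence)] for MCP traffic to hosts outside the approved list."""
    findings = []
    for rec in records:
        is_mcp, evidence = classify_request(rec)
        if is_mcp and rec["host"] not in approved:
            findings.append((rec["host"], rec["port"], evidence))
    return findings


def _initialize_body(client_name):
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": "initialize",
                       "params": {"protocolVersion": "2025-03-26", "capabilities": {},
                                  "clientInfo": {"name": client_name, "version": "1.0"}}})


SAMPLE_RECORDS = [  # constructed proxy records; all MCP traffic here rides on 443
    {"host": "mcp.internal.example.com", "port": 443, "headers": {},
     "body": _initialize_body("desktop-client-a")},
    {"host": "tools.unapproved.example.net", "port": 443, "headers": {},
     "body": _initialize_body("editor-plugin-b")},
    {"host": "tools.unapproved.example.net", "port": 443,
     "headers": {"Mcp-Session-Id": "session-abc123"},
     "body": json.dumps({"jsonrpc": "2.0", "id": 2, "method": "tools/call",
                         "params": {"name": "read_file", "arguments": {"path": "/etc/hosts"}}})},
    # JSON-RPC that is not MCP (an Ethereum node call): must not be flagged
    {"host": "rpc.example.org", "port": 8545, "headers": {},
     "body": json.dumps({"jsonrpc": "2.0", "id": 7, "method": "eth_blockNumber", "params": []})},
    # plain JSON API call: not JSON-RPC at all
    {"host": "api.example.com", "port": 443, "headers": {},
     "body": json.dumps({"query": "hello"})},
]

if __name__ == "__main__":
    for host, port, evidence in find_shadow_mcp(SAMPLE_RECORDS):
        print(host, port, evidence)
```

The check only works where the proxy decrypts and logs request bodies (TLS inspection on), which is also a prerequisite for the DLP controls above; without it, the `Mcp-Session-Id` header and the handshake are invisible and only the destination host remains as a signal.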
### AI Gateway: Rate Limiting & Stealth
Set a per-user token budget so that a runaway agent loop, or a deliberate token-exhaustion attempt, cannot burn through the organization's quota or spend:
- **Limit:** 1000 tokens per minute per user (an illustrative figure; derive the real one from observed usage so legitimate agent runs are not rejected).
- **Action:** Reject the request with an error rather than queueing it, and log the rejection so repeated hits surface in the SIEM.
## Compliance Alignment
- **NIST AI RMF:** Aligns with the "Govern" and "Map" functions by identifying AI-to-data connections.
- **ISO/IEC 42001:** Supports AI management system requirements for data governance and risk assessment.
- **SOC 2 Type II:** Gateway logs provide the audit evidence of which tool accessed which data on whose behalf, and when, including access that was automated rather than performed by a person.
## Common Pitfalls to Avoid
- **Implicit Trust:** Assuming that an MCP server is safe because it runs locally. A local server runs with the user's privileges, and everything it returns is placed in the model context and sent to the LLM provider, so a malicious or compromised server (or a benign one fed a prompt injection through the data it reads) can move files and credentials off the workstation through the developer's own LLM session.
- **Ignoring Tool-Call Logs:** Logging only the human prompt and not the model's tool-call requests and the results the MCP server returns. The tool result is where third-party data, and any prompt injection carried in it, enters the model's context.
- **Port Sprawl:** Allowing MCP servers to run on random high-number ports without egress filtering.
## Resources
- **MCP Documentation:** hxxps[://]modelcontextprotocol[.]io
- **Cloudflare AI Gateway:** hxxps[://]www[.]cloudflare[.]com/ai-gateway/
- **Cloudflare Zero Trust:** hxxps[://]one[.]dash[.]cloudflare[.]com/
- **MCP Reference Servers:** hxxps[://]github[.]com/modelcontextprotocol/servers