Generated by: STRIDER (STRIDE Threat Modeling for CALM Architectures)
Architecture: Paul's MCP Architecture
Version: 1.0
Date: 4 December 2025
Status: Draft - For Discussion
This architecture implements an MCP (Model Context Protocol) system with comprehensive security controls already in place. Claude (MCP client) connects to an MCP Server to query operational reports via a Reports API, all deployed on Kubernetes. The architecture demonstrates mature security posture with FINOS AI Governance Framework mitigations applied at node, relationship, and flow levels.
Key Findings:
- π΄ Critical: 2 unmitigated threats remaining
- π High: 4 threats with partial mitigations
- π‘ Medium: 6 threats with adequate controls
- π’ Low: 8 threats fully mitigated
Notable: This architecture has significantly better security posture than typical MCP deployments due to pre-applied FINOS AI Governance Framework controls.
- System Overview
- Data Flow Diagram
- Trust Boundary Inventory
- STRIDE Threat Analysis
- AI Governance Analysis
- Recommendations
- Appendix: CALM Controls
This MCP-based architecture provides secure access to operational reports. An AI client (Claude) connects to an MCP Server with tool chain validation and credential protection. The MCP Server communicates with a Reports API using mTLS with certificate rotation. A Secret API is network-isolated using micro-segmentation. The architecture includes a documented flow for report queries with end-to-end security controls.
| Component | Type | Description | Controls Applied |
|---|---|---|---|
| Claude | mcp-client | MCP Client for querying reports | N/A (external) |
| Reports MCP Server | service | MCP Server with tools for operational reports | β MCP Security Governance, Tool Chain Validation, Credential Protection |
| Reports API | service | API for accessing operational reports | N/A |
| Secret API | service | API isolated from MCP Server | β Micro-segmentation |
| Kubernetes Cluster | system | K8s with network policy rules | N/A |
| Layer | Technology | Security Controls |
|---|---|---|
| AI/ML | Claude (MCP Client) | TLS 1.3+ communication |
| MCP Server | Quarkus/JVM | Tool chain validation, credential protection |
| Backend | Reports API | mTLS with 30-day cert rotation |
| Infrastructure | Kubernetes | Network policies, micro-segmentation |
| Flow | Description | Controls |
|---|---|---|
| Report Query Flow | End-to-end query from Claude β MCP Server β Reports API | End-to-end encryption, authentication, audit logging |
flowchart TB
subgraph External["π΄ Trust Boundary: External AI Client"]
style External fill:#ffeeee,stroke:#cc0000,stroke-width:2px
Claude{{"π€ Claude<br/>MCP Client"}}
end
subgraph K8s["π Trust Boundary: Kubernetes Cluster (conference namespace)"]
style K8s fill:#fff5ee,stroke:#cc6600,stroke-width:2px
subgraph Secured["π’ Secured MCP Components"]
style Secured fill:#eeffee,stroke:#00cc00,stroke-width:2px
MCP["π§ Reports MCP Server<br/>Port: 8080<br/>βββββββββββββ<br/>β
MCP Security Governance<br/>β
Tool Chain Validation<br/>β
Credential Protection"]
Reports["βοΈ Reports API<br/>Port: 8080"]
end
subgraph Isolated["π Network Isolated"]
style Isolated fill:#ffe6e6,stroke:#990000,stroke-dasharray: 5 5
Secret["π« Secret API<br/>β
Micro-segmentation"]
end
end
Claude -->|"HTTPS/TLS 1.3+ π<br/>β
Secure MCP Communication"| MCP
MCP -->|"mTLS π<br/>β
API Auth + Audit"| Reports
MCP -.-x|"β Blocked"| Secret
linkStyle 0 stroke:#00cc00,stroke-width:3px
linkStyle 1 stroke:#0066cc,stroke-width:3px
linkStyle 2 stroke:#cc0000,stroke-width:2px,stroke-dasharray: 5 5
Legend:
- π΄ Critical trust boundary (external AI client)
- π High trust boundary (Kubernetes cluster)
- π’ Secured components with FINOS controls
- π TLS 1.3+ encrypted
- π mTLS mutual authentication
- β Blocked by network policy
- β Control applied
| ID | Boundary Name | From | To | Protocol | Controls | Criticality |
|---|---|---|---|---|---|---|
| TB-1 | AI Tool Invocation | Claude | MCP Server | HTTPS/TLS 1.3+ | Secure MCP Communication | π High |
| TB-2 | Internal Service Mesh | MCP Server | Reports API | mTLS | API Authentication + Audit | π‘ Medium |
| TB-3 | Network Isolation | Any | Secret API | Blocked | Micro-segmentation | π’ Low |
Boundary Details:
- From: Claude (MCP Client)
- To: Reports MCP Server
- Protocol: HTTPS with TLS 1.3+
- Criticality: π High (reduced from Critical due to controls)
Controls Applied:
- β
secure-mcp-communication- TLS 1.3+, certificate validation, protocol monitoring - β
mcp-security-governance- Tier-1 centralized proxy, pre-approved servers - β
tool-chain-validation- Strict input validation, tool allowlist, injection prevention - β
credential-protection- Vault-backed storage, least privilege
| STRIDE | Threat | Risk | Existing Control | Mitigation Status |
|---|---|---|---|---|
| π Spoofing | Malicious client impersonates Claude | M | TLS 1.3+ with cert validation | |
| π Spoofing | Rogue MCP Server presents malicious tools | L | Pre-approved servers, centralized proxy | β |
| π§ Tampering | Prompt injection causes unintended actions | M | Tool chain validation, injection prevention (sql, command, prompt) | β |
| π§ Tampering | Man-in-the-middle modifies requests | L | TLS 1.3+ encryption | β |
| π Repudiation | Tool invocations cannot be audited | M | Protocol monitoring, basic logging | |
| π€ Info Disclosure | Sensitive data leaked to AI model | M | None identified | β |
| π€ Info Disclosure | Logs expose operational data | L | Basic connection logging | |
| π« DoS | Excessive tool calls exhaust resources | M | None identified | β |
| π« DoS | Denial of Wallet - token exhaustion | M | None identified | β |
| β¬οΈ Elevation | Claude gains unauthorized tool access | L | Tool allowlist (get-reports, get-report-details) | β |
| β¬οΈ Elevation | Tool chain manipulation | L | Tool chain validation, parameter sanitization | β |
Discussion Points:
- Is TLS client certificate authentication needed for Claude?
- Should comprehensive audit logging replace basic connection logging?
- What data filtering should be applied before returning data to Claude?
- Are rate limits needed on tool invocations?
Boundary Details:
- From: Reports MCP Server
- To: Reports API
- Protocol: mTLS
- Criticality: π‘ Medium (well-controlled)
Controls Applied:
- β
api-authentication- mTLS, 30-day cert rotation, least privilege, audit all requests - β
credential-protection- Vault-backed, no hardcoded secrets
| STRIDE | Threat | Risk | Existing Control | Mitigation Status |
|---|---|---|---|---|
| π Spoofing | Attacker impersonates MCP Server | L | mTLS mutual authentication | β |
| π Spoofing | Rogue service pretends to be Reports API | L | mTLS certificate validation | β |
| π§ Tampering | Payloads modified in transit | L | mTLS encryption | β |
| π§ Tampering | Malicious input exploits Reports API | M | Tool chain validation (upstream) | |
| π Repudiation | API calls not logged | L | Audit all requests enabled | β |
| π€ Info Disclosure | API returns excessive data | M | None identified | β |
| π€ Info Disclosure | Error messages reveal internals | L | None identified | |
| π« DoS | MCP Server overwhelms Reports API | M | None identified | β |
| β¬οΈ Elevation | MCP Server exceeds API permissions | L | Least privilege access | β |
Discussion Points:
- Should response filtering be added to the Reports API?
- Are rate limits needed between MCP Server and API?
- Is 30-day certificate rotation frequent enough?
Boundary Details:
- From: Any cluster component (especially MCP Server)
- To: Secret API
- Protocol: N/A (blocked)
- Criticality: π’ Low (fully mitigated)
Controls Applied:
- β
security(micro-segmentation) - Network policy blocks all access
| STRIDE | Threat | Risk | Existing Control | Mitigation Status |
|---|---|---|---|---|
| π Spoofing | Network access to Secret API | L | Micro-segmentation | β |
| π§ Tampering | Container escape to reach API | L | Network policy + pod isolation | β |
| π Repudiation | Access attempts not logged | L | K8s audit logs (assumed) | |
| π€ Info Disclosure | Policy misconfiguration | L | Explicit deny policy | β |
| π« DoS | Resource starvation | L | K8s resource limits (assumed) | |
| β¬οΈ Elevation | Privilege escalation bypasses policy | L | Network policy + RBAC | β |
| Trust Boundary | π | π§ | π | π€ | π« | β¬οΈ | Overall |
|---|---|---|---|---|---|---|---|
| TB-1: AI Tool Invocation | β | β | β | β | π High | ||
| TB-2: Internal Service Mesh | β | β | β | β | π‘ Medium | ||
| TB-3: Network Isolation | β | β | β | β | π’ Low |
Legend: β
Mitigated |
β This architecture demonstrates mature AI governance with FINOS AI Governance Framework mitigations pre-applied.
Refer to the FINOS AI Governance Framework for detailed guidance.
| Component | Type | Description | AIGF Mitigations |
|---|---|---|---|
| Claude | MCP Client | External AI querying reports | Secure communication |
| Reports MCP Server | MCP Server | Exposes tools with security controls | MI-19, MI-20, MI-23 |
| Mitigation ID | Mitigation Name | Applied To | Configuration |
|---|---|---|---|
| MI-20 | MCP Server Security Governance | MCP Server | Tier-1, centralized proxy, pre-approved servers |
| MI-19 | Tool Chain Validation | MCP Server | Strict input validation, tool allowlist, prompt injection prevention |
| MI-23 | Credential Protection | MCP Server, API relationship | Vault-backed, 30-day rotation, least privilege |
| Risk ID | Risk Name | Status | Control |
|---|---|---|---|
| RI-26 | MCP Server Supply Chain Compromise | β Mitigated | MI-20: Pre-approved servers |
| RI-25 | Tool Chain Manipulation | β Mitigated | MI-19: Tool allowlist, validation |
| RI-29 | Agent Credential Harvesting | β Mitigated | MI-23: Vault-backed credentials |
| AIR-SEC-024 | Prompt Injection | β Mitigated | MI-19: Prompt injection prevention |
| AIR-SEC-025 | Agent Authorization Bypass | β Mitigated | Tool allowlist + least privilege |
| Risk ID | Risk Name | Impact | Gap |
|---|---|---|---|
| AIR-RC-001 | Information Leaked to Hosted Model | π Medium | No data filtering before AI response |
| AIR-OP-014 | Availability / Denial of Wallet | π Medium | No rate limiting |
| AIR-OP-005 | Hallucination | π‘ Low | Human review recommended |
| Boundary | Mitigations Applied | Status |
|---|---|---|
| MCP Client-Server Boundary | MI-20, TLS 1.3+ | β Secured |
| MCP Server-API Boundary | MI-23, mTLS | β Secured |
| # | Recommendation | Trust Boundary | Threat Addressed | Gap |
|---|---|---|---|---|
| 1 | Add data filtering before returning reports to AI | TB-1 | π€ Info Disclosure | AIR-RC-001 |
| 2 | Implement rate limiting on MCP Server endpoints | TB-1, TB-2 | π« DoS | AIR-OP-014 |
| # | Recommendation | Trust Boundary | Threat Addressed |
|---|---|---|---|
| 1 | Upgrade from basic logging to comprehensive audit logging | TB-1 | π Repudiation |
| 2 | Add response filtering on Reports API | TB-2 | π€ Info Disclosure |
| 3 | Consider mTLS for Claude β MCP Server connection | TB-1 | π Spoofing |
| 4 | Add spend/usage monitoring and alerts | TB-1 | π« DoS (Denial of Wallet) |
| # | Recommendation | Trust Boundary | Threat Addressed |
|---|---|---|---|
| 1 | Implement human-in-the-loop for sensitive operations | TB-1 | AI governance |
| 2 | Add network policy change alerting | TB-3 | π§ Tampering |
| 3 | Consider AI output validation/review process | TB-1 | AIR-OP-005 |
The following controls are defined in the CALM architecture:
{
"mcp-security-governance": {
"description": "MCP Server Security Governance - Establishes comprehensive security controls...",
"requirements": [{
"requirement-url": "https://air-governance-framework.finos.org/mitigations/mi-20",
"config": {
"tier": "tier-1",
"architecture": "centralized-proxy",
"pre-approved-servers": true,
"tls-encryption": "required",
"logging": "basic-connection-logging",
"mitigates-risks": ["RI-26"]
}
}]
}
}Mitigates: π Spoofing (rogue servers), RI-26 MCP Server Supply Chain
{
"tool-chain-validation": {
"description": "Tool Chain Validation and Sanitization...",
"requirements": [{
"requirement-url": "https://air-governance-framework.finos.org/mitigations/mi-19",
"config": {
"input-validation": "strict",
"parameter-sanitization": true,
"tool-allowlist": ["get-reports", "get-report-details"],
"injection-prevention": ["sql", "command", "prompt"],
"mitigates-risks": ["RI-25"]
}
}]
}
}Mitigates: π§ Tampering (prompt injection), β¬οΈ Elevation (unauthorized tools), RI-25 Tool Chain Manipulation
{
"credential-protection": {
"description": "Agentic System Credential Protection...",
"requirements": [{
"requirement-url": "https://air-governance-framework.finos.org/mitigations/mi-23",
"config": {
"credential-storage": "vault-backed",
"credential-scoping": "least-privilege",
"rotation-frequency": "30-days",
"no-hardcoded-secrets": true,
"mitigates-risks": ["RI-29"]
}
}]
}
}Mitigates: π Spoofing (credential theft), RI-29 Agent Credential Harvesting
{
"secure-mcp-communication": {
"config": {
"tls-version": "1.3+",
"certificate-validation": "required",
"mutual-authentication": false,
"protocol-monitoring": true
}
}
}Mitigates: π§ Tampering (MITM), π€ Info Disclosure (eavesdropping)
{
"api-authentication": {
"config": {
"authentication-method": "mtls",
"certificate-rotation": "30-days",
"least-privilege": true,
"audit-all-requests": true
}
}
}Mitigates: π Spoofing, π Repudiation, β¬οΈ Elevation
{
"security": {
"description": "Lock down an individual POD workload",
"requirements": [{
"requirement-url": "https://calm.finos.org/workshop/controls/micro-segmentation.requirement.json",
"config-url": "https://calm.finos.org/workshop/controls/micro-segmentation.config.json"
}]
}
}Mitigates: π Spoofing, π€ Info Disclosure, β¬οΈ Elevation
| Aspect | Segmented MCP Architecture | Paul's MCP Architecture |
|---|---|---|
| MCP Server Controls | β None | β MI-19, MI-20, MI-23 |
| Tool Allowlist | β None | β get-reports, get-report-details |
| Prompt Injection Prevention | β None | β Configured |
| Credential Management | β Unknown | β Vault-backed |
| Relationship Controls | β None | β TLS 1.3+, mTLS, audit |
| Documented Flows | β None | β Report Query Flow |
| Overall Posture | π΄ Critical gaps | π‘ Mostly secured |
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 4 December 2025 | STRIDER | Initial threat model |