Zero Trust MCP Server Control
Presented by: Kenny Johnson, Dina Kozlov
Originally aired on August 26 @ 12:00 PM - 12:30 PM EDT
Welcome to Cloudflare AI Week 2025!
There's barely a company or a startup not focused on AI right now. Companies' entire strategies are shifting because of this incredible technology.
From August 25 to 29, Cloudflare is hosting AI Week, dedicated to empowering every organization to innovate with AI without compromising security.
Tune in all week for more news, announcements, and thought-provoking discussions!
Visit the AI Week Hub for every announcement and CFTV episode — check back all week for more!
Transcript (Beta)
Welcome to Cloudflare TV. Today's session, we're going to go over a new feature that we just announced in Cloudflare Zero Trust, Cloudflare MCP Server Portals.
My name is Kenny Johnson.
I'm a product manager on the Zero Trust team. I'm joined by Dina Kozlov.
Dina, do you want to take a moment to introduce yourself?
Sure. Hi, everybody.
So excited to be here. Happy AI Week. I am a product manager on our developer platform team.
I actually had the very exciting opportunity to work with our engineering team when MCP first came out, and we were figuring out how to make it as easy as possible for anybody to build MCP servers.
So super excited to see where we are today in adding these new controls for it.
Awesome. Thank you so much, Dina.
Dina is very much our MCP queen internally, and I'm very excited to have her here to get to talk through this feature.
I think before I dive into the demo of what we've shipped, Dina, I'm wondering if you could help demystify MCPs for the audience a little bit.
I know it's an acronym that gets thrown out a lot. I see it on X all the time.
I see it on LinkedIn even. But what's it all about? What are people using it for?
And what are kind of where do you think things are headed?
Sure. MCP stands for the Model Context Protocol. The way that I like to think about it is if we go back in time to six months ago before it existed, if I were to use an AI agent like ChatGPT or Claude, it is really good at answering questions, giving me information.
If I want to build an app, it can give me all the code.
But it can't necessarily, it couldn't necessarily take an action for you.
So if I wanted it to deploy that code, it wasn't able to do that.
Or for example, let's say I'm asking it a bunch of questions. I'm asking it to create a meal plan for me.
What if I wanted to now order groceries on my behalf?
It couldn't do that before. But that's what MCP unlocked. MCP, I think of it as an integration layer between AI agents and different services.
And MCP just defines this standard language that the two can talk.
And it now allows a user to talk to an AI agent and chat with it and tell it that it wants to do something.
And then as long as that AI agent has a connection to an MCP server, for example, for Instacart or for Cloudflare, then it can take an action on the user's behalf and leverage that integration so that it can make a tool call to order groceries for you or make a tool call to tell you when they're coming or make a tool call to deploy code.
So really cool technology because it lowers the barrier of entry significantly for a lot of services where before you had to read through documentation or you had to go through a dashboard or make API integrations.
Now you can just in chat, in natural language, say what you need and leave it to the LLM to figure out what tool calls it needs to make to be able to get you to that end result that you're looking for.
Awesome. That's great. Definitely something we're really excited about.
You said you were going to ask me this, but I'll start with what's your favorite MCP server that you've seen out there so far?
There is an MCP server or service, I guess, called gitmcp.io. And my favorite thing about it is you can take any GitHub repo and change the github.com to gitmcp.io and it will create an MCP server for that GitHub repo.
It's public.
And so it's really good at querying through the repo. And so I've been using it a lot that if I see an open source project out there.
So a lot of MCP servers are open source.
I'll connect Claude to it and be like, hey, go look at what they did over there and help me figure out how to do something similar.
So I have been loving it.
But now, Kenny, let me ask you, what is your favorite MCP server?
I like yours a lot more than I like mine. Mine is not a very exciting one, but it has been a very pragmatic one as a product manager.
I, like many product managers, do not have the cleanest JIRA backlog out there in the world.
And I have been really loving our internal JIRA MCP because I've been able to basically point it at my team's project and say, hey, what looks like it's still legitimate, what's poorly formed and what should just be closed out.
And I have been loving the results of that.
That has been a huge time savings. And we've been able to do loads of spring cleaning, me and my engineering manager in a much, much happier state.
Amazing.
Love it. The other thing about MCP that I think is really great is it does create this integration layer where your client, for example, Claude or ChatGPT, you can connect it to multiple MCP servers and it can make tool calls across all of them.
And so instead of building out an integration across, let's say, JIRA and maybe your email and something else, and maybe your CRM, you can now connect your agent to all of these MCP servers and have it, you know, go pull data from one, go take an action in another and continue to use it that way, which might be a good way to talk about MCP portals.
So MCP came out and, of course, super exciting, definitely boosts productivity.
But I know very quickly one thing that I started to hear from customers was, you know, now we're being concerned around what data is now being shared with different LLMs.
You know, a lot of it is company data. It's sensitive.
And so a lot of CISOs, a lot of security admins have been asking what security controls and guardrails can we start putting in place around MCP?
But Kenny, we'd love to hear about, you know, what have you been hearing from customers?
What are the main concerns?
What should people be paying attention to?
Yeah, that is an excellent tip, Dina.
Thank you so much. And I think your point about being able to plug in and use multiple MCP servers at once is a really compelling thing, but it gets out of hand really quickly.
So we built MCP server portals for two things, or for two reasons.
One is the actual underlying user experience for using MCP servers.
If I even, I actually have an example of my Windsurf config here.
If I go in and configure an MCP client or an MCP server and I want to add multiple, this JSON list gets huge.
If I want to use 15 tools, I have to put 15 things in here.
So that's the first step is with portals, you get one URL that can have multiple MCP servers pointed at it.
So then that takes us into the broader and probably more compelling thing are the security controls that we're able to enforce with this.
Like you said, the MCP protocol along with other AI tools are very focused on broad connectivity and broad efficiency gains.
However, they don't have a lot of the security guardrails that you'd expect as a security leader or IT leader.
So what we did with MCP portals, I'll jump into this actual demo here, is we added the ability to on-ramp your MCP servers.
So I have a number of MCP servers in here configured.
You'll see that I've been able to synchronize my tools and prompts for those MCP servers.
And then the individual MCP servers are then able to have specific policies assigned.
So I'm able to come in here and I can say, okay, I want to only allow users that belong to the Cloudflare domain to access that particular server.
So then I'm able to set up and configure all my different servers that I want.
And then what I'm able to do then is I can establish MCP server portals, which a portal is basically just a collection of MCP servers.
So that MCP portal will then have multiple MCP servers assigned. Another powerful thing that we added is the ability to turn specific tools and prompts on and off.
So the MCP server developer, they want to give you the kitchen sink.
They want to give you everything possible that you could potentially do, which can represent a security problem.
My Jira MCP server might have the ability to create tickets and read tickets.
Maybe I don't want to give everybody at my organization the ability to write tickets immediately with the MCP server.
Maybe I want to try it out in read-only mode. The server portal allows me to do that at a higher level layer instead of having to go server by server and actually configure that one by one in my organization.
Similarly to that, we also have centralized logging of tool calls and invocations for each of the individual servers.
So similarly to setting which tools and prompts I want to make available, instead of having to go server by server to look at logs at what's happening and piece together kind of why something catastrophic happened or a potential investigative potential security event, I'm able to see that in one place through my MCP server portal.
And then additionally, I can set a baseline policy for the portal.
So I can say who should and should not have access to this particular portal.
And then the cool part about that is that a combination of these server policies, plus the portal policy, works out exactly what the end user should receive in their underlying MCP client.
So instead of having to think about, well, my developers get these three servers and my HR people get this one server, I can give everybody the same portal URL or a set of URLs.
And then the portal itself will work out which servers that particular user should get access to.
And then what this actually looks like in practice, it's very simple.
We generate a Cloudflare hosted domain.
It's going to have an access policy in front of it. And we've got some basic how-tos for the AI Playground and Claude, but you can use this with any MCP client.
And I'll go ahead and drop this in and hopefully the demo gods are in my favor.
You never know when you're doing a live demo. Let's see. Yeah, there we go. Hold on.
Let me do a quick refresh. I think I know why this happened, but let's see.
Yeah, there we go. It's because I tried it once before. So in this case, oh, look, I actually am not allowed that particular server.
Let's double check what's going on with that.
Let's see if I can get this to work. OK. There's also people trying my product out under the hood, so they could have messed with things.
So, you know, you never know with this stuff. Let me see real quick if I can get a good one of these.
This is always fun when you're doing something live.
Oh, sorry. No, go ahead. You go.
I just wanted to say while you're looking into it, it's actually interesting.
When we first started talking to different companies about MCP servers, it was very much around exposing your own service that's available through a dashboard or API endpoints to end customers to be able to use through AI agents.
But now I'd actually say the much more common use case that we're hearing, the thing that's top of mind is every company is starting to build their own internal MCP servers so that their own employees can have much better access to information to be able to do their job.
So be able to ask questions around, yeah, JIRA, CRM data.
You know, we have built our own internal tooling. I'm sure every company out there has as well.
And so I think especially with a portal like this, it's very helpful for this internal MCP server use case where, you know, let's say we have 10 different internal services.
Those are all MCP servers.
It's nice to be able to put them behind one portal and then employees can just connect to that one as we add, as we create more MCP servers for internal services, they can automatically be added to the cohort and the user can automatically get access to them.
And a lot of companies are also building their own MCP clients that are internal.
We actually, a few months ago, we open sourced use-mcp that allows you to, in three lines of code, essentially add a whole interface to your React application that allows you to connect to any remote MCP servers.
So really easy for you to build that out.
Awesome. Thank you so much.
And the demo gods have now been on my side. I was able to authenticate to a different MCP portal that I configured that allows me to list out my various MCP servers that are attached to my Cloudflare account.
And then the nice thing about that is I'll get centralized logging for any usage against that particular app.
And then similarly in access logs, I'll also see this login event.
So you can see the actual authentication of my user to that particular service.
So you get similar access logs that you'd get with normal Cloudflare Access, but for your MCP server portals, and then you get the actual activity logs as well for the MCP portal itself.
Awesome. So we're really excited to put this out into the world. This is live in everybody's Cloudflare Zero Trust dashboard.
It's available across any plan. So as long as you have, even the Zero Trust free tier has this available.
So I definitely recommend giving this a try.
Some of the things that we've got coming next are deeper policy controls or the actual tools and prompts.
Right now you can turn them on and off at the portal level.
We're going to be moving user level policies and controls to those tools.
We're also thinking about things like better capabilities around the logging, like adding them to Cloudflare Logpush.
This is going to hit the Terraform provider really soon.
And this is going to be a great workflow where your developers can basically open a PR when they want to publish a new MCP server internally, your security team can review and then merge it into your portal.
That's going to be a big piece that we're looking forward to adding, as well as more plug and play ability with popular MCP servers when we want to make it really easy to plug those in and get those on-ramped into Cloudflare really easily.
That is amazing. I think it's been really cool to watch the industry move forward in this and then put things like that out there.
And then there's still a lot going on the standard side that's moving forward in MCP.
And I think, you know, very typical fashion of the Internet, something is put out there and then we patch the security holes and then we learn from it and then we make it even better.
So, yeah, excited to see customers using this.
Awesome. Yeah. And like you said, I think we're very excited to see the protocol move forward.
We're definitely a committed user of it, excited to work with the folks in charge to push the limits on what we can do from a security standpoint.
Awesome. Well, Dina, thank you so much for the time.
I appreciate you joining me. To everybody out there watching, thank you.
And we're looking forward to hearing feedback and success stories with this product.
Thank you so much.