惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
The Last Watchdog
The Last Watchdog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
T
Troy Hunt's Blog
L
LINUX DO - 最新话题
C
Check Point Blog
T
Threat Research - Cisco Blogs
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
罗磊的独立博客
V
Vulnerabilities – Threatpost
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
J
Java Code Geeks
Apple Machine Learning Research
Apple Machine Learning Research
大猫的无限游戏
大猫的无限游戏
S
Security @ Cisco Blogs
IT之家
IT之家
T
The Exploit Database - CXSecurity.com
The GitHub Blog
The GitHub Blog
D
Docker
Engineering at Meta
Engineering at Meta
AWS News Blog
AWS News Blog
S
Security Affairs
U
Unit 42
P
Palo Alto Networks Blog
V
Visual Studio Blog
Y
Y Combinator Blog
D
DataBreaches.Net
Forbes - Security
Forbes - Security
阮一峰的网络日志
阮一峰的网络日志
美团技术团队
Security Latest
Security Latest
aimingoo的专栏
aimingoo的专栏
Simon Willison's Weblog
Simon Willison's Weblog
A
Arctic Wolf
博客园_首页
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
H
Hacker News: Front Page
博客园 - 司徒正美
博客园 - Franky
宝玉的分享
宝玉的分享
TaoSecurity Blog
TaoSecurity Blog
Latest news
Latest news
Scott Helme
Scott Helme
MongoDB | Blog
MongoDB | Blog
量子位
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
C
Cisco Blogs
P
Privacy International News Feed
Application and Cybersecurity Blog
Application and Cybersecurity Blog

VMware Blogs

Diagnostics for VMware Cloud Foundation (VCF) 9.1 with Old Versions of VCF Components Mastering Infrastructure Policies in VMware Cloud Foundation Automation 9.1 Modernizing the Private Cloud: Why VCF 9.1 Lifecycle Management is a Game Changer Announcing the VMware Cloud Foundation 9.1 Upgrade Planning Tool VCF Breakroom Chats Episode 86 – Containers Made Easy: The New “Container-as-a-Service” in VCF 9.1 Securing Your VCF 9.1 Infrastructure with the Symantec Identity Security Platform Virtually Speaking: The AI Reality Check with Dave Linthicum Zero Touch Provisioning: Activating Edge Sites with VMware Cloud Foundation Edge 9.1 VCF Breakroom Chats Episode 85 – Cloning Success at Scale: Inside VCF 9.1’s App Stack Formation VMware Cloud on AWS の使用状況を確認できる API Unlocking the Full Potential of Programmable Infrastructure with VMware Cloud Foundation 9.1 – New Features and Capabilities Smarter Patching at Scale: Vulnerability Assessment and Remediation with VMware Tanzu Platform Encrypted vMotion Offload to Intel QAT in VMware Cloud Foundation 9.1 Deepen Your Expertise: Four Key Benefits of Attending Increase Deployment Flexibility with VCF Edge Automation 1.0.3 Avi Advantage: Automating Certificate Management of VCF Workloads More Memory, Less Effort: Configuring Memory Tiering in VCF 9.1 VCF 9.1 Licensing: Programmatic, Centralized, and Built to Scale Why APJ Networking Professionals Need Private Cloud Expertise VCF 9.1 Networking: Simpler VPC Connectivity Control VCF 9.1 Networking: Exploring Network Services for Virtual Private Clouds VCF Networking 9.1: Seamless DDI Integration with Infoblox The Open Source Advantage: Building from Source for Ultimate Security Expand Shared VMDKs with Clustered Applications in VMware vSAN for VCF 9.1 Monetizing Zero-Trust Security with VCF 9.1 and VMware vDefend VMware vSAN Protection and Recovery Enhancements for VCF 9.1 Deliver Production SQL Server DBaaS with VMware Data Services Manager 9.1 Maximizing Profitability: VCF 9.1 Cost-Focused Approach for VMware Cloud Service Providers Modernizing Your Infrastructure: Introducing VMware Cloud Foundation 9.1 to VCSPs VCF 9.1 is Available: Explore the New Features in Hands-on Labs What’s New with vSphere in VMware Cloud Foundation 9.1? Resizing VMware vCenter in VMware Cloud Foundation 9 Non-Disruptive VMware vCenter Patching in VMware Cloud Foundation 9.1 VMware vCenter Virtual Hardware Gets an Upgrade in vSphere with VCF 9.1 AI Has Changed the Threat Landscape. Is Your Infrastructure Ready? Simplifying Storage with the New Effective Capacity View in VMware vSAN for VCF 9.1 Auto-RAID in VMware vSAN for VCF 9.1 – Comprehensive System-Managed Data Resilience Introducing VMmark 4.1: Enhanced Power Efficiency Benchmarking for Private Cloud Infrastructure Advanced Memory Tiering Enhancements in VMware Cloud Foundation 9.1 VCF 9.1 Is Here. See It in Action. 博通發布 VMware Cloud Foundation 9.1 How Broadcom Is Helping Enterprises Win the AI Security Sprint How to Prepare for the World of AI Driven Exploits Avi Innovations for VCF 9.1: Powering Kubernetes, Agentic AI and VPC Workloads VCF 9.1: The Secure, Cost-Effective Private Cloud Platform for Production AI Announcing VCF 9.1: Modern Private Cloud Built for Efficiency and Resilience Announcing VMware Cloud Foundation Edge 9.1: A Scalable, Autonomous Edge Platform Accelerate, Streamline, and Control Your Self-Service Private Cloud with VMware Cloud Foundation 9.1 Deploy Modern Apps Faster, Scale Smarter, and Lower Your TCO with VMware vSphere Kubernetes Service in VCF 9.1 Scale Smarter, Save More: Redefining Infrastructure Economics with VMware vSphere in VCF 9.1 AI with VCF 9.1 on AMD GPUs: Build with open frameworks and simplify management, at a lower TCO Streamline, Simplify and Protect all your AI workloads with VCF 9.1 Simplify Workload Connectivity and Enhance Network Scale and Performance with VCF 9.1 VMware and CrowdStrike Deliver New Integration for Cyber Recovery Workflows How Many Users Can Your LLM Server Really Handle? From Infrastructure to Agents: A Hands-On Guide to Secure Private AI with Broadcom – Part 2 The New Frontier: Leading the Cloud-Native Evolution Replicating VMware vSphere Configuration Profile Desired State Webinar Recap: Design and Architecture Considerations for VMware vSphere Kubernetes Service on VMware Cloud Foundation Kubernetes 1.36: What Actually Changed for Enterprise Platforms Enhance Lateral Security and Ingress Load Balancing for Kubernetes Workloads Avi Load Balancer Analytics: Root Cause Application Performance Issues in Minutes Analyst Insight Series #3: Policy-Driven Governance and Multi-Tenant Control Post-Quantum Readiness on VMware Cloud Foundation Registration Is Live for Las Vegas | $ave with Early-Bird May 21, 2026: What’s New in VMware Tanzu Data Intelligence 10.4 From Infrastructure to Agents: A Hands-On Guide to Secure Private AI with Broadcom – Part 1 Stop Guessing: Advanced Monitoring and Troubleshooting for Data Services CPU, Disk, Network, and Memory Workload Profiles for DVD Store Database Testing How VMware Salt Automates Compliance Across Private Cloud Analyst Insight Series #2: Operational Scalability and Lifecycle Management MCP vs. APIs: Why You Need Both for AI Applications The Real Constraint on Enterprise AI isn’t GPUs; It’s Power Deploying Harbor Service in Air-Gapped VMware Cloud Foundation 9.0 Why Enhanced DirectPath Wins for High-Performance Apps Bridging the (.Local) Gap: A Split-Domain Design for VMware Cloud Foundation Deployment Observability on VMware vSphere Kubernetes Service VMware Cloud on AWS: Introducing the Usage Report APIs Converging VMware vSphere to VMware Cloud Foundation 9.0: The Top 10 Questions Answered May 6, 2026: What’s New in Tanzu Platform 10.4: Powering Agentic Apps at Scale VMware Tanzu RabbitMQ Powers the Modern Data Lakehouse with New Spark Integration and Enterprise Tooling Tanzu Data Intelligence 10.4 Delivers AI-Driven Analytics, Unified Real-Time Operations, and Sovereign Resilience Enterprise-Ready Agents Made Simple & Safe with VMware Tanzu Platform Agent Foundations Introducing Tanzu Platform 10.4: Extending Platform as a Service to Agentic Applications How AI-Assisted Analytics in Tanzu Data Intelligence Can Help Remove the SQL Bottleneck The Compelling Case for a Private Cloud Data Intelligence Platform The Unification Dividend: Consolidating Database Operations on VMware Cloud Foundation The Modern Spring Workflow Is Enterprise-Ready and AI-Boosted [TAM Blog] セキュアブート証明書の有効期限切れに関する注意点と対応について Accelerate Lateral Security and Ingress Load Balancing for Kubernetes Workloads From Platform to Data: Building a Cloud-Native Developer Experience On-Prem with VMware Cloud Foundation How VMware Cloud Foundation (VCF) Training Helps Keep Top Tech Talent in APJ Build Your Case for Attending VMware Explore 2026 Spring 開発元が提供する商用サポート「VMware Tanzu® Spring Essentials」とは VMware Cloud on AWS より i7i.metal-24xl インスタンスの提供開始 VMware Advanced Memory Tiering Tips for Success VMware Cloud Foundation Edge 9.0: Two-Host Edge Site Deployment with Brownfield Import Your Database Is About to Become an AI Tool. Is It Ready? Applying GitOps Principles to Maintain Desired State Configuration using VMware vSphere Configuration Profile – Part 3 Webinar Recap: Converging VMware vSphere to VMware Cloud Foundation 9.0
From Prototype to Production: Securing Database MCP at Enterprise Scale
2026-04-15 · via VMware Blogs

How the VMware Tanzu Greenplum MCP Server Puts puts security patterns into practice (Part 2: The enterprise implementation)

In Part 1 of this blog series, I laid out why database access is the hardest MCP problem and explored the security patterns every implementation needs to get right. I used gp-mcp-server, an open source prototype I built for Greenplum and PostgreSQL, to make those patterns concrete. (If you haven’t read it yet, start there.)

This article picks up where that one left off. The prototype proved the patterns. Now I want to show you what those patterns look like at enterprise scale.

The VMware Tanzu Greenplum MCP Server is a production-grade implementation designed for the Greenplum ecosystem. It takes the same security principles I explored in gp-mcp-server and delivers them with enterprise authentication, policy-driven access controls, and a purpose-built tool surface that fundamentally changes how AI agents interact with databases.

It’s the same threat model with the same non-negotiables, but in a completely different weight class.

The threats haven’t changed

Before we look at what the Greenplum MCP Server does differently, let’s revisit the attacks you’re facing. The threat model doesn’t care whether your implementation is a prototype or a product. These are the scenarios every database MCP server needs to survive.

The transaction wrapper bypass

Anthropic’s original PostgreSQL MCP server wrapped queries in a read-only transaction and rolled them back. Datadog Security Labs found that an attacker could send semicolon-delimited multi-statement queries like COMMIT; DROP SCHEMA public CASCADE;. The COMMIT exits the wrapper, and the DROP executes unprotected. (Part 1 covers this in detail.)

The Greenplum MCP Server enforces read-only mode by default and uses policy-based controls to restrict which SQL statement types are permitted per role. The DROP fails against the read-only database user at the connection level. The attack never reaches the database because the policy layer rejects it before the connection pool even sees it.

The prompt injection via untrusted content

In Part 1, I described what I call the Snap Conditions: three stones that have to be in the gauntlet for a prompt injection attack to succeed. The agent can reach private data (Access Stone). Untrusted content enters the agent’s context (Exposure Stone). The agent has a path to send data out (Exfiltration Stone). Remove any one of them and the snap fails.

The Greenplum MCP Server removes the stones systematically:

  • Policy controls – The server’s policy.yaml defines allowed and denied SQL statement types per role, restricting what an agent can reach. This is the Access Stone, neutralized through declarative configuration rather than application code.
  • PII redaction – The server’s architecture supports role-based column-level masking as the platform matures. Sensitive data never enters the LLM’s context. That’s the Exposure Stone.
  • Credential scoping – OAuth 2.1 integration maps IDP roles directly to database users. A read-only role gets readonly_user credentials. An analyst gets analyst_user. The agent’s blast radius is constrained by identity, not by trust. That’s the Exfiltration Stone.

Hundreds of servers, zero authentication

Security scans in 2025 found hundreds of public MCP servers exposed to the internet with no authentication or encryption. These weren’t edge cases or hobby projects. They were production-grade servers with direct database access and no audit trail.

Authentication is a first-class feature of the Greenplum MCP Server, not an afterthought. Three auth modes: no-auth (development only), Basic Auth, and OAuth 2.1 with enterprise IDP integration via Keycloak. TLS and mTLS are fully supported. There is no configuration path that accidentally exposes a production database without credentials.

From patterns to product

My first blog post in this series established the non-negotiables: read-only connections, SQL validation, result constraints, PII redaction, credential isolation, and mandatory authentication. Those are the controls every database MCP server needs. Here’s how the Greenplum MCP Server delivers each one as a product feature rather than a custom build:

  • Read-only connections – Enforced by default at the database level. The server ships read-only. You have to explicitly opt into write access, and the policy layer governs what write operations are permitted.
  • SQL validation – Policy-based filtering defines which SQL statement types are allowed per role. The policy.yaml configuration gives database teams declarative control over what the agent can and cannot do.
  • Result constraints – Built-in row limits, byte caps, and timeouts. Token-aware truncation ensures the LLM gets useful context without flooding the context window.
  • PII redaction – Role-based column-level masking architecture. Sensitive data is handled before it reaches the LLM’s context.
  • Credential isolation – OAuth 2.1 with PKCE and enterprise IDP integration via Keycloak. Database credentials never appear in an MCP payload. Identity flows through the auth layer, not through the transport.
  • Authentication – Mandatory in production. Three modes cover the full spectrum from development to enterprise deployment.

Tool design at scale

In Part 1, I argued that tool design is a security decision. The temptation is to expose a single execute_query tool and let the LLM figure it out. That’s a security failure disguised as simplicity. In gp-mcp-server, I applied this principle with 12 focused tools.

The Greenplum MCP Server takes the same principle to a different scale, with more than 30 purpose-built tools organized around a deliberate workflow: Discover the Schema. Constrain the Query. Contain the Data. Instrument the System.

Discovery tools let the agent understand the schema before it writes SQL. Diagnostic tools return pre-computed, structured results instead of raw query output. The GPExtensions team reports that this cuts token usage by 90%–98%. That’s more than a cost win, because fewer tokens in the context window means less surface area for hallucination and less room for injected content to hide.

That decomposition is itself a security pattern. An agent with separate discovery, query, and diagnostic tools will naturally explore the schema before attempting ad hoc SQL. An agent with built-in analytics tools has less reason to craft complex queries that push against policy boundaries. Tool design is prompt engineering by another name, and most teams aren’t pulling that lever yet.

The most underappreciated security feature

The Greenplum MCP Server supports user-defined tools via configuration. Custom SQL-backed tools, defined at runtime, no code changes required.

Think about what that means. A database team can define precisely scoped, tools—specific queries against specific tables with specific parameters. They hand those to AI agent users instead of open-ended query access. The agent gets the capability it needs, and the database team retains full control over what SQL actually executes.

That’s the intersection of flexibility and governance that most MCP implementations are missing entirely. It shifts the security conversation from “What can we prevent?” to “What do we explicitly allow?” That’s a fundamentally stronger posture.

The assembled team

In Part 1, I said each security control alone is like a solo Avenger: capable, but vulnerable. Stack them together and you get the assembled team. The threat has to beat all of them simultaneously.

The Greenplum MCP Server is that assembled team. Read-only defaults, policy-based access controls, enterprise authentication, purpose-built tools that constrain agent behavior from the ground up, and user-defined tools that give database teams governance without sacrificing flexibility. Every control from Part 1’s non-negotiable list is a product feature, not a custom integration.

The broader MCP database space is still new and ranges from “interesting experiment” to “actively dangerous.” But the patterns exist, the spec is ready, and the implementations are open source and testable. The question isn’t whether AI agents will connect to your databases. It’s whether the security boundary will be in place when they do.

Discover the Schema. Constrain the Query. Contain the Data. Instrument the System.

That’s the blueprint. And now it’s a product.

Resources