Security Best Practices for Agent Mesh Networks
Essential security considerations when deploying AMCP in production environments.
Table of Contents
Overview
Security in agent mesh networks requires a multi-layered approach:
┌─────────────────────────────────────────┐
│ Application Layer │
│ (Business Logic Security) │
├─────────────────────────────────────────┤
│ Authorization Layer │
│ (RBAC, ABAC, Policies) │
├─────────────────────────────────────────┤
│ Encryption Layer │
│ (TLS, mTLS, Data Encryption) │
├─────────────────────────────────────────┤
│ Network Layer │
│ (Firewall, VPN, Network Policies) │
├─────────────────────────────────────────┤
│ Infrastructure Layer │
│ (Kubernetes, Container Security) │
└─────────────────────────────────────────┘
Authentication
1. mTLS (Mutual TLS)
Enable mutual authentication between agents:
# application.properties
amcp.security.mtls.enabled=true
amcp.security.mtls.cert-path=/etc/amcp/certs/agent.crt
amcp.security.mtls.key-path=/etc/amcp/certs/agent.key
amcp.security.mtls.ca-path=/etc/amcp/certs/ca.crt
2. Certificate Management
# Generate certificates
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
# Rotate certificates regularly
# Use cert-manager for automation
kubectl apply -f cert-manager.yaml
3. Service Accounts
# Kubernetes service account
apiVersion: v1
kind: ServiceAccount
metadata:
name: amcp-agent
namespace: default
Encryption
1. Data in Transit
// Enable TLS for all communications
@Configuration
public class SecurityConfig {
@Bean
public RestClientBuilder configureRestClient(RestClientBuilder builder) {
return builder
.trustStore(new File("/etc/amcp/truststore.jks"), "password")
.keyStore(new File("/etc/amcp/keystore.jks"), "password");
}
}
2. Data at Rest
// Encrypt sensitive data
@Entity
public class Agent {
@Encrypted
private String apiKey;
@Encrypted
private String credentials;
}
3. Kafka Encryption
# Kafka SSL/TLS
security.protocol=SSL
ssl.truststore.location=/etc/amcp/kafka-truststore.jks
ssl.truststore.password=password
ssl.keystore.location=/etc/amcp/kafka-keystore.jks
ssl.keystore.password=password
Authorization
1. RBAC (Role-Based Access Control)
@Agent
public class SecureAgent extends Agent {
@Authorize(roles = {"admin", "operator"})
public void criticalOperation() {
// Only admin and operator can execute
}
@Authorize(roles = {"viewer"})
public void readOperation() {
// Viewers can read
}
}
2. ABAC (Attribute-Based Access Control)
@Authorize(attributes = {
"department=engineering",
"clearance=high",
"region=us"
})
public void sensitiveOperation() {
// Only users with all attributes can execute
}
3. Policy Enforcement
# Kubernetes network policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: amcp-network-policy
spec:
podSelector:
matchLabels:
app: amcp-agent
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
app: amcp-agent
egress:
- to:
- podSelector:
matchLabels:
app: kafka
Monitoring & Auditing
1. Audit Logging
# Enable audit logging
amcp.security.audit.enabled=true
amcp.security.audit.log-path=/var/log/amcp/audit.log
amcp.security.audit.log-level=INFO
2. Security Events
// Log security events
logger.info("Agent {} authenticated successfully", agentId);
logger.warn("Failed authentication attempt for agent {}", agentId);
logger.error("Unauthorized access attempt: {} tried to access {}",
userId, resource);
3. Metrics & Monitoring
// Monitor security metrics
@Gauge(name = "security.failed_auth_attempts")
public long getFailedAuthAttempts() {
return failedAttempts.get();
}
@Gauge(name = "security.active_sessions")
public long getActiveSessions() {
return activeSessions.size();
}
Compliance
1. GDPR Compliance
// Data minimization
@Entity
public class User {
@Redacted // Automatically redacted in logs
private String email;
@Encrypted // Encrypted at rest
private String personalData;
}
// Right to be forgotten
public void deleteUserData(String userId) {
// Securely delete all user data
userRepository.deleteById(userId);
auditLog.log("User data deleted: " + userId);
}
2. HIPAA Compliance
# HIPAA requirements
amcp.security.encryption.algorithm=AES-256
amcp.security.audit.retention=7years
amcp.security.access.mfa=true
amcp.security.network.isolation=true
3. SOC 2 Compliance
✅ Access controls
✅ Encryption
✅ Audit logging
✅ Incident response
✅ Vulnerability management
✅ Change management
Security Checklist
Before Deployment
- Enable mTLS
- Configure RBAC
- Enable audit logging
- Set up monitoring
- Configure firewalls
- Enable encryption
- Rotate credentials
- Security testing
During Operation
- Monitor logs
- Review access patterns
- Update certificates
- Patch vulnerabilities
- Conduct audits
- Test incident response
- Review policies
Incident Response
1. Detect: Monitor for anomalies
2. Contain: Isolate affected agents
3. Investigate: Analyze logs
4. Remediate: Fix vulnerabilities
5. Recover: Restore service
6. Learn: Update policies
Common Vulnerabilities
1. Unencrypted Communication
❌ Bad:
// Unencrypted HTTP
RestClient client = new RestClient("http://agent:8080");
✅ Good:
// Encrypted HTTPS with mTLS
RestClient client = new RestClient("https://agent:8080")
.withClientCertificate(cert)
.withTrustStore(trustStore);
2. Hardcoded Credentials
❌ Bad:
String apiKey = "sk-1234567890";
✅ Good:
String apiKey = System.getenv("API_KEY");
// Or use secrets management
String apiKey = secretsManager.getSecret("api-key");
3. Missing Input Validation
❌ Bad:
public void processMessage(String message) {
// No validation
execute(message);
}
✅ Good:
public void processMessage(String message) {
if (message == null || message.isEmpty()) {
throw new IllegalArgumentException("Invalid message");
}
if (!isValidFormat(message)) {
throw new IllegalArgumentException("Invalid format");
}
execute(message);
}
Resources
Stay secure! 🔒