TL;DR: JumpCloud argues that VPNs, shared credentials, and manual policies cannot keep pace with database access across cloud, on-premises, and containerised environments, citing a $4.9M average breach cost and several indicators of access sprawl. The governance problem is no longer theoretical: privileged access must be brokered, auditable, and lifecycle-aware, or databases stay overexposed.
At a glance
What this is: This is a JumpCloud analysis of why database access security breaks down without PAM, especially across hybrid and cloud-native environments.
Why it matters: It matters because database access sits at the centre of human admin, NHI, and third-party privilege, so weak controls expand blast radius across identity programmes.
By the numbers:
- Over 70% of companies report that employees have been granted inappropriate access to sensitive data, or that former employees have retained access after their departure.
- 51% of companies reported that non-employees still had access to business data even after their projects were finished.
👉 Read JumpCloud's analysis of PAM for securing database access
Context
Database access security is a governance problem first and a tooling problem second. When credentials are shared, VPNs act as broad trust tunnels, and access persists after roles change, the control model no longer matches how hybrid infrastructure actually operates. PAM becomes relevant because it adds policy, session control, and revocation to an area where static access has become structurally unsafe.
The primary identity issue here is not just who can log in, but what they can reach after they do. Databases now sit behind cloud services, containerised workloads, contractors, and mixed admin populations, which means access lifecycle, auditability, and least privilege all matter at once. That makes database access one of the clearest tests of whether an identity programme can govern both human and non-human privilege.
Key questions
Q: How should security teams secure database access without relying on VPN trust?
A: Security teams should separate connectivity from authorisation. VPN access may get a user onto the network, but database privilege should be brokered, time-bound, and recorded at the session layer. The practical goal is to eliminate broad reach, prevent raw credential exposure, and ensure every privileged action is tied to a clear identity and approved task.
Q: Why do shared database credentials create so much risk in hybrid environments?
A: Shared credentials create risk because they outlive the task, the person, and often the environment that originally justified them. In hybrid estates, that means the same secret can be reused across cloud, on-premises, and third-party access paths, making attribution and revocation much harder. The result is a larger attack surface and a weaker audit trail.
Q: How can organisations tell whether PAM is actually improving database governance?
A: Look for three signals: fewer standing privileges, stronger session evidence, and faster revocation after role or project changes. If users still keep broad access after they no longer need it, PAM is only partially deployed. Effective PAM should make access narrower, more auditable, and easier to remove when the business need ends.
Q: Who should own database access accountability when contractors or service teams are involved?
A: Accountability should sit with the identity and security function that can enforce lifecycle control, session oversight, and revocation. Contractors and service teams should not be treated as exceptions to the governance model. If they can access databases, they must be included in the same approval, monitoring, and offboarding discipline as employees.
Technical breakdown
Why VPNs fail as a database access control plane
A VPN provides network reachability, not privilege governance. Once a user is inside the tunnel, the model often assumes trust at the network layer even when the identity should only reach one database, one role, or one operation. That gap is especially dangerous in hybrid environments because the same tunnel can expose multiple systems, and the access decision is no longer tied to the database context. Modern Zero Trust design rejects that assumption by separating connectivity from authorisation.
Practical implication: stop treating VPN access as a substitute for database-level authorisation and session control.
Credential vaulting and just-in-time access for databases
PAM changes database access by removing long-lived secrets from the hands of users and applications. Credentials are vaulted, injected only when needed, and rotated after use, which narrows the exposure window and limits credential reuse. JIT access adds a further layer by issuing rights only for the approved task window rather than leaving them active permanently. This matters most for DevOps pipelines and contractor workflows, where hardcoded or manually shared secrets often persist long after the task ends. One caveat: rotation only closes the window if the old secret is actually invalidated on the database side and no client is still caching it, so verify both rather than treating the vault's rotation event as the end of the story.
Practical implication: replace shared or hardcoded database credentials with vaulted, time-bound access paths tied to identity lifecycle.
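The brokered, time-bound path described above, as an added example (not JumpCloud's or NHIMG's code): a minimal just-in-time broker that mints a per-request PostgreSQL login role named after the requesting identity and approved ticket, lets it inherit exactly one allow-listed least-privilege role, caps its validity with `VALID UNTIL`, and generates the teardown DDL the expiry sweeper runs. The database flavour (PostgreSQL), the `jit_` naming convention, the `ALLOWED_ROLES` catalogue, the four-hour ceiling and the identity/ticket values are all assumptions of this example; the DDL is returned as strings so it runs offline, whereas a real broker would execute it over a privileged connection it alone holds.

```python
"""Just-in-time database access broker (illustrative example, not a product's code).

Instead of a shared long-lived password, each approved request gets its own
PostgreSQL login role that is attributable (identity + ticket in the name),
least-privilege (inherits one allow-listed role), time-bound (VALID UNTIL)
and disposable (dropped by the sweeper once the window closes).
"""
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed catalogue of brokerable least-privilege roles; a real estate defines its own.
ALLOWED_ROLES = {"app_readonly", "app_readwrite", "app_migrator"}
MAX_TTL = timedelta(hours=4)            # assumed policy ceiling for one grant
_IDENT = re.compile(r"^[a-z][a-z0-9_]{0,40}$")   # keeps names well inside the 63-char limit


@dataclass(frozen=True)
class Grant:
    role_name: str       # the ephemeral login role
    password: str
    granted_role: str    # the least-privilege role it inherits
    expires_at: datetime


def _quote_ident(name: str) -> str:
    """Validate an identifier against an allow-list pattern, then double-quote it,
    so request input can never smuggle SQL into the generated DDL."""
    if not _IDENT.match(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return '"' + name + '"'


def _quote_literal(value: str) -> str:
    return "'" + value.replace("'", "''") + "'"


def issue_grant(identity: str, ticket: str, wanted_role: str, ttl: timedelta,
                now: datetime | None = None) -> tuple[Grant, list[str]]:
    """Mint a time-bound role and return it together with the DDL that creates it."""
    if wanted_role not in ALLOWED_ROLES:
        raise PermissionError(f"{wanted_role} is not a brokerable role")
    if ttl <= timedelta(0) or ttl > MAX_TTL:
        raise ValueError(f"ttl must be in (0, {MAX_TTL}]")
    now = now or datetime.now(timezone.utc)
    expires = now + ttl
    # e.g. jit_alice_chg1234_20250911t1005: every statement the server logs under
    # this role is traceable to a person, a ticket and an approval time.
    role_name = f"jit_{identity}_{ticket}_{now:%Y%m%dt%H%M}".lower()
    password = secrets.token_urlsafe(32)
    grant = Grant(role_name, password, wanted_role, expires)
    ddl = [
        f"CREATE ROLE {_quote_ident(role_name)} LOGIN PASSWORD {_quote_literal(password)} "
        f"VALID UNTIL {_quote_literal(expires.isoformat())} CONNECTION LIMIT 1;",
        f"GRANT {_quote_ident(wanted_role)} TO {_quote_ident(role_name)};",
    ]
    return grant, ddl


def revoke_grant(grant: Grant) -> list[str]:
    """DDL to tear the ephemeral role down (run by the sweeper at expiry, or on demand).
    Terminating live backends first makes revocation immediate rather than
    'whenever the session happens to end'."""
    return [
        "SELECT pg_terminate_backend(pid) FROM pg_stat_activity "
        f"WHERE usename = {_quote_literal(grant.role_name)};",
        f"REVOKE {_quote_ident(grant.granted_role)} FROM {_quote_ident(grant.role_name)};",
        f"DROP ROLE {_quote_ident(grant.role_name)};",
    ]


def expired(grants: list[Grant], now: datetime) -> list[Grant]:
    """Grants whose window has closed; the sweeper applies revoke_grant to each."""
    return [g for g in grants if g.expires_at <= now]


def demo() -> dict:
    """Fixed-time walk-through with constructed values (alice, ticket chg1234)."""
    t0 = datetime(2025, 9, 11, 10, 5, tzinfo=timezone.utc)
    grant, ddl = issue_grant("alice", "chg1234", "app_readonly", timedelta(hours=1), now=t0)
    return {
        "grant": grant,
        "ddl": ddl,
        "revoke": revoke_grant(grant),
        "live_before_expiry": expired([grant], t0 + timedelta(minutes=59)),
        "expired_at_expiry": expired([grant], t0 + timedelta(hours=1)),
    }


if __name__ == "__main__":
    d = demo()
    print("\n".join(d["ddl"]))
    print("\n".join(d["revoke"]))
```

`CONNECTION LIMIT 1` suits a single interactive session; raise it if the approved client tool opens a pool. `VALID UNTIL` only stops new logins, which is why `revoke_grant` terminates existing backends before dropping the role.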
Session recording gives databases an audit layer VPNs cannot
Traditional logging usually captures the fact that a connection happened, but not what the privileged user actually did. PAM session recording fills that gap by capturing keystrokes, queries, and screen interactions, creating a record that supports forensics, compliance, and anomaly detection. For database environments, that matters because privileged errors and malicious actions often look identical at the connection layer. Without session evidence, response teams are forced to infer intent from incomplete telemetry.
Practical implication: require command-level visibility for privileged database sessions, not just authentication logs, and make the broker the only network path to the database; a recording proxy sees only the sessions that pass through it, so any direct route that survives is an unrecorded route.
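What command-level evidence lets you do that a connection log cannot, as an added example (not part of the JumpCloud article or NHIMG's tooling): a small review that runs over PostgreSQL statement logs, attributes each statement to the executing role and session, and flags the action classes that look identical at the connection layer: destructive DDL, unbounded `DELETE`/`UPDATE`, bulk `COPY ... TO` export, privilege changes, and sessions from roles that never came through the broker. It assumes `log_statement = 'all'` with `log_line_prefix = '%m [%p] %u@%d '`, a `jit_` prefix for brokered roles and an `app_svc` service account; the log lines are constructed for the example.

```python
"""Command-level review of privileged PostgreSQL sessions (illustrative example)."""
from __future__ import annotations

import re

# Assumed server settings: log_statement = 'all' and
# log_line_prefix = '%m [%p] %u@%d '  -> timestamp, backend pid, role@database.
# Simple-protocol queries log as "statement: ...", prepared ones as "execute <name>: ...".
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+(?:statement|execute [^:]+): (?P<sql>.*)$"
)
BROKER_PREFIX = "jit_"          # assumed naming convention for brokered roles
SERVICE_ACCOUNTS = {"app_svc"}  # assumed non-human accounts with their own governance

# Constructed sample log: one brokered session, one shared DBA login, one service account.
SAMPLE_LOG = """
2025-09-11 10:07:12.101 UTC [4242] jit_alice_chg1234_20250911t1005@orders LOG:  statement: SELECT count(*) FROM orders WHERE status = 'open';
2025-09-11 10:08:40.552 UTC [4242] jit_alice_chg1234_20250911t1005@orders LOG:  statement: UPDATE orders SET status = 'closed' WHERE id = 918;
2025-09-11 10:31:05.009 UTC [5110] dba_shared@orders LOG:  statement: COPY customers TO '/tmp/c.csv' CSV;
2025-09-11 10:31:44.870 UTC [5110] dba_shared@orders LOG:  statement: DELETE FROM audit_log;
2025-09-11 10:33:01.133 UTC [5110] dba_shared@orders LOG:  statement: GRANT app_readwrite TO contractor_x;
2025-09-11 10:40:00.000 UTC [6001] app_svc@orders LOG:  execute <unnamed>: SELECT * FROM customers WHERE id = $1;
""".strip().splitlines()


def classify(sql: str) -> str | None:
    """Triage heuristic for a single statement. Regexes are not a SQL parser:
    a CTE ("WITH x AS (...) DELETE ...") or a comment can slip past them, so
    treat this as a first filter over recorded sessions, not a complete control."""
    s = sql.strip()
    if re.match(r"(DROP|TRUNCATE)\b", s, re.I):
        return "destructive-ddl"
    if re.match(r"(DELETE|UPDATE)\b", s, re.I) and not re.search(r"\bWHERE\b", s, re.I):
        return "unbounded-dml"
    if re.match(r"COPY\b.*\bTO\b", s, re.I | re.S):
        return "bulk-export"
    if re.match(r"(GRANT|CREATE\s+ROLE|ALTER\s+(ROLE|USER))\b", s, re.I):
        return "privilege-change"
    return None


def review(lines) -> list[dict]:
    """Attribute every logged statement to role@db/pid and collect findings."""
    findings: list[dict] = []
    seen_sessions: set[tuple[str, str]] = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # connection, error and checkpoint lines are not statements
        rec = m.groupdict()
        user, pid = rec["user"], rec["pid"]
        if (pid, user) not in seen_sessions:
            seen_sessions.add((pid, user))
            # A role that is neither brokered nor a known service account reached
            # the database by some path the broker does not see: flag the session once.
            if not user.startswith(BROKER_PREFIX) and user not in SERVICE_ACCOUNTS:
                findings.append({**rec, "kind": "unbrokered-session"})
        kind = classify(rec["sql"])
        if kind:
            findings.append({**rec, "kind": kind})
    return findings


def summarise(findings: list[dict]) -> dict[str, list[str]]:
    """Group finding kinds per session so a reviewer sees one line per actor."""
    out: dict[str, list[str]] = {}
    for f in findings:
        out.setdefault(f"{f['user']}@{f['db']} pid={f['pid']}", []).append(f["kind"])
    return out


if __name__ == "__main__":
    for session, kinds in summarise(review(SAMPLE_LOG)).items():
        print(session, "->", ", ".join(kinds))
```

Run against the constructed log, the brokered session and the service account produce no findings, while the shared `dba_shared` login is flagged once for being unbrokered and then for export, unbounded delete and a grant to a contractor, which is exactly the pattern that a login event alone would have shown as three successful connections.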
Threat narrative
Attacker objective: The attacker seeks durable, high-value access to databases and the ability to exfiltrate, alter, or destroy sensitive records without early detection.
- Entry occurs through broad remote connectivity or shared database credentials that are reused across teams, vendors, or environments.
- Escalation follows when the same access grants more database reach than the user or workload actually needs, allowing privilege misuse or lateral movement.
- Impact lands as unauthorised data access, destructive database actions, or delayed detection because the session lacked usable forensic evidence.
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- iOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials, endangering user privacy.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
PAM is now the control layer that makes database access governable in hybrid estates. VPNs were built for connectivity, not for proving that a person or workload should reach a specific database operation. Once databases span cloud, on-premises, containers, and third parties, the governance problem becomes access brokerage, session accountability, and revocation. The implication is that database privilege can no longer be managed as a network exception.
Standing database access is the failure mode that modern PAM is meant to expose. The article’s core warning is that manual access and shared credentials allow privilege to outlive need, role, or project. That is a lifecycle failure, not just a configuration issue, because access persists after the business reason disappears. The practitioner conclusion is that offboarding and access reviews must be tied to database privilege state, not only to human employment status.
Session evidence matters because database abuse often happens after authentication has already succeeded. A login event tells you almost nothing about the safety of a privileged database action. Full session recording, command-level monitoring, and audit trails create accountability where VPNs and raw logs do not. The implication is that detection, compliance, and incident response all depend on observability at the session layer.
Third-party database access without brokering creates an unnecessary trust extension. When vendors, contractors, or CI/CD systems can reach a database directly, the organisation inherits their lifecycle risk without a clear containment boundary. PAM narrows that boundary by mediating the session and removing direct credential exposure. The practitioner conclusion is that external access should be treated as a governed exception, not a standing pathway.
From our research:
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- That governance gap is already visible in infrastructure identity programmes; the Ultimate Guide to NHIs (Lifecycle Processes for Managing NHIs) helps frame the lifecycle controls that database access programmes still need.
What this signals
Database PAM is becoming a lifecycle control, not just a privileged access tool. As infrastructure gets more distributed, the real test is whether access can be brokered, reviewed, and revoked without leaving residual privilege behind. Teams that already align database access with lifecycle discipline will find it easier to govern contractors, CI/CD systems, and legacy admin accounts under one model.
The next programme pressure point is observability. Organisations that can record privileged database sessions and tie them to identity state will be better positioned to answer audit, incident response, and compliance questions without relying on network-level logs alone. That is where PAM shifts from convenience to governance infrastructure.
For practitioners
- Remove direct database exposure for privileged users: Route admin and contractor access through a brokered control path so users never need raw database credentials or open network reachability. This reduces uncontrolled lateral movement and makes every privileged session subject to policy and inspection.
- Replace shared credentials with vaulted, time-bound access: Store database secrets in a controlled vault, inject them only when a task is approved, and rotate them immediately after use. This is especially important for CI/CD scripts, contractors, and short-lived operational work.
- Bind access reviews to actual database privilege state: Re-certify who can reach which database roles, not just who remains on the payroll or in the directory. Include contractors, service teams, and legacy admin accounts in the same review cycle so dormant access is removed.
- Require session recording for high-risk database actions: Capture keystrokes, queries, and operator interactions for privileged database work so investigations can reconstruct exactly what happened. Use that evidence to support policy enforcement, training, and incident response.
Key takeaways
- Database access becomes materially safer only when connectivity, privilege, and session activity are governed separately.
- Shared credentials and persistent access create a lifecycle problem that VPNs cannot fix, regardless of how secure the tunnel appears.
- PAM earns its place when it narrows privilege, records behaviour, and makes revocation reliable across hybrid environments.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI7:2025 Long-Lived Secrets; NHI1:2025 Improper Offboarding | Vaulting and rotation replace the long-lived shared database secrets the article warns about; lifecycle-bound revocation addresses access that outlives the person or project. |
| NIST CSF 2.0 | PR.AA-05 | Least privilege and managed, reviewed access permissions map directly to database privilege control (PR.AC-4 is the CSF 1.1 identifier for the same outcome). |
| NIST Zero Trust (SP 800-207) | Section 2.1 tenets: per-session, dynamically evaluated access with no implicit trust from network location | The article rejects implicit trust from VPN tunnels in favour of mediated, per-session database access. |
Separate network reachability from authorisation and broker privileged database sessions.
Key terms
- Privileged Access Management: Privileged Access Management is the set of controls used to govern high-risk access to systems and data. In practice, it centralises credentials, enforces approval and session policy, and limits what privileged users can do once access is granted.
- Just-in-Time Access: Just-in-Time access is a provisioning pattern that grants access only when a task requires it and removes it when the task ends. For database environments, that means less standing privilege, smaller exposure windows, and better alignment between access and actual work.
- Session Recording: Session recording captures what a privileged user actually does during an active connection, not just that they logged in. For database governance, it provides evidence for investigations, audit, and policy enforcement when logs alone do not explain behaviour.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by JumpCloud: securing database access with PAM in modern environments. Read the original.
Published by the NHIMG editorial team on 2025-09-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org