Database access without PAM: where VPNs and policies break down


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: VPNs, shared credentials, and manual policies cannot keep pace with database access across cloud, on-premises, and containerised environments, according to JumpCloud, which cites a $4.9M average breach cost and multiple access-sprawl indicators. The governance problem is no longer theoretical: privileged access must be brokered, auditable, and lifecycle-aware, or databases remain overexposed.

NHIMG editorial — based on content published by JumpCloud: securing database access with PAM in modern environments

By the numbers:

  • Over 70% of companies report that employees have been granted inappropriate access to sensitive data, or that former employees have retained access after their departure.
  • 51% of companies reported that non-employees still had access to business data even after their projects were finished.

Questions worth separating out

Q: How should security teams secure database access without relying on VPN trust?

A: Security teams should separate connectivity from authorisation.

Q: Why do shared database credentials create so much risk in hybrid environments?

A: Shared credentials create risk because they outlive the task, the person, and often the environment that originally justified them.

Q: How can organisations tell whether PAM is actually improving database governance?

A: Look for three signals: fewer standing privileges, stronger session evidence, and faster revocation after role or project changes.

Practitioner guidance

  • Remove direct database exposure for privileged users: route admin and contractor access through a brokered control path so users never need raw database credentials or open network reachability.
  • Replace shared credentials with vaulted, time-bound access: store database secrets in a controlled vault, inject them only when a task is approved, and rotate them immediately after use.
  • Bind access reviews to actual database privilege state: re-certify who can reach which database roles, not just who remains on the payroll or in the directory.
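The third point, reconciling the directory against what the database itself grants, is worth seeing as code. The following is an added example (not code from the article or from JumpCloud): the roster, grant snapshot, logins, role names and review date are all constructed, and `review_grants` is a hypothetical helper that flags grants the directory no longer justifies, plus the standing privileged grants that the "fewer standing privileges" signal counts.

```python
from collections import Counter
from datetime import date

# Constructed sample inputs (not data from the article). ROSTER is what the
# directory/HR system says about each person; DB_GRANTS is what the database
# itself reports, e.g. a role-membership query run against each instance.
ROSTER = {
    "alice": {"status": "active", "kind": "employee", "project_end": None},
    "bob":   {"status": "terminated", "kind": "employee", "project_end": None},
    "carol": {"status": "active", "kind": "contractor",
              "project_end": date(2024, 3, 31)},
}
# (login, database, role, expires); expires=None means a standing grant
DB_GRANTS = [
    ("alice", "orders", "app_readwrite", date(2024, 6, 30)),
    ("bob", "orders", "db_admin", None),
    ("carol", "analytics", "reporting_read", None),
    ("svc_legacy", "orders", "db_admin", None),   # shared account, no owner
]
PRIVILEGED_ROLES = {"db_admin"}          # roles that must never be standing
REVIEW_DATE = date(2024, 5, 1)           # constructed review date


def review_grants(roster, grants, today):
    """Return (login, database, role, reason) for every grant that the
    directory no longer justifies or that the grant itself shows is stale."""
    findings = []
    for login, db, role, expires in grants:
        person = roster.get(login)
        if person is None:
            findings.append((login, db, role, "no owner in directory"))
        elif person["status"] != "active":
            findings.append((login, db, role, "user has left"))
        elif person["project_end"] and person["project_end"] < today:
            findings.append((login, db, role, "engagement ended"))
        # Checked independently of the directory: the grant's own lifecycle.
        if expires is None and role in PRIVILEGED_ROLES:
            findings.append((login, db, role, "standing privileged grant"))
        elif expires is not None and expires < today:
            findings.append((login, db, role, "expired but still granted"))
    return findings


def summarize(findings):
    """Count findings by reason, so the numbers can be tracked review to review."""
    return Counter(reason for _, _, _, reason in findings)


if __name__ == "__main__":
    for finding in review_grants(ROSTER, DB_GRANTS, REVIEW_DATE):
        print(*finding)
    print(summarize(review_grants(ROSTER, DB_GRANTS, REVIEW_DATE)))
```

Note that `alice` produces no finding only because her grant is time-bound and her directory record is current; the same login with a standing `db_admin` role would be flagged even though the directory says nothing is wrong.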

What's in the full article

JumpCloud's full blog post covers the operational detail this post intentionally leaves for the source:

  • The vendor's comparison table for access with and without PAM, including the operational differences in credential handling and deprovisioning
  • Step-by-step examples for database credential vaulting and automatic rotation in CI/CD and admin workflows
  • Session recording and monitoring specifics, including how keystrokes, queries, and audit trails are captured for investigation
  • Brokered access patterns for third-party vendors and direct database connections without exposed credentials

👉 Read JumpCloud's analysis of PAM for securing database access →

