
Pomerium alternatives: where proxy-based access still falls short

(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Identity-aware proxies can simplify application access, but teams still need deeper controls for databases, servers, Kubernetes, audit logging, and offboarding across hybrid environments, according to StrongDM. The issue is not access convenience alone, but whether access layers actually hide credentials, enforce least privilege, and preserve revocation control.

NHIMG editorial — based on content published by StrongDM: Competitors and alternatives to Pomerium 2026

By the numbers:

Questions worth separating out

Q: How should teams govern proxy-based access to databases and Kubernetes?

A: Treat the proxy as a policy layer, not the full control plane.

Q: Why do identity-aware proxies still leave NHI risk in place?

A: Because many infrastructure resources still depend on service credentials, tokens, or keys outside the proxy session.

Q: What do security teams get wrong about just-in-time access for privileged systems?

A: They often treat JIT as a login feature rather than a lifecycle control.

Practitioner guidance

  • Separate application access from infrastructure access: Inventory which paths are fronted by an identity-aware proxy and which still rely on SSH keys, database passwords, or kubectl permissions.
  • Eliminate direct credential exposure for privileged resources: Move database, server, and cluster access behind controls that hide backend credentials from end users and enforce short-lived access to the resource rather than to a static secret.
  • Tie offboarding to central revocation events: Require a single identity event to cut off all downstream access, including third-party vendor sessions, and verify that access ends when the relationship ends rather than when the proxy session times out.

What's in the full article

StrongDM's full compare article covers the operational detail this post intentionally leaves for the source:

  • Feature-by-feature comparison of Pomerium alternatives for infrastructure access.
  • Product-specific notes on database, server, and Kubernetes support that matter during implementation.
  • Pricing and deployment considerations that help teams evaluate fit at purchase time.
  • Vendor-level pros and cons that may affect shortlist decisions for security and DevOps teams.

👉 Read StrongDM's comparison of Pomerium alternatives for secure access →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472

Proxy-based access is a control layer, not an identity governance model. Identity-aware proxies can centralise authentication, but they do not erase the governance problem of who can still reach the underlying resource and with what credentials. Once teams move from web apps into databases, SSH, and Kubernetes, the question becomes whether the proxy hides the entitlement or merely decorates it. Practitioners should treat proxy-first access as a front door, not a complete access architecture.

A few things that frame the scale:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.

A question worth separating out:

Q: Should organisations replace VPNs with an identity-aware proxy for all access?

A: Not automatically. Proxies can improve app access and reduce exposure for some use cases, but databases, servers, and Kubernetes usually need stronger privilege controls, hidden credentials, and deeper auditing. The decision should be based on whether the control actually reaches the resource boundary.

👉 Read our full editorial: Pomerium alternatives expose the limits of access proxy models
