Remote access sprawl: what app-scoped access changes for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: VPNs, jump hosts, scattered credentials, and patchwork logs are slowing remote work while widening exposure, and browser-based, app-scoped access with policy, vaulted credentials, and audit creates a tighter control layer for users and admins, according to Delinea. The governance question is not convenience versus security, but whether access is still being granted at the right boundary.

NHIMG editorial — based on content published by Delinea: Open the application, not the network

By the numbers:

Questions worth separating out

Q: How should security teams scope remote access without exposing the broader network?

A: Security teams should broker access to the application, server, or portal itself rather than the surrounding network.

Q: Why do VPN-based remote access models still create privilege risk?

A: VPNs often turn identity decisions into network decisions, which makes it easier for users to reach more than they need.

Q: What breaks when privileged remote sessions are not time-bound?

A: Without time bounds, privileged access becomes standing privilege with a nicer interface.

Practitioner guidance

  • Map remote access to application scope, not network scope. Inventory every privileged remote path that still depends on VPN access or jump hosts, then redesign those paths so users open only the server, application, or portal they actually need.
  • Enforce vaulted credential injection for privileged sessions. Require credentials to remain in the vault and be injected into the session, rather than exposed on the endpoint or reused across tools.
  • Group remote targets into governed collections. Use role-based collections for remote applications and private web apps so access reviews can be performed at the collection level instead of per ad hoc target.
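The Q&amp;A and the three guidance points above describe one control pattern: authorise a single application target (via a governed collection), bound the session in time, and keep the credential in the vault so the requester only ever holds an opaque session handle. The following toy broker is an added example written for this post, not code from Delinea or NHIMG, and every role, target, collection, secret and timestamp in it is constructed for illustration. It goes slightly beyond the text by showing what the audit trail looks like when access decisions are recorded per target rather than per network.

```python
"""Added example, not code from Delinea or NHIMG: a toy access broker that
implements application-scoped authorisation via collections, time-bound
sessions, and vault-side credential injection. All roles, targets,
collections and secrets below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

# Constructed catalogue. Targets are individual apps/servers grouped into
# collections; roles are granted collections. No rule anywhere names a subnet.
COLLECTIONS = {
    "db-admin-servers": {"ssh://db01.internal", "ssh://db02.internal"},
    "finance-webapps": {"https://ledger.internal", "https://payroll.internal"},
}
ROLE_GRANTS = {
    "dba": {"db-admin-servers"},
    "finance-analyst": {"finance-webapps"},
}
# Constructed vault contents. Only the gateway side of the broker reads these.
VAULT = {
    "ssh://db01.internal": ("svc-db", "constructed-secret-db01"),
    "ssh://db02.internal": ("svc-db", "constructed-secret-db02"),
    "https://ledger.internal": ("svc-ledger", "constructed-secret-ledger"),
    "https://payroll.internal": ("svc-payroll", "constructed-secret-payroll"),
}
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # fixed clock for the demo


@dataclass(frozen=True)
class Session:
    user: str
    target: str
    handle: str          # opaque value handed to the user's browser
    expires_at: datetime


class Broker:
    def __init__(self, max_ttl_minutes: int = 30):
        self.max_ttl = timedelta(minutes=max_ttl_minutes)
        self._sessions: dict[str, Session] = {}
        self.audit: list[dict] = []

    def allowed_targets(self, roles) -> set[str]:
        """Union of targets in every collection granted to the given roles."""
        targets: set[str] = set()
        for role in roles:
            for coll in ROLE_GRANTS.get(role, ()):
                targets |= COLLECTIONS[coll]
        return targets

    def request(self, user, roles, target, ttl_minutes, now=T0) -> Session:
        """User side: authorise exactly one target and mint a time-bound handle."""
        if target not in self.allowed_targets(roles):
            self.audit.append({"user": user, "target": target, "result": "deny", "at": now})
            raise PermissionError(f"{user} is not granted {target}")
        # Time bound: the broker caps the TTL instead of trusting the request.
        ttl = min(timedelta(minutes=ttl_minutes), self.max_ttl)
        session = Session(user, target, secrets.token_urlsafe(16), now + ttl)
        self._sessions[session.handle] = session
        self.audit.append({"user": user, "target": target, "result": "grant",
                           "expires_at": session.expires_at, "at": now})
        return session

    def connect(self, handle, now=T0):
        """Gateway side: resolve a handle to the vaulted credential. The
        credential is injected here and is never returned to the requester."""
        session = self._sessions.get(handle)
        if session is None:
            raise PermissionError("unknown session handle")
        if now >= session.expires_at:
            del self._sessions[handle]  # expired sessions are revoked, not extended
            raise PermissionError("session expired")
        return VAULT[session.target]


def run_demo() -> dict:
    """Exercise the broker against the fixed clock; returns results for checking."""
    broker = Broker(max_ttl_minutes=30)
    out = {}
    s = broker.request("alice", {"dba"}, "ssh://db01.internal", ttl_minutes=480)
    out["ttl_capped_minutes"] = (s.expires_at - T0).total_seconds() / 60
    out["account_at_gateway"] = broker.connect(s.handle, now=T0 + timedelta(minutes=10))[0]
    try:
        broker.connect(s.handle, now=T0 + timedelta(minutes=31))
        out["expired_rejected"] = False
    except PermissionError:
        out["expired_rejected"] = True
    # Same role, a host that would be reachable on a flat VPN but sits in no collection.
    try:
        broker.request("alice", {"dba"}, "ssh://db03.internal", ttl_minutes=5)
        out["lateral_denied"] = False
    except PermissionError:
        out["lateral_denied"] = True
    out["audit_results"] = [e["result"] for e in broker.audit]
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point to notice is where the secret lives: `request()` returns only a handle, and `VAULT` is read inside `connect()`, which stands in for the session gateway. A real deployment would replace the in-memory dict with the vault product's API and emit the audit entries to a SIEM, but the shape of the decision (target, role collection, expiry) is what an access review can reason about.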

What's in the full article

Delinea's full blog covers the operational detail this post intentionally leaves for the source:

  • Browser launch flow details for server, RDP, SSH, and private web application access
  • Credential injection and session streaming mechanics for privileged remote access
  • Collection-level permissioning and role grouping for remote application catalogs
  • Support for vendor tools, OT consoles, and custom launchers through the platform

👉 Read Delinea's analysis of browser-based privileged remote access →
