
VPN-less PAM and the governance gap teams are missing


(@nhi-mgmt-group)

TL;DR: Traditional VPNs still dominate privileged access in many environments, but they rely on implicit trust, broad network reach, and limited visibility once a session begins, according to JumpCloud. The security shift is toward identity-scoped, auditable access that better fits cloud-native, hybrid, and distributed operations.

NHIMG editorial — based on content published by JumpCloud: VPN-less Privileged Access Management for Modern Infrastructure

By the numbers:

Questions worth separating out

Q: How should security teams replace VPN access for privileged users?

A: Security teams should replace VPN access with identity-scoped, protocol-level access to specific systems, then layer just-in-time approval, session monitoring, and device checks on top.

Q: Why do VPNs create risk in modern privileged access environments?

A: VPNs create risk because they treat network presence as trust, which can expose more infrastructure than the task requires.

Q: What breaks when privileged access is granted through a flat network tunnel?

A: A flat network tunnel breaks the link between identity, intent, and resource scope.

Practitioner guidance

  • Scope access to the target system, not the network. Remove broad VPN entry for privileged workflows and replace it with protocol-level access to the exact server, database, or application required for the task.
  • Make privileged access expire by default. Use just-in-time approvals or policy triggers so elevated access ends automatically after the session or time window closes, even if the user remains authenticated.
  • Turn on session evidence for every privileged connection. Record commands, monitor sensitive actions, and retain session logs so investigators can reconstruct what happened without relying on network-only telemetry.
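The three guidance points above, as an added illustration that is not from JumpCloud's article or this post: a minimal authorization check where each grant is scoped to one identity, one target and one protocol, expires on its own clock (the user's login session is deliberately not an input, so staying authenticated never extends a grant), and every decision, allowed or denied, leaves an audit record. Identities, hostnames and timestamps are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:
    """Just-in-time grant: one identity, one exact target, one protocol."""
    identity: str
    target: str          # a specific host/db/app, never a network range
    protocol: str        # e.g. "ssh", "postgres", "https"
    expires_at: datetime # grant lifetime, independent of login session

@dataclass
class Decision:
    allowed: bool
    reason: str

def authorize(identity, target, protocol, grants, now, audit):
    """Evaluate one connection request against the active grants.
    Note what is NOT checked: whether the user still has a valid IdP
    session. Expiry is decided per request, so an expired grant is
    denied even while the user remains authenticated elsewhere."""
    matching = [g for g in grants
                if (g.identity, g.target, g.protocol) == (identity, target, protocol)]
    if not matching:
        d = Decision(False, "no grant scoped to this identity/target/protocol")
    elif all(g.expires_at <= now for g in matching):
        d = Decision(False, "grant expired; re-approval required")
    else:
        d = Decision(True, "active grant")
    # Session evidence: record the decision whether or not access was allowed.
    audit.append({"ts": now.isoformat(), "identity": identity, "target": target,
                  "protocol": protocol, "allowed": d.allowed, "reason": d.reason})
    return d

def demo():
    """Constructed scenario: one 30-minute grant to a single database."""
    now = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
    grants = [Grant("alice@example.com", "db-prod-01", "postgres",
                    now + timedelta(minutes=30))]
    audit = []
    r1 = authorize("alice@example.com", "db-prod-01", "postgres", grants, now, audit)
    r2 = authorize("alice@example.com", "db-prod-02", "postgres", grants, now, audit)  # other target
    r3 = authorize("alice@example.com", "db-prod-01", "ssh", grants, now, audit)       # other protocol
    r4 = authorize("alice@example.com", "db-prod-01", "postgres", grants,
                   now + timedelta(minutes=31), audit)                                # expired
    return [r.allowed for r in (r1, r2, r3, r4)], audit

if __name__ == "__main__":
    print(demo())
```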

What's in the full article

JumpCloud's full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step VPN-less access patterns for privileged users across remote teams and third-party vendors.
  • Concrete examples of session recording, logging, and real-time monitoring in privileged workflows.
  • Access control patterns tied to SSO, MFA, RBAC, and context-aware authorization.
  • Practical comparisons between network tunnels, proxies, and browser-based access models.

👉 Read JumpCloud's analysis of VPN-less privileged access for modern PAM →
