TL;DR: Replacing VPN and LDAP access with gateway-based PAM changes how engineers reach servers and databases, reducing exposure to private keys on laptops and improving session auditability, according to StrongDM. The governance shift matters because access is being re-assembled around roles, least privilege, and traceable sessions rather than broad network reach.
NHIMG editorial — based on content published by StrongDM: Replacing Your VPN with strongDM
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Questions worth separating out
A: Security teams should treat the gateway as a privileged access broker, not a network convenience layer.
A: Broad network reach breaks least-privilege enforcement because users can often reach more systems than they actually need.
Q: When should organisations replace shared infrastructure access with role-based session controls?
A: Organisations should do it when engineers, contractors, or platform teams share access paths that are difficult to audit or revoke individually.
Practitioner guidance
- Map privileged access paths to a governed control plane: document which servers, databases, and administrative functions are reachable through the gateway and who approves those paths.
- Review role inheritance before scaling access: check whether composite roles or group-based provisioning are granting more access than engineers actually need.
- Reduce long-lived secret distribution: remove private keys, database passwords, and relay tokens from uncontrolled endpoints where possible, and keep any remaining credentials in a managed lifecycle process with clear ownership.
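The first two guidance points (mapping access paths and reviewing role inheritance) are easier to act on when effective access is computed rather than eyeballed. The following is an added example, not StrongDM code and not tied to any real PAM product's role model: it uses a hypothetical nested-role scheme and constructed sample data to resolve each user's reachable resources, record the role chain that grants each one, and flag grants that exceed the user's recorded need.

```python
"""Resolve effective privileged access from nested roles and flag excess.

Added example (not StrongDM code). The role model, the inventory and the
per-user "needs" list below are all constructed and hypothetical; the point
is to show how composite roles widen access beyond what a team asked for.
"""
from collections import deque

# Constructed sample data: hypothetical roles, each granting direct access to
# named resources and optionally inheriting from other roles.
ROLES = {
    "db-admin":  {"grants": {"prod-postgres", "staging-postgres"}, "inherits": set()},
    "ops":       {"grants": {"bastion-01", "app-server-01"},       "inherits": set()},
    "team-lead": {"grants": {"ci-runner"},                         "inherits": {"ops", "db-admin"}},
    "user":      {"grants": {"app-server-01"},                     "inherits": set()},
}

# Constructed user-to-role assignments (group-based provisioning).
USERS = {
    "alice": {"team-lead"},
    "bob":   {"user"},
    "carol": {"ops", "user"},
}

# Constructed statement of what each user actually needs. Assumption: this
# list is maintained by whoever approves the access path, not by the user.
NEEDS = {
    "alice": {"ci-runner", "bastion-01", "app-server-01"},
    "bob":   {"app-server-01"},
    "carol": {"bastion-01", "app-server-01"},
}


def resolve_role(role, roles=ROLES):
    """Return {resource: [role chain]} for every resource reachable from `role`.

    Breadth-first over the inheritance graph, so the first chain recorded for
    a resource is the shortest one; the visited set guards against cycles in
    badly defined composite roles.
    """
    paths = {}
    seen = {role}
    queue = deque([(role, [role])])
    while queue:
        current, chain = queue.popleft()
        spec = roles.get(current)
        if spec is None:
            continue  # dangling inheritance reference: skip rather than crash
        for resource in spec["grants"]:
            paths.setdefault(resource, chain)
        for parent in spec["inherits"]:
            if parent not in seen:
                seen.add(parent)
                queue.append((parent, chain + [parent]))
    return paths


def effective_access(user, users=USERS, roles=ROLES):
    """Map each resource a user can reach to the role chain that grants it."""
    access = {}
    for role in sorted(users.get(user, ())):
        for resource, chain in resolve_role(role, roles).items():
            access.setdefault(resource, chain)
    return access


def excess_access(user, needs=NEEDS, users=USERS, roles=ROLES):
    """Resources the user can reach but has no recorded need for, with the path."""
    reach = effective_access(user, users, roles)
    return {r: chain for r, chain in reach.items() if r not in needs.get(user, set())}


def report(users=USERS):
    """Print one line per excess grant: who, what, and the role chain behind it."""
    for user in sorted(users):
        for resource, chain in sorted(excess_access(user).items()):
            print(f"{user}: can reach {resource} via {' -> '.join(chain)} (no recorded need)")


if __name__ == "__main__":
    report()
```

In the constructed data, `alice` holds only `team-lead`, yet inherits both production databases through `db-admin`; the report names that chain explicitly, which is the artefact a reviewer wants when deciding whether to split the composite role or document the need. Swapping in an export of real role and assignment data is the only change needed to run the same check against an actual inventory.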
What's in the full article
StrongDM's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step gateway setup and relay installation for Linux environments
- Exact server and database inventory fields used during enrolment
- CSV-based user provisioning workflow for larger teams
- Role and permission breakdowns for account administrators, database administrators, team leaders, and users
👉 Read StrongDM's guide to replacing VPN access with gateway-based PAM →
VPN replacement for infrastructure access: what IAM teams need to know
Explore further
PAM over VPN is really a control-plane shift, not just a connectivity change. The article frames gateway access as a simpler alternative to network tunnelling, but the deeper governance issue is that privileged access is being re-brokered through a session layer. That matters because auditability, entitlement scope, and revocation all become resource-specific rather than network-wide. The practitioner conclusion is to evaluate the access plane as a governance boundary, not a transport substitute.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
A question worth separating out:
Q: What is the difference between network access and privileged session accountability?
A: Network access answers whether a user can reach a system. Privileged session accountability answers who accessed which resource, under what authority, and with what traceable session record. The first is about connectivity, while the second is about governance, attribution, and evidence for review or investigation.
👉 Read our full editorial: Replacing VPN access with PAM controls for servers and databases