The Open Source PAM Landscape: A Critical Evaluation
After sharing my frustration with the security divide between enterprise solutions and what's accessible to smaller teams in my previous post, I want to walk you through what I discovered when evaluating the current state of open-source PAM tools.
This isn't just an academic exercise for me. I needed a solution that would actually work for a real security audit, and what I found left me both disappointed and motivated to build something better.
What I Was Actually Looking For
Before diving into specific solutions, let me share what I was really searching for. I needed a database PAM system that could:
- Eliminate standing privileges through just-in-time access
- Support approval workflows for sensitive operations
- Provide comprehensive session recording and auditing
- Enforce time-based access limitations
- Minimize friction for developers (because security that gets bypassed isn't security)
- Deploy without requiring a security engineering team
Simple enough, right? Yet finding an open-source solution that checked these boxes proved surprisingly difficult.
JumpServer: So Close, Yet So Far
I started with JumpServer, which initially seemed promising. The platform offered impressive contextual access controls - you could limit access by time, day of week, and even IP address. The session recording worked reliably, and the web-based access to databases created a seamless experience.
Installation was quick too - under 30 minutes from start to finish with clear feedback along the way. Database connections were straightforward to set up without requiring doctoral-level studies of documentation.
But then I hit the wall that defines so many "open-source" security tools: all the features I actually needed for compliance were locked behind the enterprise version. Just-in-Time access provisioning? Paid. Request and approval workflows? Paid. Advanced role-based controls? You guessed it - paid.
The platform was also surprisingly resource-hungry. While this wasn't a dealbreaker, it did mean we couldn't deploy it on minimal infrastructure, increasing the total cost beyond just licensing.
Despite these limitations, JumpServer actually emerged as the best option, which says more about the state of alternatives than about JumpServer itself.
Teleport: The Documentation Dead End
My next stop was Teleport, which promises unified access management across infrastructure. The marketing materials looked promising - identity-based access, certificate-based authentication, multi-protocol support.
What the website didn't mention was that I'd need to become a part-time Teleport specialist just to get it running. The documentation felt incomplete, installation scripts lacked verbose information, and confirming successful deployment felt like guesswork.
The real dealbreaker came with database integration. Teleport required shell scripts to run directly on database instances - a non-starter for cloud databases like AWS RDS. I spent hours trying different approaches, digging through sparse documentation, and ultimately failed to get a working proof-of-concept.
Even if I had gotten it working, the licensing was problematic - usage restricted to companies with fewer than 100 employees and under $10 million in revenue under their AGPL license.
HashiCorp Boundary: Desktop-Only Disappointment
Boundary presented a modern architecture with identity integration and dynamic resource discovery. The resource consumption was minimal, and documentation was relatively clear.
However, the limitations quickly became apparent. No web-based access meant desktop clients only - creating adoption friction. No Multi-Factor Authentication support in an access management tool felt like a strange omission. And once again, the critical workflows for just-in-time access and approval processes were missing.
During testing, the desktop client exhibited frustrating stability issues. Sessions would fail to initiate, and the overall experience felt unfinished.
The Newer Contenders
More recently, solutions like Hoop.dev and Kviklet have entered the scene. Hoop.dev caught my attention with its just-in-time provisioning and multi-tenancy architecture, but advanced features were (predictably) locked behind the paid version. The desktop client was so unreliable during testing that I couldn't even complete a proper evaluation.
Kviklet offered the most complete open-source feature set, implementing JIT access and approval workflows without paywalling them. But it lacked MFA support and showed significant stability issues during testing. The high resource consumption during startup also made it unsuitable for smaller deployments.
The Hard Truth About "Free" Solutions
This evaluation process revealed some uncomfortable realities:
- End-to-End Workflows Matter: Solutions focusing on individual security components without addressing the complete access lifecycle create dangerous fragmentation. Patching together half-solutions creates more security gaps than it solves.
- Free ≠ No Cost: While open-source tools avoid licensing fees, the operational overhead of maintaining cobbled-together solutions often exceeds what you'd pay for commercial options. My time spent troubleshooting deployment issues and writing integration scripts came with its own cost.
- Security vs. Usability: Tools that create significant friction for developers inevitably lead to workarounds. I've seen firsthand how overly restrictive systems push teams toward shadow IT with shared credentials and unauthorized access patterns.
- AI Integration Gap: None of the evaluated solutions leverage AI/ML for intelligent security analysis - a missed opportunity to enhance threat detection and automate routine decisions.
- The Enterprise Advantage: Commercial solutions excel at workflow integration, user experience, and comprehensive coverage - areas where open-source options currently fall short.
The Cobbled-Together Solution
Facing a security audit deadline and no perfect solution, I built a hybrid approach:
- Used JumpServer for basic access management and session recording
- Implemented JIRA for access request workflow with custom issue types
- Created scripts to match JIRA approvals with JumpServer access grants
- Configured JumpServer's time-based restrictions to enforce approved timeframes
- Built custom reports to demonstrate compliance
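As an added example, not the author's actual scripts (the post does not show them), this reconciles approved JIRA access requests with JumpServer-style access grants and flags what an auditor would ask about: grants with no matching approval, grants that exceed the approved window, and standing grants with no expiry. The record field names and the sample data are constructed assumptions, not either product's export schema.

```python
from datetime import datetime

# Constructed sample records (assumed field names, not a real export format).
APPROVALS = [
    {"key": "ACC-101", "user": "alice", "asset": "orders-db", "status": "Approved",
     "start": "2025-03-01T09:00:00Z", "end": "2025-03-01T13:00:00Z"},
    {"key": "ACC-102", "user": "bob", "asset": "billing-db", "status": "Rejected",
     "start": "2025-03-01T09:00:00Z", "end": "2025-03-01T13:00:00Z"},
]
GRANTS = [
    # Matches ACC-101 exactly: fine.
    {"user": "alice", "asset": "orders-db", "start": "2025-03-01T09:00:00Z", "end": "2025-03-01T13:00:00Z"},
    # Same user/asset but runs a day past the approved window.
    {"user": "alice", "asset": "orders-db", "start": "2025-03-01T09:00:00Z", "end": "2025-03-02T13:00:00Z"},
    # Request was rejected, yet a grant exists.
    {"user": "bob", "asset": "billing-db", "start": "2025-03-01T09:00:00Z", "end": "2025-03-01T13:00:00Z"},
    # No time bounds at all: a standing privilege.
    {"user": "carol", "asset": "hr-db", "start": None, "end": None},
]


def _ts(s):
    # Parse an ISO-8601 UTC timestamp; the replace keeps older Pythons happy with "Z".
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def reconcile(approvals, grants):
    """Classify each grant as 'ok', 'no_approval', 'exceeds_window' or 'standing'."""
    approved = [a for a in approvals if a["status"] == "Approved"]
    findings = []
    for g in grants:
        if g["start"] is None or g["end"] is None:
            findings.append((g["user"], g["asset"], "standing"))
            continue
        gs, ge = _ts(g["start"]), _ts(g["end"])
        matches = [a for a in approved if a["user"] == g["user"] and a["asset"] == g["asset"]]
        if not matches:
            findings.append((g["user"], g["asset"], "no_approval"))
        elif any(_ts(a["start"]) <= gs and ge <= _ts(a["end"]) for a in matches):
            findings.append((g["user"], g["asset"], "ok"))
        else:
            findings.append((g["user"], g["asset"], "exceeds_window"))
    return findings


def summary(findings):
    """Count findings per category; the non-'ok' buckets are the audit exceptions."""
    counts = {}
    for _, _, kind in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for user, asset, kind in reconcile(APPROVALS, GRANTS):
        print(f"{kind:15} {user}@{asset}")
    print(summary(reconcile(APPROVALS, GRANTS)))
```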
This approach passed our audit, but it was far from elegant. It created operational overhead, introduced potential for human error, and produced a fragmented user experience that developers complained about constantly.
Most frustratingly, I found myself implementing manual processes to replicate features that should have been fundamental to any PAM solution.
Why I'm Building Something Better
This experience uncovered five critical gaps that no existing open-source solution adequately addresses:
- Zero Standing Privilege: Few tools implement true ZSP where all access is temporary and contextually granted.
- Workflow Automation: End-to-end processes from request through approval to revocation remain fragmented.
- Intelligent Security Analysis: AI/ML capabilities for enhancing security decisions are completely absent.
- Multi-Tenancy: Organizations with multiple teams or environments need proper isolation capabilities.
- Developer Experience: Friction-filled interfaces push developers toward insecure workarounds.
These gaps directly informed the design of my final year project. I'm not building a PAM system because I think it's an interesting academic exercise. I'm building it because I've felt the pain of trying to secure database access without proper tools, and I know countless others face the same challenge every day.
When security tools remain exclusive to those with enterprise budgets, we create a two-tier system where only the well-resourced are properly protected. That's not just a business problem - it's an ethical one.
In my next post, I'll walk through the architecture I'm developing to address these gaps. But the core mission remains the same: democratizing security by building tools that deliver enterprise-grade protection without the enterprise price tag.
Because at the end of the day, data security shouldn't depend on the size of your budget.
Stay tuned for the next post in this series, where I'll explore the design principles of a modern Zero Standing Privilege system for database operations.