For decades, database administrators have been the quiet gatekeepers of enterprise infrastructure — and one of its most persistent vulnerabilities. They hold the keys to production databases containing customer records, financial data, intellectual property, and regulated health information. When those keys get shared over Slack, stored in plaintext config files, or passed around on sticky notes, the consequences can be catastrophic.
Keeper Security is betting it can fix that.
The Chicago-based cybersecurity firm this week launched KeeperDB, a zero-trust database access product designed to eliminate the need for database administrators, developers, and DevOps engineers to ever directly handle database credentials. The product, announced on June 25, 2025, slots into Keeper’s existing privileged access management platform and represents a significant expansion of the company’s ambitions beyond password management into the broader infrastructure security market.
The pitch is straightforward. Instead of distributing database credentials to individual users — who then store them in various insecure ways — KeeperDB acts as an encrypted gateway. Users authenticate through Keeper’s platform, and the system brokers a connection to the target database without ever exposing the underlying credentials. No passwords in environment variables. No shared service accounts. No credentials sitting in a developer’s .bashrc file waiting to be exfiltrated.
Why Database Access Has Become a Critical Blind Spot
The timing isn’t accidental. Enterprise security teams have spent the last five years locking down endpoints, deploying zero-trust network access, and implementing identity governance across SaaS applications. But database access — particularly for administrative and development purposes — has remained stubbornly resistant to modernization.
Part of the problem is cultural. Database administrators have traditionally operated with broad, persistent access to production systems. They need it to do their jobs. Query optimization, schema migrations, incident response — all require direct database connectivity, often at odd hours and under pressure. Security controls that add friction to these workflows get circumvented or disabled. It’s a pattern that security teams know well but have struggled to address without breaking critical operations.
And the threat models have evolved. Credential theft remains the most common initial access vector in data breaches, according to multiple industry reports. Attackers who compromise a DBA’s workstation or intercept database credentials gain direct access to the most valuable data an organization holds. No need to move laterally through the network. No need to escalate privileges. The credentials themselves are the prize.
According to The Next Web’s reporting, KeeperDB supports connections to MySQL, PostgreSQL, Microsoft SQL Server, and MongoDB — covering the vast majority of enterprise database deployments. The product uses Keeper’s zero-knowledge encryption architecture, meaning Keeper itself cannot access the credentials or session data flowing through the system. Sessions can be recorded and audited, giving compliance teams visibility into who accessed what data and when.
Craig Lurey, Keeper Security’s CTO and co-founder, framed the product as addressing a gap that existing PAM solutions have largely ignored. Traditional privileged access management tools focus on server access and application credentials, but direct database connections — particularly interactive ones used by DBAs and developers — have been treated as an afterthought. KeeperDB is designed to bring those sessions under the same governance umbrella.
The product operates without requiring a VPN, which is notable. Many organizations still rely on VPN tunnels to provide developers with database access, an approach that grants broad network connectivity when all that’s needed is a connection to a specific database port. KeeperDB instead uses Keeper’s gateway infrastructure to establish direct, encrypted tunnels between the user’s client and the target database. The connection is scoped to a single database instance. Nothing more.
The Competitive Pressure Behind the Launch
Keeper isn’t the first company to recognize this opportunity. StrongDM, Teleport, and HashiCorp’s Boundary product have all targeted the database access problem with varying approaches. CyberArk, the dominant player in enterprise PAM, offers database credential vaulting as part of its broader platform. But Keeper’s advantage may lie in its existing footprint. The company claims millions of users across its consumer and enterprise password management products, and KeeperDB is designed to work within the same administrative console and policy framework that IT teams already use.
That matters because adoption is the real challenge. Security tools that require separate infrastructure, separate training, and separate administrative workflows face an uphill battle in organizations already drowning in security tooling. By embedding database access controls into a platform that many organizations have already deployed for credential management, Keeper is attempting to reduce the friction that has historically prevented companies from governing database access at all.
The zero-trust architecture also aligns with where federal cybersecurity mandates are heading. The U.S. government’s zero-trust strategy, outlined in OMB Memorandum M-22-09, explicitly calls for agencies to implement strong access controls around data stores. And the SEC’s cybersecurity disclosure rules, which took effect in late 2023, have made database breaches a board-level concern for public companies. Organizations that can demonstrate granular access controls and session auditing for database access are in a materially better position when responding to regulatory inquiries after an incident.
So what does this look like in practice? A database administrator needing to run a query against a production PostgreSQL instance would authenticate through Keeper, select the target database from their authorized connections, and launch a session. The actual database credentials — username, password, connection string — are never displayed or transmitted to the user’s machine. The session is brokered through Keeper’s gateway, encrypted end-to-end, and logged for audit purposes. When the session ends, there are no residual credentials on the user’s workstation to steal.
For developers working in staging or pre-production environments, the workflow is similar but can be configured with different access policies. Time-limited access windows, approval workflows, and just-in-time provisioning are all supported. An engineer who needs database access for a two-hour debugging session gets exactly that — and nothing more.
The session recording capability deserves particular attention. In regulated industries — financial services, healthcare, government contracting — the ability to produce a complete audit trail of database access is not optional. It’s a compliance requirement. KeeperDB captures session activity in encrypted recordings that can be reviewed by security teams or produced during audits. This is the kind of feature that procurement teams in regulated industries will flag as a requirement, and its inclusion signals that Keeper is targeting enterprise buyers with specific compliance obligations.
What This Means for the Broader PAM Market
The privileged access management market is undergoing rapid consolidation and expansion. CyberArk’s $1.54 billion acquisition of Venafi in 2024 signaled the industry’s move toward machine identity management. Delinea, BeyondTrust, and One Identity continue to compete for enterprise PAM budgets. And a growing number of startups are attacking specific slices of the privileged access problem — database access, Kubernetes secrets, CI/CD pipeline credentials — with purpose-built tools.
Keeper’s approach is to build from the bottom up. Start with password management. Add secrets management. Layer on privileged session management. Now, database access. Each addition expands the platform’s value proposition while keeping the core architecture — zero-knowledge encryption, a unified admin console, and a single agent framework — consistent.
But the company faces real challenges. Enterprise PAM buyers are notoriously conservative. They want proven platforms with deep integration into their existing identity infrastructure — Active Directory, Okta, Azure AD, CyberArk’s own vault. Keeper will need to demonstrate that KeeperDB can operate reliably at scale in complex, multi-database environments with thousands of users and strict uptime requirements. The password management pedigree helps with credibility, but database access governance is a different animal. The stakes are higher. The failure modes are more consequential. And the buyers — CISOs and infrastructure security leaders — will demand proof.
There’s also the question of how KeeperDB handles the messy reality of database access in large organizations. Not every database connection is interactive. Automated jobs, ETL pipelines, application service accounts, and microservices all connect to databases using credentials that need to be managed differently than human user sessions. Keeper offers a separate secrets management product for machine-to-machine credentials, but the integration between that product and KeeperDB will be critical for organizations trying to govern all database access through a single policy framework.
The launch comes at a moment when database security incidents continue to make headlines. Snowflake’s customer data breach in 2024, which affected AT&T, Ticketmaster, and other major companies, was traced back to stolen credentials that lacked multi-factor authentication. That incident alone likely accelerated enterprise interest in tools that can eliminate credential exposure as an attack vector.
Keeper Security is privately held and does not disclose revenue figures, but the company has raised over $120 million in funding and claims more than a million business customers. KeeperDB is available immediately as part of Keeper’s enterprise platform, with pricing based on the number of users requiring database access.
Whether KeeperDB gains meaningful traction will depend on execution — specifically, on how well it handles the complexity of real-world database environments and how effectively Keeper’s sales organization can position it against entrenched competitors. The product addresses a genuine gap. That much is clear. But in enterprise security, identifying a problem and solving it at scale are very different things.
WebProNews is an iEntry Publication