I do have a concern about saving the SugarCRM credentials in the database and I want to change this. Even considering a good setup process where the user using REST services will be limited to certain operations only, I still don't feel comfortable with that.

Perhaps that 'good' and 'secure' setup should specify that the user/password pair used to communicate between Drupal and SugarCRM must not be a valid SugarCRM user, but a portal user only (not being able to log in to SugarCRM).

Another good approach could be to not save the username and password, and provide a login form to enter these values and obtain a valid REST session. Keeping the session alive (using cron or changing the session timeout in SugarCRM) is easy to do, and sessions are also tracked against IP addresses by SugarCRM, and the user could still be restricted using access control. For me keeping the session is as secure as keeping API keys or the like, and this is not a bad practice.

I'll leave this issue open to grab some opinions, but I'm in favour of the session approach.