ColorTokens, a provider of an Xshield platform for applying microsegmentation to networks, has acquired PureID, a provider of an identity and access management (IAM) platform.

Sunil Muralidhar, vice president of marketing for ColorTokens, said the IAM platform developed by PureID will allow ColorTokens to further extend the reach and scope of the company’s zero-trust IT portfolio.

The PureID platform makes use of a passwordless approach to cryptographically secure identities, dubbed PureAuth, that can be centrally managed via a key management platform. That approach enables organizations to implement multifactor authentication (MFA) as well.

In addition, PureId has developed a PureAuth Trist Kit that enables its IAM platform to be integrated with a continuous integration/continuous delivery (CI/CD) platform to better secure software supply chains that are being increasingly targeted by cybercriminals.

The pace at which organizations are embracing zero-trust IT is not clear but as they do the need for a more identity-centric approach to cybersecurity becomes apparent. Historically, cybersecurity teams have invested heavily in network perimeter security but as cybercriminals increasingly bypass these defenses a need to apply granular controls based on identity has become crucial.

The challenge is that implementing zero-trust IT policies based on identity requires significant additional investments. It’s been well over four years since the move to zero-trust IT began in earnest and a lot of progress has been made. However, most organizations now recognize zero-trust is a journey that requires securing not just human identities but also identities attached to specific machines and software components, noted Muralidhar.

Cybercriminals, in the meantime, are using phishing attacks to gain access to credentials that can not only be used to escalate privileges but also gain access to additional machine and software identities. Keeping track of all those human and non-human identities at scale requires cybersecurity teams to adopt and implement not just additional tools, but also define workflows where in many cases none previously existed. Many organizations, for example, don’t realize that each machine used has a unique identity that could be compromised, said Muralidhar.

Time, of course, is as usual, not on the side of cybersecurity teams. The volume and sophistication of cyberattacks aimed at compromising one form of identity or another will continue to increase. The longer it takes to detect these threats the more damage an organization is likely to incur once the breach is discovered. Many cybercriminals now patiently pose as a legitimate identity, otherwise known as living off the land, for months to better understand the scope of the damage they might inflict.

There may never be such a thing as perfect security to thwart all those attacks but as cybersecurity continues to evolve the scope of any breach becomes less catastrophic as the tools, technologies and processes needed to achieve that goal become easier to master. The issue, as always, is convincing business leaders to allocate the additional funding required, when many of them are still questioning the value of the cybersecurity investments the organization has previously made.