Thanks to mobile computing, cloud apps and tele-working, the de-perimeterization of IT security is a “fait accompli”. This has created new challenges for CSOs and new opportunities for attackers. One of the leading threats emerging from the post-perimeter IT landscape involves using Identity as an attack vector. Here’s why.

Historically, information security professionals have focused on mitigating vulnerabilities across traditional attack vectors, namely networks, software or physical plants within their computing environments. Despite the large investments made in preventive and detective security technologies, protecting these traditional attack surfaces continues to be a challenge. As Ponemon states in their 2014 report on Mega Breaches, many companies have failed to prevent breaches with the technology they currently have: 65% responded that attacks evaded existing preventive security controls.

What’s changed? Instead of targeting hardened networks and application infrastructures, more and more bad actors, whether outsiders or insiders, are exploiting identities to gain “legitimate” access to sensitive systems and data.
Protecting this new attack surface is hard, since identities must be trusted unless there’s conclusive proof that they have been compromised.

2014 will be remembered as the year of the mega security breach, and many of those breaches have been found to be directly attributable to compromised identities.

For example, in the Anthem Blue Cross data breach, where cyber attackers stole millions of health insurance records, hackers reportedly obtained the identity credentials of five different employees, including computer administrators, possibly through phishing attacks, which allowed them to access the company’s internal network. Data stolen included names, social security numbers, and other personal information for up to 80 million Anthem customers.

Meanwhile, Premera Blue Cross is facing five class-action lawsuits and continuing questions since it disclosed a data breach. The lawsuits, filed in U.S. District Court in Seattle on behalf of Premera customers from Washington, Nevada and Massachusetts, claim that Premera was negligent, breached its contract with customers, violated the Washington Consumer Protection Act and failed to disclose the breach in a timely manner. The lawsuits also argue that Premera violated the Health Insurance Portability and Accountability Act (HIPAA), as well as the insurer’s own privacy policies, by allowing the data to be accessed.

These lawsuits, and pending penalties, are claiming negligence due to the poor management of identities and access credentials. Clearly, the bar has been raised on what constitutes appropriate due care of identity information by organizations.

One of the core challenges for information security professionals is rooted in the fact that current security models are not designed to address identity as an attack surface.
Instead of being treated as a basic access provisioning function, identity should be managed and monitored as a critical resource for the organization.

To prevent identity from being exploited as an attack surface, Information Security Professionals must return to something “old” and engage with something “new”.

The “old” is verifying how effectively traditional Identity and Access Management systems are being managed. Is basic, good quality hygiene being rigorously applied and exercised for these critical systems? For example, how often are users required to update their passwords? Is a reasonable amount of complexity required for those passwords? Also, is Security Awareness being promoted among users, including the importance of strong password choices, as well as the techniques used by attackers to steal passwords, like phishing and social engineering?

The “new” involves monitoring who, how, where and what identities are being used for in the organization’s computing environment, including the Cloud. To keep watch over the typical “flock” of identities in an enterprise, new tools and automation are required. Gartner provides a good overview of these identity analytics technologies here.