|
|
|
|
|
|
by hrimfaxi
236 days ago
|
|
|
A centralized IDP that touches every service is not mandated by NIST though. So while you are right that an IDP can handle that, the organization may not have the IDP integrated with a given system and you will still need compensating controls or mitigations. Outright incredulity over logging failed access attempts is surprising. |
|
|
If you’re a company trying to meet a compliance regime and you don’t already have a central IDP, that’s step zero. None of the NIST requirements say “you must have an IDP”, but a massive portion of them are trivial with an IDP and a massive pain in the ass (both to implement and evidence to auditors) without one.