In a landmark move, the Rajya Sabha, the upper house of the Indian Parliament, passed the Aadhaar and Other Laws (Amendment) Bill, 2019 on 8th July, 2019. The amended bill, which was earlier passed by the Lok Sabha, the Indian Parliament’s lower house, now allows Aadhaar holders to voluntarily share their Aadhaar Number as a valid identity proof for opening bank accounts or applying for new mobile phone connections.
Apart from the original Aadhaar Number, the amended bill also allows individuals to share their Virtual (Aadhaar) Identification Number for e-KYC authentication. Aadhaar holders can self-generate their Virtual Identification Number by logging into UIDAI’s website.
The amended bill comes as a welcome relief to authenticating entities who had heavily invested in Aadhaar-based e-KYC infrastructure and were earlier stopped by the Indian Supreme Court from initiating e-KYC using people’s Aadhaar details. With the new amendment, these entities can now restart Aadhaar-based e-KYC, provided they adhere to the stringent privacy guidelines issued by regulators like UIDAI and RBI. Failure to comply with these security mandates can result in hefty penalties to the tune of Rs. 1 crore!
One such regulatory mandate is that authenticating entities should store Aadhaar details in a specialized Aadhaar Data Vault only.
What is Aadhaar Data Vault?
While the use of Aadhaar has been made voluntary for citizens, Aadhaar remains critical for organizations providing Direct Benefit Transfers or Aadhaar Enabled Payment Systems (AEPS). UIDAI has mandated that all Aadhaar-based e-KYC authenticating entities encrypt the Aadhaar data and store it in a separate repository called an ‘Aadhaar Data Vault’. This mandate also laid down regulations for Secure Key Management to ensure that sensitive encryption keys are stored separately in a Hardware Security Module (HSM).
Thus, to protect sensitive data as per the newly amended bill, all AEPS entities will need secure centralized storage in the form of an Aadhaar Data Vault. The UIDAI also put out a circular detailing specifications for Reference Keys and mandating that all Aadhaar-related information be kept in an Aadhaar Data Vault.
How does an Aadhaar Data Vault work?
UIDAI’s circular mandates that all Aadhaar-related data should be encrypted using a Reference Key and stored in the Aadhaar Data Vault. Therefore, an Aadhaar Data Vault should be the only place where Aadhaar-related information can be stored. All businesses will now be required to use the Reference Keys for all transactions, with only internal systems having access to the Aadhaar Data Vault.
How can Thales help with an Aadhaar Data Vault?
The cohesive suite of data security solutions from Thales Cloud Protection & Licensing offers all the key components that go into developing a secure Aadhaar Data Vault. Below are four such notable features:
- A robust software package that generates random Reference Keys for all Aadhaar Numbers.
- A highly scalable Key Management Solution that seamlessly manages the entire crypto key lifecycle: creation, distribution, storage, rotation, and archival or deletion of the master keys.
- A single, highly secure database that stores the encrypted Aadhaar Numbers, Hash Values and Reference Keys.
- A nifty Bulk Transformation Utility that converts existing Aadhaar Numbers into Reference Keys and vice versa using a secure CSV file format.
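The vault flow described in the two sections above (a random Reference Key per Aadhaar Number, with the encrypted number and a hash value stored beside it) can be sketched as follows. This is an added example, not Thales or UIDAI code: `HsmStandIn`, `AadhaarDataVault`, the use of a keyed HMAC for the hash value and the sample number in the usage are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class HsmStandIn:
    """Constructed stand-in for the HSM: both keys stay inside this object."""
    def __init__(self):
        self._enc_key = secrets.token_bytes(32)
        self._hash_key = secrets.token_bytes(32)

    def _stream(self, nonce):
        # Placeholder for the HSM's AES operation so the sketch needs only the
        # standard library; it covers short values and is not authenticated.
        return hmac.new(self._enc_key, nonce, hashlib.sha256).digest()

    def encrypt(self, plaintext):
        nonce = secrets.token_bytes(16)
        return nonce + bytes(a ^ b for a, b in zip(plaintext, self._stream(nonce)))

    def decrypt(self, blob):
        return bytes(a ^ b for a, b in zip(blob[16:], self._stream(blob[:16])))

    def keyed_hash(self, data):
        # Keyed, because an unkeyed hash of a 12-digit number can be brute-forced.
        return hmac.new(self._hash_key, data, hashlib.sha256).hexdigest()


class AadhaarDataVault:
    def __init__(self, hsm):
        self._hsm = hsm
        self._rows = {}      # reference key -> (encrypted number, hash value)
        self._by_hash = {}   # hash value -> reference key, for duplicate lookup

    def tokenize(self, aadhaar):
        """Return the reference key for an Aadhaar number, creating it if new."""
        if not (aadhaar.isascii() and aadhaar.isdigit() and len(aadhaar) == 12):
            raise ValueError("expected a 12-digit Aadhaar number")
        digest = self._hsm.keyed_hash(aadhaar.encode())
        if digest in self._by_hash:           # already vaulted: reuse its key
            return self._by_hash[digest]
        ref = secrets.token_hex(16)           # random, not derived from the number
        self._rows[ref] = (self._hsm.encrypt(aadhaar.encode()), digest)
        self._by_hash[digest] = ref
        return ref

    def detokenize(self, ref):                # vault-only path back to the number
        return self._hsm.decrypt(self._rows[ref][0]).decode()

    def rows(self):
        return dict(self._rows)
```

Business systems outside the vault would hold only the value returned by `tokenize`, for example `AadhaarDataVault(HsmStandIn()).tokenize("999900001111")` with a constructed sample number.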
Important aspects to be considered while developing an Aadhaar Data Vault
- Many solutions available in the market store the encryption keys within their software application itself. From a security compliance standpoint, this is a risky proposition. We strongly recommend that all encryption keys, and not just the root Master Key, be stored only in intrusion-resistant HSM devices.
- These HSM devices should be FIPS-140, Level 3 certified to ensure the highest possible data security and protection.
- Pre-defined schedules should be set up for automatic key rotation with zero downtime.
- For secure key management, IP whitelisting should be done on the HSM devices instead of the software.
To sum it up
While the Aadhaar Amendment Bill makes Aadhaar voluntary for e-KYC, it also mandates Aadhaar-based private AEPS to set up Aadhaar Data Vaults to safeguard Aadhaar information.
The latest circular from the UIDAI allows only the demographic details and/or photo of the Aadhaar card holder to be stored in systems other than an Aadhaar Data Vault. This vault will now be the only place where Aadhaar numbers can be stored and mapped.
Additionally, with the Data Privacy Bill currently being discussed by the civic bodies, data security essentials like the Aadhaar Data Vault will come into the picture in the future, and organizations need to be ready to meet the regulators’ security mandates.
Find additional information on how Thales can help your organization comply with many of the regulations and mandates required for Aadhaar.