As seen in our earlier blog post, the Unique Identification Development Authority of India (UIDAI) has directed all e-KYC authenticating agencies in India to mandatorily encrypt all Aadhaar-related data and store it separately in a secure, access-controlled data repository known as an “Aadhaar Data Vault”.
It has further mandated that the encryption keys used to encrypt the Aadhaar data be stored securely only in a Hardware Security Module (HSM) device.
Authenticating agencies (AUAs, KUAs, Sub-AUAs) that fail to comply with UIDAI’s Aadhaar Data Vault mandate will attract penal action and hefty financial penalties.
With major incidents of data breaches and identity thefts on the rise in recent years, the objective behind this stringent Aadhaar Data Vault mandate of UIDAI is quite understandable – protect the Personally Identifiable Information (PII) of Aadhaar users at any cost.
Understanding Aadhaar Data Vault
Before organizations rush to select a vendor to implement Aadhaar Data Vault, it is imperative that they look at the Aadhaar Data Vault ecosystem in totality, rather than in silos. A cohesive Aadhaar Data Vault solution should comprise 4 key components:
1. Tokenization Manager – specialized software that generates a random token (known as a Reference Key) for each Aadhaar number. The Tokenization Manager receives the sensitive data at its initial entry point, encrypts it, stores it in the Data Vault and creates a Reference Key for the data. From the entry point, through applications, to databases, only the Reference Key is stored, processed or transmitted throughout the organisation, while the sensitive data stays encrypted and securely stored in the Data Vault.
2. Data Vault – a single data repository that securely holds the encrypted Aadhaar number, hash value and the corresponding Reference Key number. While the Reference Key can be stored, processed or transmitted throughout the organization, the encrypted Aadhaar data should never leave the Data Vault.
3. HSM Appliance: FIPS 140-2 with Key Management functionality – covers all the processes used to create, store, distribute, archive and delete the master keys, along with key versioning and automatic rotation of the encryption keys within the HSM appliance without any downtime. It further supports IP whitelisting to block access from untrusted applications.
4. Bulk Transformation Utility – a very useful utility tool that seamlessly converts Aadhaar number to a Reference Key number and vice-versa using the CSV file format.
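The data flow across the Tokenization Manager, Data Vault and Bulk Transformation Utility described above, as an added Python example (not code from the original post or from any vendor product). The class and function names, the 32-character hex Reference Key format and the use of a keyed hash are assumptions, and `StandInHsm` replaces the HSM's AES operation with an HMAC-SHA256 keystream so the block runs with the standard library only.

```python
import csv, hashlib, hmac, io, secrets

class StandInHsm:
    """Demo stand-in for the HSM appliance: keys never leave this object."""
    def __init__(self):
        self._enc_key = secrets.token_bytes(32)
        self._mac_key = secrets.token_bytes(32)
    def _xor(self, nonce, data):
        # HMAC-SHA256 keystream stands in for the AES operation a real HSM
        # performs internally; one 32-byte block covers a 12-digit number.
        stream = hmac.new(self._enc_key, nonce, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(data, stream))
    def encrypt(self, plaintext):
        nonce = secrets.token_bytes(16)
        return nonce + self._xor(nonce, plaintext)
    def decrypt(self, blob):
        return self._xor(blob[:16], blob[16:])
    def keyed_hash(self, data):
        # Keyed, because a bare hash of a 12-digit number can be enumerated.
        return hmac.new(self._mac_key, data, hashlib.sha256).hexdigest()

class DataVault:
    def __init__(self, hsm):
        self.hsm = hsm
        self.by_ref = {}    # Reference Key -> encrypted Aadhaar number
        self.by_hash = {}   # keyed hash -> Reference Key (duplicate lookup)
    def tokenize(self, aadhaar):
        if not (aadhaar.isascii() and aadhaar.isdigit() and len(aadhaar) == 12):
            raise ValueError("expected a 12-digit Aadhaar number")
        digest = self.hsm.keyed_hash(aadhaar.encode())
        if digest not in self.by_hash:
            ref = secrets.token_hex(16)  # random, not derived from the number
            self.by_ref[ref] = self.hsm.encrypt(aadhaar.encode())
            self.by_hash[digest] = ref
        return self.by_hash[digest]
    def detokenize(self, ref):
        return self.hsm.decrypt(self.by_ref[ref]).decode()

def bulk_transform(vault, csv_text, column, to_reference=True):
    """Convert one CSV column to Reference Keys, or back to Aadhaar numbers."""
    convert = vault.tokenize if to_reference else vault.detokenize
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        row[column] = convert(row[column])
        writer.writerow(row)
    return out.getvalue()

# Constructed sample input: the numbers below are made up for this example.
SAMPLE_CSV = "name,aadhaar\nA,123412341234\nB,999988887777\nC,123412341234\n"
```

Only the output of `bulk_transform(vault, SAMPLE_CSV, "aadhaar")` would circulate through downstream applications; the reverse direction needs access to the vault and the HSM keys.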
Choosing the Right Partner
Once organizations start looking at the Aadhaar Data Vault ecosystem holistically and understand that the whole is more than the sum of its parts, selecting the right vendor becomes relatively easier.
Here are 5 tips to keep in mind when selecting the right Aadhaar Data Vault vendor for your organization:
#1: Subject Matter Expertise
Choose a vendor that has an undisputed reputation and subject matter expertise in all aspects of digital data protection, cryptography and identity management. Vendors with a dedicated team of Subject Matter Experts (SMEs) and their own Intellectual Property (IP)-protected technology should be preferred, as they are better equipped to quickly resolve any technical issue that may crop up during, and after, the implementation.
Opt for a vendor who has demonstrated flawless execution skills across multiple large organisations spanning diverse industries. While it can definitely be tempting to choose new startups with promising technologies, when it comes to entrusting the security of your sensitive data, it is always advisable to choose a vendor who has years of proven track record that can be easily verified through reference checks. Enterprise Security Solution Providers with advanced infrastructure facilities like their own state-of-the-art R&D centres always have an edge over the others as they are constantly on the lookout for new threats and in an enviable position to release security updates in no time.
#3: Unified Approach
To ensure snag-free implementation, rather than choosing multiple vendors to individually implement each of the above-mentioned Aadhaar Data Vault components, choose a single vendor that has a wide gamut of in-house solutions for all the 4 components and who can address all the implementation complexities in a unified way.
#4: Ease of implementation and Scalability of the solution
Choose a vendor whose Aadhaar Data Vault solution can be seamlessly integrated with your existing back-end systems and whose technologies are widely adopted across the globe. Preference should be given to solutions that can be fully implemented within a short span of 5-7 working days.
Further, the solution should be futuristic and scalable to meet other data protection related use-cases like encrypting the data residing on file servers, storage, VMs, data generated at application level, etc. Today, the mandate is restricted to encrypting only the Aadhaar data, but tomorrow, additional mandates may be introduced to safeguard other PII data like the PAN Card data.
#5: 24×7 Support
In today’s always-connected world with hackers working overtime to lay their hands on sensitive data, it takes only a few minutes of security lapse for a major data breach to happen. Opt for a vendor that has a dedicated team engaged in real-time intelligence gathering of data breaches across the globe, and a 24×7 support team to ensure quick remediation.
To Sum It Up
With private organizations and government entities intensifying their focus on improving technologies to enable better delivery of services, the increasing dependence on technology acts as a double-edged sword by making sensitive data vulnerable to data breaches.
As technology evolves, so do hackers. Today’s cyber-attacks are more sophisticated, more frequent and far more damaging than before. In perilous times like these, choosing the right vendor for your organization’s data security can make or break your business.
For a critical and complex data security project like an Aadhaar Data Vault, “better safe than sorry” should be the mantra. Choose a partner that has an impeccable reputation and multiple, verifiable case studies of complex deployments in large organizations, instead of unknown newbies eager to undertake your Aadhaar Data Vault implementation as a launch pad for their new venture. Good luck!
*** This is a Security Bloggers Network syndicated blog from Enterprise Security – Gemalto blog authored by Ved Prakash. Read the original post at: https://blog.gemalto.com/security/2018/08/29/how-to-choose-the-right-vendor-for-your-aadhaar-data-vault/