bg-intro-1-banner

UIDAI’s Aadhaar Number Regulation Compliance

Thales can help you comply with key Aadhaar provisions.

UIDAI’s Aadhaar Number Regulation Compliance

Test

The Unique Identification Authority of India (UIDAI) was established under the provisions of India’s 2016 Aadhaar Act. UIDAI is responsible for issuing unique identification numbers (UIDs), called Aadhaar1, and providing Aadhaar cards to all residents of India. The 12-digit UIDs are generated after the UIDAI verifies the uniqueness of enrollees’ demographic and biometric information; UIDAI must protect individuals’ identity information and authentication records.

Thales can help your organization comply with many of the regulations and mandates required for Aadhaar.

1https://uidai.gov.in/my-aadhaar/about-your-aadhaar.html

  • Regulation
  • Compliance

The following standards are excerpted from the “UIDAI Information Security Policy – UIDAI External Ecosystem – Authentication User Agency/KYC User Agency” section of UIADAI’s 30 April 2018 update of its Compendium of Regulations, Circulars & Guidelines for (Authentication User Agency [AUA]/E-KYC User Agency [KUA], Authentication Service Agency [ASA] and Biometric Device Provider) [The Compendium]:

User Access Control

2.6 Access Control
1. Only authorized individuals shall be provided access to information facilities (such as Authentication application, audit logs, authentication servers, application, source code, information security infrastructure etc.) processing UIDAI information

Encryption of Data at Rest and in Motion

2.8 Cryptography
1. The Personal Identity data (PID) block comprising of the resident’s demographic / biometric data shall be encrypted as per the latest API documents specified by the UIDAI at the end point device used for authentication (for e.g. PoT terminal)
2. The PID shall be encrypted during transit and flow within the AUA / KUA ecosystem and while sharing this information with ASAs

Encryption Key Management

2.8 Cryptography
6. Key management activities shall be performed by all AUAs / KUAs to protect the keys throughout their lifecycle. The activities shall address the following aspects of key management, including;

a) key generation;

b) key distribution;

c) Secure key storage;

d) key custodians and requirements for dual Control;

e) prevention of unauthorized substitution of keys;

f) Replacement of known or suspected compromised keys;

g) Key revocation and logging and auditing of key management related activities.

Database Access Logging

2.10 Operations Security
12. AUAs/KUAs shall ensure that the event logs recording the critical user-activities, exceptions and security events shall be enabled and stored to assist in future investigations and access control monitoring;
13. Regular monitoring of the audit logs shall take place for any possible unauthorized use of information systems and results shall be recorded. Access to audit trails and event logs shall be provided to authorized personnel only

Tokenization of Aadhaar numbers

This guidance is from "Circular 11020/205/2017" in The Compendium:

In order to enhance the security level for storing the Aadhaar numbers, it has been mandated that all AUAs/KUAs/Sub-AUAs and other entities that are collecting and storing the Aadhaar number for specific purposes under the Aadhaar Act 2016, shall start using Reference Keys mapped to Aadhaar numbers through tokenization in all systems.

(a) All entities are directed to mandatorily store Aadhaar Numbers and any connected Aadhaar data (e.g. eKYC XML containing Aadhaar number and data) on a separate secure database/vault/system. This system will be termed as “Aadhaar Data Vault” and will be the only place where the Aadhaar Number and any connected Aadhaar data will be stored.

(c) Each Aadhaar number is to be referred by an additional key called as Reference Key. Mapping of reference key and Aadhaar number is to be maintained in the Aadhaar Data Vault.

(d) All business use-cases of entities shall use this Reference Key instead of Aadhaar number in all systems where such reference key need to be stored/mapped, i.e. all tables/systems requiring storage of Aadhaar numbers for their business transactions should from now onwards maintain only the reference key. Actual Aadhaar number should not be stored in any business databases other than Aadhaar vault.

The use of FIPS 140-2 Certified HSMs for Cryptographic Key Protection

Also from Circular 11020/205/2017 in The Compendium:

(f) The Aadhaar number and any connected data maintained on the Aadhaar Data Vault shall always be kept encrypted and access to it strictly controlled only for authorized systems. Keys for encryption are to be stored in HSM devices only.

Compliance Summary

Thales e-Security can help you meet the many of the requirements UIDAI’s Aadhar Number Regulation through the following:

Strong access management and authentication

Thales Access Management and Authentication solutions provide both the security mechanisms and reporting capabilities organizations need to comply with data security regulations. Our solutions protect sensitive data by enforcing the appropriate access controls when users log into applications that store sensitive data. By supporting a broad range of authentication methods and policy driven role-based access, our solutions help enterprises mitigate the risk of data breach due to compromised or stolen credentials or through insider credential abuse.

Support for smart single sign on and step-up authentication allows organizations to optimize convenience for end users, ensuring they only have to authenticate when needed. Extensive reporting allows businesses to produce a detailed audit trail of all access and authentication events, ensuring they can prove compliance with a broad range of regulations.

Thales Compliance Solutions

The following Thales solutions can help you comply with South Korea’s PIPA.

Data discovery and classification

The first step in protecting sensitive data is finding the data wherever it is in the organization, classifying it as sensitive, and typing it (e.g. PII, financial, IP, HHI, customer-confidential, etc.) so you can apply the most appropriate data protection techniques. It is also important to monitor and assess data regularly to ensure new data isn’t overlooked and your organization does not fall out of compliance.

Thales’ CipherTrust Data Discovery and Classification efficiently identifies structured as well as unstructured sensitive data on-premises and in the cloud. Supporting both agentless and agent-based deployment models, the solution provides built-in templates that enable rapid identification of regulated data, highlight security risks, and help you uncover compliance gaps. A streamlined workflow exposes security blind spots and reduces remediation time. Detailed reporting supports compliance programs and facilitates executive communication.

Protection of sensitive data at rest

Separation of privileged access users and sensitive user data

With the CipherTrust Data Security Platform, administrators can create strong separation of duties between privileged administrators and data owners. CipherTrust Transparent Encryption encrypts files, while leaving their metadata in the clear. In this way, IT administrators -- including hypervisor, cloud, storage, and server administrators -- can perform their system administration tasks, without being able to gain privileged access to the sensitive data residing on the systems they manage.

Separation of administrative duties

Strong separation of duties policies can be enforced to ensure one administrator does not have complete control over data security activities, encryption keys, or administration. In addition, the CipherTrust Manager supports two-factor authentication for administrative access.

Granular privileged access controls

The CipherTrust Data Security Platform can enforce very granular, least-privileged-user access management policies, enabling protection of data from misuse by privileged users and APT attacks. Granular privileged-user-access management policies can be applied by user, process, file type, time of day, and other parameters. Enforcement options can control not only permission to access clear-text data, but what file-system commands are available to a user.

Protection of sensitive data in motion

Thales High Speed Encryptors (HSEs) provide network independent data-in-motion encryption (Layers 2,3 and 4) ensuring data is secure as it moves from site-to-site, or from on-premises to the cloud and back. Our HSE solutions allow customers to better protect data, video, voice, and metadata from eavesdropping, surveillance, and overt and covert interception—all at an affordable cost and without performance compromise.

  • Related Resources
  • Other key data protection and security regulations

    GDPR

    Regulation
    Active Now

    Perhaps the most comprehensive data privacy standard to date, GDPR affects any organization that processes the personal data of EU citizens - regardless of where the organization is headquartered.

    PCI DSS

    Mandate
    Active Now

    Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

    Data Breach Notification Laws

    Regulation
    Active Now

    Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.