
UIDAI’s Aadhaar Number Regulation Compliance

Thales can help you comply with key Aadhaar provisions


The Unique Identification Authority of India (UIDAI) was established under the provisions of India’s 2016 Aadhaar Act. UIDAI is responsible for issuing unique identification numbers (UIDs), called Aadhaar, and providing Aadhaar cards to all residents of India. The 12-digit UIDs are generated after the UIDAI verifies the uniqueness of enrollees’ demographic and biometric information; UIDAI must protect individuals’ identity information and authentication records.

Thales can help your organization comply with many of the regulations and mandates required for Aadhaar.


The following standards are excerpted from the “UIDAI Information Security Policy – UIDAI External Ecosystem – Authentication User Agency/KYC User Agency” section of UIDAI’s 30 April 2018 update of its Compendium of Regulations, Circulars & Guidelines for Authentication User Agency (AUA)/E-KYC User Agency (KUA), Authentication Service Agency (ASA) and Biometric Device Provider [The Compendium]:

User Access Control

2.6 Access Control
1. Only authorized individuals shall be provided access to information facilities (such as Authentication application, audit logs, authentication servers, application, source code, information security infrastructure etc.) processing UIDAI information

Encryption of Data at Rest and in Motion

2.8 Cryptography
1. The Personal Identity data (PID) block comprising of the resident’s demographic / biometric data shall be encrypted as per the latest API documents specified by the UIDAI at the end point device used for authentication (for e.g. PoT terminal)

Encryption Key Management

2.8 Cryptography
6. Key management activities shall be performed by all AUAs / KUAs to protect the keys throughout their lifecycle. The activities shall address the following aspects of key management, including;

  • a) key generation;
  • b) key distribution;
  • c) Secure key storage;
  • d) key custodians and requirements for dual Control;
  • e) prevention of unauthorized substitution of keys;
  • f) Replacement of known or suspected compromised keys;
  • g) Key revocation and logging and auditing of key management related activities.

Database Access Logging

2.10 Operations Security
12. AUAs/KUAs shall ensure that the event logs recording the critical user-activities, exceptions and security events shall be enabled and stored to assist in future investigations and access control monitoring;

13. Regular monitoring of the audit logs shall take place for any possible unauthorized use of information systems and results shall be recorded. Access to audit trails and event logs shall be provided to authorized personnel only

Tokenization of Aadhaar numbers

This guidance is from Circular 11020/205/2017 in The Compendium:

In order to enhance the security level for storing the Aadhaar numbers, it has been mandated that all AUAs/KUAs/Sub-AUAs and other entities that are collecting and storing the Aadhaar number for specific purposes under the Aadhaar Act 2016, shall start using Reference Keys mapped to Aadhaar numbers through tokenization in all systems.

(a) All entities are directed to mandatorily store Aadhaar Numbers and any connected Aadhaar data (e.g. eKYC XML containing Aadhaar number and data) on a separate secure database/vault/system. This system will be termed as “Aadhaar Data Vault” and will be the only place where the Aadhaar Number and any connected Aadhaar data will be stored.

(c) Each Aadhaar number is to be referred by an additional key called as Reference Key. Mapping of reference key and Aadhaar number is to be maintained in the Aadhaar Data Vault.

(d) All business use-cases of entities shall use this Reference Key instead of Aadhaar number in all systems where such reference key need to be stored/mapped, i.e. all tables/systems requiring storage of Aadhaar numbers for their business transactions should from now onwards maintain only the reference key. Actual Aadhaar number should not be stored in any business databases other than Aadhaar vault.
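The vault-and-reference-key arrangement described in (a), (c) and (d), as an added example that is neither Thales nor UIDAI code: an in-memory Aadhaar Data Vault that hands business systems a random Reference Key, resolves it only for authorised roles (Compendium 2.6) and records every access event (Compendium 2.10). The role names, the `REF-` prefix and the sample 12-digit number are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed example, not Thales or UIDAI code: an in-memory model of the
# "Aadhaar Data Vault" in Circular 11020/205/2017. Business tables hold only
# the Reference Key; the Aadhaar number exists in the vault alone. A real vault
# would encrypt its store with HSM-held keys (2.8) and ship audit_log to a SIEM (2.10).

AUTHORIZED_ROLES = {"vault-admin", "ekyc-service"}  # assumed role names

class AadhaarDataVault:
    def __init__(self, index_key: bytes):
        self._index_key = index_key  # secret for the lookup index
        self._by_ref = {}            # reference key -> Aadhaar number
        self._by_index = {}          # HMAC(number) -> reference key
        self.audit_log = []          # (event, role, reference key)

    def _index(self, aadhaar: str) -> str:
        # Keyed hash lets the vault find an existing mapping without keeping
        # a plaintext index of Aadhaar numbers; the key never leaves the vault.
        return hmac.new(self._index_key, aadhaar.encode(), hashlib.sha256).hexdigest()

    def _authorize(self, role: str, event: str, ref: str) -> None:
        if role not in AUTHORIZED_ROLES:  # Compendium 2.6: authorised users only
            self.audit_log.append(("DENIED_" + event, role, ref))
            raise PermissionError(f"role {role!r} may not access the vault")

    def tokenize(self, aadhaar: str, role: str) -> str:
        self._authorize(role, "TOKENIZE", "-")
        if not (aadhaar.isdigit() and len(aadhaar) == 12):
            raise ValueError("an Aadhaar number is exactly 12 digits")
        ref = self._by_index.get(self._index(aadhaar))
        if ref is None:
            # Random reference key: reveals nothing about the number itself.
            ref = "REF-" + secrets.token_hex(8)
            self._by_ref[ref] = aadhaar
            self._by_index[self._index(aadhaar)] = ref
        self.audit_log.append(("TOKENIZE", role, ref))
        return ref

    def detokenize(self, ref: str, role: str) -> str:
        self._authorize(role, "DETOKENIZE", ref)
        self.audit_log.append(("DETOKENIZE", role, ref))
        return self._by_ref[ref]

def stores_only_reference_key(record: dict) -> bool:
    """True when a business row (e.g. a KYC table) holds no 12-digit number."""
    return not any(str(v).isdigit() and len(str(v)) == 12 for v in record.values())
```

Tokenizing the same number twice returns the same Reference Key, so business tables can join on it without ever holding the Aadhaar number.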

Compliance Summary

Thales can help you meet many of the requirements of UIDAI’s Aadhaar Number Regulation through the following:

User Access Control: Vormetric Data Security Manager

Thales’s Vormetric Data Security Manager enables the organization to limit user access privileges to information systems that provide access to nonpublic information.

Encryption of Data at Rest: Vormetric Transparent Encryption

Thales’s Vormetric Transparent Encryption solution protects data with file and volume level data-at-rest encryption, access controls, and data access audit logging without re-engineering applications, databases or infrastructure. Deployment of the transparent file encryption software is simple, scalable and fast, with agents installed above the file system on servers or virtual machines to enforce data security and compliance policies. Policy and encryption key management are provided by the Vormetric Data Security Manager.

Encryption Key Management: Vormetric Integrated Key Management

Thales’s Vormetric Integrated Key Management unifies and centralizes encryption key management on premises and provides secure key management for data storage solutions. Cloud Key Management products include the CipherTrust Cloud Key Manager for centralized multi-cloud key life cycle visibility and management with FIPS 140-2 secure key storage.

Database Access Logging: Security Intelligence Logs

The Vormetric Platform’s Security Intelligence Logs let your organization identify unauthorized access attempts and build baselines of authorized user access patterns. Vormetric Security Intelligence integrates with leading security information and event management (SIEM) systems that make this information actionable. The solution allows immediate automated escalation and response to unauthorized access attempts, and supplies the data needed to build the behavioral patterns required to identify suspicious use by authorized users, which can also highlight training needs.

Tokenization of Aadhaar Numbers: Vormetric Tokenization with Dynamic Masking

Vormetric Vaultless Tokenization with Dynamic Data Masking dramatically reduces the cost and effort required to comply with security policies and regulatory mandates, such as Aadhaar. The solution delivers capabilities for database tokenization and dynamic display security. Now you can efficiently address your objectives for securing and anonymizing sensitive assets—whether they reside in data center, big data, container or cloud environments.
