Everything You Need To Know About The Aadhaar Data Vault
An Overview
- On July 8, 2019, the Rajya Sabha, the upper house of the Indian Parliament, passed the Aadhaar Card and Other Laws (Amendment) Bill, 2019. The amended bill, previously approved by the lower house, the Lok Sabha, now permits Aadhaar holders to voluntarily submit their Aadhaar Number as valid proof of identity when opening bank accounts or applying for new mobile phone connections.
- The amended bill also permits individuals to present their Virtual (Aadhaar) Identification Number for e-KYC authentication instead of their actual Aadhaar Card Number. Aadhaar holders can generate their own Virtual Identification Number by logging in to the UIDAI website.
- The amended bill is a welcome relief for authenticating businesses that had invested significantly in Aadhaar-based e-KYC infrastructure and had previously been barred by the Indian Supreme Court from performing e-KYC using people’s Aadhaar details. Under the new amendment these companies can resume Aadhaar-based e-KYC, provided they follow the strict privacy requirements imposed by regulators such as the UIDAI and RBI. Failure to comply with these security requirements can result in fines of up to one crore rupees. Authenticating entities must store downloaded Aadhaar data only in a dedicated Aadhaar Data Vault.
What is an Aadhaar Data Vault?
While citizens are no longer required to use Aadhaar, it remains necessary for organisations that provide Direct Benefit Transfers or run Aadhaar Enabled Payment Systems (AEPS). UIDAI requires all Aadhaar-based e-KYC authenticating companies to encrypt and store Aadhaar data in a separate repository known as an “Aadhaar Data Vault.” The same requirement introduced Secure Key Management guidelines to ensure that the sensitive encryption keys are kept isolated inside a tamper-resistant Hardware Security Module (HSM).
As a result, under the newly amended bill all AEPS companies need a secure, centralised store in the form of an Aadhaar Data Vault to hold this sensitive data. The UIDAI has also issued a circular that sets out Reference Key standards and requires all Aadhaar-related data to be stored in an Aadhaar Data Vault.
How does it work?
According to the UIDAI circular, all Aadhaar-related data must be encrypted, mapped to a Reference Key and stored in the Aadhaar Data Vault. The vault is therefore the only place where Aadhaar-related data may be held. Only internal systems have access to the Aadhaar Data Vault, and all organisations are required to use Reference Keys for all transactions.
Things to keep in mind
- Many commercially available solutions keep the encryption keys inside the software application itself. From a security-compliance standpoint this is a risky design. We strongly advise that all encryption keys, not just the root Master Key, be stored in tamper-resistant HSM devices.
- To provide the highest level of data security and protection, these HSM devices should be FIPS 140 Level 3 certified.
- Automatic key rotation should be configured on pre-defined schedules and carried out with no downtime.
- IP whitelisting should be enforced on the HSM devices themselves rather than in the application software, so that key management stays secure.
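To make the “How does it work?” description and the key-rotation point above concrete, here is an added example in Go. It is not code from the original article, from UIDAI or from any vault vendor. It models an Aadhaar Data Vault as a tokenization service: Store encrypts a 12-digit number with AES-256-GCM, keeps the ciphertext together with the id of the key version that produced it, and hands back a random Reference Key; Resolve is the single path from a Reference Key back to the number; RotateKey activates a new key version and re-wraps the existing records while the Reference Keys stay unchanged, which is what lets rotation happen without downtime for the systems that hold them. Everything in it is an assumption made for the demo: the type and function names, the “k1”/“k2” key-version ids, the in-memory maps standing in for the vault’s database and for an HSM (in a real vault the keys would be generated and used inside the HSM and never held in application memory), and the sample number 123456789012, which is constructed and not a real Aadhaar number.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// record: AES-GCM ciphertext of one Aadhaar number plus the key version that produced it.
type record struct {
	keyID string
	nonce []byte
	ct    []byte
}

// Vault is an in-memory model of an Aadhaar Data Vault (assumption: real keys live in an HSM).
type Vault struct {
	keys      map[string]cipher.AEAD // key version id -> AES-256-GCM instance
	activeKey string                 // version used for new encryptions
	records   map[string]record      // Reference Key -> encrypted Aadhaar number
}

// must panics on err; used only where failure means a bug or an unusable CSPRNG.
func must[T any](x T, err error) T {
	if err != nil {
		panic(err)
	}
	return x
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

func NewVault() *Vault {
	v := &Vault{keys: map[string]cipher.AEAD{}, records: map[string]record{}}
	v.RotateKey()
	return v
}

// RotateKey activates a fresh key version and re-wraps every record under it. Old versions are
// retained so nothing is unreadable mid-rotation, and Reference Keys never change. Returns the count re-wrapped.
func (v *Vault) RotateKey() (int, error) {
	v.activeKey = fmt.Sprintf("k%d", len(v.keys)+1)
	v.keys[v.activeKey] = must(cipher.NewGCM(must(aes.NewCipher(randBytes(32)))))
	n := 0
	for ref := range v.records {
		pt, err := v.Resolve(ref)
		if err != nil {
			return n, err
		}
		v.records[ref] = v.seal(v.activeKey, pt)
		n++
	}
	return n, nil
}

// seal encrypts under one key version, binding the key id as associated data.
func (v *Vault) seal(keyID, aadhaar string) record {
	g := v.keys[keyID]
	nonce := randBytes(g.NonceSize())
	return record{keyID: keyID, nonce: nonce, ct: g.Seal(nil, nonce, []byte(aadhaar), []byte(keyID))}
}

// Store encrypts a 12-digit Aadhaar number and returns a random, opaque Reference Key;
// the Reference Key is the only thing that leaves the vault.
func (v *Vault) Store(aadhaar string) (string, error) {
	if len(aadhaar) != 12 || strings.Trim(aadhaar, "0123456789") != "" {
		return "", fmt.Errorf("aadhaar number must be 12 digits")
	}
	ref := hex.EncodeToString(randBytes(16)) // random token: reveals nothing about the number
	v.records[ref] = v.seal(v.activeKey, aadhaar)
	return ref, nil
}

// Resolve maps a Reference Key back to the number: the one call to restrict to internal systems.
func (v *Vault) Resolve(ref string) (string, error) {
	r, ok := v.records[ref]
	if !ok {
		return "", fmt.Errorf("unknown reference key")
	}
	pt, err := v.keys[r.keyID].Open(nil, r.nonce, r.ct, []byte(r.keyID))
	return string(pt), err
}

func main() {
	v := NewVault()
	ref, _ := v.Store("123456789012") // constructed sample, not a real Aadhaar number
	n, _ := v.RotateKey()
	num, _ := v.Resolve(ref)
	fmt.Println(n, "record(s) now under", v.records[ref].keyID+";", ref, "resolves to", num)
}
```

Binding the key-version id into the AES-GCM associated data means a record cannot be decrypted under a different version, so a mislabelled or tampered row fails authentication instead of yielding garbage. The Reference Key is generated from the CSPRNG rather than derived from the number, so holding the token reveals nothing about the Aadhaar number. Whether repeated Store calls for the same number should reuse one Reference Key is a design choice this demo leaves open.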
Wrapping Up
While the Aadhaar Amendment Bill makes Aadhaar optional for e-KYC, it also requires private Aadhaar-based AEPS providers to establish Aadhaar Data Vaults to protect Aadhaar data. Outside the Aadhaar Data Vault, the latest UIDAI circular permits only the demographic data and the photograph of the Aadhaar holder to be stored in other systems. The vault will be the only location where Aadhaar numbers can be kept and mapped in the future.
Furthermore, with the Data Privacy Bill currently being debated by civic authorities, further data-security measures such as the Aadhaar Data Vault will be introduced, and enterprises must be prepared to satisfy the regulators’ security demands.