UIDAI’s Aadhaar Number Regulation Compliance

Thales eSecurity can help you comply with key Aadhaar provisions


The Unique Identification Authority of India (UIDAI) was established under the provisions of India’s 2016 Aadhaar Act. UIDAI is responsible for issuing unique identification numbers (UIDs), called Aadhaar, and providing Aadhaar cards to all residents of India. The 12-digit UIDs are generated after the UIDAI verifies the uniqueness of enrollees’ demographic and biometric information; UIDAI must protect individuals’ identity information and authentication records.

Thales eSecurity can help your organization comply with many of the regulations and mandates required for Aadhaar.

The following standards are excerpted from the “UIDAI Information Security Policy – UIDAI External Ecosystem – Authentication User Agency/KYC User Agency” section of UIDAI’s 30 April 2018 update of its Compendium of Regulations, Circulars & Guidelines for Authentication User Agency (AUA)/E-KYC User Agency (KUA), Authentication Service Agency (ASA) and Biometric Device Provider [The Compendium]:

User Access Control

2.6 Access Control
1. Only authorized individuals shall be provided access to information facilities (such as Authentication application, audit logs, authentication servers, application, source code, information security infrastructure etc.) processing UIDAI information

Encryption of Data at Rest and in Motion

2.8 Cryptography
1. The Personal Identity data (PID) block comprising of the resident’s demographic / biometric data shall be encrypted as per the latest API documents specified by the UIDAI at the end point device used for authentication (for e.g. PoT terminal)

2. The PID shall be encrypted during transit and flow within the AUA / KUA ecosystem and while sharing this information with ASAs

Encryption Key Management

2.8 Cryptography
6. Key management activities shall be performed by all AUAs / KUAs to protect the keys throughout their lifecycle. The activities shall address the following aspects of key management, including:

a) key generation;
b) key distribution;
c) secure key storage;
d) key custodians and requirements for dual control;
e) prevention of unauthorized substitution of keys;
f) replacement of known or suspected compromised keys;
g) key revocation and logging and auditing of key management related activities.

Database Access Logging

2.10 Operations Security
12. AUAs/KUAs shall ensure that the event logs recording the critical user-activities, exceptions and security events shall be enabled and stored to assist in future investigations and access control monitoring;

13. Regular monitoring of the audit logs shall take place for any possible unauthorized use of information systems and results shall be recorded. Access to audit trails and event logs shall be provided to authorized personnel only

Tokenization of Aadhaar numbers

This guidance is from Circular 11020/205/2017 in The Compendium:

In order to enhance the security level for storing the Aadhaar numbers, it has been mandated that all AUAs/KUAs/Sub-AUAs and other entities that are collecting and storing the Aadhaar number for specific purposes under the Aadhaar Act 2016, shall start using Reference Keys mapped to Aadhaar numbers through tokenization in all systems.

(a) All entities are directed to mandatorily store Aadhaar Numbers and any connected Aadhaar data (e.g. eKYC XML containing Aadhaar number and data) on a separate secure database/vault/system. This system will be termed as “Aadhaar Data Vault” and will be the only place where the Aadhaar Number and any connected Aadhaar data will be stored.

(c) Each Aadhaar number is to be referred by an additional key called as Reference Key. Mapping of reference key and Aadhaar number is to be maintained in the Aadhaar Data Vault.

(d) All business use-cases of entities shall use this Reference Key instead of Aadhaar number in all systems where such reference key need to be stored/mapped, i.e. all tables/systems requiring storage of Aadhaar numbers for their business transactions should from now onwards maintain only the reference key. Actual Aadhaar number should not be stored in any business databases other than Aadhaar vault.

The use of FIPS 140-2 Certified HSMs for Cryptographic Key Protection

Also from Circular 11020/205/2017 in The Compendium:

(f) The Aadhaar number and any connected data maintained on the Aadhaar Data Vault shall always be kept encrypted and access to it strictly controlled only for authorized systems. Keys for encryption are to be stored in HSM devices only.

Compliance Summary

Thales eSecurity can help you meet many of the requirements of UIDAI’s Aadhaar Number Regulation through the following:

User Access Control: Vormetric Data Security Manager

Thales eSecurity’s Vormetric Data Security Manager enables the organization to limit user access privileges to information systems that provide access to nonpublic information.

Encryption of Data at Rest and in Motion: Vormetric Transparent Encryption and Datacryptor 5000

Thales eSecurity’s Vormetric Transparent Encryption solution protects data with file- and volume-level data-at-rest encryption, access controls, and data access audit logging without re-engineering applications, databases or infrastructure. Deployment of the transparent file encryption software is simple, scalable and fast, with agents installed above the file system on servers or virtual machines to enforce data security and compliance policies. Policy and encryption key management are provided by the Vormetric Data Security Manager.

To protect data in motion, Thales eSecurity’s Datacryptor 5000 network data encryption solution uses high-assurance encryption methods and state-of-the-art key management techniques that provide robust security, low latency and high performance in Layer 2 and IP networks.

Encryption Key Management: Vormetric Integrated Key Management

Thales eSecurity’s Vormetric Integrated Key Management unifies and centralizes encryption key management on premises and provides secure key management for data storage solutions. Cloud Key Management products include the CipherTrust Cloud Key Manager for centralized multi-cloud key life cycle visibility and management with FIPS 140-2 secure key storage, and Cloud Bring Your Own Key based on secure nShield HSMs.

Database Access Logging: Security Intelligence Logs

The Vormetric Platform’s Security Intelligence Logs let your organization identify unauthorized access attempts and build baselines of authorized user access patterns. Vormetric Security Intelligence integrates with leading security information and event management (SIEM) systems that make this information actionable. The solution enables immediate, automated escalation of and response to unauthorized access attempts, and provides all the data needed to build the behavioral patterns required to identify suspicious use by authorized users, as well as training opportunities.

Tokenization of Aadhaar Numbers: Vormetric Tokenization with Dynamic Masking

Vormetric Vaultless Tokenization with Dynamic Data Masking dramatically reduces the cost and effort required to comply with security policies and regulatory mandates, such as Aadhaar. The solution delivers capabilities for database tokenization and dynamic display security. Now you can efficiently address your objectives for securing and anonymizing sensitive assets—whether they reside in data center, big data, container or cloud environments.

The Use of FIPS 140-2 Certified HSMs for Cryptographic Key Protection: nShield HSMs

nShield HSMs from Thales eSecurity provide a hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption and more. Certified at FIPS 140-2 Levels 2 and 3, nShield HSMs support a variety of deployment scenarios. nShield Connect and Solo HSMs also provide a secure environment for running sensitive applications.

Compliance Brief : Complying with UIDAI’s Aadhaar Number Regulations

The Unique Identification Authority of India (UIDAI) was established under the provisions of India’s 2016 Aadhaar Act. UIDAI is responsible for issuing unique identification numbers (UIDs), called Aadhaar, and providing Aadhaar cards to all residents of India. Learn how Thales can help your organization comply with many of the regulations and mandates required for Aadhaar.


Data Sheet : Platform Data Sheet

The Vormetric Data Security Platform makes it efficient to manage data-at-rest security across your entire organization. Built on an extensible infrastructure, Vormetric Data Security Platform products can be deployed individually, while sharing efficient, centralized key management.


Data Sheet : nShield HSMs

nShield hardware security modules (HSMs) provide a hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption and more. Available in three FIPS 140-2 certified form factors, nShield HSMs support a variety of deployment scenarios.


Solution Brief : Vormetric Tokenization with Dynamic Data Masking

Tokenization and data masking – anonymizing data for security and compliance. The Vormetric Data Security Platform features tokenization capabilities that can dramatically reduce the cost and effort associated with complying with security policies and regulatory mandates like the Payment Card Industry Data Security Standard (PCI DSS).
