Tuesday, November 7, 2017

All you need to know about Aadhaar Data Vault

Recently there have been numerous instances of Aadhaar data being exposed online by various agencies. Over 130 millions aadhaar data and bank account details leaked from the government website. According to aadhaar regulations sharing, circulating or publishing of aadhaar number is restricted. To enhance the security of Aadhaar numbers, UIDAI has introduced the “Aadhaar Data Vault". Aadhaar Data Vault is a centralized storage for all the Aadhaar numbers collected by the AUAs/KUAs/Sub-AUAs/ or any other agency for specific purposes. It is a secure system accessible only on a need to know basis. The Aadhaar data vault consists of reference key, which is a unique token to represent the Aadhaar number in the entire internal ecosystem of the agency. Mapping of reference key and Aadhaar number is to be maintained in the Aadhaar Data Vault. The primary objectives of aadhaar data vault are reducing the footprinting of aadhaar number, preventing 360 profiling of residents, ceasing the usage of aadhaar number as the domain-specific identifier. The course of action for implementation of aadhaar data vault is given below.

1. All entities are directed to mandatorily store Aadhaar Numbers and any connected Aadhaar data on a separate secure database/vault/system. This system will be termed as "Aadhaar Data Vault" and will be the only place where the Aadhaar Number and any connected Aadhaar data will be stored.
2. Entities are allowed to store any relevant demographic data and/or photo of the Aadhaar Number Holder in other systems as long as Aadhaar Number is not stored in those systems.
3. Each Aadhaar number is to be referred by an additional key called as Reference Key. Mapping of reference key and Aadhaar number is to be maintained in the Aadhaar Data Vault.
4. Actual Aadhaar number should not be stored in any business databases other than Aadhaar Data Vault.
5. Access to Aadhaar Data Vault shall be made secure and accessed through internal systems only.
6. The Aadhaar number and any connected data maintained on the Aadhaar Data Vault should always be kept encrypted and access to it strictly controlled only for authorized systems. 
7. Aadhaar numbers along with connected data should only be stored in a single logical instance of Aadhaar Data Vault with corresponding reference key. 
8. The Aadhaar Data Vault containing system must be kept in a highly restricted network zone that is isolated from any untrusted zone and other internal network zones.
9. Only trusted communications must be permitted in and out of the vault. 
10. The Aadhaar Data Vault must implement strong access controls, authentication measures, monitoring and logging of access and raising necessary alerts for unusual and/or unauthorised attempts to access.
11. The Aadhaar Data Vault should support mechanisms for secure deletion/update of Aadhaar number and corresponding data if any as required by the data retention policy of the entities.
12. The chosen Reference Key generation method is to ensure that the recovery of the original Aadhaar number must not be computationally feasible knowing only the reference key or number of reference keys. 

For more information contact us.
We, Finahub, are experts in Aadhaar related products and services like eSign, eKYC, Authentication etc. If you want to know how your enterprise can start using it, please give us a call  @ 0484 2388285 or email us at [email protected]