Wednesday, March 21, 2018

How to implement Aadhaar Data Vault without using HSM based tokenization?


In accordance with the UIDAI circular 11020/205/2017, any organisation that stores Aadhaar number in their database should implement Aadhaar Data Vault and replace the Aadhaar numbers using the reference tokens created by the Aadhaar Data Vault. The Aadhaar number and the XML returned by UIDAI as part of Aadhaar authentication/eKYC call will have to be stored in the encrypted format and the access to the Aadhaar Data Vault will have to be strictly controlled. The encryption keys should be stored in a Hardware Security Module.   This is the crux of the reference id circular published by UIDAI, for more details please follow the link given above.

Now the question is how do you implement Aadhaar Data Vault in an organisation that is storing Aadhaar numbers without using HSM based tokenization solution which can be very costly?

Hardware Security Module or HSM is a hardware device that is used to secure the encryption keys. It also optimises the encryption and signing process by providing dedicated processors for the operation. HSMs comes in the different flavours which can be based on how they are installed, made available to other application, the functionalities provided by them and the throughput or transactions per second (TPS) required. The general rule is that an HSM with higher functionality and throughput costs way more than a lower model.

The most basic form of an HSM is the card HSM that provides key storage and encryption/signing functionalities alone. The card HSM is like a graphics card that can be added to a computer and it can be used by the applications installed in the computer.  The card HSM is the cheapest HSM available.
If you want to use the HSM in multiple applications that are installed on different machines then you will have to get a network HSM. The network HSM is a dedicated machine that is installed in the data centre and made accessible to the other application using an SDK. This is costlier than the card HSM irrespective of the throughput. The HSM can get even costlier if you need the tokenization functionality in it. The tokenization supported model usually cost at least five to ten lakhs more than the base model.

HSM vendors are pitching the tokenization supported model as the go-to solution for Aadhaar Data Vault implementation. This would mean that companies that want to implement  Aadhaar Data Vault using HSM tokenization would have to shell out an additional 10 to 20 lakhs to cover DC and DR implementation.

Actually, this is a huge expense that can be avoided. The UIDAI circular 11020/205/2017 does not mandate the use of HSM for tokenization. It only requires the use of HSM for key storage which would, in turn, be used for encryption and decryption. The tokenisation can be provided through a software solution like Finavault. Using Finavault would be able to reduce your cost of implementation by 75% compared to that of an HSM based Tokenization solution.

 Apart from the cost advantage, Finavault provides you with the ability to easily scale the application to service additional load as needed. Yo also be able to quickly comply with any changes in regulation or API spec proposed by UIDAI. Imagine doing this with a hardware solution.

So if you are looking for a cost-effective and fully compliant Aadhaar Data Vault solution, then Finavault is your solution of choice.

For more information contact us.
We, Finahub, are experts in Aadhaar related products and services like eSign, eKYC, Authentication etc. If you want to know how your enterprise can start using it, please give us a call  @ 0484 2388285 or email us at inf[email protected]