The recent Aadhaar data security conundrum, resulting in identity theft and data breaches, was due to poor implementation of security, monitoring and authentication mechanisms, according to a panel of security experts assembled by Information Security Media Group.
The Unique Identification Authority of India's efforts to protect its Aadhaar data repository, which holds information on 1.2 billion Indians, lack an effective data protection framework, the panel concludes in an exclusive, in-depth audio report (see link below image).
Aadhaar Data Compromise
"There have been many instances of Aadhaar data compromise. It is a challenge to ascertain where the compromise has occurred - at the Central Identities Data Repository or at the user agency system level; there is little information about whether the data has been secured," says Bengaluru-based Naavi Vijayashankar, a cyber dispute risk management consultant and cyber law expert.
Bengaluru-based C. N. Shashidhar, CEO at SecureIT, a security consulting firm, notes during the panel: "Aadhaar is a very good instrument for data governance, but its security is poorly implemented; its present policy is opaque - we call it 'security by obscurity' - with very little information on security measures for protecting such huge data.
"UIDAI must do a better job of sharing its program on protecting citizens' data, as its generalized disclosure on the best practice of encrypting the data does not explain its security posture," Shashidhar says. "And this parlance is valid for a limited period before the zero-day attacks occur."
Mumbai-based K. K. Mookhey, CEO at NII Consulting, a security service provider, argues: "Any assumption by UIDAI that citizens' biometric data has not been compromised or breached might be proven wrong when big breaches such as Equifax, JP Morgan and OPM have not been spared despite huge security investments. Any central repository of personal or private demographic data is sure to be a lucrative target."
The key issue, according to the three experts who participated in the panel discussion, is mapping the risks associated with storing such a huge amount of data and enabling access by third parties.
"Any user or agency accessing UIDAI's data and requesting hundreds of details has been provided these," Naavi says. "This is a misuse of data; the system needs to send an alert."
Shashidhar contends that UIDAI failed to map the risk. He charges that the Aadhaar mobile app failed the basic security test of writing simple security code.
"The approach is immature, with inadequate controls while providing access to third parties," he says.
Resilient Data Protection Framework
UIDAI has added new security layers for Aadhaar via Virtual ID - a temporary, 16-digit Virtual ID number that can be used by Aadhaar holders for authentication purposes - and a UID token - a 72-character alphanumeric string all entities can use to ensure customer uniqueness. The panelists, however, call this a Band-Aid approach because the key functionalities for protecting data are not well articulated (see: Aadhaar Getting Additional Security Layer).
Although the three panelists commended UIDAI's efforts to build a framework to protect data, they urged benchmarking Aadhaar against PCI DSS, NIST and other compliance and security frameworks to spot weak areas.
The panelists also questioned how useful VID and UID tokens would prove to be.
Mookhey says, in theory, VID and UID tokens would help authenticate transactions. "But the fundamental question remains: Is my Aadhaar private or not, as UIDAI clearly says the Aadhaar number is not an authentication mechanism? Then why do I need a virtual ID when it cannot be used for authentication purposes or if no service provider will validate transactions based on this number?"
Critical steps UIDAI needs to take in building a resilient data protection framework for Aadhaar, according to the panelists, are:
- Collaborate with security professionals on the effort;
- Use better authentication methods while sharing data with third parties;
- Clearly articulate the security functions of VID and UID tokens and the technical implementation in protecting customer credentials;
- Deploy role-based controls to restrict abuse of data by super-users;
- Adopt device-based encryption;
- Deploy technologies for better monitoring and detection of user behavior.
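As an added illustration of the monitoring the panelists ask for (Naavi's point that an agency pulling hundreds of details should trigger an alert, and the last item above on detecting user behavior), here is example detection logic run over constructed log lines. It is not UIDAI's code; the log format, agency names and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration, not UIDAI policy.
MAX_FIELDS_PER_REQUEST = 10   # an ordinary e-KYC lookup needs a handful of fields
MAX_REQUESTS_PER_WINDOW = 5   # burst limit per requesting agency inside WINDOW
WINDOW = timedelta(seconds=60)

# Assumed log format: ISO timestamp, requesting agency, operation, fields returned.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) agency=(?P<agency>\S+) op=(?P<op>\S+) fields=(?P<fields>\d+)$"
)

# Constructed sample log (not real data): AUA-202 pulls 250 fields in one call,
# AUA-101 fires six requests within a minute, one line is malformed.
SAMPLE_LOG = [
    "2018-01-15T10:00:01 agency=AUA-101 op=ekyc fields=4",
    "2018-01-15T10:00:09 agency=AUA-202 op=demo fields=250",
    "2018-01-15T10:00:10 agency=AUA-101 op=ekyc fields=4",
    "2018-01-15T10:00:11 agency=AUA-101 op=ekyc fields=4",
    "2018-01-15T10:00:12 agency=AUA-101 op=ekyc fields=4",
    "2018-01-15T10:00:13 agency=AUA-101 op=ekyc fields=4",
    "2018-01-15T10:00:14 agency=AUA-101 op=ekyc fields=4",
    "garbage line",
    "2018-01-15T10:05:00 agency=AUA-303 op=ekyc fields=4",
]

def parse(line):
    """Parse one line into (timestamp, agency, op, field_count); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["agency"], m["op"], int(m["fields"]))

def detect(lines):
    """Return (agency, reason) alerts for oversized single requests and for
    request bursts from one agency inside a sliding time window."""
    alerts, recent, burst_flagged = [], defaultdict(deque), set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                      # skip malformed lines rather than trust them
        ts, agency, op, fields = rec
        if fields > MAX_FIELDS_PER_REQUEST:
            alerts.append((agency, f"bulk field request: {fields} fields in one {op}"))
        q = recent[agency]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # drop timestamps that left the window
            q.popleft()
        if len(q) > MAX_REQUESTS_PER_WINDOW and agency not in burst_flagged:
            burst_flagged.add(agency)     # alert once per agency per burst
            alerts.append((agency, f"{len(q)} requests within {WINDOW.seconds}s"))
    return alerts
```

Running `detect(SAMPLE_LOG)` yields one bulk-request alert for AUA-202 and one burst alert for AUA-101; AUA-303 and the well-behaved requests produce nothing.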
Vijayashankar, an information assurance consultant, is a pioneer in cyber law in India and founder of www.naavi.org. He pioneered "Total Information Assurance," an approach to information security going beyond confidentiality, integrity and availability to authentication and nonrepudiation.
Mookhey, CEO at NII Consulting, is well versed in the security challenges of various industry verticals and in international standards. The author of books on Linux security and on the Metasploit framework, he has also written numerous articles on information security.
Shashidhar, CEO at SecureIT, is a certified expert in information security, governance, risk and compliance with 28 years of experience. He has managed security and control transitions for acquisitions and created control and governance frameworks. With experience in several business sectors, he's currently focused on information security training and consulting. He previously was a global information security adviser at IBM India for 20 years.
(Editor's Note: Recording this panel from multiple locations resulted in some minor audio quality issues. Editors Suparna Goswami and Varun Haran also participated in this project.)