Aadhaar is a 12-digit unique number that the Unique Identification Authority of India (UIDAI) will issue for all residents of India. The number will be stored in a centralized database and linked to the basic demographics and biometric information—photograph, 10 fingerprints and iris—of each individual.
This is a very ambitious project, expecting to enroll 600 million people in the next four years. Once successfully implemented, it will provide immense benefits to the population. These benefits depend on accurate identification and authentication of the beneficiary, so that benefits reach the people they are intended for. This will also cut down on leakage of benefits, resource waste and impersonation. The secure centralized database itself will be cleaned of duplicate records using de-duplication techniques, thus reducing the chance of fraud. The system is expected to reach an authentication volume of 100 million transactions per day by 2016.
The Aadhaar number can be used for multiple types of authentication:
- Type 1 Authentication—Use Aadhaar authentication system for matching Aadhaar number and the demographic attributes of a resident.
- Type 2 Authentication—Authenticate residents through a one-time-password (OTP) delivered to the resident’s mobile number and/or email address present in Central Identities Data Repository (CIDR).
- Type 3 Authentication—Authenticate residents using one of the biometric modalities (iris or fingerprint).
- Type 4 Authentication—This is a two-factor authentication offering with OTP as one factor and biometrics (either iris or fingerprint) as the second factor.
- Type 5 Authentication—This allows service delivery agencies to use OTP, fingerprint and iris together (three-factor authentication) to authenticate residents.
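The five authentication types above are, from a relying party's side, a factor policy: each type names the factors a request must carry, and the server should refuse anything weaker. The following is an added example, not UIDAI's code or API, of how a service provider might enforce that policy server-side: a table of requirement groups per type, OTP handling that rejects expired and replayed codes and compares in constant time, a byte-equality stand-in for a biometric matcher, and a presence check that runs before any OTP is consumed. The record layout, field names, the 300-second OTP window and the sample values are all constructed assumptions. The format check on the number uses the Verhoeff check digit, which UIDAI's published number format specifies for the 12th digit; that detail is not stated on this page.

```python
"""Factor-policy check for the five Aadhaar authentication types.
Constructed example: record layout, field names and OTP window are assumptions."""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Set, Tuple
import hmac
import time

# Verhoeff check digit (the scheme UIDAI specifies for the 12th digit; standard tables).
_D = [[0,1,2,3,4,5,6,7,8,9],[1,2,3,4,0,6,7,8,9,5],[2,3,4,0,1,7,8,9,5,6],
      [3,4,0,1,2,8,9,5,6,7],[4,0,1,2,3,9,5,6,7,8],[5,9,8,7,6,0,4,3,2,1],
      [6,5,9,8,7,1,0,4,3,2],[7,6,5,9,8,2,1,0,4,3],[8,7,6,5,9,3,2,1,0,4],
      [9,8,7,6,5,4,3,2,1,0]]
_P = [[0,1,2,3,4,5,6,7,8,9],[1,5,7,6,2,8,3,0,9,4],[5,8,0,3,7,9,6,1,4,2],
      [8,9,1,6,0,4,3,5,2,7],[9,4,5,3,1,2,6,8,7,0],[4,2,8,6,5,7,3,9,0,1],
      [2,7,9,3,8,0,6,4,1,5],[7,0,4,6,9,1,3,2,5,8]]
_INV = [0,4,3,2,1,5,6,7,8,9]

def verhoeff_checksum(number: str) -> int:
    """Returns 0 when the number, check digit included, is consistent."""
    c = 0
    for i, ch in enumerate(reversed(number)):
        c = _D[c][_P[i % 8][int(ch)]]
    return c

def append_check_digit(payload: str) -> str:
    c = 0
    for i, ch in enumerate(reversed(payload)):
        c = _D[c][_P[(i + 1) % 8][int(ch)]]
    return payload + str(_INV[c])

def aadhaar_format_valid(number: str) -> bool:
    return len(number) == 12 and number.isdigit() and verhoeff_checksum(number) == 0

# Factor policy: a request satisfies a type when every requirement group has at
# least one verified member. Types 3 and 4 accept either biometric modality;
# Type 5 needs OTP, fingerprint and iris together.
FACTOR_POLICY: Dict[int, List[Set[str]]] = {
    1: [{"demographic"}],
    2: [{"otp"}],
    3: [{"fingerprint", "iris"}],
    4: [{"otp"}, {"fingerprint", "iris"}],
    5: [{"otp"}, {"fingerprint"}, {"iris"}],
}
OTP_TTL_SECONDS = 300  # assumed validity window, not UIDAI's figure

@dataclass
class CidrRecord:
    """Toy stand-in for a resident's CIDR entry (constructed fields)."""
    name: str
    year_of_birth: int
    fingerprint_template: bytes
    iris_template: bytes
    otp: Optional[str] = None
    otp_issued_at: float = 0.0
    otp_used: bool = False

def _verify_otp(rec: CidrRecord, submitted: Any, now: float) -> bool:
    # Reject missing, replayed or expired codes first; compare in constant time;
    # burn the OTP on success so the same code cannot be replayed.
    if rec.otp is None or rec.otp_used or now - rec.otp_issued_at > OTP_TTL_SECONDS:
        return False
    if not hmac.compare_digest(rec.otp.encode(), str(submitted).encode()):
        return False
    rec.otp_used = True
    return True

def _verify_biometric(template: bytes, sample: bytes) -> bool:
    # Stand-in for a real matcher, which scores similarity against a threshold;
    # here a sample matches only if it equals the stored template byte for byte.
    return hmac.compare_digest(template, sample)

def authenticate(auth_type: int, aadhaar: str, factors: Dict[str, Any],
                 rec: CidrRecord, now: Optional[float] = None) -> Tuple[bool, str]:
    """Fail-closed: (True, "ok") only when the policy and every required factor pass."""
    now = time.time() if now is None else now
    if auth_type not in FACTOR_POLICY:
        return False, "unknown authentication type"
    if not aadhaar_format_valid(aadhaar):
        return False, "malformed Aadhaar number"
    # Presence check before any verification, so a request that is missing a
    # factor is refused without consuming the resident's OTP.
    for group in FACTOR_POLICY[auth_type]:
        if not group & set(factors):
            return False, "type %d requires one of %s" % (auth_type, sorted(group))
    verified: Set[str] = set()
    if "demographic" in factors:
        claim = factors["demographic"]
        if claim.get("name") == rec.name and claim.get("year_of_birth") == rec.year_of_birth:
            verified.add("demographic")
    if "otp" in factors and _verify_otp(rec, factors["otp"], now):
        verified.add("otp")
    if "fingerprint" in factors and _verify_biometric(rec.fingerprint_template, factors["fingerprint"]):
        verified.add("fingerprint")
    if "iris" in factors and _verify_biometric(rec.iris_template, factors["iris"]):
        verified.add("iris")
    for group in FACTOR_POLICY[auth_type]:
        if not group & verified:
            return False, "type %d: %s failed" % (auth_type, " or ".join(sorted(group)))
    return True, "ok"
```

The order of checks is the point: type and number format first, then the presence check against the policy, and only then the factor verifications, so a Type 4 request that carries an OTP but no biometric is refused without burning the OTP, and a successful OTP can never be presented twice.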
Security of the centralized database will be of paramount importance, and UIDAI will provide it. The end customers will use various authentication devices. Security of these devices will be equally important and will be the responsibility of the various service providers, such as banks. As can be seen from the types of authentication, the end device used for authentication could be a mobile device or a biometric device. In the future, we may even see ATMs with biometric authentication through Aadhaar. These devices need to be secure. Communication with the CIDR or an intermediary will also require secure communication links.
In August 2012, UIDAI issued a request for proposal (RFP) “Hiring of Services for design and implementation of the GRC Framework and providing Performance Assurance Services for UIDAI” and recommended the use of COBIT 4.1 or 5. COBIT 5 was published by ISACA in April 2012.
ISACA released four publications in November 2012 that are very relevant for supporting the Aadhaar implementation efforts:
- Securing Mobile Devices Using COBIT 5 for Information Security
- Biometrics Audit/Assurance Program
- VPN Security Audit/Assurance Program
- Securing Sensitive Personal Data or Information for India’s IT Act Using COBIT 5
The first publication, Securing Mobile Devices Using COBIT 5 for Information Security, deals extensively with security of mobile devices such as smartphones, tablets, GPS navigation aids and even medical implants controlled by wireless interaction. The publication provides details about threats, vulnerabilities and associated risk; security governance and management of mobile devices; and mobile device security assurance, all within the business framework provided by COBIT 5.
The second publication, Biometrics Audit/Assurance Program, is applicable for any deployment of biometric technology. Apart from planning and scoping the audit, preparatory steps and governance, it includes detailed audit and assurance steps to evaluate the biometric standards and architecture, biometric operation, network security components, and biometrics planning and deployment. Since Aadhaar will use biometric devices for authentication, security of these devices can be improved by using this comprehensive audit/assurance program.
Mobile devices and biometric authentication devices make extensive use of the Internet for communication. The only secure way of using the Internet is by deploying a Virtual Private Network (VPN). As such, the third publication, VPN Security Audit/Assurance Program, becomes very relevant. It discusses planning and scoping the audit, describes the preparatory steps, details the governance requirements for VPNs, and explains the audit and assurance steps to evaluate VPN policy, the various VPN configurations, and VPN maintenance and monitoring.
These four timely publications from ISACA will be useful for people responsible for deploying and maintaining various Aadhaar authentication devices and also for protecting sensitive and personal information of clients to comply with India’s IT Act.
Avinash Kadam, CISA, CISM, CGEIT, CRISC, CISSP, CSSLP, GSEC, GCIH, CBCP, MBCI, PMP, CCSK
Advisor, ISACA India Task Force