Security Controls Requirements for Aadhaar API providers

With the commencement of Aadhaar project of UIDAI to round up all the citizen of India from centralized data repository of large user database to provide a unique identification of the Indian residents. today i am writing this blog for Aadhaar based authentication service providers companies because companies like NBFC is accessing the data of NSDL through APIs.

First of all we need to understand about the Aadhaar and APIs

Aadhaar is a 12 digit unique-identity number issued to all Indian residents based on their biometric and demographic data. The data is collected by the Unique Identification Authority of India (UIDAI), a statutory authority established on 12 July 2016 by the Government of India, under the Ministry of Electronics and Information Technology, under the provisions of the Aadhaar Act 2016. Now let’s understand the API.

Application program interface (API) is a set of routines, protocols, and tools for building software applications. An API specifies how software components should interact. Additionally, APIs are used when programming graphical user interface (GUI) components.

So there are key area of considerations for API providers or in the straightforward approach, the requirements of security controls for Aadhaar API service providers. Companies are providing Aadhaar APIs to developers, therefore that is more convenient and sophisticated to developers.

The API users organization are fetching the Aadhaar data  by using customized APIs and these APIs get the response from Aadhaar database after authentication of the Aadhaar API providers end, with the knowing that developers don’t have the direct access on the CIDR. So this middle connect(API providers) should have implement security controls to prevent and detect mala-fide users and their malicious activities for legal and statutory compliance to prevent fine, penalties and reputation loss.

The following are required controls and sub controls given, that will help to API providers to comply with legal and technical requirements on the basis of best practices.

  1. Asset Management
  • Inventory of Assets
  • Ownership of assets
  • Asset list on the basis of criticality
  • Asset handover process
  1. Access Control

There are four main categories of access controls;

  • Mandatory access control
  • Discretionary access control
  • Role-based access control
  • Rule-based access control

In the above described categories Aadhaar based API providers should choose the access controls according to best practices and the other points should be considered.

  • User Access on ‘need to know basis’
  • Provisioning of Privileged access
  • User’s Access logs
  1. Communication Security
  • Secure Configuration
  • Segregation of network
  • Encryption in transmission
  1. Secure Development

Secure development is a practice to ensure that the code and processes that go into developing applications/ systems are as secure as possible.

Follow OWASP Top 10 Controls:

The following are the controls but not limited to these only.

  • Input Validation
  • Output Encoding
  • Authentication and Password Management (includes secure handling of credentials by external services/scripts)
  • Session Management
  • Cryptographic Practices
  • Error Handling and Logging
  1. Malware Protection

To protect the IT systems from malwares, some points needs to be considered.

  • Daily new virus definition updated
  • Scheduled system scan
  1. Email Security
  • Block unknown sources
  • Awareness to users
  • Secure authentication process
  1. Internet Security
  • Restricted use only
  • log maintenance
  • Periodic review of Access
  1. Information Backup and Restoration
  • Procedural approach
  • Periodic Backup plan
  • Process review
  • Ensure the successful restoration
  1. Change Management
  • Identify the required change
  • Prior approval
  • Implementation and Monitoring
  • Alignment of the process according to changes in system


  1. BCP & DRP
  • Documented Business Continuity plan
  • Obtain Approval for plan
  • Periodic drills and review
  • Aligned process according the change
  1. Log Maintenance

To detect the anomaly of the systems logs are required because to investigate the incident the logs of systems should be maintained.

  1. Internal Audit
  • Periodic review of system controls
  • To measure the effectiveness of the controls
  • Assess the risks of the organization
  • Corrective actions
  1. Technical Vulnerability Management
  • Periodic review of the technical controls
  • To incorporate current security trends
  • Reduce the risk of security holes
  • Provides upgrade in the current security posture
  1. Compliance of legal and statutory requirements
  • Comply with the industrial rules and regulations
  • Country specific laws
  • Ensures the protection of information
  • Reduce the monetary loss

We have been consulting NBFC vendors who use NSDL database for providing Authentication & EKYC support to establish security requirements from NSDL guidelines.

For any requirements Contact us at

Aditya Soni, is an information security consultant @ISECURION, and an Lead Auditor, Lead Implementer ISO 27001:2013, enthusiast in Cyber security and Law.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.