You can read this post Whats is wrong with Aadhar Software System ? (Part-1) on this link :
https://digitaltechnologyarchitecture.blogspot.in/2018/01/whats-is-wrong-with-aadhar-software.html
https://digitaltechnologyarchitecture.blogspot.in/2018/01/whats-is-wrong-with-aadhar-software.html
I can't say I was shocked to hear about The Tribune (link) report
on how their reporter purchased Aadhar data for 500 INR and for another
300 INR purchased a software that could print Aadhar Card ( India's
Social Security Number card) but I was surprised at the poor design and
operating model of the system. I expected the system to be much more
smarter, secure and foolproof than it seems to be now. UIDAI has denied
the data leak but Tribune seems to have material evidence and they have
published a response to UIDAI statement today (link).
This kind of data leak does not happen because of a single point of failure. There has to be issue with the
1) Solution architecture (architectural description of a specific solution)
2) Application architecture (describes the behavior of applications),
3) Security architecture (unified security design that addresses the necessities & potential risks),
4) Operation architecture (defines control of operational procedure & execution of operational tasks)
5) Finally the Software testing plan seems to have failed to detect the flaws in the software.
As long as there is valuable data, hackers will try to attack the system but fortunately this was not a hack or else hackers would have wiped the data and held Indian government for ransom. Politicians who are enforcing Aadhar just don't seem to understand a badly designed software can play havoc and that delayed software system is better than a faulty software system. I don't think we need any more proof to call for an immediate software audit conducted by 2 independent reputed agencies. If we are so sure that system has no flaw then software audit will help regain the confidence of billion Indians. Every big software is audited periodically so why not audit Aadhar System which is a critical system for the government as well as billion Indians. I don't understand why government has not initiated a software audit after multiple 'reported' incidents of data lapses over last 2 years. If the audit highlights any issue then the Aadhar software architects are to be blamed and not the government. The other issue could be the change in Vision, possibly Aadhar system is made to do what it was not designed to do when it designed.. A software audit will only validate that you have a well designed, robust and secure software system and its operations are being managed well by the team.
When there are multiple issues in a software system they can only be addressed by conducting a detailed software audit followed by fixing the issues identified in the audit. ( Do read my earlier post Why you should be concerned about #Aadhar being made mandatory for citizen of India? ) Having worked as a fire fighter on solving complex issues on many complex software systems for fortune 100 companies I must say I have not encountered such a large software system that seems to have been put in production without due diligence. I have seen projects where leads & managers have been removed on the spot for much smaller issues than what was reported by The Tribune. Software systems are custom made to solve a particular business challenge and if there is a failure in basic operation of the software then it is because the project leadership was incompetent to handle the project right from the solution design stage to development stage and onto the operations stage.
Here is a simple picture that will give you an idea of what all could have gone wrong with Aadhar System, I am not privy to the Aadhar architecture so the picture highlights the potential issues in the software based on what we know from reports on data leaks. I am concerned that a software system has become a prestige issue and UIDAI is defending reports rather than publishing a whitepaper on health of the Aadhar System so Indians don't worry about the most critical software that is going to affect every Indian. I want to find out , what is wrong with Aadhar system? What needs to be fixed to avoid the known issues in future?
2) The data access should have been restricted at application service layer, data service layer as well as database level for additional security and I think all 3 layers have design flaws.
2) The system should have different levels of user authorization that limits user access to certain services and this authorization framework seems to be flawed or else missing from the system.
3) Creation of new user is an activity that should be restricted to a limited set of super users & if we go by the news report then it seems that a use who is not administrator has the right to create new users without approval of any superior authority and this is poor design and a big security risk. A new user creation process is typically performed by the administrator and for critical systems like Aadhar, there should be an 'approval workflow for user creation' where clearance is taken from 'access control board' or at least a super admin before creating new users. A ordinary system user who accesses the system for routine transaction should not be allowed to create new user at his will. This flaw allows the system to be misused as it seems to have happened in this case.
4) Authorities have responded that system activities are monitored so it is surprising that when users are being created at will without approval no one noticed it, when system was being accessed by unknown new users no one noticed it, when user data was being downloaded no one noticed it and even the network administrator did not notice unusual activity on the network when billion records were being accessed/downloaded.
5) In an ideal system that has Business Activity Monitoring, rules are
defined on what services needs to be monitored, what alert should be
sent by email or by SMS in case of some user accessing a set of services
and what action should be taken by the team who is responsible for
monitoring the software. None of these things seem to be in place or
else UIDAI would have nabbed the culprits before the whistle blower
initially complained to authorities and long before reporter
investigated the story.
As I mentioned earlier this looks like case of multi point failure and if one of the checks had failed still the monitoring system should have automatically notified the authorities about the suspicious activities within minutes if not seconds of the suspicious event. My guess is a good Business Activity Monitoring tool which is must for any critical enterprise system is either not implemented or the implementation is flawed.
Obviously there could be other issues in Aadhar system that we are not aware of. For example scalability and availability issues and performance issues - and I have reason to believe that the way it is being implemented today Aadhar system is going face major performance issues one day. The 1 lakh plus municipal employee in Mumbai are using Aadhar bio-metrics to sign-in & sign-out at work. (I have got proof that municipal employees get emails twice a day from Aadhar system when they scan their finger prints). Which means Aadhar system is being accessed for employee attendance 2 lakh times every day by Mumbai municipality alone! There are around 4000 cities in India which makes 4000 x 2 lakh = 800,000,000 hits to Aadhar server everyday by municipal employees alone! I assume if municipality is using Aadhar for attendance then other government employees will also be using Aadhar verification for attendance and a conservative guess would be 1 lakh government employees across 4000+ cities in India ( I am not considering the employees working in smaller town & remote areas). This means there will be 1.6 billion hits to Aadhar server everyday just verification of attendance of government & municipal employees! At 9 am when all employees reach office there will be at least 80,000 hits to the server every 3 second (assuming 4000 cities , 10 offices in each city, 2 bio-metrics scanner in each office) Did UIDAI plan for this? Is Aadhar Architecture built to take this kind of peak load? Why the heck should we use national bio-metrics server to verify that employee in each city has reached office! Did we create Aadhar for such stupid mundane tasks? Which other SMART DIGITAL COUNTRY in the world has implemented this kind of verification system for government employee? Which software architect gave this idea to goverment to use Aadhar for employee attendance verification and what are other redundant uses that Aadhar is going to be used for? It is absurdly, insanely, mind boggling crazy to implement Aadhar based attendance! Imagine when Hospitals, Railways, Airlines, Jios & every other company starts using Aadhar for verification we will need a new Aadhar Hardware City to host the servers required to cater to such large population! (Ok! Ok! I exaggerated it! Wont need a new city but a huge number of computing nodes on a Cloud since it is quite likely that Aadhar system is hosted on a Cloud)
In my next post I will explain the potential missing blocks that could lead to such system failure in a software system (again I am assuming The Tribune report is reliable and they have indeed purchased billion records for 500 INR. Damit!)
My next post will be about Whats needs to be fixed in Aadhar Software System ? (Part-2) & after that 3rd post will be on How blockchain or similar trust framework could have prevented the Aadhar Data leaks in Aadhar System? (part-3)
This kind of data leak does not happen because of a single point of failure. There has to be issue with the
1) Solution architecture (architectural description of a specific solution)
2) Application architecture (describes the behavior of applications),
3) Security architecture (unified security design that addresses the necessities & potential risks),
4) Operation architecture (defines control of operational procedure & execution of operational tasks)
5) Finally the Software testing plan seems to have failed to detect the flaws in the software.
As long as there is valuable data, hackers will try to attack the system but fortunately this was not a hack or else hackers would have wiped the data and held Indian government for ransom. Politicians who are enforcing Aadhar just don't seem to understand a badly designed software can play havoc and that delayed software system is better than a faulty software system. I don't think we need any more proof to call for an immediate software audit conducted by 2 independent reputed agencies. If we are so sure that system has no flaw then software audit will help regain the confidence of billion Indians. Every big software is audited periodically so why not audit Aadhar System which is a critical system for the government as well as billion Indians. I don't understand why government has not initiated a software audit after multiple 'reported' incidents of data lapses over last 2 years. If the audit highlights any issue then the Aadhar software architects are to be blamed and not the government. The other issue could be the change in Vision, possibly Aadhar system is made to do what it was not designed to do when it designed.. A software audit will only validate that you have a well designed, robust and secure software system and its operations are being managed well by the team.
When there are multiple issues in a software system they can only be addressed by conducting a detailed software audit followed by fixing the issues identified in the audit. ( Do read my earlier post Why you should be concerned about #Aadhar being made mandatory for citizen of India? ) Having worked as a fire fighter on solving complex issues on many complex software systems for fortune 100 companies I must say I have not encountered such a large software system that seems to have been put in production without due diligence. I have seen projects where leads & managers have been removed on the spot for much smaller issues than what was reported by The Tribune. Software systems are custom made to solve a particular business challenge and if there is a failure in basic operation of the software then it is because the project leadership was incompetent to handle the project right from the solution design stage to development stage and onto the operations stage.
Here is a simple picture that will give you an idea of what all could have gone wrong with Aadhar System, I am not privy to the Aadhar architecture so the picture highlights the potential issues in the software based on what we know from reports on data leaks. I am concerned that a software system has become a prestige issue and UIDAI is defending reports rather than publishing a whitepaper on health of the Aadhar System so Indians don't worry about the most critical software that is going to affect every Indian. I want to find out , what is wrong with Aadhar system? What needs to be fixed to avoid the known issues in future?
My understanding of Aadhar System
< Click image to zoom >
So what are the key take away from this data leak incident?
1) Critical software system like Aadhar are used for verification of Aadhar user's identity and when user input is passed to the system, the systems responds as verification success or failure. The system should not allow users to download Aadhar number or details of Aadhar users. This is a grave software design flaw and there is no doubt about it whatever UIDAI might claim.2) The data access should have been restricted at application service layer, data service layer as well as database level for additional security and I think all 3 layers have design flaws.
2) The system should have different levels of user authorization that limits user access to certain services and this authorization framework seems to be flawed or else missing from the system.
3) Creation of new user is an activity that should be restricted to a limited set of super users & if we go by the news report then it seems that a use who is not administrator has the right to create new users without approval of any superior authority and this is poor design and a big security risk. A new user creation process is typically performed by the administrator and for critical systems like Aadhar, there should be an 'approval workflow for user creation' where clearance is taken from 'access control board' or at least a super admin before creating new users. A ordinary system user who accesses the system for routine transaction should not be allowed to create new user at his will. This flaw allows the system to be misused as it seems to have happened in this case.
4) Authorities have responded that system activities are monitored so it is surprising that when users are being created at will without approval no one noticed it, when system was being accessed by unknown new users no one noticed it, when user data was being downloaded no one noticed it and even the network administrator did not notice unusual activity on the network when billion records were being accessed/downloaded.
< Click image to zoom >
As I mentioned earlier this looks like case of multi point failure and if one of the checks had failed still the monitoring system should have automatically notified the authorities about the suspicious activities within minutes if not seconds of the suspicious event. My guess is a good Business Activity Monitoring tool which is must for any critical enterprise system is either not implemented or the implementation is flawed.
Obviously there could be other issues in Aadhar system that we are not aware of. For example scalability and availability issues and performance issues - and I have reason to believe that the way it is being implemented today Aadhar system is going face major performance issues one day. The 1 lakh plus municipal employee in Mumbai are using Aadhar bio-metrics to sign-in & sign-out at work. (I have got proof that municipal employees get emails twice a day from Aadhar system when they scan their finger prints). Which means Aadhar system is being accessed for employee attendance 2 lakh times every day by Mumbai municipality alone! There are around 4000 cities in India which makes 4000 x 2 lakh = 800,000,000 hits to Aadhar server everyday by municipal employees alone! I assume if municipality is using Aadhar for attendance then other government employees will also be using Aadhar verification for attendance and a conservative guess would be 1 lakh government employees across 4000+ cities in India ( I am not considering the employees working in smaller town & remote areas). This means there will be 1.6 billion hits to Aadhar server everyday just verification of attendance of government & municipal employees! At 9 am when all employees reach office there will be at least 80,000 hits to the server every 3 second (assuming 4000 cities , 10 offices in each city, 2 bio-metrics scanner in each office) Did UIDAI plan for this? Is Aadhar Architecture built to take this kind of peak load? Why the heck should we use national bio-metrics server to verify that employee in each city has reached office! Did we create Aadhar for such stupid mundane tasks? Which other SMART DIGITAL COUNTRY in the world has implemented this kind of verification system for government employee? Which software architect gave this idea to goverment to use Aadhar for employee attendance verification and what are other redundant uses that Aadhar is going to be used for? It is absurdly, insanely, mind boggling crazy to implement Aadhar based attendance! Imagine when Hospitals, Railways, Airlines, Jios & every other company starts using Aadhar for verification we will need a new Aadhar Hardware City to host the servers required to cater to such large population! (Ok! Ok! I exaggerated it! Wont need a new city but a huge number of computing nodes on a Cloud since it is quite likely that Aadhar system is hosted on a Cloud)
In my next post I will explain the potential missing blocks that could lead to such system failure in a software system (again I am assuming The Tribune report is reliable and they have indeed purchased billion records for 500 INR. Damit!)
My next post will be about Whats needs to be fixed in Aadhar Software System ? (Part-2) & after that 3rd post will be on How blockchain or similar trust framework could have prevented the Aadhar Data leaks in Aadhar System? (part-3)
