CaseStudy Banking Regulator

Banking Regulator Implements JISA’s Tokenisation, Encryption and Hardware Security Module for Data Lake Project

The Organisation

The organisation is India’s Banking Regulator under the jurisdiction of Ministry of Finance, Government of India. It is responsible for the issue and supply of the Indian rupee and the regulation of the Indian banking system. It also manages the country’s main payment systems. Until the Monetary Policy Committee was established in 2016, it also had full control over monetary policy in India. It commenced its operations on 1 April 1935. The original share capital was divided into shares of 100 each fully paid. It is a member bank of the Asian Clearing Union. The bank is also active in promoting financial inclusion policy and is a leading member of the Alliance for Financial Inclusion (AFI). 

The Business Challenge

The banking regulator has to collect and store personal and sensitive data in a large amount. The sensitive data includes Customer data (Name, Mobile Number, email, Aadhaar Number, PAN number, etc.), Payment sensitive data (customer and beneficiary account details); Payment Credentials (OTP, PIN, Passwords, etc.) and Transaction data was stored in a Data Lake. Data lake is a storage repository which stores large amount of structured, semi-structured, and unstructured data. It stores every type of data in its native format with no fixed limits on account size or file. It offers high data quantity to increase analytic performance and native integration. Just like in a lake it has multiple tributaries coming in, a data lake has structured data, unstructured data, logs etc.

This data would be collected and stored in their system in plain text format i.e. in unencrypted format. If any unauthorized person accesses the data or there is data loss, it would lead a serious data breach. This not only risks harm to the individuals but also strict penalties.

Apart from storing the sensitive data, banking regulation often need to transfer data to and from banks, financial institutions etc. This data also needed to be transferred in an encrypted manner to avoid unauthorized access, data loss etc.

Hence the organisation wanted to store and transfer the sensitive data in an encrypted format. Considering large amount of encrypted data, key management is essential part of the encryption solution.

The Solution

Since the large amount of data was stored in unstructured format, appropriate solution needed for securing each kind of data. Considering this challenge, JISA has deployed  encryption  and  tokenization solutions for the organisation. 

JISA’s CryptoBind SecureVault (J-Vault Vaultbased Tokenisation) was deployed primarily to store PII data, financial data. CryptoBind SecureVault allows applications to tokenize and replace sensitive data with token values. In order to secure sensitive data, JISA has developed this solution that will help agency to implement an encrypted secure Data Vault to tokenise and securely store PII data.

It exposes SOAP/ REST API to directly and securely store the data in a Data Vault using the Tokenization method. CryptoBind SecureVault is connected to CryptoBind HSM (Network Security Module by JISA powered by LiquidSecurity) to manage encryption keys.

ADV Admin Portal is hosted on client location which works in sync with tokenization engine services. It facilitates various operations like User Access Control and Management, Application Onboarding, Key Management, Token Management and Policy Management. 

CryptoBind SecureVault Deployment Architecture:

CryptoBind HSM (Network Security Module by JISA powered by LiquidSecurity) is  a high performance hardware based transaction security solution for cloud data centers, Enterprise, government organisation and ecommerce applications. HSM family provides a FIPS 140-2 level 3 certified solution that provides elastic and centralized key management and key operation functionality. As required by organization, encryption  keys are securely stored in CryptoBind HSM.

To add an additional layer of security CryptoBind Transparent Encryption (J-STE Transparent Data Encryption) was implemented to encrypt data files at rest. Data at rest is subject to threats from hackers and other malicious threats. To prevent this data from being accessed, modified or stolen, JISA’s TDE employ security protection measures such as password protection, data encryption, or a combination of both to encrypt data at rest.  The TDE solution is connected to CryptoBind HSM to manage TDE encryption keys. By implementing CryptoBind Transparent Encryption, if a hacker or malicious user tries to access data files, his access is blocked by encrypted files. 

CryptoBind Transparent Encryption Deployment Architecture:

To transfer the sensitive data to and from banking institutions or financial institution, CryptoBind SecureApp (J-SA Data in Transit Encryption) has been deployed. JISA’s CryptoBind SecureApp provides encryption of data in transit. Data in transit, or data in motion, is data actively moving from one location to another such as across the internet or through a private network. JISA’s CryptoBind SecureApp involves a lightweight library which works seamlessly in desktop, enterprise, and cloud environments as well.

CryptoBind SecureApp Deployment Architecture:

The Result