GSTN Security 101: How Secure Is Your Data?
With GST taking all the taxation formalities digital, concerns of data security are obvious. The question “how secure is your data?” is the center of many conversations. With the recent series of malware attacks, people are also asking “How vulnerable GSTN might be to ransomware attacks?”.
In this blog, we try our best to address the security concerns based on data confidentiality and protection against malware.
Firstly, one needs to understand that there are two different infrastructures of GSTN specifically in the context of how the ecosystem outside GSTN interacts with GSTN for returns filing etc.
- The API Server: This server is primarily used by all the GST Suvidha Providers and the Application Service Providers. These interact with the external world primarily using JSON data streams over HTTP.
- The GSTN portal: The portal itself where the files are sent
Secondly, this blog addresses the concerns of security in three divisions for clarity;
Confidentiality of trade information
Access of invoice and trade data information is restricted to the tax payer and the tax officer alone.
The return filing system followed by the GST requires for organisations to share multiple details present on the invoice format that starts with invoice value stating the unit price of goods or services to the line item details in case of goods; and other financial details of the business. Information of this nature is something that organisations consider extremely confidential as it could impact the business’ ability to remain competitive in the market. Security of this information has been acknowledged and taken into consideration by the GSTN.
To ensure confidentiality, the GSTN has set protocols that only allow access to the tax payer and the tax officer at the administration end. The only information available to any business is what they communicate to or receive from the GSTN which is tracked based on the GSTIN.
Security of data during transfer
Use of json data streams over HTTP
“But how will data security be monitored during GST return filing?” is one of the few questions that are being asked by many tax payers.
The first step taken to ensure security at this stage is the regulation that the GSP is also not allowed to store any of the data during transmission. The second step is ensuring that the ASPs encrypt the data before initiating return filing. But the most stringent of measures taken is the use of json data streams over HTTP. While it is not impossible that a virus can propagate from this channel, the chances are extraordinarily low. Creation of a virus that can infect this channel will require in depth knowledge of the software which actually parses the data and this is not public knowledge. Moreover, a vulnerability in that software has to be found which would allow some other malicious code to be executed. The time investment with no guarantee of results are strong deterrents to making this channel at the focus point of any attack.
Security of the GST Network (GSTN) in itself
The GSTN has some of the best security practices in place.
The data visibility at the GSTN is restricted but is the GSTN vulnerable to malware? How does the network protect itself from malware attacks?
Linux based systems with other security measures to avoid malware attacks through excel uploads are likely to be in place. In the first place, Linux systems have been known to be far more secure than Microsoft platforms. Creating malware needs knowledge of the codes of the software that it is meant to infect. In case of Linux, this information is not common knowledge. This puts in place security at the infrastructure level in itself. The next level of security breach can occur is malware is coded into the excel files transferred to the GSTN. This, however, can only be triggered by an action and the malware will have to be created with the system that it is intended to infect. The software and codes that the GSTN is built is again not information that can be easily found.
While these measures do not ensure that a security breach is impossible, it does make the task a lot more improbable. To support these measures, the GSTN will also be mostly likely to run periodic tests to find and plug any loopholes before there is a possibility of exploitation.