View from India: GSTN, special purpose vehicle for IT infrastructure
Goods and Services Tax Network (GSTN) a private company established in March 2013, provides IT infrastructure and services to the Central and State governments, tax payers and other stakeholders for implementation of the Goods and Services Tax (GST). GSTN is the backbone of the new GST regime ushered in on July 1 2017.
“GSTN is the special purpose vehicle for laying the IT infrastructure for the income generated by GST payers. In India the number of new taxpayers are expected to be around 7mn-8mn, which means there will be two to three billion B2B invoice data that will be uploaded on to the portal every month,” said Mr Anand Pande, senior vice president (CISO), GSTN, at a recent event.
GSTN has partnered with Infosys, wherein Infosys functions as a single managed service provider (MSP) for the design, development and deployment of GST system, including all application software, tools and Infrastructure and for operating and maintaining the system for a period of five years from the go-live date.
GSTN has been envisioned to create a uniform interface for the tax payer and a common and shared IT infrastructure between the Centre and States. This can happen only when there is a strong IT Infrastructure and Service back bone which enables capture, processing and exchange of information amongst the stakeholders including tax payers, States and Central Governments, Accounting Offices, Banks and RBI. Two development centres (DCs) have been set up in Bangalore and Delhi to deploy services.
GSTN has rolled out an IT strategy for taxpayers. “We are preparing a platform with back-end executives to assess refunds. We are developing modules that include back-end and front operations to interact with the GST inflow,” he added.
As GST carries the promise of being a game-changer, GSTN has conceptualised an ecosystem to mitigate risk. That’s because the core GST system is not directly exposed to the Internet, it has multi-layered security architecture with some of the best-in-breed technology and products.
While designing the application, the focus has been on security, apart from openness, scalability and a data-driven ground approach. There’s a role-based access to the GST system through secured and real-time collection. The application involves various testing stages, beginning with the development of software. The operating software used in GST systems is scanned for malwares or security risk purposes. Upon approval, an online application is developed. The DCs in Bangalore and Delhi have been built with multi-level security. The IT infrastructure security happens in a caged area, complete with access controls.
The GST system has a G2B portal for taxpayers to access the GST systems. Yet there are other options available to interact with the GST system as the taxpayer via the choice of third-party applications, which will provide all user interfaces and convenience via desktop, mobile, other interfaces, will be able to interact with the GST system. The third-party applications will connect with GST system via secure GST system application programme interface (APIs). Third-party service providers who have been given a generic name, GST Suvidha Provider or GSP, develop all applications. “The GST system has layered access to taxpayers, books and government offices and GSPs come through APIs,” highlighted Mr Pande.
Every API call is authenticated through user ID password and authentication. A dedicated security operations centre (SOC) monitors the activities for the IT system and application devices, twenty four hours a day, on every day of the year. A dedicated team manages the network operations centre (NOC) and takes into account aspects like performance, utility, availability of IT infrastructure and network devices.
The security testing audits includes GRC framework, information, cyber-security framework and programme governance framework. A static and dynamic analysis of third-party components and operating software binaries are conducted to detect malware using licensed and customised tools.
The data transfer for the GST system happens in an encrypted format using industry-known standards like Capability Maturity Model Integration (CMMI) and International Standards Organisation (ISO) Standard.
The Standardisation Testing Quality and Certification (STQC) a government agency will audit the system.