Human identity verification started moving to digital formats in the early 2000s and accelerated significantly over the past decade. In fact, many travel apps, financial services, and consumer apps now request identity verification through submitted photos of government-issued IDs.

In this blog, we’ll talk about the new data security (DSPM) capabilities Orca has released to help organizations protect sensitive data in image files, like photos of passports, voter cards, and driver’s licenses.

Common use cases for storing image files with sensitive data

Government-issued identification is essential to daily life. Not only do many countries require people to carry their ID with them, but government-issued ID is also required for starting a job, opening a bank account, and traveling. As early as the 2010s, mobile banking apps began requesting photo IDs and other sensitive documents (such as signed checks) for identity verification and regulatory compliance.

With the rise of high-quality smartphone cameras, submitting photos of government-issued IDs became increasingly commonplace. Today, hotel booking platforms often request passport photos for international reservations, while online gambling and gaming platforms require identity verification to ensure players meet age requirements.

Compliance requirements with GDPR and data privacy laws

The challenge with uploading these types of photos to applications lies in ensuring that the files are stored in compliance with data privacy laws, since these images usually contain personally identifiable information (PII). 

The General Data Protection Regulation (GDPR) has strict guidelines on how to handle personal data, as do other data privacy laws, like the California Consumer Privacy Act (CCPA), India’s Digital Personal Data Protection Act (DPDPA), and Indonesia’s Personal Data Protection Law (PDPL). Organizations that breach these privacy laws face serious fines and, in severe cases, possible imprisonment. For example, breaching GDPR can cost an organization fines of up to €20 million or 4% of annual global turnover, whichever is higher.

Data security with Orca

To help organizations remain compliant with sovereign privacy laws, the Orca Platform helps customers answer three important questions about the data security posture of their cloud native applications:

  • What type of sensitive data is stored? Orca detects and automatically classifies personally identifiable information (PII), protected health information (PHI), payment card industry (PCI) data, secrets, and any custom sensitive identifiers customers may configure.
  • What assets store this sensitive data? Orca’s agentless SideScanning technology identifies sensitive data across cloud-managed databases, unmanaged databases, buckets, serverless functions and files throughout your organization.
  • What risks are associated with these assets and data? Orca creates alerts when it has identified misconfiguration risk, vulnerabilities, or other types of risk to sensitive data. The risk scores for these alerts are dynamically calculated to factor in asset context, attack paths, and type of sensitive data. These alerts also provide a redacted sample of the sensitive data detected as evidence that this data was, in fact, identified.

With the addition of Optical Character Recognition (OCR), Orca now extends sensitive data detections for PII to image files stored in buckets, helping customers control their sensitive data inventory and reduce their data attack surface.

In the following example, we stored photos of the government-issued IDs shown below in an S3 bucket. (Note that redacted images are shown here, but unredacted images were stored in the S3 bucket.)

Orca identifies the passport card number and the permanent account numbers in these IDs, classifies them as PII, and flags them as sensitive data, complete with a redacted sample of the PII discovered.

Admins can also create custom identifiers for Orca to detect, choosing to match content found in databases, text files, and/or image files.

About the Orca Cloud Security Platform

Orca offers a unified and comprehensive cloud security platform that identifies, prioritizes, and remediates security risks and compliance issues across AWS, Azure, Google Cloud, Oracle Cloud, Alibaba Cloud, and Kubernetes. The Orca Cloud Security Platform leverages Orca’s patented SideScanning™ technology to provide complete coverage and comprehensive risk detection. 

Learn More

Interested in exploring data security (DSPM) capabilities in the Orca Platform? Schedule a personalized 1:1 demo.