Image management in identity management: a picture paints a thousand words

Oct 31, 2017 | 6 mins
Cloud Security, Data and Information Security, Identity Management Solutions

Image management can give us the tools to secure and optimize image-based PII.


As we are all aware, we are living in the era of the “selfie.” Like them or loathe them, they are filling the cloud like billions of droplets of water. In 2016, Google had 24 billion selfies uploaded to Google Photos. But it isn’t just selfies winging their way into the clouds. Social media in general is having a long, drawn-out love affair with images, with Facebook having 350 million images uploaded every day.

There is a real, human-based reason for this. A photo is a way to share who we are, what we do, and how we do it. And in the world of identity, images of ourselves are, and will continue to be, a way to associate the real-me with the digital-me, even being used as proof of identity and authentication.

The new era of mass-adopted and verified digital identity is also enabling images to be used to do digital jobs. Life management platforms/personal data stores can be used to host and share image-based data. Images of, for example, passports and driver’s licenses can be stored in a data store and securely shared with third parties, to perform transactions and as proof of identity. Similarly, images of utility bills, financial statements, even certifications and personal wills, can be stored and shared from personal data stores, under user direction, to do jobs for that user.

But all of these images hitting the cloud take up space, add cost, and present security issues.

As well as managing our customers’ identity, we also need to manage their identity images.

Image management and the data store: a story of two halves – image optimization and security

In a report in 2013 into the personal data ecosystem, the World Economic Forum stated that:

“Given the complexity of the personal data ecosystem, the rate of change, the potential for significant value from data and the changing role of the individual, there is a need for a flexible, adaptive and resilient approach”

The use of the data store offers us adaptive ways to use identity. It takes us outside of the constraints of digital identity as a simple access control measure and into the realms of identity as a service. The data store does this by using verified personal information and sharing it with third parties to do jobs. Jobs such as proving you have certain finances in place to purchase a house; showing you are qualified to do a specific job; sharing your patient data with a physician, and so on. All of this can be done by sharing one or more identity or related documents – a passport photo, a degree certificate, an MRI scan. Each may well be in the form of an image. Each image may have been used previously as part of an earlier verification process too. The image has its own lifecycle: it is created, uploaded, stored, shared, checked, updated, archived.

As data stores become more important and we extend the use of a digital identity, image management needs to be as central a part of a consumer identity platform as verification is.

Image management, in an era where document checks play a vital part in identity verification, needs to incorporate two key areas:

1. Security/privacy

Images are part of our personal data. They are seen as Personally Identifiable Information (PII) by many institutions. The GDPR recognizes images with personal characteristics as PII, examples being a face on a passport or signature on a will. Images have also been the source of cyberattacks. Various celebrity iCloud image hacks have made the news. But once we start storing, en masse, photographic evidence of our identity, it’s highly likely cybercriminals will turn their beady eyes to the rest of us. So, security is an integral part of image management within a data store context. As far as security is concerned we are talking of measures such as:

  • Robust authentication measures like second factor, risk-based and behavioral context methods for data store login, access, and storage
  • Access control measures granular to image format type
  • Accessible only over HTTPS
  • Nonrepudiation using digitally signed images

In terms of privacy of identity and personal images we are looking at several options, including:

  • Redaction of certain parts of an image – based on access privilege
  • Consent models for sharing of personal data images
  • Secured management of images in storage
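The redaction-by-privilege and consent measures listed above can sit together in one release gate in front of the data store. This is an added example, not code from the article; the region labels, party names, the `share_image` function and the raw 8-bit grayscale buffer standing in for a decoded image are all assumptions made for illustration.

```python
import hashlib
from collections import namedtuple
from datetime import datetime, timezone

# Labelled area of a stored document image, and a user's consent record.
Region = namedtuple("Region", "label x y w h")
Consent = namedtuple("Consent", "party labels expires")

class ConsentError(Exception):
    pass

def share_image(pixels, width, height, regions, consents, party, now):
    """Return (redacted_bytes, sha256_hex) for party, or raise ConsentError."""
    if len(pixels) != width * height:
        raise ValueError("pixel buffer does not match dimensions")
    grant = next((c for c in consents
                  if c.party == party and c.expires > now), None)
    if grant is None:
        raise ConsentError(f"no unexpired consent for {party}")
    out = bytearray(pixels)          # copy; the stored original is untouched
    for r in regions:
        if r.label in grant.labels:
            continue                 # explicitly consented: disclose
        # Any other labelled region is overwritten in the pixel data itself
        # (not hidden behind an overlay), clipped to the image bounds.
        x0, x1 = max(r.x, 0), min(r.x + r.w, width)
        y0, y1 = max(r.y, 0), min(r.y + r.h, height)
        if x1 <= x0:
            continue
        for row in range(y0, y1):
            out[row * width + x0:row * width + x1] = bytes(x1 - x0)
    released = bytes(out)
    return released, hashlib.sha256(released).hexdigest()  # digest for audit log

# Constructed sample: 8x4 grayscale "passport scan", every pixel 200.
W, H = 8, 4
SAMPLE = bytes([200]) * (W * H)
REGIONS = [Region("face", 0, 0, 3, 2), Region("signature", 4, 2, 4, 2),
           Region("doc_number", 0, 3, 4, 1)]
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
CONSENTS = [Consent("landlord.example", frozenset({"face"}),
                    datetime(2030, 1, 1, tzinfo=timezone.utc)),
            Consent("old-bank.example", frozenset({"face", "signature"}),
                    datetime(2020, 1, 1, tzinfo=timezone.utc))]
```

Recording the digest of the released derivative lets the data store later show exactly which bytes each third party received.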

2. Image optimization and data sharing

The mass upload of images to data stores will be a challenge in elastic scalability. And we need to find an optimum value between the perfect image resolution and image size. Having a scanned passport is a very useful inclusion in a data store. It can be used to verify the person during registration, and it can also be shared to do jobs such as going through an apartment rental process. However, the passport image needs to go through a process of image optimization to make it small enough for hosting purposes, but still machine/person readable. Striking a balance that gets image resolution vs image size right is one thing, but we consumers are pretty impatient beings. A recent study showed that more than half of users expected web pages to load within 2 seconds.

Getting that mix of usability, resolution, and size right is a heady mix to perfect. And image optimization will become increasingly vital in mass-adopted consumer ID systems because of the sheer volume of images representing individuals. I fully expect to see companies like Cloudinary, who host millions of images for companies like Salesforce, become part of the extended identity ecosystem. Companies who offer image optimization services will be a key way for service companies to manage the bandwidth and load of offering a hosted life management platform or using a photo-based ID verification service that retains images.

The sharper image of identity

Our love affair with the sharper image is not just about getting the right picture. Images and photos of documents will be increasingly used in data transactions as the world of digital identity management opens up to new opportunities. The cost of managing images needs to be controlled using image management and image optimization to allow us to open up this important part of identity management. We need, yet again, to find solutions that bring us a balance. Getting security right while keeping usability central is being addressed. We now need to put our heads into the image optimization tent and bring that into the identity ecosystem to make personal data stores a cost-effective, powerful tool in our identity arsenal.


Formerly a scientist working in the field of chemistry, Susan Morrow moved into the tech sector, co-founding an information security company in the early 1990s. She has worked in the field of cybersecurity and digital identity since then and helped to create award-winning security solutions used by enterprises across the world.

Susan currently works on large scale, citizen and consumer identity systems. Her focus is on balancing usability with security. She has helped to build identity solutions that are cutting edge and expanding the boundaries of how identity ecosystems are designed. She has worked on a number of government based projects in the EU and UK. She is also interested in the human side of cybersecurity and how our own behavior influences the cybercriminal.

The opinions expressed in this blog are those of Susan Morrow and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
