Date: 2026-02-02

In May 2019, graphic design platform Canva fell victim to a major cyber security breach in which a threat actor known as Gnosticplayers hacked its database and stole the personal data of over 100 million users, including their usernames, email addresses and bcrypt-hashed passwords.

In the wake of this unfortunate incident, the Sydney, Australia-based company ploughed significant investment into cyber security measures, alongside which came a new engagement with credential management service 1Password.

By the time Kane Narraway arrived at the firm as head of enterprise security towards the end of 2023, the firm had righted the ship and entered a major growth phase as its active user base ballooned to over 260 million per month, generating over $3.5bn (£2.5bn) in annualised revenues. This went alongside a fivefold increase in headcount since 2020, and an expanding global base of operations.

Narraway, who previously worked in security roles at Shopify and Atlassian, and also spent some time working on digital forensics for the UK government – although he now calls New Zealand home – says that managing this phase has proved an interesting challenge.

Indeed, throughout his time at the firm so far, says Narraway, the pressure to maintain and improve its security posture has been immense. In the past three years he has juggled keeping Canva’s growing enterprise customer portfolio safe, securely managing onboarding and access, mitigating the risks associated with shared accounts, and balancing security with in-house developer efficiency.

“When you scale out rapidly, people do more things, they have more unique workflows, and then it becomes harder and harder to lock things down, essentially,” says Narraway. “So, it’s a case where you’ll see people buying more SaaS [software as a service] tools that need to be secured, you’ll see people using more IDEs [integrated development environments] for coding and things like that. There’s lots of different scenarios.

“There’s nothing unique about rapid growth assuming that you’re putting investment in, but I definitely think it’s a case where you need to scale out your security organisation alongside your engineers and your non-engineering organisation as well, otherwise you’ll end up falling behind and not be able to catch up.”

Identity and access management (IAM) is critical to an organisation’s data security posture, and its role in regulatory compliance is just as crucial. Narraway characterises the role 1Password plays as making the path to security as smooth as possible.

“We have this concept in security called the paved road,” he says. “The idea is that people will use your paved road because it’s the easiest thing. Whereas, if the paved road isn’t so paved, it’s like gravel road, people are going to use the other easiest thing, right?”

Fumbling the identity experience is probably the easiest way to introduce potholes along this path, says Narraway, because doing so will force people to take alternate routes, like using password managers on their personal phones, or Google’s in-built management services.

“While all of those things are good, you don’t have any of those enterprise settings [and] you don’t know the security of those accounts,” he says. “As much as possible, you do want to prevent any sort of personal password syncing.”

Canva is also benefiting from 1Password’s centralised approach to storing and accessing logins and secrets. For example, on shared accounts – such as social media logins used by comms and marketing teams – 1Password enables Canva to apply stronger authentication measures, such as one-time passcode-based logins for accounts that aren’t tied to any one person, meaning they are accessible to the teams that need them but are still protected by multi-factor authentication (MFA).

“When you look at actual security incidents, a non-trivial amount of breaches happen because of secret sprawl,” says Narraway. “1Password solves this by providing granular access controls, so teams can share only what’s necessary, protect credentials, and still give them access to the tools they need.”

Securing developer workflows

Canva prides itself on rapidly evolving its visual communications platform and quick iteration, so with a highly active developer population, 1Password is also being heavily used to support the tools and workflows these teams need, going beyond mere password management.

Among other things, Canva’s developers are now using 1Password to secure things like service account credentials, SSH keys and other infrastructure secrets, while the 1Password Command Line Interface (CLI) is helping to streamline access in their workflows. Canva’s developers use this CLI to authenticate, retrieve credentials and continue working directly from the command line, with no browser or user interface (UI) prompt.

“With your typical workflow, say if you’re logging into LinkedIn, you’re going to just open a browser, you’re going to log in, you’re going to use the 1Password extension,” says Narraway. “It’s all going to be built in for you.

“The problem with this CLI is that you’re not going to get any of that – it’s just going to come up with the command prompt terminal, and it’s going to say ‘enter your password’, which means that you’re stuck back in those clunky days from 10 years ago, where you’ve got to go to your password manager, you’ve got to copy your password, you’ve got to paste it,” he says.

“I want to make the user experience as nice as possible, so we’ve integrated the 1Password command line with our internal developer tooling. It will ask if you want to store the credentials automatically. It’ll ask if you want to retrieve a certain credential. It saves you a lot of this effort of going to select manual stuff, it speeds up workflows.

“We’re only talking like two, three seconds each time – we’re not talking big numbers,” says Narraway. “But when you scale that out across 5,000 engineers, we’re saving weeks and weeks of effort every year just doing basic stuff.”