Tech
Canva uses 1Password to secure ID during growth phase | Computer Weekly
In May 2019, graphic design platform Canva fell victim to a major cyber security breach in which a threat actor known as Gnosticplayers hacked its database and stole the personal data of more than 100 million users, including their usernames, email addresses and bcrypt-hashed passwords.
In the wake of this unfortunate incident, the company, based in Sydney, Australia, ploughed significant investment into cyber security measures, alongside which came a new engagement with credential management service 1Password.
By the time Kane Narraway arrived at the firm as head of enterprise security towards the end of 2023, the firm had righted the ship and entered a major growth phase as its active user base ballooned to more than 260 million per month, generating over $3.5bn (£2.5bn) in annualised revenues. This went alongside a fivefold increase in headcount since 2020, and an expanding global base of operations.
Narraway, who previously worked in security roles at Shopify and Atlassian, and also spent some time working on digital forensics for the UK government – although he now calls New Zealand home – says that managing this phase has proved an interesting challenge.
Indeed, throughout his time at the firm so far, the pressure to maintain and improve its security posture has been immense, says Narraway. In the past three years, he has juggled keeping Canva’s growing enterprise customer portfolio safe, securely managing onboarding and access, mitigating the risks associated with shared accounts and balancing security with in-house developer efficiency.
“When you scale out rapidly, people do more things, they have more unique workflows, and then it becomes harder and harder to lock things down, essentially,” says Narraway. “So, it’s a case where you’ll see people buying more SaaS [software-as-a-service] tools that need to be secured, you’ll see people using more IDEs [integrated development environments] for coding and things like that. There’s lots of different scenarios.
“There’s nothing unique about rapid growth assuming that you’re putting investment in, but I definitely think it’s a case where you need to scale out your security organisation alongside your engineers and your non-engineering organisation as well, otherwise you’ll end up falling behind and not be able to catch up.”
New hires: a security blind spot
Two of the biggest cyber security blind spots for many organisations are introducing new recruits to the business and saying goodbye to old ones. The risks associated with former employees – particularly disgruntled ones – absconding with your most valuable data are pretty well known at this point. However, the risk that new employees present when they walk through the door is perhaps less talked about. New hires bring their own preconceptions and misconceptions about security, and will need to be quickly brought up to speed on how things are done in their new role lest they accidentally cause a mishap.
At the core of Canva’s engagement with 1Password sits the supplier’s Enterprise Password Manager product, which it is now using to mitigate some of these risks, onboarding so-called Canvanauts swiftly and securely – ensuring consistent credential management from the second they first sit down at their new workstation, and supporting SOC2 compliance into the bargain.
“If you have your password manager set up, where people get onboarded on day one, it takes them through initial onboarding training on how to use it,” says Narraway. “All the other team’s credentials are already in it, so they’re kind of forced to use it. People use it because it’s the easiest option.”
At the same time, he is using 1Password’s SCIM Bridge (System for Cross-domain Identity Management) to automate provisioning of new applications across the business, so that new users can be integrated seamlessly with clear documentation on migrating credentials from any legacy tools in play. For higher-risk applications, this service can reset credentials to cut the chances of inherited vulnerabilities sneaking in.
“1Password has turned security into a growth enabler,” he says. “We can integrate new teams and systems quickly while maintaining the highest security standards and enabling exceptional creative experiences for our customers.”
Narraway characterises the role 1Password plays as making the path to security as smooth as possible. “We have this concept in security called the paved road,” he says. “The idea is that people will use your paved road because it’s the easiest thing. Whereas, if the paved road isn’t so paved, it’s like a gravel road, people are going to use the other easiest thing, right?”
Fumbling the identity experience is probably the easiest way to introduce potholes along this path, says Narraway, because doing so will force people to take alternate routes, like using password managers on their personal phones, or Google’s in-built management services.
“While all of those things are good, you don’t have any of those enterprise settings [and] you don’t know the security of those accounts,” he says. “As much as possible, you want to prevent any sort of personal password syncing.”
Canva is also benefiting from 1Password’s centralised approach to storing and accessing logins and secrets. For example, on shared accounts – such as social media logins used by comms and marketing teams – 1Password enables Canva to apply stronger authentication measures, such as one-time passcode-based logins for accounts that aren’t tied to any one person, meaning they are accessible to the teams that need them but are still protected by multifactor authentication (MFA).
“When you look at security incidents, a non-trivial amount of breaches happen because of secret sprawl,” says Narraway. “1Password solves this by providing granular access controls, so teams can share only what’s necessary, protect credentials, and still give them access to the tools they need.”
Securing developer workflows
Canva prides itself on rapidly evolving its visual communications platform and quick iteration, so with a highly active developer population, 1Password is also being heavily used to support the tools and workflows these teams need, going beyond mere password management.
Among other things, Canva’s developers are now using 1Password to secure things like service account credentials, SSH keys and other infrastructure secrets, while the 1Password Command Line Interface (CLI) is helping to streamline access in their workflows.
Canva’s developers use this CLI to authenticate, retrieve credentials and continue working directly from the command line, with no browser or user interface (UI) prompt.
“With your typical workflow, say if you’re logging into LinkedIn, you’re going to just open a browser, you’re going to log in, you’re going to use the 1Password extension,” says Narraway. “It’s all going to be built-in for you.
“The problem with this CLI is that you’re not going to get any of that – it’s just going to come up with the command prompt terminal, and it’s going to say ‘enter your password’, which means that you’re stuck back in those clunky days from 10 years ago, where you’ve got to go to your password manager, you’ve got to copy your password, you’ve got to paste it,” he says.
“I want to make the user experience as nice as possible, so we’ve integrated the 1Password command line with our internal developer tooling. It will ask if you want to store the credentials automatically. It’ll ask if you want to retrieve a certain credential. It saves you a lot of this effort of going to select manual stuff. It speeds up workflows.
“We’re only talking like two, three seconds each time – we’re not talking big numbers,” says Narraway. “But when you scale that out across 5,000 engineers, we’re saving weeks and weeks of effort every year just doing basic stuff.”
Security begins at home
But the engagement doesn’t end at the office door. Beyond becoming a cornerstone of Canva’s workforce security architecture, the global team is also offered free access to the 1Password Families consumer product to safeguard their personal accounts and data outside of work. Narraway is among those who have taken it up.
As any security expert knows full well, one of the biggest challenges faced by the industry is getting people to listen to security advice, do the right thing, and not write down credentials on sticky notes or update them every few months by adding a new number to the end.
Narraway says that bringing tools like 1Password to bear on the personal lives of Canva’s employees not only helps address these challenges by making it easier for them to do the right thing at home, but has the potential to improve Canva’s cyber posture, too – particularly if, for example, a remote working employee’s kid gets access to their PC.
It helps that password management technology has improved no end in recent years, he adds.
“If you used one 10 years ago, they weren’t great,” says Narraway. “They were clunky and awkward. You had to copy and paste your passwords on your phone, and not a lot of people used them.
“It’s looking a lot better these days – Google and Apple have obviously integrated the technology into their ecosystems … but the onus is still on individuals, so you still have to go through that pre-emptive hygiene.
“A lot of people don’t think about that until they get hacked, or their email turns up in a breach somewhere,” he concludes.
The Tech Elites in the Epstein Files
“I had very little correspondence with Epstein and declined repeated invitations to go to his island or fly on his ‘Lolita Express,’ but was well aware that some email correspondence with him could be misinterpreted and used by detractors to smear my name,” Musk said in a post on X on Saturday. “I don’t care about that, but what I do care about is that we at least attempt to prosecute those who committed serious crimes with Epstein, especially regarding heinous exploitation of underage girls.” Musk did not immediately respond to a request for comment from WIRED.
Larry Page (314 Files), Sergey Brin (294 Files)
The Google cofounders appear in the Epstein files roughly the same number of times, and both have been linked to Epstein previously. Page and Brin were both issued subpoenas in 2023 related to a civil lawsuit by the US Virgin Islands against JP Morgan Chase tied to Epstein’s sex trafficking crimes. In court documents related to Virginia Giuffre’s defamation lawsuit against Ghislaine Maxwell, which were unsealed in 2024, Epstein victim Sarah Ransome alleged that she had met Brin and his fiancée, Anne Wojcicki, prior to their 2007 wedding, “when they visited the island for the day.”
The recently released DOJ files provide a much fuller picture of their relationships with Epstein, particularly for Brin. An email exchange in April 2003 with Ghislaine Maxwell suggests that Brin had dinner at Epstein’s New York townhouse that month. (“Dinners at Jeffrey’s are always happily casual and relaxed,” Maxwell wrote.) In it, Brin offered to invite “our CEO Eric,” referring to Google’s then CEO Eric Schmidt, though he says that Schmidt’s “schedule will probably be a bit more packed,” and there is no indication Schmidt attended.
Page also appears to have dined with Epstein. “David Gergen is asking who was at the lunch or dinner years ago when he came=to your house and the Google guys were there (Larry Page and Sergey Brin),” Groff wrote to Epstein in 2015. There are references in the files, too, to purported business dealings between Page and Epstein. “Larry Page’s chief pilot, Tony contacted Nicolas today and is interested ‘again’ using your Bell 407 for the St. Barts operation,” says an email to Epstein from a redacted address sent on December 23, 2010, followed by a breakdown of the potential associated fees. The Bell 407 is a type of helicopter; emails show that an entity called “Air Ghislaine Inc” purchased one on October 30, 2002. The “St. Barts operation” appears to be a visit; Epstein was notified in an email later that same day that “Larry Page has changed his mind and will use boat to st barts.”
On another occasion, Epstein emailed a link to a news story about Google testing “internet-broadcasting drones” in New Mexico to a redacted address. “You can tell larry page that they can use my runway =s most of this land is my ranch,” he wrote. There’s no indication that this happened. Alphabet did not immediately respond to a request for comment from WIRED. Anne Wojcicki did not immediately respond to a request for comment.
Mark Zuckerberg (282 Files), Jeff Bezos (196 Files), Eric Schmidt (193 Files)
While Epstein appeared to email primarily about Meta CEO Mark Zuckerberg rather than with him, the files do indicate at least one occasion when the two met. They were both on an invite list emailed by Reid Hoffman’s assistant for a dinner on August 2, 2015, with neuroscientist Ed Boyden. Peter Thiel, Elon Musk, and Joi Ito were among the other invitees. Hoffman followed up a few days later with an email to Zuckerberg and Epstein with the subject line “intros.” “Jeffrey, Zuck,” the message reads, “email connections from the Ed Boyden dinner — so that convo can continue.”
There’s no indication that Zuckerberg ever responded. And otherwise, Epstein appears to have spent far more time emailing about Zuckerberg—his marriage to Priscilla Chan, whether he deserved a Nobel Peace Prize—than with him.
Our Favorite Soundbar for Most People Is $50 Off
Tired of the crackly, flat audio that’s constantly blaring from your television’s built-in speakers? A sound bar is a simple and effective way to massively improve your movie nights, and our favorite pick for most people, the Yamaha SR-C30A, is currently marked down at Amazon. You can grab the soundbar and included subwoofer for just $230, a $50 discount from the usual price.
You don’t need to be a surround sound expert to get a big boost from the SR-C30A. Thanks to HDMI eARC, all you need to get up and running is an HDMI connection to the television, and power for both the soundbar and the subwoofer. Everything else, including matching volume and turning off the TV’s speakers, is handled instantly and automatically. There are handy presets for other functions too, like a mode specifically for playing video games, and a 3D movie mode that helps improve the spatial audio performance. Having used a similar Yamaha soundbar for several years, I found the “Clear Voice” function particularly useful for helping adjust the levels to help dialogue cut through the mix.
Unlike some of the other more expensive picks from our list, the SR-C30A comes bundled with a surprisingly adept subwoofer. The big, dedicated speaker can slide under or behind your couch, giving a huge boost to the cinematic experience, and making those action movie explosions really come through. It’s even wireless, so you don’t need to find room for it directly under your screen, which is particularly nice if you’re wall-mounting your TV or have a smaller entertainment stand.
If you’re limited on space for speakers, you should know that the SR-C30A does double duty as a dedicated speaker for music and podcasts too. With built-in Bluetooth, as well as an aux input, you can easily send your favorite songs over for some quick listening while working around the house or having folks over.
While we think the Yamaha SR-C30A is an excellent pick for anyone who just wants their soundbar to work without thinking about it much, we have a full roundup of the best soundbars that includes more premium picks.
The Best Floodlight Security Cameras for Your Home
Consider These Floodlight Cameras
Reolink Elite Floodlight WiFi (Wired) for $230: Similar to our Reolink pick above, the difference with the Elite Floodlight is that it’s a fixed dual-lens camera designed to give you a wide 180-degree view (59 degrees vertically), rather than a pan-and-tilt camera. If you want a fixed camera to cover the entire side of a property, this could be a solid pick. It records up to 4K video at up to 20 frames per second, has a 105-decibel alarm, and supports dual-band Wi-Fi 6. The rest of the specs, including the two-panel, 3,000-lumen, adjustable temperature floodlight, match the TrackFlex above.
Google Nest Cam With Floodlight (Wired) for $280: This aging floodlight security camera might still be your best bet if you prefer Google Home and have a Nest doorbell. The limited 1080p resolution is mitigated by the high frame rate (30 fps), HDR, and decent 6X digital zoom. The two-panel floodlight can put out up to 2,400 lumens of warm (4,000K) light, and brightness is adjustable. Google’s AI detection is perhaps the smartest in the business, and this is a very reliable camera, but you must subscribe to make it worthwhile, as there’s no local recording option. Google Home Premium starts at $10 per month or $100 per year, but that covers all your devices. It might be best to wait, as Google recently released 2K Nest cameras, and there’s a decent chance it will update its floodlight camera soon.
Philips Hue Secure Camera for $130 and Discover Floodlight (Wired) for $160: Strictly speaking, these are two separate devices, but I used this setup at my old house, and it worked very well. If you’re invested in Hue lighting, the Discover Floodlight is one of my favorite outdoor lights and a versatile way to light up your space. It can put out 2,300 lumens, and you can tweak the temperature, color, and brightness easily in the Hue app, which also allows scheduling and animated scenes. Add a Philips Hue Secure Wired Camera and you can have it trigger the floodlight and any other Hue lights you have. It is only 1080p, but the wired camera worked well for me, triggering reliably, and Philips Hue now offers 24 hours of video history for free. But if you want the AI detection, back-to-back recording, activity zones, and 30 days of video history, you must subscribe for $40 a year for a single camera.
Arlo Pro 3 Floodlight Camera (Battery) for $250: An obvious pick for folks with an Arlo system, this battery-powered camera allows for a wireless install, though you will need to charge it. It offers up to 2K footage with HDR and Arlo’s excellent app and alert system, though you need an Arlo Secure plan ($10 per month or $96 a year for a single camera, $20 per month or $216 a year for unlimited cameras). The floodlight is a single panel that flanks the face of the camera and delivers up to 2,000 lumens. You can boost the brightness to 3,000 lumens and eliminate event recording delays with the Arlo Outdoor Charging Cable ($50), though you’ll need to run it to an outlet. Arlo has a newer, wired floodlight camera that I plan to test soon.
Eve Outdoor Cam (Wired) for $249: This stylish floodlight camera can replace an outdoor light to give you a motion-activated light (up to 1,500 lumens), 1080p video (157-degree field of view), and two-way audio. As a HomeKit camera, you will need an Apple HomeKit hub (Apple TV, HomePod, or iPad) and an iCloud+ storage plan. Sadly, the video and sound quality are only average. This camera also only works on 2.4-GHz Wi-Fi, and there’s no Android support.
Floodlight Cameras We Don’t Recommend
Toucan Security Floodlight Camera (Wired) for $80: You can plug this camera into an outlet, and it comes with an 8-meter waterproof cable. It has a motion-activated light (1,200 lumens), records 1080p video, and supports two-way audio. I found the footage quite detailed, but it struggled with direct sunlight. You can record locally on a microSD card (sold separately) and get 24 hours of free cloud storage, but it has limitations. Plans start from $3 per month. Even with motion detection set to the lowest sensitivity, this camera triggered too often during testing, and there’s no way to filter for people, so I got frequent false positives (blowing leaves, moths, and birds all triggered alerts).

