Canva uses 1Password to secure ID during growth phase | Computer Weekly
In May 2019, graphic design platform Canva fell victim to a major cyber security breach in which a threat actor known as Gnosticplayers hacked its database and stole the personal data of more than 100 million users, including their usernames, email addresses and bcrypt-hashed passwords.
In the wake of this unfortunate incident, the company, based in Sydney, Australia, ploughed significant investment into cyber security measures, alongside which came a new engagement with credential management service 1Password.
By the time Kane Narraway arrived at the firm as head of enterprise security towards the end of 2023, the firm had righted the ship and entered a major growth phase as its active user base ballooned to more than 260 million per month, generating over $3.5bn (£2.5bn) in annualised revenues. This went alongside a fivefold increase in headcount since 2020, and an expanding global base of operations.
Narraway, who previously worked in security roles at Shopify and Atlassian, and also spent some time working on digital forensics for the UK government – although he now calls New Zealand home – says that managing this phase has proved an interesting challenge.
Indeed, throughout his time at the firm so far, the pressure to maintain and improve its security posture has been immense, says Narraway. In the past three years, he has juggled keeping Canva’s growing enterprise customer portfolio safe, securely managing onboarding and access, mitigating the risks associated with shared accounts and balancing security with in-house developer efficiency.
“When you scale out rapidly, people do more things, they have more unique workflows, and then it becomes harder and harder to lock things down, essentially,” says Narraway. “So, it’s a case where you’ll see people buying more SaaS [software-as-a-service] tools that need to be secured, you’ll see people using more IDEs [integrated development environments] for coding and things like that. There’s lots of different scenarios.
“There’s nothing unique about rapid growth assuming that you’re putting investment in, but I definitely think it’s a case where you need to scale out your security organisation alongside your engineers and your non-engineering organisation as well, otherwise you’ll end up falling behind and not be able to catch up.”
New hires: a security blind spot
Two of the biggest cyber security blind spots for many organisations are introducing new recruits to the business and saying goodbye to old ones. The risks associated with former employees – particularly disgruntled ones – absconding with your most valuable data are pretty well known at this point. However, the risk that new employees present when they walk through the door is perhaps less talked about. New hires bring their own preconceptions and misconceptions about security, and will need to be quickly brought up to speed on how things are done in their new role lest they accidentally cause a mishap.
At the core of Canva’s engagement with 1Password sits the supplier’s Enterprise Password Manager product, which it is now using to mitigate some of these risks, onboarding so-called Canvanauts swiftly and securely – ensuring consistent credential management from the second they first sit down at their new workstation, and supporting SOC2 compliance into the bargain.
“If you have your password manager set up, where people get onboarded on day one, it takes them through initial onboarding training on how to use it,” says Narraway. “All the other team’s credentials are already in it, so they’re kind of forced to use it. People use it because it’s the easiest option.”
At the same time, he is using 1Password’s SCIM Bridge (System for Cross-domain Identity Management) to automate provisioning of new applications across the business, so that new users can be integrated seamlessly with clear documentation on migrating credentials from any legacy tools in play. For higher-risk applications, this service can reset credentials to cut the chances of inherited vulnerabilities sneaking in.
“1Password has turned security into a growth enabler,” he says. “We can integrate new teams and systems quickly while maintaining the highest security standards and enabling exceptional creative experiences for our customers.”
Narraway characterises the role 1Password plays as making the path to security as smooth as possible. “We have this concept in security called the paved road,” he says. “The idea is that people will use your paved road because it’s the easiest thing. Whereas, if the paved road isn’t so paved, it’s like a gravel road, people are going to use the other easiest thing, right?”
Fumbling the identity experience is probably the easiest way to introduce potholes along this path, says Narraway, because doing so will force people to take alternate routes, like using password managers on their personal phones, or Google’s in-built management services.
“While all of those things are good, you don’t have any of those enterprise settings [and] you don’t know the security of those accounts,” he says. “As much as possible, you want to prevent any sort of personal password syncing.”
Canva is also benefiting from 1Password’s centralised approach to storing and accessing logins and secrets. For example, on shared accounts – such as social media logins used by comms and marketing teams – 1Password enables Canva to apply stronger authentication measures, such as one-time passcode-based logins for accounts that aren’t tied to any one person, meaning they are accessible to the teams that need them but are still protected by multifactor authentication (MFA).
“When you look at security incidents, a non-trivial amount of breaches happen because of secret sprawl,” says Narraway. “1Password solves this by providing granular access controls, so teams can share only what’s necessary, protect credentials, and still give them access to the tools they need.”
Securing developer workflows
Canva prides itself on rapidly evolving its visual communications platform and quick iteration, so with a highly active developer population, 1Password is also being heavily used to support the tools and workflows these teams need, going beyond mere password management.
Among other things, Canva’s developers are now using 1Password to secure things like service account credentials, SSH keys and other infrastructure secrets, while the 1Password Command Line Interface (CLI) is helping to streamline access in their workflows.
Canva’s developers use this CLI to authenticate, retrieve credentials and continue working directly from the command line, with no browser or user interface (UI) prompt.
“With your typical workflow, say if you’re logging into LinkedIn, you’re going to just open a browser, you’re going to log in, you’re going to use the 1Password extension,” says Narraway. “It’s all going to be built-in for you.
“The problem with this CLI is that you’re not going to get any of that – it’s just going to come up with the command prompt terminal, and it’s going to say ‘enter your password’, which means that you’re stuck back in those clunky days from 10 years ago, where you’ve got to go to your password manager, you’ve got to copy your password, you’ve got to paste it,” he says.
“I want to make the user experience as nice as possible, so we’ve integrated the 1Password command line with our internal developer tooling. It will ask if you want to store the credentials automatically. It’ll ask if you want to retrieve a certain credential. It saves you a lot of this effort of going to select manual stuff. It speeds up workflows.
“We’re only talking like two, three seconds each time – we’re not talking big numbers,” says Narraway. “But when you scale that out across 5,000 engineers, we’re saving weeks and weeks of effort every year just doing basic stuff.”
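As an added illustration of the kind of CLI integration described above (example code written for this article, not Canva's internal tooling or anything 1Password ships), the wrapper below lets a developer run a command with credentials resolved from 1Password at run time rather than pasted from the clipboard, and refuses env files that contain plaintext values instead of `op://` secret references. It assumes the 1Password CLI (`op`) is installed and signed in; the vault and item names are placeholders.

```shell
#!/bin/sh
# Added example: run a command with secrets injected by the 1Password CLI,
# and catch plaintext credentials before they end up in a committed env file.
# Assumes `op` is installed and the developer has already signed in; the
# vault/item names used in the test data are placeholders, not real ones.
set -eu

# Returns 0 if the value is a 1Password secret reference
# (op://vault/item/field or op://vault/item/section/field), 1 otherwise.
is_secret_ref() {
  case "$1" in
    op://*/*/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads KEY=VALUE lines from an env file and reports every value that is not
# a secret reference, so a real password never gets checked in by mistake.
# Blank lines and '#' comments are skipped. Returns 1 if anything was flagged.
check_env_file() {
  local file="$1" bad=0 key value
  while IFS='=' read -r key value || [ -n "$key" ]; do
    case "$key" in ''|\#*) continue ;; esac
    if ! is_secret_ref "$value"; then
      echo "plaintext value for $key in $file" >&2
      bad=1
    fi
  done < "$file"
  return "$bad"
}

# Validates the env file, then hands it to `op run`, which resolves each
# op:// reference and exposes the real value only to the child process.
run_with_secrets() {
  local file="$1"
  shift
  check_env_file "$file"
  op run --env-file="$file" -- "$@"
}
```

Usage: `run_with_secrets .env.staging ./deploy.sh`; the developer never sees or copies the password, and `check_env_file` alone is a cheap pre-commit hook.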
Security begins at home
But the engagement doesn’t end at the office door. Beyond becoming a cornerstone of Canva’s workforce security architecture, the global team is also offered free access to the 1Password Families consumer product to safeguard their personal accounts and data outside of work. Narraway is among those who have taken it up.
As any security expert knows full well, one of the biggest challenges faced by the industry is getting people to listen to security advice, do the right thing, and not write down credentials on sticky notes or update them every few months by adding a new number to the end.
Narraway says that bringing tools like 1Password to bear on the personal lives of Canva’s employees not only helps address these challenges by making it easier for them to do the right thing at home, but has the potential to improve Canva’s cyber posture, too – particularly if, for example, a remote working employee’s kid gets access to their PC.
It helps that password management technology has improved no end in recent years, he adds.
“If you used one 10 years ago, they weren’t great,” says Narraway. “They were clunky and awkward. You had to copy and paste your passwords on your phone, and not a lot of people used them.
“It’s looking a lot better these days – Google and Apple have obviously integrated the technology into their ecosystems … but the onus is still on individuals, so you still have to go through that pre-emptive hygiene.
“A lot of people don’t think about that until they get hacked, or their email turns up in a breach somewhere,” he concludes.