How Canva Scales Security and Productivity With 1Password

Kane Narraway has been at the helm of security for one of the most meteoric rises in the tech world. As the Head of Enterprise Security at Canva, he has managed the protection of data for over 260 million monthly active users while the company’s internal headcount exploded fivefold in less than five years. This discussion explores how a global design powerhouse maintains its “path of least resistance” for developers while hitting $3.5 billion in annualized revenue and ensuring every new hire is secure from their very first day. We dive into the logistical hurdles of securing a workforce spread across eight countries and the technical strategies used to eliminate “secret sprawl” without slowing down innovation.

The conversation covers the vital intersection of engineering productivity and credential management, the specific challenges of managing shared accounts for social media teams, and the philosophy of “safe at work, safe at home” through personal security benefits. We also examine how Canva transitioned from a high-growth startup to an enterprise-grade platform capable of meeting rigorous SOC 2 compliance standards. By focusing on automation and centralized management, the security team has transformed from a potential bottleneck into a primary driver of global scale and customer trust.

Scaling a workforce fivefold across eight countries creates immense pressure on internal systems. How did you manage the logistical and security nightmare of onboarding thousands of new employees without letting protection slip?

When you are growing at the pace we have—expanding into eight different countries with over 5,000 team members—you cannot afford to have a manual or slow onboarding process. We realized early on that every minute a new “Canvanaut” spends waiting for access is a minute of lost productivity and a potential security gap. By implementing 1Password Enterprise Password Manager, we created a system where every single team member, whether they are a full-time employee, a contractor, or a contingent worker, is onboarded in just minutes on their very first day. This immediate access is vital because it ensures that people aren’t tempted to use insecure workarounds or personal accounts just to get their jobs done. It has allowed us to maintain a cohesive security posture even as our annualized revenue soared to $3.5 billion and our user base grew to 260 million.

Many organizations struggle with “secret sprawl” as they grow, leading to critical vulnerabilities. What specific actions did you take to centralize credentials and protect infrastructure secrets across your DevOps teams?

Secret sprawl is a non-trivial issue that often lies at the heart of major security incidents, and as we scaled, we knew we had to tackle it head-on with a centralized approach. We provided our DevOps teams with a secure, unified way to share and automate access to infrastructure secrets, which drastically reduced the risk of sensitive data leaking into code or Slack channels. By using granular access controls, we ensure that teams can share only what is absolutely necessary for a specific task, protecting high-level credentials while still providing the tools needed for fast iteration. We also make extensive use of one-time passwords for shared service accounts, ensuring that even if an account isn’t tied to one specific person, it remains protected by two-factor authentication. This methodology gives us a bird’s-eye view of our security health through tools like Watchtower, which flags weak passwords and accounts that lack two-factor authentication before they can be exploited.

Developers often view security protocols as a barrier to speed. How did you manage to integrate security into the engineering workflow so that it actually increased velocity instead of hindering it?

Our philosophy is that security should be the path of least resistance, which is why we leaned so heavily into the 1Password CLI for our large developer population. Instead of forcing an engineer to break their focus by jumping into a browser or a UI prompt, they can authenticate, retrieve credentials, and spin up new services directly from their command line. This seamless experience blends security into the tasks they are already doing, like generating templates or managing SSH keys, without any unnecessary friction. We have found that when you give developers tools that make their lives easier—like detecting plain-text passwords or outdated cryptography automatically—they naturally gravitate toward the more secure option. It preserves our engineering-centric culture while ensuring that as we iterate on our visual communication platform, we are doing so on a foundation that is secure by design.
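The "secrets stay in the vault, not in code" pattern described above can be enforced locally. This is an added example written for this page, not Canva's or 1Password's own code: a POSIX shell check that rejects an env file in which a sensitive-looking key holds a literal value instead of an `op://vault/item/field` reference that `op run --env-file` resolves at launch. The key-name pattern and the sample files are assumptions.

```shell
#!/bin/sh
# Added example (not Canva's or 1Password's code). An env file should hold
# op:// references for anything sensitive; `op run --env-file=FILE -- cmd`
# resolves them from the vault at launch, so no literal secret lives in the repo.
# check_env_refs FILE -> prints each offending key, returns 1 if any sensitive
# key carries a literal value, 0 if all sensitive keys are vault references.

# Assumption: keys matching this naming convention are treated as sensitive.
SENSITIVE_PATTERN='(PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)'

check_env_refs() {
    file="$1"
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;          # skip blank lines and comments
        esac
        key=${line%%=*}
        value=${line#*=}
        if printf '%s' "$key" | grep -Eq "$SENSITIVE_PATTERN"; then
            case "$value" in
                op://*/*/*) ;;            # vault reference, resolved by `op run`
                *) printf 'literal secret in %s: %s=<redacted>\n' "$file" "$key"
                   bad=1 ;;
            esac
        fi
    done < "$file"
    return $bad
}

# Constructed sample files for the demonstration (not real credentials).
tmpdir=$(mktemp -d)
cat > "$tmpdir/good.env" <<'EOF'
DB_HOST=db.internal
DB_PASSWORD=op://Production/postgres/password
STRIPE_API_KEY=op://Production/stripe/credential
EOF
cat > "$tmpdir/bad.env" <<'EOF'
DB_HOST=db.internal
DB_PASSWORD=hunter2
STRIPE_API_KEY=op://Production/stripe/credential
EOF

check_env_refs "$tmpdir/good.env" && echo "good.env: safe to launch with op run"
check_env_refs "$tmpdir/bad.env"  || echo "bad.env: fix before committing"
```

Wired into a pre-commit hook, the check fails the commit before a plain-text credential reaches the repository, which is the same class of problem the Watchtower-style detection mentioned above catches after the fact.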

Managing shared accounts for teams like social media or marketing is notoriously difficult from a security standpoint. What was your strategy for allowing multiple people to access a single account without compromising its integrity?

Shared accounts, especially in high-visibility areas like social media and marketing, represent a unique challenge because you have multiple team members who need simultaneous access to the same platform. To solve this, we utilized 1Password to store and manage these logins centrally, allowing us to apply strong authentication measures that aren’t tied to a single individual’s phone or email. This means we can maintain rigorous two-factor authentication on these shared service accounts while still allowing the entire team to collaborate across different time zones and locations. It removes the need for insecurely sharing “the code” via messaging apps and ensures that access can be revoked or changed instantly if someone leaves the team. This centralized approach has been a cornerstone of our workforce security architecture, especially as we embrace a flexible remote work policy that sees our team working from all over the globe.

You’ve mentioned that employee behavior at home is a key indicator of corporate security. Why did you choose to provide personal security tools to your staff, and how has that influenced the company’s overall safety?

We believe that being safe at work and being safe at home are two sides of the same coin, which is why we provide the free 1Password Families benefit to our team. When we see high at-home adoption of these security tools, it is a very good indicator to the security team that these healthy habits and behaviors are going to translate into the workspace as well. If an employee is using a password manager to safeguard their personal banking and private information, they are far less likely to reuse a weak password on a critical internal Canva system. This cultural shift helps us mitigate risks before they ever reach our perimeter, creating a workforce that is inherently more conscious of digital hygiene. It turns every employee into a proactive participant in our security strategy, which is essential when you are managing the data of 260 million users.

As Canva continues to grow through acquisitions and enterprise partnerships, how has your security framework helped you meet the high expectations of SOC 2 compliance and large-scale corporate clients?

Moving into the enterprise space meant we had to satisfy much more complex security requirements and prove our commitment to standards like SOC 2 compliance. We used the 1Password SCIM Bridge to automate provisioning, which allowed us to integrate new acquisition teams and their systems quickly without creating security gaps or inheriting old vulnerabilities. When we bring a new team on board, we can reset high-risk application credentials as a precaution and provide clear documentation for migrating away from legacy, insecure tools. This has essentially turned security into a growth enabler for us; we can tell our enterprise customers with confidence that their data is protected by the same rigorous standards we use for our own internal operations. Ultimately, it allows us to focus on our mission of empowering the world to design while knowing our infrastructure is robust enough to handle the next 260 million users.

What is your forecast for the future of identity and credential management in hypergrowth tech companies?

I believe we are moving toward a future where the traditional, static password becomes almost entirely invisible to the end-user, replaced by seamless, automated authentication that lives within the tools developers and employees already use. We will see a massive shift toward “zero-touch” security, where SCIM bridges and CLI integrations handle the heavy lifting of credential rotation and access control without any human intervention. As companies continue to scale globally, the ability to centralize and automate identity will be the only way to stay ahead of “secret sprawl” and the increasing complexity of cloud-native environments. Those who can make security the “path of least resistance” will not only protect their data better but will also outpace their competitors by removing the friction that usually slows down innovation.
