How Canva scaled to 260+M users while elevating security and productivity

Outcomes

• Strengthened sign-ins and centralized credential management, creating the secure foundation necessary for Canva to scale its operations.

• Enabled secure, same-day onboarding for a globally dispersed workforce, eliminating employee downtime and improving workforce security. 

• Increased engineering productivity by fully integrating the 1Password CLI into developer workflows.

1Password has made security a growth enabler, letting us integrate new teams fast while maintaining high standards and great experiences for customers

Kane Narraway
Head of Enterprise Security at Canva

Challenges

Since its founding in 2012, Canva has grown into a global visual communication powerhouse. Guided by its mission to empower the world to design, Canva’s user base has grown to more than 260 million monthly active users and it’s generating more than $3.5B in annualized revenue. But as more organizations increasingly discovered the power of Canva’s platform, its rapid expansion – fueled in part by multiple acquisitions – also introduced some unique challenges.

With a 5X increase in employees in just under five years and expanded operations across eight countries, Canva needed to embrace growth while maintaining the security that its customers deserve and expect. By adopting 1Password Enterprise Password Manager to improve its workforce security, Canva addressed the following: 

• Meeting complex enterprise security expectations. Canva faced pressure to satisfy the requirements of a broad enterprise customer base by maintaining security and SOC 2 compliance.   

• Managing onboarding and access during hypergrowth. Canva needed to securely onboard thousands of employees, contractors, and new acquisition teams without disrupting services or creating security gaps. 

• Balancing security with developer efficiency. Canva sought ways to support developer workflows and credential management while avoiding friction or inefficiencies in critical engineering processes. 

• Mitigating shared account security risks. Canva worked to secure shared accounts, particularly in areas like social media, where multiple team members required simultaneous access. 

“Our products, processes, and systems are designed to protect our community and its data,” said Kane Narraway, Head of Enterprise Security at Canva. “As we’ve grown, we’ve put more focus on implementing the enterprise-level security controls that our customers expect from us.”

Cultivating a culture of security: safe at work, safe at home

Canva’s global team of 5,000+ use 1Password Enterprise Password Manager to gain trusted access to their work credentials. On the first day of their onboarding at Canva, all team members – regardless of their location or status as full-time employees, contractors, or contingent workers – are shown how to use 1Password and onboarded in minutes. The product is a cornerstone of Canva’s workforce security architecture, helping the company build an even more robust infrastructure that will enhance its team's performance. With Canva’s flexible remote work policy, its team can securely access the tools and information they need from anywhere, ensuring seamless collaboration across time zones and locations.

For Canva, a centralized approach for storing and accessing logins and secrets is crucial for risk reduction. 1Password gives DevOps teams a secure, centralized way to share and automate access to infrastructure secrets. It also makes it simple to apply strong authentication measures, like storing and using one-time passwords for shared service accounts that aren’t tied to any individual user. This ensures those accounts remain protected by two-factor authentication while still being accessible to the teams that need them. These include Canva’s social media and marketing teams, where multiple members need access simultaneously.  

“When you look at actual security incidents, a non-trivial amount of breaches happen because of secret sprawl,” says Narraway. “1Password solves this by providing granular access controls, so teams can share only what’s necessary, protect credentials, and still give them access to the tools they need.”

As a Business Plan member, Canva taps into other 1Password benefits to further mitigate risks. 1Password Watchtower identifies weak and compromised passwords, accounts that lack two-factor authentication, and other security issues. 1Password Insights helps track data breaches, password health, and team usage across the organization. Canva makes use of the free 1Password Families that comes with 1Password Business, enabling its team to safeguard their personal information outside of work with at-home adoption, a crucial data point for the security team.

Knowing that our team is using 1Password in their personal lives is a good indicator that these behaviors are going to translate into work as well.

Kane Narraway
Head of Enterprise Security at Canva

Increasing engineering velocity by securing developer workflows

Canva owes much of its growth to its rapidly evolving visual communication platform and its ability to iterate quickly, bringing value to customers. 1Password offers robust features beyond password management to support developer tools and workflows. 

To this end, Canva’s large developer population uses 1Password to secure service account credentials, SSH keys, and other infrastructure secrets, as well as 1Password CLI to streamline access within developer workflows. The team relies on the CLI for a range of internal tasks – spinning up new services, generating templates, and more – all without needing a browser or UI prompt. Developers can authenticate, retrieve credentials, and continue working directly from the command line. It’s a seamless experience that blends security into everyday engineering tasks, allowing Canva to maintain its engineering-centric culture and secure developer workflows, without compromising productivity. 

“When it comes to developer workflows, we’re not prescriptive," says Narraway. “Instead, we give our developers options that make their lives easier. 1Password is the path of least resistance. 

Additionally, 1Password enables Canva to detect potential credential-related vulnerabilities, such as plain-text passwords or SSH keys using outdated cryptography. 

Driving growth with enterprise-grade protection and compliance at the core

With 1Password Enterprise Password Manager in place, Canva can now onboard Canvanauts swiftly and securely as it continues to reach new growth milestones, ensuring consistent credential management from day one while supporting SOC 2 compliance. 

Using 1Password SCIM Bridge for automated provisioning, new users can be integrated seamlessly, supported by clear documentation for migrating credentials from legacy tools. High-risk application credentials can be reset as a precaution, reducing the chance of inherited vulnerabilities. 

“1Password has turned security into a growth enabler,” says Narraway. “We can integrate new teams and systems quickly while maintaining the highest security standards and enabling exceptional creative experiences for our customers.”