
Episode 004

Non-Human Crisis with Kane Narraway, Head of Enterprise Security at Canva | Patch Me If You Can™

Kane Narraway, Head of Enterprise Security at Canva, joins Patch Me If You Can™ to tackle Zero Trust, service accounts, and securing AI in the enterprise.


Show Notes

In this episode of Patch Me If You Can™, host Arek Dreyer welcomes Kane Narraway, Head of Enterprise Security at Canva, to unpack some of security’s most pressing and often overlooked issues. Kane has a wealth of experience, having switched between IT and security leadership positions at notable organizations like Shopify, Atlassian, and even within the UK government. This background informs his balanced, pragmatic approach to solving complex security problems in fast-paced technology environments.

The conversation delves into the concept of Zero Trust architecture, zooming in on what Kane calls the “last mile”: the challenge of securing non-human identities, namely service accounts and API tokens. Kane explains that while the industry has made giant strides in securing human users, the proliferation of automated service accounts has quietly expanded the attack surface. He outlines three primary strategies that organizations can employ to tighten controls around these identities: traditional IP allow-listing for sensitive services, the use of short-lived token proxies (as demonstrated by companies like Chainguard), and the much more complex route of building native integrations for automatic credential management. By improving these controls, teams can shift their focus from constantly reacting to exposures toward more proactive and strategic security work.

Beyond non-human identity, Kane weighs in on the secure adoption of AI and automation in the workplace, discussing opportunities and emerging protocols like Model Context Protocol (MCP). He also shares his career philosophy of alternating between IT and security roles to foster empathy, collaboration, and more practical solutions. Kane advises teams stuck in reactive workflows to revisit first principles, focus on high-impact outcomes, and not be afraid to trim unnecessary tasks in order to create real leverage. All in all, the episode offers actionable insights on bridging the practical and strategic sides of modern enterprise security.
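The show notes summarize two of the three controls at a high level: IP allow-listing in front of a sensitive service, and a broker that exchanges a verified identity for a short-lived, scope-bound token so that a leaked credential stops working on its own. The following Python sketch is an added illustration of both ideas and is not code from the episode, from Canva, or from Chainguard's GitHub app; the allow-listed range, the HMAC signing key, the subject name and the scope names are constructed for the example, and a real broker would verify an OIDC assertion and keep its signing key in a KMS rather than in a module constant.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import ipaddress
import json
import time

# Constructed sample values for this example only; none are real credentials.
ALLOWED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 documentation range
BROKER_SECRET = b"example-broker-signing-key"             # hypothetical; a KMS/HSM key in practice


def ip_allowed(client_ip: str) -> bool:
    """Strategy 1: classic IP allow-listing for a sensitive service."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED_CIDRS)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, scopes: list[str], ttl_s: int, now: float | None = None) -> str:
    """Strategy 2: the broker turns an already-verified identity (e.g. an OIDC subject)
    into a short-lived, scope-bound token instead of handing out a long-lived key."""
    now = time.time() if now is None else now
    payload = {"sub": subject, "scp": scopes, "iat": int(now), "exp": int(now) + ttl_s}
    body = _b64e(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(BROKER_SECRET, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64e(sig)


def verify_token(token: str, required_scope: str, now: float | None = None) -> tuple[bool, str]:
    """Resource-side check: signature first, then expiry, then scope. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(BROKER_SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64d(sig)):
        return False, "bad_signature"
    payload = json.loads(_b64d(body))
    if now >= payload["exp"]:
        return False, "expired"          # a leaked token replayed later lands here
    if required_scope not in payload["scp"]:
        return False, "insufficient_scope"
    return True, "ok"


def authorize_request(client_ip: str, token: str, required_scope: str,
                      now: float | None = None) -> tuple[bool, str]:
    """Combined policy: the caller must be on the allow-list AND present a valid short-lived token."""
    if not ip_allowed(client_ip):
        return False, "ip_not_allowed"
    return verify_token(token, required_scope, now)


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock so the run is reproducible
    tok = mint_token("ci-runner@example", ["repo:read"], ttl_s=300, now=t0)
    print(authorize_request("203.0.113.10", tok, "repo:read", now=t0 + 60))    # (True, 'ok')
    print(authorize_request("203.0.113.10", tok, "repo:read", now=t0 + 3600))  # (False, 'expired')
    print(authorize_request("198.51.100.7", tok, "repo:read", now=t0 + 60))    # (False, 'ip_not_allowed')
    print(authorize_request("203.0.113.10", tok, "repo:write", now=t0 + 60))   # (False, 'insufficient_scope')
```

The point of the replay line is the one the conversation makes: with a five-minute lifetime, a token that leaks into a repository or a shared file is already dead by the time it is found, so the response becomes "rotate and look at the blocked login" rather than an all-hands incident.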

Transcript

Kane Narraway [00:00:00]:

Often teams get stuck in this rut of we do the operational work because we do rather than thinking like if we just stopped doing it, we could actually do this other thing which unlocks more every time.


Arek Dreyer [00:00:19]:

Today's guest is Kane Narraway, Head of Enterprise Security at Canva. Kane brings a unique perspective to the table, having rotated between IT and security roles throughout his career at places such as Shopify, Atlassian and even the UK government. That balance has shaped how he approaches some of the industry's most complex challenges. He's built Zero Trust architectures at three of the world's largest tech companies, including one entirely from the ground up, before most of today's tooling even existed. Kane's an expert in securing systems without over engineering them, staying grounded, avoiding tunnel vision and building solutions that actually work across teams. Kane, welcome to Patch Me If You Can™.


Kane Narraway [00:01:01]:

Hey, thanks, it's great to be here.


Arek Dreyer [00:01:03]:

Excited, me too. Well, let's dive in. When we discussed you coming on the show, you mentioned that everyone seems to have a different opinion on what that last mile of Zero Trust really is, and that the real last mile of Zero Trust isn't the browser or the network, it's non-human identities. What led you to that conclusion?


Kane Narraway [00:01:26]:

Yeah, so I think this is one where everyone will have their own thoughts depending on their sort of risk appetite, the industry they're in. Like a lot of the research that Google has been doing is like physical networks and how to sort of get those in Zero Trust, because they have a lot of hardware manufacturing, they have a lot of warehouses, they have a lot of that kind of stuff. But I think kind of what I was getting at here is that almost every company, whether you're an engineering company, IT company, consulting or anything in between, you're probably using something that has APIs somewhere. So you're probably using a SaaS tool and you're trying to talk to that SaaS tool via service accounts, no doubt. And so sort of when we designed Zero Trust as a whole, a lot of it was focused on SAML and single sign-on and protecting human authentication flows. But what we really missed, I think, is looking at like how do we sort of secure those non-human identities? Because the reality is that we've done a really good job with humans in the last few years. You know, we have passkeys, we have device posture, we have it so we can validate you're coming from a company device. But if you're using a service account, it's probably just still a long token of numbers and letters, and if someone gets that, it's full access and it's game over.


Kane Narraway [00:02:58]:

And you can do things like scope it down and put them in your password manager and stuff like that, but it's still really easy. Developers commit these to repos, people share them with each other. They can get included in files that get uploaded to various platforms. And so a lot of the breaches you see today are through this. It's through people accidentally exposing these API tokens in a lot of cases.


Arek Dreyer [00:03:24]:

And so part of that is just the change in technology and what we're using to do the things that we need to do.


Kane Narraway [00:03:32]:

Yeah. And like I'm sure we were using service accounts, you know, back in the early 2000s and even before. Right. And so, but I think what's changed is the scale. So back then, I think in 2017, I remember the company I was working at had about 0.5 service accounts per person. And over the years it's become one service account per person, two service accounts per person. And I think that the reality is, if you look at it today, I would say a lot of tech companies especially are probably in the tens to hundreds, even thousands in some cases. And I think that's only going to grow as LLMs' Model Context Protocol.


Kane Narraway [00:04:17]:

All of this AI stuff expands because a lot of it is powered by service accounts under the hood. And it's still that thing that we, you know, it's kind of security's dirty secret almost that we haven't properly fixed it.


Arek Dreyer [00:04:30]:

And just to be clear, the number of service accounts per person, is that per employee? Is that per IT team and security? Like what is.


Kane Narraway [00:04:39]:

Yeah, I would say it's usually per employee. And of course it's going to depend. Right. Like if you are a sort of a manufacturing company and you have a lot of like on-prem hardware, you're probably going to have less. But I think for a lot of modern SaaS companies, consulting companies, et cetera, it's only growing over time. Right. And you know, every piece of automation you do, it tends to be that best practice is make a service account to that thing, scope it down minimally to just the things it needs. But the reality is that I think just with my own automations alone, there's a lot of access I need into things.


Kane Narraway [00:05:19]:

And even if I only have three or four service accounts, it might be like a service account into Kandji, for example. Right. And so that has maybe read level access audit for me as a security person. Maybe that's fine, maybe that's not super super sensitive. But I think if you're talking about IT teams and stuff like that, who might have admin tokens, you know, that that gives you access to a laptop, which can then give you access to customer data production infrastructure, et cetera.


Arek Dreyer [00:05:47]:

So with that explosion of service accounts, why do you think that API authentication, especially continued reliance on one-factor authentication tokens, why has it been overlooked for so long by organizations?


Kane Narraway [00:06:04]:

Yeah, like I say, I remember looking at this back in about 2016, 2017 and I remember thinking, oh, that's not great, but there's not enough of these accounts to really worry about it that much. And all the breaches are coming from human accounts. So I probably don't need to worry about these, you know, couple small accounts over here. And I think that we've kind of got tunnel vision focusing on human accounts which, like I say, I think we've done a really good job on. I think, like I said, passkeys, device posture, et cetera. The reality is that sort of credential theft attacks are going down and I would recommend everyone to look at the recent 2025 Verizon report. There's a really interesting graph in that that shows that credential theft is very much going down quite rapidly and vulnerability attacks are going up. And I think that, you know, if you separated those credential thefts between human and non-human, I think it would probably, you know, provide an interesting data piece.


Arek Dreyer [00:07:05]:

Yeah, I'd love to see that breakdown in the next Verizon report, which is full of really good information and insights. So speaking of non-human identities, what's your approach to securing those non-human identities that's practical and not just theoretical?


Kane Narraway [00:07:22]:

Yeah, I guess there's a few ways we can tackle this. Right? So I'll tell you what you can do now, like in your organization, and then I'll tell you where I think we need to get to, which is a bit more theoretical. But I think you have a couple of options. I think there's probably three realistic ones that people are going to do. There's one, the simplest, the easiest, the tried and trusted IP allow-listing. It's painful. You'll probably increase support load on your IT team. People will change their IP addresses weekly, daily.


Kane Narraway [00:07:59]:

It'll be a nightmare. But it'll get you to where you need to go. And basically all you're doing there is you're saying, you know, in my SaaS tool of choice, my Salesforce, my Jira, et cetera, only allow connections from these IP addresses. Off you go. Actually really hard to do in practice because, you know, you might work with vendors who need access. It's just the reality of the world is everything's connected. But that is what most people do. And maybe you only do it for your most sensitive services.


Kane Narraway [00:08:28]:

So maybe you've got your crown jewels. You say we'll do IP allow-listing on this, but for everything else it's too painful, we won't bother. So you kind of, you still have that risk over there. It might not be as bad, but it's still there. Now 2 and 3 are connected, and so I don't think there's anything you can buy off the shelf really. And really what this is is proxies that only give you short-lived tokens rather than these long-lived ones. So Chainguard has a really great blog on how they removed GitHub personal access tokens. Definitely something I would recommend for anyone who's interested in this.


Kane Narraway [00:09:13]:

Basically what they did is they made a GitHub app that uses OIDC and it turns long-lived tokens into short-lived session-bound ones. And so the idea is that even if you leak your token, yes, it's one-factor, but it's going to be so short that hopefully, you know, an attacker logs in and then they're immediately removed because it's just not long enough. And the reason I say 2 and 3 are the same is you can do this approach in two ways. You can do it in this sort of low-level way, I would say, where you are intercepting sessions, you're doing sort of verification of the user. So you can have this proxy, I connect to it and then I have IP allow-listing from that proxy to my service, and that will work for everything. It'll be a bit more lightweight, but it's still a lot of work. I think the heavier solution is that you talk to every single tool that you use and you build an integration with that and you talk to their APIs and you have code that generates an API key, gives it, removes it straight in the tool itself. So you don't need a proxy at all. And the reason I kind of differentiate these two options is that the best usability is going to be native integration with the tool.


Kane Narraway [00:10:33]:

But for you as a security team or an IT team to maintain that, you're not going to have a good time. I know people have built such things and it's a lot of maintenance, like keeping up with APIs. And so I think you've kind of got those three picks today, and I think IP allow-listing, you can very much go with a vendor, you can go with your Zscaler, your Cloudflare, your tools like that. In the middle, I don't think there's much. There's a lot of teams who have built their own, we've built our own. Like I say, Chainguard built their own and wrote about it. Makari also wrote a great blog on how they did a similar thing. And that final one, I don't think I've read any good blogs about it. I know people doing it, but not ones that want to talk about it because it's very painful.


Arek Dreyer [00:11:20]:

So it sounds like all of that takes some time to set up. But what I'm really interested in is now that you've spent the time, you've invested that to address non-human identity, what has that extra time that you no longer have to worry about, what has that unlocked for you and your team?


Kane Narraway [00:11:40]:

Yeah, I think the reality is that it means you don't have to worry about it nearly as much. So a lot of the focus I see teams putting in is in the detection and response realm. So you need to have an inventory of all your tokens. You need to know where they are, who has them, who's using them, what tools they're being used in, how they're scoped. And that's really hard to keep on top of in a fast company that allows a lot of freedom. The reality is that it's just hard to keep on top of. And so I think almost like with passkeys, you kind of don't need to worry about sort of the basic phishing.


Kane Narraway [00:12:27]:

Yes. You still have to worry about malware and stuff like that, but it's just like, oh, a factor's been breached, let's reset it. No worries. You know, you don't need to do an all-hands-on-deck investigation. And I think you get a similar level of security. Maybe it's not quite as good. Like I said, it depends on how you build it. But it does mean that you don't need to immediately jump onto it to fix it.


Kane Narraway [00:12:51]:

It's not that Sev0 critical incident, someone logging into your prod infrastructure. It's now, oh, we've seen a login, it's been blocked, look into that. Maybe the token's been posted somewhere, we should still go and rotate it, you know, all of that good stuff. But it's not like I've got to do this right now. So maybe it's not what it frees up, but it's what it enables you to worry about, which is a lot less. A lot less urgency. So you can put that urgency into the things that do require it.


Arek Dreyer [00:13:22]:

I really like that framing. It's not what it frees up, but it's more your reaction, and that the things that happen that are bad, they're not as urgent. You don't have to drop everything, really. That's really cool. I want to shift gears a bit to a hot topic: enabling AI in the workplace.


Arek Dreyer [00:13:43]:

That's become part of your role. So how are you approaching enabling AI securely and what's the opportunity that you see there?


Kane Narraway [00:13:52]:

Yeah, it's funny, so much of my time recently has gone into thinking about how we secure the tools, not how we use them. So I think it's only in the last few weeks I've kind of been tinkering around with stuff and being like, oh look, we could use it for this. And so I definitely recommend like anyone in IT security to start looking at this stuff. Like, there's some really cool things that I've played around with. Things like automating your screenshots for audit is a great example that I've played around with recently. So you know how before you might have to go get some Jira tickets or something for your auditors and stuff, to screenshot them because they don't have access, put it in a Google Drive. I recently played around with a little script where you can just post in all the Jira tickets you want. It goes off, it gets them, it pulls them down, it screenshots them, saves them in the folder, like hundreds of hours saved.


Kane Narraway [00:14:50]:

So there's definitely some incredible, like usability things. And I've seen people interact with Kandji APIs to pull custom reports and stuff. Really interesting stuff. Would recommend it. But on the securing side, I think really a lot of the focus has been on Model Context Protocol, which, the simple explanation, I guess, is it's a layer in front of your APIs that lets an LLM interact with them. So it used to be before that LLMs just generate and summarize text and images and stuff. Great, but limited in terms of what they can do. And so what MCP really lets you do is go talk to your LLM of choice, your Claude, your OpenAI, et cetera, and say, look, I want to know all the machines on my fleet that have, like, I don't know, been wiped in the last day or something like that.


Kane Narraway [00:15:47]:

And it can go, oh yeah, cool, well, I've got some Windows machines in Intune and I've got some Mac devices in Kandji. I can go reach out to both. I can grab them, consolidate you a nice report. And that's kind of the future that I think we were hoping for. It's still a bit limited at the moment in terms of it's very fresh. Security was definitely not like a forethought, I think, when it comes to it. And so a lot of that stuff is coming later down the line. And so I think there's some hesitation to use some of this stuff in production workflows at the moment.


Kane Narraway [00:16:22]:

But I think a lot of my time has been going into where MCP is used today. So people talking to GitHub and stuff like that, where it's got reasonable support at the moment. So, you know, developers raising pull requests automatically and stuff like that.


Arek Dreyer [00:16:39]:

Oh, it's interesting that you've got a mix of really low-tech, where you're taking screenshots. I mean, it's not low-tech, but it's grabbing screenshots and grabbing information directly from the API. So it's cool that you've got that screenshot and the API, both kinds of technology. And it's really cool to hear you say that, you know, you don't have all the answers right now. Like, things are maybe weeks, maybe months, maybe years ahead. And it's really cool to see that things are always changing. Which leads me to my next question, which is I want to dive into your career approach.


Arek Dreyer [00:17:25]:

So I've noticed that you switch from IT to security and back frequently. You want to tell us a little bit about that philosophy?


Kane Narraway [00:17:35]:

Yeah. So at least in the land of security, I've spent a lot of time running platform engineering teams. So teams that are building services that other people use. And I think that a flaw maybe in platform teams is like if you are building a product externally, there's probably lots of products that you can use, so you have that sort of choice. When you're building an internal platform, people kind of have to use your platform. That's kind of the design. And so there can sometimes be a tendency to not make it the best experience. It's like there's always the next feature you want to be working on, always the next cool thing.


Kane Narraway [00:18:15]:

But you're building a product and so you have to think like a product manager. And so I think that switching between them really helped me gain a better understanding from like a customer mindset. Like, you can do surveys all day, right. But actually experiencing the things you build will give you like a new level of empathy for teams that you build stuff for, I think. And so I feel like the stereotype these days is that, like, vulnerability teams scan for all vulnerabilities and just post tickets out to everyone to fix stuff. And I feel like that might happen some places. It doesn't happen here. I don't think it happens as much as people complain about it, but it definitely is a stereotype for a reason.


Kane Narraway [00:19:01]:

And so I think, how can we avoid cases like that? And that's where we need to think about what's the problem we're solving and how can we fix the problem before it even starts? So how do we stop just raising vulnerability tickets and how do we provide golden images? How do we provide fixes in advance and say, here's the fix, just check it, maybe it'll work. Maybe you need to make some changes. I've made the start for you, right? Rather than just raising a ticket and saying, hey, you gotta fix it. And a great analogy I used recently was that, like, you wouldn't be happy if you had a leak in your house and you hired a plumber and they went, yep, yeah, there's three leaks, see you later. And just left, right? And that's kind of what we do in security teams. Sometimes we're like, yep, here's your problems, go fix them. And so I think switching between them, you kind of see, like, how do I actually fix these problems? What things do I need to do? And what problems do the tools that we're developing cause for people? And so I think if you kind of do that rotation, you can get a much better understanding of what you need to build, how you can make it better, and how you can make a great user experience for people. And so I guess the last thing, bringing it back to IT, like in security teams, a lot of what we do goes into securing tools like Kandji, securing tools like Okta.


Kane Narraway [00:20:26]:

And sometimes those things that we recommend can be not the best, like they can break things. If you turn on all your CIS benchmarks, you're probably not going to have a great time. And so I think actually going and running the team, working on the team that's implementing that, you get close to that feedback and so you get that better understanding.


Arek Dreyer [00:20:46]:

So to sum it up, switching between IT and InfoSec, switching between IT and security teams every few years, what does that unlock for you?


Kane Narraway [00:20:58]:

I think not only does it give you sort of a better understanding of how those teams work, but it gets you closer to the technology. Like, I don't think I would care about things like WWDC releases and stuff like that if I didn't work on an end user computing team. But like many, many years ago, I learned about those. I watch them every year. I find the cool security stuff that comes out as well as the cool IT stuff. I sort of work with our IT leads to make a plan on how we can adopt all those things. And so I think it becomes more of a collaborative exercise where you have a greater understanding of the priorities that those teams have. And you're not like, do this security stuff, just work on security things.


Kane Narraway [00:21:40]:

And you're like, oh, actually this IT thing's really cool, you should go work on that, then do the security thing afterwards because that's way more important, you know.


Arek Dreyer [00:21:47]:

So when thinking about importance and, like, jumping on the latest thing, what is some practical advice that you've got for teams that are stuck in a reactive mode? What words of advice do you have for making that first shift towards leverage?


Kane Narraway [00:22:09]:

Yeah, I think it depends where your team is. But I always recommend at least every couple years, kind of if you can all get in a room, that's great, or at least with your tech leads if you're a really big team, and just think about first principles, think about like, what does your team do for the business? Like, we often get stuck in our own sort of tech world and we think, you know, what's this cool new Apple feature that I want to release? But like, how is that going to help is what I would think about. So even in security I think about the same thing. Like realistically, what risks are there for your, like vertical, for your horizontal, et cetera? Like what risks are there to your company, and be realistic about it, you know. Like I think some stuff that you could think is super high risk, but in reality it's like you being a security person, constantly seeing the news and stuff like that. Whereas realistically, you know, I think a great example in the security world is Scattered Spider attacked a lot of supermarkets, and so like, do you need to be worried about them if you're not a supermarket? Maybe, but like that's who they're focusing on right now. And so I think that, you know, you might want to care about some of the initial access things, but you probably don't need to worry in depth about all of that. So yeah, kind of bringing it back.


Kane Narraway [00:23:33]:

I think it's just a case of look at what you're doing, what are you trying to achieve, and almost don't be afraid to just cut out big things of what you're doing. Like often teams get stuck in this rut of we do the operational work because we do, rather than thinking like if we just stopped doing it, we could actually do this other thing which unlocks more, it gives us more free time. And so, especially for end user computing teams who are often under the pump on a new operating system, a new app, et cetera, you sometimes have to go back and think, look, maybe we don't support this new operating system because we're already supporting Mac and Windows, maybe we can't support Linux, maybe we just have to make a stand here and it'll free us up later. So I think there's a big value in going back, thinking about what you're trying to achieve and doing that.


Arek Dreyer [00:24:30]:

Is there any time that's best to come back to first principles, or is it…


Kane Narraway [00:24:34]:

Every time, anytime, if you feel like you're incredibly overwhelmed. I think it's a great example. I remember working with an incident response team some years ago who were just constantly dealing with incidents. They never had time to improve processes, to write playbooks, to automate, because they were working on incidents. I just kind of said to them, why are you working on the incidents? Because that's what we do, we work on incidents. I'm like, just don't. Some people can probably deal with their own incidents. You don't need to be involved in everything.


Kane Narraway [00:25:09]:

And so sometimes you do have to let some tactical fires burn to stop the whole thing going up in flames.


Arek Dreyer [00:25:18]:

Super powerful to take a step back, maybe even when you feel like you can't even take a breath. I've got a closing question for you. If you could instantly patch something in your world, what would it be?


Kane Narraway [00:25:31]:

Yeah, that's a great question. I will skip the obvious one, which is I spoke a lot about non-human identities today and I think that, like I said, the fix for non-human identities is we kind of have something like single sign-on for our APIs and we can like add some extra controls there. You know, like a lot of people have OIDC in front of their APIs that functionally does this. I think convincing a thousand, ten thousand vendors to support another protocol is going to be a tough, tough one. So I'll skip past that and I'll say that, like I said, I spoke a little bit about Model Context Protocol today. I think that is great. It's a great step in the right direction. It's a great step to make things easier, but I would love for there to be vendor-provided MCP servers.


Kane Narraway [00:26:26]:

So every vendor has their own. It has OAuth, it's secured. I can go talk to it. And what this enables is it stops me having to download code from the Internet, run it on my local machine to go talk to all the vendors that I'm using. And this is starting to become a thing. Like a lot of vendors are now building these out. They have them, they're starting to come to fruition. Some of them are getting breached, unfortunately, because the security of MCP still isn't that great.


Kane Narraway [00:26:53]:

But I think I would love there to just be like, secured MCP servers for everyone, because that would just make my life so much easier. Because now I can not only say MCP is secure, but I can say, hey, just go use the server like it's a URL. There you go. You don't need to worry about any complicated setup. And I can expand it beyond our really techie engineers who love to play with stuff, into everyone. And then we can start automating those use cases like the audit screenshots, for example, where people today might not be able to do that because it's a bit painful to set up.


Arek Dreyer [00:27:27]:

I love it. That's a great, great patch. Well, thank you, Kane, for joining us on this episode of Patch Me If You Can™.


Kane Narraway [00:27:34]:

Perfect, thanks. It's been great to be here.


Arek Dreyer [00:27:36]:

If you liked the episode, hit follow and share it with someone who's ready to lead IT and security from the front. We'll see you next time.