Platform Engineering
Enhancing Security Practices on Google Cloud
How Astrafy helped Rubyx strengthen its Google Cloud security practices with Terraform, Kubernetes hardening and IAM best practices, achieving ISO 27001 certification.


Rubyx is a Lending-as-a-Service platform for companies that want to offer digital financing solutions to entrepreneurs and small businesses in emerging markets.
Website
Industry
Financial Services
Location
Belgium
Stack
Google Cloud Platform · Kubernetes · Terraform · Cloud Armor
Astrafy has acted as the security department for Rubyx in order to strengthen all their security practices on Google Cloud. The areas covered spanned from Google Workspace security best practices, Kubernetes strict security rules, and so on.
The challenge
Raising security standards to support ISO 27001
Rubyx has grown from being a small startup to being a more renowned company, and this entails that it can attract bigger customers — and those customers are more demanding on security around the application. For that reason, Rubyx started the journey to have its application certified ISO 27001, which required setting up a culture of security and implementing different security controls.
The solution
Hardening infrastructure and centralizing IAM control
From the "Technical Design Document" that listed all the epics to work on in order to step up Rubyx's game in terms of security, we made their application very robust and bulletproof against external attacks (no more public IPs, deployment of Cloud Armor, etc.). We then tackled all the logging and monitoring topics to give Rubyx full visibility into everything that happens within Google Cloud.
Results
Certified, fully automated, and fully visible security
All infrastructure provisioning is now done via Terraform code (using Terraform Cloud)
Their Kubernetes cluster (where they host all their applications) abides by the utmost security standards
No more IAM bindings at user level, with all IAM bindings in dedicated repos following "least privileged access" and "segregation of duty"
Successfully passed the ISO 27001 certification
Latest case studies
