Platform Engineering

Enhancing Security Practices on Google Cloud

How Astrafy helped Rubyx strengthen its Google Cloud security practices with Terraform, Kubernetes hardening and IAM best practices, achieving ISO 27001 certification.

Rubyx is a Lending-as-a-Service platform for companies that want to offer digital financing solutions to entrepreneurs and small businesses in emerging markets.

Website

Industry

Financial Services

Location

Belgium

Stack

Google Cloud Platform · Kubernetes · Terraform · Cloud Armor

Astrafy has acted as the security department for Rubyx in order to strengthen all their security practices on Google Cloud. The areas covered spanned from Google Workspace security best practices, Kubernetes strict security rules, and so on.


The challenge

Raising security standards to support ISO 27001

Rubyx has grown from being a small startup to being a more renowned company, and this entails that it can attract bigger customers — and those customers are more demanding on security around the application. For that reason, Rubyx started the journey to have its application certified ISO 27001, which required setting up a culture of security and implementing different security controls.


The solution

Hardening infrastructure and centralizing IAM control

From the "Technical Design Document" that listed all the epics to work on in order to step up Rubyx's game in terms of security, we made their application very robust and bulletproof against external attacks (no more public IPs, deployment of Cloud Armor, etc.). We then tackled all the logging and monitoring topics to give Rubyx full visibility into everything that happens within Google Cloud.


Results

Certified, fully automated, and fully visible security

  • All infrastructure provisioning is now done via Terraform code (using Terraform Cloud)

  • Their Kubernetes cluster (where they host all their applications) abides by the utmost security standards

  • No more IAM bindings at user level, with all IAM bindings in dedicated repos following "least privileged access" and "segregation of duty"

  • Successfully passed the ISO 27001 certification

Latest case studies

Turn your scattered data & AI initiatives into a coherent strategy

Turn your scattered data & AI initiatives into a coherent strategy

Turn your scattered data & AI initiatives into a coherent strategy