Creditas

Cloudflare Zero Trust secures work-from-home access for 5,000+ Creditas employees

When Spanish entrepreneur Sergio Furio first became aware of the reality of borrowing money in Brazil — where unsecured consumer debt was common and interest rates could reach as high as 100% — he spotted an opportunity. Furio set out to democratize the Brazilian finance industry and bring liquidity to illiquid assets by making money available at sustainable rates to consumers through home equity and vehicle loans.

Creditas began partnering with establishment banks in 2012 to provide consumer loans but has since become an independent fintech platform with over 5,000 employees and a valuation of 4.8 billion USD. They have expanded operations into Mexico and Spain, offering home equity, automobile, and secured loans against employee salaries. Creditas also maintains a vehicle marketplace and provides secondary services like vehicle and home insurance.

Challenge: Providing 5,000 employees secure access to internal tools and applications — overnight

When COVID-19 hit Brazil, Creditas were commissioning their newly constructed headquarters, onboarding new hires, and moving its existing workforce to the new space. Then they received instructions from the Brazilian government to send everybody home.

“Overnight, we had to go from 100% on-site to almost entirely remote,” explains Ricardo Girardelli, Creditas Network Engineering Team Lead. “We had to change our entire working model and get everybody offsite in 48 hours.”

The Creditas engineering team faced multiple challenges simply keeping employees online during the lockdown. One significant pain point was maintaining a legacy VPN that demanded complex configuration to run on different operating systems (Windows, Linux, and macOS) and could only support a limited subset of employees.

In addition to a high maintenance effort, the VPN also often required time-consuming collaborations between Creditas teams with their third-party vendors to modify new tools before they were safe to use.

Creditas' next concern was upholding security and data protection standards for 45 internal applications and core third-party tools that were secured only for use within their offices. Unwilling to risk remote data breaches for both the safety of their clients and to remain compliant with Brazil’s 2020 Lei Geral de Proteção de Dados Pessoais (LGPD) personal data protection and privacy legislation, Creditas needed an immediate solution.

“We are a startup, and don’t have the time to build every tool we need, so we use third-party services. With our developers concentrating on user experience and developing new products, we did not want to shift their focus to security if we could avoid it. That said, we had to protect our customer data — a breach would expose us to fines or, worse, fatally damage our reputation and destroy customer trust,” says Girardelli. “Without a secure solution, it was not a matter of if, but when the worst would happen. When several local companies got hit with ransomware attacks and experienced data breaches, it was a red flag and a powerful reminder that we could be next.”

Cloudflare core security and a strategic pivot to Zero Trust Network Access

Creditas reached out to Cloudflare to discuss security services, based on its reputation as a security leader and recommendations from fellow fintech organizations.

“When we started discussions with Cloudflare, I could tell they actually believed in their products — there was no hard sell, and they had evidence to show they knew what they were talking about,” recalls Girardelli. “When Cloudflare offered us an obligation-free proof of concept (POC), and we liked the product, there was no turning back — we are addicted to it.”

Creditas began with the Cloudflare core security suite, rapidly implementing the Cloudflare WAF, global cloud network, certificates, and DDoS protection for secure volumetric and geographic growth as they expanded their territory to include Latin America, Europe, and Mexico.

With the onset of the COVID-19 pandemic, however, the company’s focus pivoted to streamlining employee connectivity and securing access to internal resources to meet the high-pressure government deadline to secure remote work. Creditas rapidly deployed Cloudflare Zero Trust, averting the potential threats to the business of working offsite. Specifically, Creditas rolled out Cloudflare Access, a Zero Trust Network Access (ZTNA) service, to enforce identity-based authentication per application across their workforce.

“Before we got Access up and running, we prepared by organizing our user directory with our identity provider and defining groups for single sign-on (SSO) authorizations,” says Girardelli. “The preparations took longer than the deployment, but now we can implement and secure a new tool in a couple of days. We can also have our employees online within hours.”

Efficient use of resources for all Creditas teams

Access essentially eliminates the resource-heavy process of dedicating Creditas teams to work with its third-party vendors to recode or reconfigure tools to meet VPN and security requirements. As a result, Creditas DevOps teams have increased their productivity and reduced implementation delays.

“Before we implemented Cloudflare Access, preparing an application for safe deployment was a two- to four-week project. With Cloudflare Zero Trust, we save almost 90% of that time.”

The time saved and lightened workload has also led to improved cooperation between teams.

With 5,000 Cloudflare Access licenses, the Creditas engineering teams reported additional efficiency gains, including reduced demands from its onboarding and hardware maintenance processes. While the headcount at Creditas has doubled, the engineering team that supports it has increased by less than 30% — an achievement Girardelli attributes to the reduced complexity of tooling like Cloudflare Access which helps engineers more efficiently support the wider organization as it scales.

“Now our service desk can easily maintain thousands of computers — it is far faster to set up a new employee's computer or replace an existing one with Access because we don’t need to install, configure, and test the VPN,” says Girardelli. “We can operate using a much more basic setup. If my computer breaks, I can use any other computer and have access to everything by entering a URL. It saves everybody a lot of time.”

A partnership for growth

For Creditas, Cloudflare support is a key factor in the partnership's success. To illustrate, Girardelli recalls the two companies' combined attempts to configure a critical, but unsupported locally developed legacy application to work through Access.

“The application was a dinosaur, but Cloudflare support refused to give up, even after we exchanged 70 emails to find a resolution. Knowing we have that extra layer of support makes us sleep better at night.”

It is one of many reasons Cloudflare continues to play a key role in Creditas’ growth.

“Cloudflare is trustworthy, performant, and intuitive. When I face a challenge with Cloudflare in my corner, I say, ‘Yes. I can do that.’ With any other vendor, I wouldn’t be that confident.”