HyTrust, a provider of policy management and access control solutions for virtual and cloud environments, today announced that it has secured $ 33 million in new funding, including $ 8 million in venture debt and credit facilities.

According to the company, the new cash will be used to boost marketing, sales and product development initiatives, as well as expansion into international markets.  

HyTrust’s solutions enable the adoption of next-generation architectures through policy-based controls, visibility and data security, which helps enterprises more easily meet compliance mandates, improve application uptime, and securely take advantage of cloud-based capabilities.

The new investment is being led by AITV (Accelerate-IT Ventures). New investor Vanedge Capital also participated in the funding, while existing venture investors—Epic Ventures, Granite Ventures and Trident Capital—and strategic investors Cisco, Fortinet, Intel Corp. and VMware, also participated.

In addition to being backed by several venture firms and enterprise technology companies, HyTrust entered into a strategic investment and technology development agreement with In-Q-Tel (IQT), the not-for-profit venture capital arm of the CIA, back in July 2013.

Along with the $ 25 million equity investment from the syndicate, HyTrust expanded its relationship with banking partner City National Bank to fund up to $ 8 million in venture debt and credit facilities.  

“HyTrust is perfectly positioned to meet the needs of a market in which so many organizations are building on cloud-based technologies to increase agility for their business,” said Brian Nugent, founding principal and general partner at AITV.  

Brian Nugent will join HyTrust’s board of directors, while AITV co-founder and general partner, Bill Malloy III, and Moe Kermani, a partner with Vanedge Capital, will join as board observers, the company said.  

“Our goal at HyTrust is to make security automated and policy-based to address the needs of private and hybrid cloud data centers, as well as provide complete visibility into what is happening in cloud environments,” said John De Santis, Chairman and CEO of HyTrust.

Tags:

VMware released a series of updates to address the OpenSSL vulnerability known as Heartbleed in its products in April, but many organizations still haven’t secured their installations, virtualization management firm CloudPhysics reported on Monday.

Based on machine metadata collected from virtualized datacenters, CloudPhysics determined that 57% of VMware vCenter servers and 58% of VMware ESXi hypervisor hosts are still vulnerable to Heartbleed attacks.

“This is a remarkably high percentage given that ESX run the majority of business critical VMs in the world. I speculate that IT teams are more lax about patching ESXi since those machines are typically behind the firewall and not easy to reach from the outside world,” Irfan Ahmad, CTO and co-founder of CloudPhysics, wrote in a blog post.

“However, that laxity doesn’t make the delay in patching a good idea,” he added. “For one thing, insider attacks continue to be a major source of breaches. Another consideration is that if outside attackers do manage to infiltrate a low privilege service inside your firewall, you have just given them carte blanche to attack your most sensitive data.”

According to Ahmad, 40% of the organizations in CloudPhysics’ dataset have at least one vCenter server or ESXi host running a vulnerable version of OpenSSL. By May, over 25% of vCenter servers and ESXi hosts had been patched, but over the next two months, the rate at which organizations were applying the updates had slowed down.

Shortly after the existence of the Heartbleed bug came to light, there were roughly 600,000 vulnerable systems. A couple of months later, Errata Security reported that the number was down to 300,000. However, some experts predict that it will take months, possibly even years, until all systems are patched.

“If insiders, or attackers via insiders, exploit the Heartbleed vulnerability through an untraceable attack they can gain access to mission-critical systems. With the window for the exploit being so large, combined with the current slowness of patching, the severity of an already serious problem is exacerbated,” Ron Zalkind, CTO of cloud data protection company CloudLock, told SecurityWeek.

“Maintaining patches is always prudent, but with an exploit like Heartbleed, its importance cannot be overstated. We strongly encourage organizations to immediately patch their systems per guidance from VMware, with a particular focus on systems that are the most significant to their businesses.”

Eric Chiu, founder and president of cloud control company HyTrust, points out that the traditional approach to security has been to protect the perimeter, which has bred a long-standing misconception that systems within an organization’s datacenter don’t need to be protected.

“However, breaches are not only happening more often and getting bigger, but they’re also primarily happening from the inside. Attackers are using social engineering, phishing, malware and other attack techniques to steal employee or I.T. credentials in order to gain access to networks. Once in, they can move forward, backward or laterally, and siphon large amounts of sensitive data without ever being detected. Given that virtualization is a ‘concentration’ of systems and data, the result is a higher concentration of risk. If an attacker is able to pose as a virtualization admin, for example, that could ultimately be ‘game over’ for a victim company,” Chiu told SecurityWeek.

“Bottom line, organizations need to shift their security strategy from that of just an ‘outside-in’ approach, to an ‘inside-out’ model. They should assume attackers are already inside, in which case access controls, audit logging, alerts and data encryption are important—if not critical… especially in ensuring a secure cloud environment.”

Related: Heartbleed Vulnerability Still Beating Strong

Related: Recovering from Heartbleed: The Hard Work Lies Ahead

Tags:

• NEWS & INDUSTRY
• Cloud Security
• Vulnerabilities