The Hidden Hurdle in Zero Trust: Securing Data in Motion

2026-05-01 11:50:39

Introduction: The Assumption That Derails Zero Trust

Every security program operates on a hidden assumption: once a system is connected, the problem is solved. Open a ticket, stand up a gateway, push the data through—and consider it done. But that assumption is flawed, and it’s a primary reason why Zero Trust initiatives stall before they deliver real security outcomes.

New research from the Cyber360: Defending the Digital Battlespace report reveals the scale of this oversight. Based on a survey of 500 security professionals, the report quantifies what many practitioners suspect: secure data movement is the bottleneck nobody talks about.

The Zero Trust Promise and the Data Movement Gap

Zero Trust architecture demands continuous verification for every access request—whether from a user, device, or application. But most implementations focus heavily on static controls like identity and device posture, while ignoring the dynamic nature of data as it travels across networks, clouds, and APIs.

Why Connectivity Alone Isn’t Enough

As soon as a system is connected, data begins to move. And moving data introduces risk: interception, tampering, unauthorized exposure. Traditional perimeter-based security assumed internal networks were safe, but Zero Trust rightly rejects that idea. Yet many organizations stop at establishing a connection without securing the data flow itself.

Research Findings from the Cyber360 Report

The Cyber360: Defending the Digital Battlespace survey found that 67% of security leaders cite data-in-transit protection as a top challenge—yet only 23% have implemented consistent encryption across all data paths. The disconnect between recognizing the problem and solving it is a key reason Zero Trust programs lose momentum.

Common Challenges in Secure Data Movement

Overcoming the Bottleneck with Strategic Approaches

Addressing secure data movement requires a shift in mindset—from connect-and-forget to continuous data protection. Here are key strategies:

Adopt Data-Centric Security

Instead of only protecting the network perimeter, apply security controls directly to the data. Use object-level encryption and data masking that travel with the information, regardless of where it moves.

Implement Microsegmentation with Data Flow Awareness

Microsegmentation divides the network into small zones, but it’s only effective when coupled with policies that govern how data moves between segments. Use granular rules for both North-South and East-West traffic.

Continuous Monitoring and Logging

Deploy network detection and response (NDR) tools that can analyze metadata and payloads in real time. Centralize logs to detect anomalies in data movement patterns.

Standardize Encryption for All Data in Transit

Require TLS 1.3 for all external communications and consider mutual TLS (mTLS) for internal service-to-service calls. For legacy protocols, use VPNs or gateways to wrap traffic in secure tunnels.
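One way to express and check this requirement in code, using Python's standard ssl module. This is an added example, not taken from the Cyber360 report or any product; the function names, the optional certificate path parameters, and the weak counter-example are assumptions made for illustration.

```python
import ssl

TLS13 = ssl.TLSVersion.TLSv1_3

def external_client_context() -> ssl.SSLContext:
    """Outbound calls to external services: TLS 1.3 only, server identity verified."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED and hostname checking on
    ctx.minimum_version = TLS13             # refuse to negotiate TLS 1.2 or older
    return ctx

def internal_mtls_server_context(cert=None, key=None, client_ca=None) -> ssl.SSLContext:
    """Internal service listener: TLS 1.3 and a client certificate on every call."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = TLS13
    ctx.verify_mode = ssl.CERT_REQUIRED     # handshake fails without a valid client cert
    if cert:                                # file paths are deployment-specific (assumed)
        ctx.load_cert_chain(cert, key)
    if client_ca:
        ctx.load_verify_locations(cafile=client_ca)
    return ctx

def audit(ctx: ssl.SSLContext, mtls: bool = False) -> list:
    """Return the ways a context falls short of the TLS 1.3 / mTLS policy."""
    findings = []
    is_server = ctx.protocol == ssl.PROTOCOL_TLS_SERVER
    if ctx.minimum_version not in (TLS13, ssl.TLSVersion.MAXIMUM_SUPPORTED):
        findings.append("protocol versions below TLS 1.3 are allowed")
    if is_server and mtls and ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("client certificate not required (no mTLS)")
    if not is_server and ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not is_server and not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    return findings

def weak_client_context() -> ssl.SSLContext:
    """Constructed counter-example: the 'just make it connect' configuration."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

if __name__ == "__main__":
    print(audit(external_client_context()))
    print(audit(internal_mtls_server_context(), mtls=True))
    print(audit(weak_client_context()))
```

Running audit() over every context a service creates, for example in a unit test or CI step, catches the connect-and-forget configuration before it reaches production.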

Automate Policy Enforcement

Manual policy management cannot scale. Use security orchestration and automation (SOAR) to enforce data movement policies based on identity, context, and risk scores.

Conclusion: Making Data Movement Visible and Secure

Zero Trust cannot succeed if we treat connectivity as the end goal. The real measure of success is how securely data moves from point A to point B, through every intermediate hop. By acknowledging that data movement is the bottleneck—and investing in visibility, encryption, and automated controls—organizations can unblock stalled Zero Trust programs and achieve the resilient security posture they seek.