Zero Trust alone can’t win the next digital war

For more than a decade, Zero Trust has been positioned as the ultimate doctrine for modern cybersecurity, an architecture built on the principle that no user, device or system should ever be inherently trusted. But as digital warfare reshapes the battlespace, a stark reality is emerging: Zero Trust, when applied in isolation, is increasingly mismatched to the environments it is now expected to defend.

Conflict today is defined not by isolated networks but by sprawling, multi-domain, multinational ecosystems that depend on the rapid movement of data across classification levels, partner nations and operational theatres.

This increasing scale, interconnectedness and criticality of data has given rise to an unprecedented challenge for governments, critical agencies and defence organisations: how to share mission-critical information securely while preserving sovereignty, speed, and trust.

This is where the limits of Zero Trust begin to show.

Zero Trust in a multi-domain world

Defence alliances such as NATO and initiatives like CJADC2 depend on the ability to pass sensor data, drone feeds, targeting information and tactical reports between multiple classification levels at near real-time speeds. Yet organisations increasingly report that the greatest barrier to effective Zero Trust strategies is not verification, but secure data movement across domains.

In Everfox's CYBER360 research, 64% of security leaders cited secure data movement as the top challenge within Zero Trust programmes, underscoring that the architecture is straining under requirements it was never designed to meet.

Zero Trust Architecture’s (ZTA) focus on locking down infrastructure, verifying each endpoint, each identity, and each request, is vital for preventing intrusions, but far less helpful when the mission requires moving high-value intelligence between networks that operate at different trust levels. In modern defence coalitions, latency isn’t just inconvenient: it’s operationally dangerous.

The hidden risks of isolated Zero Trust

The dangers of relying solely on Zero Trust are rarely dramatic or immediately visible. Instead, they accumulate gradually as friction, delays and workarounds that compound into systemic vulnerability.

Intelligence becomes trapped at classification boundaries, awaiting manual review or physical movement. Decision timelines stretch out as analysts wait for data that cannot cross domains without human mediation. Commanders hesitate because they cannot trust the integrity of information received through improvised, non-standard channels. Over time, this degrades not only the organisation’s tempo but also its coalition partners’ confidence.

These are not abstract fears. Over half of security professionals surveyed in the CYBER360 report cited data tampering or theft as the most serious consequence of insecure data transfer, closely followed by compromised intelligence or communications and disrupted operational readiness.

And with attack volumes against defence and critical service organisations increasing, as adversaries exploit gaps created by legacy systems, manual workflows and uneven interoperability across allied networks, Zero Trust is no longer enough.

Building a data-centric framework

The solution emerging across defence and critical national sectors is a shift from protecting the network to protecting the data itself.

A data-centric approach applies controls directly to the information object, ensuring that the data remains governed, verified and protected no matter who accesses it, where it travels or which networks it crosses.

It also recognises that the challenges in securing data access, transfer and sharing cannot be overcome with a single framework. Protecting that movement requires an integrated architecture built on three mutually reinforcing pillars:

• Zero Trust Architecture (ZTA) for continuous verification
  
• DataCentric Security (DCS) for persistent, portable protection
• Cross Domain Solutions (CDS) for secure, policy-enforced data exchange across classification levels

Together, these frameworks form a cohesive system where trust is established through policy and cryptographic assurance, not by the boundaries between networks.

The path to mission assurance

To achieve mission assurance, organisations must adopt an integrated model that combines ZTA, DCS and CDS. The path to this can be built through four critical steps.

Prioritise data over perimeter controls

Security must follow the data wherever it travels. Embedding labelling, classification, and usage policies into the data itself ensures it remains protected across networks, partners and operational environments.

Bake interoperability into system design

Architects should assume multi-domain and coalition operations from day one. Combining Zero Trust for identity assurance, data-centric protection for content integrity, and Cross Domain Solutions for trusted exchange enables fast, policy-driven collaboration.

Balance sharing with sovereignty

Policy-based controls should dynamically enforce what can be shared, with whom, and under what conditions, maintaining national or organisational sovereignty while supporting operational integration.

Maintain domain separation while modernising

CDS solutions make it possible to upgrade systems without disrupting missions by isolating sensitive data flows while still connecting legacy and modern platforms.

Digital warfare has rewritten the rules of engagement

The battlespace is now a network of networks, where alliances depend on fast, reliable and sovereign data sharing. In this environment, Zero Trust remains essential, but insufficient. Its strengths in identity and perimeter verification cannot solve the challenge of moving high-value data across domains and partners.

By embracing a data-centric model anchored by Zero Trust, Data Centric Security and Cross Domain Solutions, organisations can achieve what neither approach can deliver alone: trusted data in motion at mission speed. And in the digital battlespace, that is now the decisive advantage.