Information Security Buzz

Beyond the Perimeter: Controlling Sensitive Data in a Boundary-Free World

By Wouter Klinkhamer. December 17, 2025. Updated: December 17, 2025. 9 Mins Read

Every day, military intelligence officers transmit sensor data from forward operating bases to command centres thousands of miles away. These transmissions pass through multiple networks, allied nation systems, and satellite uplinks. Traditional security offers little to no protection once the data leaves the originating terminal.

This isn’t a hypothetical. It’s a daily reality for defence organisations, intelligence agencies, and government entities worldwide. Traditional security models offer no reliable answer for data that must cross boundaries to be useful.

Sensitive data doesn’t respect organisational boundaries, network perimeters, or system architectures. It moves because it must. Operations depend on it. Yet our security thinking remains anchored to a fortress mentality that assumes data stays put.

Organisations handling classified, sensitive, or regulated information require a fundamental shift: from protecting the container to protecting the content itself. What government and military organisations learned through hard experience now applies to every entity managing sensitive data.

The Boundary Problem: Why Traditional Security Falls Apart

Traditional security architecture resembles a medieval castle. Strong walls, guarded gates, a clear distinction between inside and outside. For decades, this model worked reasonably well. Data lived on servers inside the building. Users accessed it from terminals inside the building. The security team controlled the environment end-to-end. That world no longer exists.

Organisations now operate across multiple cloud providers, each with different security models and APIs. Employees work from home networks, coffee shops, and airport lounges. Partners, contractors, and clients require access to sensitive information without ever setting foot in your building. The perimeter hasn’t just expanded, it’s dissolved.

Consider the scenarios that keep security officers awake: Intelligence analysts from allied nations need to collaborate on threat assessments, but their systems won’t talk to each other. Field-deployed sensors generate data that must reach rear-echelon analysts through unreliable connections. Government agencies pursuing joint operations discover their classification systems are incompatible. Critical infrastructure sites, such as power plants, water treatment facilities, and transport networks, must report to central monitoring facilities across public networks. Defence contractors exchange technical specifications with dozens of stakeholders, each with their own security posture.

In every case, the data must move. In every case, traditional perimeter security offers no protection once it does.

The numbers tell the story. According to the IBM Cost of a Data Breach Report 2025, 30% of breaches involve data distributed across multiple environments. These multi-environment breaches cost an average of $5.05 million and take 276 days to identify and contain, more than five weeks longer than the global average. Research we undertook confirms that 40% of breaches occur when data moves outside the enterprise, precisely where traditional tools lose visibility.

Meanwhile, 20% of breaches now involve shadow AI, which refers to unsanctioned tools adopted by employees without IT oversight. These incidents add $670,000 to the average breach cost and disproportionately expose customer data and intellectual property.

Traditional Data Loss Prevention tools monitor known channels such as email, USB ports, and network transfers, but they cannot follow data everywhere it goes. They’re guards at the gate, but useless once someone has already left the building.

What Government and Defence Organisations Learned First

Military and intelligence organisations have grappled with cross-boundary data exchange for decades. They learned early that marking a document SECRET accomplishes nothing if the systems handling that document cannot enforce that classification. The gap between knowing data is sensitive and protecting it across boundaries is where breaches happen. Manual processes, such as checking clearances, verifying need-to-know, and logging access in spreadsheets, don’t scale. Instead, they introduce human error at every step. Plus, they create friction that pushes users toward workarounds that bypass security entirely.

The zero-trust security model emerged from military and intelligence thinking, born from a simple premise: assume every network is compromised. Trust nothing. Verify everything. But zero-trust for networks only solves half the problem. The more radical insight is that data itself must carry its own protection. It cannot rely on the environment it passes through because that environment is, by definition, untrusted.

This means embedding access controls, encryption, and policy enforcement into the data itself. A classified document should remain protected whether it sits on a secure server, transits a satellite link, or lands on an allied nation’s system. The protection travels with the content.

Role-based permissions proved too blunt for sensitive data exchange. A junior analyst and a senior analyst might hold the same clearance, but their need-to-know differs by assignment. Location matters. Device security matters. The specific action requested matters.

Attribute-based access control evaluates all these factors simultaneously. Can this user view this document? Perhaps if they’re accessing from a secure facility, on a managed device, during working hours, and the document’s classification matches their clearance level. Can they download it? Different question, potentially different answer. Can they share it externally? Another evaluation entirely. This granularity transforms access control from a binary gate into a context-aware decision engine.
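The per-action evaluation described above can be sketched as a small deny-by-default decision function. This is an added example, not code from the article or from any product; the attribute names, classification ordering, working-hours window, and per-action rule sets are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import time

LEVELS = {"OFFICIAL": 0, "SECRET": 1, "TOP SECRET": 2}  # constructed ordering

@dataclass(frozen=True)
class Subject:
    clearance: str
    assignments: frozenset      # compartments this person is assigned to

@dataclass(frozen=True)
class Resource:
    classification: str
    compartment: str
    releasable: bool            # marked for release outside the organisation

@dataclass(frozen=True)
class Context:
    managed_device: bool
    secure_facility: bool
    local_time: time

# Each check: (predicate over subject/resource/context, reason recorded on failure).
# Unknown clearance or classification labels fail closed.
CHECKS = {
    "clearance": (lambda s, r, c: LEVELS.get(s.clearance, -1)
                  >= LEVELS.get(r.classification, 99),
                  "clearance below classification"),
    "need_to_know": (lambda s, r, c: r.compartment in s.assignments,
                     "no need-to-know for compartment"),
    "managed_device": (lambda s, r, c: c.managed_device, "unmanaged device"),
    "working_hours": (lambda s, r, c: time(8) <= c.local_time <= time(18),
                      "outside working hours"),
    "secure_facility": (lambda s, r, c: c.secure_facility, "not in a secure facility"),
    "releasable": (lambda s, r, c: r.releasable, "not marked releasable"),
}

# Assumed rule sets: each action is its own question with its own requirements.
VIEW = ["clearance", "need_to_know", "managed_device", "working_hours"]
POLICY = {
    "view": VIEW,
    "download": VIEW + ["secure_facility"],
    "share_external": VIEW + ["secure_facility", "releasable"],
}

def decide(subject, resource, context, action):
    """Return (allowed, reasons). Unknown actions are denied by default."""
    if action not in POLICY:
        return False, ["no policy for action"]
    reasons = [why for name in POLICY[action]
               for ok, why in [CHECKS[name]] if not ok(subject, resource, context)]
    return not reasons, reasons

# Constructed sample: two analysts with the same clearance, different assignments.
SENIOR = Subject("SECRET", frozenset({"ops-north"}))
JUNIOR = Subject("SECRET", frozenset({"logistics"}))
REPORT = Resource("SECRET", "ops-north", releasable=False)
REMOTE = Context(managed_device=True, secure_facility=False, local_time=time(10, 0))
```

The returned reasons list is what would be written to the audit trail alongside the subject, resource, and action, so a denied request can be reconstructed later.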

Government security standards can appear bureaucratic from the outside. They’re anything but. These standards encode decades of hard-won lessons about what protects sensitive data under adversarial conditions. Comprehensive audit logging isn’t paperwork; it’s the ability to reconstruct exactly who accessed what, when, and from where. Encryption validation isn’t checkbox compliance; it’s assurance that the mathematics will hold when tested.

Data-Centric Security: Protection That Travels

The necessary change is straightforward to describe and difficult to execute: Stop securing the network and start securing the data. This means protection embedded in the data itself, not just the pipes it travels through. Policies that persist regardless of which system processes the information. Encryption that remains intact across every hop and handoff.

Effective cross-boundary data protection demands several interlocking capabilities:

  • Persistent encryption ensures data remains encrypted at rest and in motion, with keys managed centrally even as content is distributed globally.
  • Embedded policy enforcement means access rules travel with the data. A document marked for internal use only remains restricted even when it lands on an external system.
  • Possessionless access enables users to view and even edit sensitive documents without downloading them. This matters enormously for classified materials. The data never leaves controlled infrastructure, even while authorised users work with it remotely.
  • Granular controls enable different permissions for different actions, contexts, and users. Viewing differs from downloading. Printing differs from forwarding. Each action can carry its own authorisation requirements.
  • Complete audit trails document the chain of custody from origin through every access point. When something goes wrong, investigators can trace exactly what happened.

Many organisations have invested in Data Security Posture Management tools that excel at finding sensitive data across sprawling environments. These tools answer the question: where does our sensitive information live?

But discovery without enforcement is only half the battle. While DSPM solutions excel at discovering and classifying sensitive data at rest, they lack enforcement capabilities when that data moves outside the enterprise. Kiteworks research indicates that 66% of organisations exchange sensitive content with more than 1,000 third parties. Each exchange represents a potential gap between discovery and protection. The gap between finding sensitive data and controlling it across boundaries represents the most significant vulnerability in modern security architectures.

From Classified to Commercial: Why Every Organisation Now Faces This Challenge

What was once a military and intelligence concern is now universal. Remote work scattered data across home networks and personal devices. Cloud adoption means data lives in third-party infrastructure by default. Supply chain integration requires constant data exchange with partners, vendors, and clients.

The third-party risk has become acute. According to SecurityScorecard research, at least 36% of all data breaches originate from third-party compromises, representing a 6.5% year-over-year increase. The IBM 2025 report confirms that supply chain compromise is now the second most common attack vector, accounting for 15% of breaches.

Every organisation with sensitive information now faces the same fundamental challenge that defence and intelligence agencies confronted years ago.

Regulations have caught up with reality. GDPR requires organisations to know where personal data resides and prove they can delete it upon request. Sector-specific rules govern healthcare, finance, and critical infrastructure. The most serious GDPR violations can result in fines of up to €20 million or 4% of a company’s total annual worldwide turnover, whichever is higher.

Here’s the catch: you cannot comply with regulations you cannot enforce across boundaries. If personal data is transferred to a partner organisation, a cloud provider, or a contractor’s system, compliance obligations follow it. Traditional perimeter security offers no mechanism for enforcing compliance once data leaves your direct control.

Beyond regulatory penalties, the commercial consequences of inadequate cross-boundary data protection continue to mount. The 2025 IBM report found that US breach costs reached an all-time high of $10.22 million—a 9% increase driven by regulatory fines and detection costs. Organisations implementing AI-powered security automation alongside data-centric controls can achieve potential savings of $1.9 million per breach. Customer trust erodes with each breach headline. Partner relationships increasingly depend on demonstrable data protection practices.

Organisations that can prove they control sensitive data across boundaries hold a competitive advantage. Those that cannot face growing risks to reputation, relationships, and revenue.

Managing Sensitive Data Risk Exposure

Data will continue crossing boundaries. That’s how modern organisations function. The question isn’t whether to allow cross-boundary data exchange but how to control it. Government and defence organisations learned through painful experience that perimeter security fails when data must move. Their solutions, including zero-trust architectures, data-centric protection, attribute-based access control, and persistent policy enforcement, represent proven approaches to a problem that now touches every sector.

The perimeter isn’t dead, but it’s no longer sufficient. Organisations that recognise this reality and implement protection that travels with their sensitive data will manage risk effectively. Those who cling to fortress thinking will discover, eventually and painfully, that their walls protect nothing that matters.

The data is leaving the building. The only question is whether your security goes with it.

Wouter Klinkhamer

Wouter is General Manager of EMEA Strategy & Operations at Kiteworks, responsible for regional growth, partnerships, and operational execution across Europe, the Middle East, and Africa. Previously, he was CEO and co-founder of Zivver (a Kiteworks company), scaling the company to over 100 employees and establishing it as a leader in secure communication for regulated industries. With experience in tech leadership, management consulting, and privacy and internet law, he focuses on delivering trusted solutions that support compliance with GDPR, NIS2, ISO 27001, and other regional frameworks. He holds master’s degrees in Business Administration (Erasmus University Rotterdam) and Internet & ICT Law (VU University Amsterdam).

    The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
