The Zero Trust Data Layer: What Most CISOs Are Missing
Zero Trust got the architecture right. Its data pillar explicitly calls for protecting data at the source; not just controlling who reaches it. The problem has never been the framework. It has been execution: encrypting data in use at scale has not been commercially viable, until now. Most organizations have implemented the identity, network, and device pillars of Zero Trust and left the data pillar incomplete. That is where breaches happen.
If you haven’t read the foundational argument for why perimeter security alone isn’t enough, start here before continuing.
What Is the Zero Trust Data Layer?
Zero Trust security is built on a clear principle: trust nothing, verify everything. Identity controls, network segmentation, and least-privilege access all serve that principle well. What they do not cover is what happens to data after access is granted.
The Zero Trust data pillar is the security layer that protects the data itself; not the perimeter around it. It needs data encrypted during active processing, so that even an authenticated user with legitimate access cannot read data outside their authorized workflow. It is the difference between controlling who opens the door and ensuring what is behind the door is still locked.
Without it, Zero Trust is a strong fence around an open safe.
External vs. Internal Threats
Cyber threats fall into two main categories: external attacks and insider threats. Most organizations remain vulnerable to both.
External attacks come from criminal actors, organized groups, and nation state adversaries who find ways into systems to steal or ransom data. Common vectors include malware, phishing, ransomware, denial-of-service attacks, and man-in-the-middle attacks. Larger organizations also contend with SQL injection, zero-day exploits, and spoofing. In the first five months of 2025, more than 22,000 new Common Vulnerabilities and Exposures (CVE) records were received by NIST, with a backlog of nearly 25,000 more awaiting analysis. In 2024, over 40,000 new CVEs were published; up more than 37% from 2023. The pace of weaponization is accelerating even faster with AI.
Insider threats occur when credentialed individuals misuse their access; intentionally or not. The Cybersecurity Insiders 2024 Insider Threat Report found that 83% of organizations reported insider attacks in 2024, with 51% experiencing six or more in a single year. These threats are often socially engineered: employees bribed, contractors placed deliberately, or administrators carrying access that far exceeds what their role requires. Supply chain attacks follow the same logic; they compromise a third-party vendor to reach the primary target through the back door.
Data protection cannot be delegated to IT alone. It requires a web of stakeholders working together for organizational awareness, executive engagement, and the right architecture.
The Threat Is Already Inside Your Network
Most leaders want to believe an insider breach is unlikely. It is a reasonable instinct; it is also wrong. Nearly one in three organizations will experience a data breach this year.
The persistent misconception is about encryption. Security teams confidently report that data is encrypted in transit and at rest. What they are not saying is that once systems are running, that protection disappears. Most enterprise applications run continuously; which means data is decrypted and exposed around the clock to anyone who reaches it inside the perimeter.
The Coinbase breach is instructive. It was not a technical exploit. Support staff with legitimate credentials stole data over nearly six months in exchange for modest bribes; compromising PII for approximately 70,000 users along with account balances and transaction histories. Coinbase refused a $20 million ransom demand and offered a matching reward for information. The estimated total cost: between $180 million and $400 million. At least six class action lawsuits followed.
Capital One’s 2019 breach tells a related story. A misconfigured web application firewall exposed sensitive data for more than 100 million customers. System administrators had escalated their own access privileges without management’s knowledge. The data was available in cleartext during normal operations; anyone who reached it could read it.
In 2024, a hacker accessed AT&T’s cloud storage through Snowflake, reaching call and text records for nearly 109 million US customers. The resulting class action lawsuits settled for $177 million.
Each of these breaches shares the same root: data was decrypted for use and left exposed in cleartext. Zero Trust frameworks were in varying stages of implementation across all three organizations. None of it was sufficient at the data layer.
5 Steps to Close the Gap
Perimeter security will always have vulnerabilities. New ones emerge daily through system updates and vendor patches. The question is not whether to patch; it is what to do when the patch comes too late. Here are five steps to take now.
Step 1: Create and Regularly Test Incident Response Plans
A plan that has never been tested is not a plan; it is a document. CISOs and technical leaders must work with executive leadership to simulate real-world scenarios, assign clear roles, and conduct regular tabletop exercises. Response speed matters when an attack occurs; every hour of ambiguity translates directly to cost and exposure. Build the plan. Test it. Review and update it quarterly.
Step 2: Audit Data Access Policies
In most organizations, IT staff are stretched thin across a complex ecosystem of hardware and software. The result is predictable: administrators carry broader access than their roles require, often without anyone in a position to notice. The IT function is frequently overseen by CFOs or COOs whose expertise does not extend to the operational risks sitting inside their own systems. Employees should have access to exactly what their role requires. No more.
Step 3: Implement Continuous Monitoring
Until recently, anomalous activity was easy to hide within the noise of routine network checks. AI-assisted monitoring is changing that. It is now feasible to detect unusual access patterns and behavioral anomalies in near real time. This is not a future investment; the tools exist today. Organizations that have not deployed continuous monitoring are operating with a significant blind spot.
Step 4: Enforce Multi-Factor Authentication
Weak authentication remains one of the most preventable breach vectors. MFA alone is not sufficient; but organizations that have not yet implemented it are exposing themselves to risks that have known and available solutions. It is the floor, not the ceiling. Build on top of it.
Step 5: Encrypt the Data Layer
This is where Zero Trust becomes complete.
Continuous encryption keeps data encrypted across all three states: at rest, in transit, and in use. It eliminates the decrypt-to-use requirement that makes every other security layer’s job harder. When data is continuously encrypted through active processing, a breach produces nothing usable; stolen files are unreadable, compromised credentials reach encrypted output, and insider access operates only within encrypted boundaries.
Most solutions marketed as “end-to-end” encryption protect data only at rest and in transit. The moment an application is running, that protection ends. That is the gap responsible for the majority of enterprise breaches; and it is the gap most organizations do not know they have.
The Conduent breach exposed 10.5 million records because data was decrypted for active processing with no protection at the data layer. Nine class action lawsuits followed. Defense counsel faced a question that is becoming familiar in courtrooms: why wasn’t continuous encryption in place? “We followed industry standards” is a harder answer to defend than it used to be.
Donoma Seshat integrates at the data layer of enterprise applications and keeps data encrypted even during active processing; with no performance penalty and no operational limits. For organizations already operating under Zero Trust frameworks, it is the step that makes the rest of the framework hold.
In Closing
Perimeter security is a moat. It deters; but it does not stop the threats. It will not prevent a determined attacker from eventually finding a way in, plug a gap created by a misconfiguration, or stop a credentialed insider from walking out with data. The most important investment most organizations can make right now is a layered defense strategy; one that includes perimeter controls, Zero Trust frameworks, and continuous encryption at the data layer. That is where the data lives. It is where the breach happens. Securing it is no longer optional.
Continuous encryption at the data layer is not a future investment. It is available now; it deploys without disruption, and it works without a performance penalty. If you are ready to change the dynamics of data security and risk, schedule a briefing with us.
Frequently Asked Questions
What is the Zero Trust data layer?
It is the security layer that protects data itself during active processing; not the network around it. Zero Trust controls access. The data layer controls what happens to data once that access is granted. Without continuous encryption at the data layer, authenticated users and compromised accounts can both reach cleartext data.
What is the difference between Zero Trust networking and Zero Trust data security?
Zero Trust networking secures how users and devices connect to systems. Zero Trust data security protects the data itself; regardless of who is connected or how. The two are complementary; neither replaces the other.
How does continuous encryption support a Zero Trust strategy?
It extends Zero Trust to the data layer. Identity controls determine who can access data. Continuous encryption determines what that access produces. Even a fully credentialed user inside a Zero Trust network cannot read data outside their authorized workflow when continuous encryption is in place.
Does Zero Trust prevent insider threats?
When the Zero Trust data pillar uses continuous encryption, the insider threat is eliminated. When data is never decrypted, there is nothing for an insider to take.
What does data-centric Zero Trust mean?
It means applying Zero Trust principles to the data itself; not just the network or identity layer. Data-centric Zero Trust treats every data access event as untrusted until verified; and keeps data encrypted even during processing so that access alone is never sufficient to expose it.

