Multicast networks are partitioned into hierarchical security domains. Each security domain may comprise one or more lower security domains. Each security domain includes a security broker that distributes a group key and translates multicast data destined to the security domain, if necessary. A primary security broker at the second level of the hierarchical multicast system distributes the top security key to all peer members, including all peer security domain brokers to establish trust relationships. For each security domain boundary with security domain border routers, a multicast virtual link in configured that connects the security domain border routers and the security broker for the security domain to reduce the latency in forwarding multicast data. It can also make the backbone of the security domain contiguous so that multicast data can travel unchanged across the backbone. The multicast data is forwarded to the security domain through the security broker with security translation. A group key is distributed at each hierarchy level by exchange of Group request and Group reply messages. The rekey process is accomplished by multicasting Rekey Announcement messages, either regionally by a security broker, or globally by the group controller through the primary top regional security broker.