Embedding Zero-Trust Micro-Segmentation in Nigeria’s Draft Data Protection Act

By Jamiu Akande

As Nigeria prepares to review its Draft Data Protection Act (NDPA) at the Federal Executive Council, cybersecurity experts are calling for the inclusion of zero-trust micro-segmentation as a technical safeguard. This recommendation aims to give policymakers enforceable internal network controls while providing enterprises with a practical framework to secure sensitive data.

Although the proposed NDPA is a significant milestone in data privacy legislation, it currently lacks explicit requirements for isolating internal networks. Experts believe that embedding micro-segmentation directly into the Act will not only elevate security standards but also support implementation through clear and accessible technical guidance.

Why Micro-Segmentation Should Be in the NDPA

Zero-trust micro-segmentation is a modern cybersecurity approach that breaks down IT environments into small, controlled zones, each with its own security perimeter. Every user, application, or API session must be independently authenticated and authorized, significantly reducing the risk of lateral movement in case of a breach.

This approach enables:
• Role- and context-aware access policies (e.g., adaptive multi-factor authentication, geo-based access restrictions)
• Real-time visibility into internal traffic and granular logging
• Enhanced forensics and incident response

As global frameworks like NIST SP 800-207 and ISO/IEC 27001 treat segmentation as a fundamental control, integrating it into Nigeria’s NDPA would elevate segmentation from a best-practice guideline to a legal mandate.

How Segmentation Could Be Structured

A proposed model includes the following three security zones, each tailored to the sensitivity of the data it handles:
• Zone A: Public metadata and logs, protected using TLS 1.3 and IP allow-lists.
• Zone B: Personally Identifiable Information (PII) and financial data, secured by network firewalls, IDS/IPS systems, and adaptive MFA.
• Zone C: Health and biometric data, requiring host-based firewalls, full-disk encryption, and privileged-access management.

Data controllers would be required to map these zones in their Data Protection Impact Assessments (DPIAs) and validate their configurations through annual penetration testing and continuous monitoring.

Proposed Legal Language

A recommended clause for inclusion in the NDPA reads:

“Data controllers shall implement network and host micro-segmentation to isolate personal data processing zones. Lateral data flows must be governed by role-based, context-aware policies, with compliance demonstrated through annual DPIAs and regulator-approved testing.”

To support this provision, the Nigeria Data Protection Commission (NDPC) could release companion guidance with open-source implementation examples (e.g., Calico, Open vSwitch) and segmentation templates.
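The zone model and the proposed clause above both describe the same mechanism: a default-deny allow-list between zones, with each session checked for role and context (MFA, geography) before a lateral flow is permitted, and every decision logged. The following Python evaluator is an added illustration of that mechanism; it is not from the article, the NDPC, Calico or Open vSwitch. The zone labels follow the article's A/B/C layout, while the role names, country codes and sample sessions are constructed for the example.

```python
"""Zone-based, context-aware lateral-flow policy evaluator (added illustration).

Models the three-zone layout from the article as a default-deny allow-list:
a flow between zones is permitted only if an explicit rule for that zone pair
matches the session's role, MFA state and origin country. Every decision is
written to an audit list so that internal traffic stays visible. Role names,
country codes and sample sessions below are constructed, not taken from any
real deployment.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ZONES = {
    "A": "public metadata and logs",
    "B": "PII and financial data",
    "C": "health and biometric data",
}


@dataclass(frozen=True)
class Session:
    principal: str   # authenticated user or service identity
    role: str        # role bound to the identity after authentication
    src_zone: str    # zone the request originates from
    dst_zone: str    # zone the request targets
    mfa: bool        # whether adaptive MFA was satisfied for this session
    country: str     # country code derived from the client address


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    roles: frozenset                               # "*" means any authenticated role
    require_mfa: bool = False
    allowed_countries: Optional[frozenset] = None  # None means no geo restriction

    def check(self, s: Session) -> Tuple[bool, str]:
        """Return (matched, reason). A rule only applies to its own zone pair."""
        if (s.src_zone, s.dst_zone) != (self.src_zone, self.dst_zone):
            return False, "zone pair not covered by this rule"
        if "*" not in self.roles and s.role not in self.roles:
            return False, f"role {s.role!r} not permitted for {s.src_zone}->{s.dst_zone}"
        if self.require_mfa and not s.mfa:
            return False, "adaptive MFA not satisfied"
        if self.allowed_countries is not None and s.country not in self.allowed_countries:
            return False, f"geo restriction: {s.country} not allowed"
        return True, "matched rule"


# Constructed policy: only the flows listed here are allowed; the public zone
# can never initiate a flow into B or C, and B and C never talk to each other.
POLICY: List[Rule] = [
    Rule("A", "A", frozenset({"*"})),                       # public zone talks to itself
    Rule("B", "A", frozenset({"*"})),                       # PII services may ship logs outward
    Rule("B", "B", frozenset({"analyst", "payments_svc"}), require_mfa=True),
    Rule("C", "A", frozenset({"*"})),                       # health services may ship logs outward
    Rule("C", "C", frozenset({"clinician", "lab_svc"}), require_mfa=True,
         allowed_countries=frozenset({"NG"})),              # geo-fenced to in-country access
]


def evaluate(s: Session, policy: List[Rule], audit: List[str]) -> bool:
    """Default-deny: allow only if some rule for the zone pair fully matches.

    Every decision, with its reason, is appended to the audit log so that a
    denied lateral attempt is as visible as an allowed one.
    """
    if s.src_zone not in ZONES or s.dst_zone not in ZONES:
        audit.append(f"DENY {s.principal} {s.src_zone}->{s.dst_zone}: unknown zone")
        return False
    reasons = []
    for rule in policy:
        ok, why = rule.check(s)
        if ok:
            audit.append(f"ALLOW {s.principal} ({s.role}) {s.src_zone}->{s.dst_zone}: {why}")
            return True
        if (rule.src_zone, rule.dst_zone) == (s.src_zone, s.dst_zone):
            reasons.append(why)
    detail = "; ".join(reasons) if reasons else "no rule permits this lateral flow"
    audit.append(f"DENY {s.principal} ({s.role}) {s.src_zone}->{s.dst_zone}: {detail}")
    return False


# Constructed sample sessions covering the allowed path and each failure mode.
SAMPLE_SESSIONS = [
    Session("web-frontend", "frontend_svc", "A", "A", mfa=False, country="NG"),
    Session("web-frontend", "frontend_svc", "A", "B", mfa=False, country="NG"),  # public -> PII
    Session("ada", "analyst", "B", "B", mfa=True, country="NG"),
    Session("ada", "analyst", "B", "B", mfa=False, country="NG"),                # MFA missing
    Session("dr-okoro", "clinician", "C", "C", mfa=True, country="GB"),          # outside geo-fence
    Session("ada", "analyst", "B", "C", mfa=True, country="NG"),                 # no B->C rule
]


def run_samples() -> Tuple[List[bool], List[str]]:
    """Evaluate the sample sessions and return (decisions, audit log)."""
    audit: List[str] = []
    decisions = [evaluate(s, POLICY, audit) for s in SAMPLE_SESSIONS]
    return decisions, audit


if __name__ == "__main__":
    _, log = run_samples()
    print("\n".join(log))
```

The point to take from the sample run is that only the first and third sessions are allowed; the public-zone request into PII, the session without MFA, the out-of-country clinician and the B-to-C attempt are all denied with a distinct reason in the log, which is the "real-time visibility and granular logging" the article asks for. In a real deployment the same allow-list shape would be expressed as network policy in the enforcement layer (for example the Calico or Open vSwitch tooling the article mentions) rather than in application code.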

Lessons from Other Countries

International case studies show the value of mandated segmentation:
• Following the WannaCry attack, the UK’s NHS reported a 70% reduction in lateral malware spread once micro-segmentation was introduced.
• Several top-tier EU banks have cut insider breach incidents by 40% through zone-based architecture.

These examples offer proof that well-defined segmentation controls yield measurable results and can serve as valuable references for Nigeria’s evolving data protection regime.

Strategic Recommendations

To ensure robust implementation, cybersecurity experts advise the following steps:
• Add the proposed segmentation clause to the NDPA’s security annex.
• Publish a technical annex that includes blueprints and real-world segmentation models.
• Establish a CISO advisory panel ahead of the FEC review to guide and refine these security controls.

By taking these actions, Nigeria can align its data protection law with global standards, reduce the impact of breaches, and deliver long-term resilience for both public and private data handlers.

About the Author
Jamiu Olamilekan Akande holds a BSc in Mathematics and an MSc in Cybersecurity from Birmingham City University, UK. Recognized by the World Economic Forum as an emerging global leader, he is the founder and CEO of PhishCLICK Limited, a Nigerian cybersecurity software company. He also served as President of the Urban Professionals Toastmasters Club in Abuja, where he coached professionals on communication and leadership.
