Last year alone, three African government agencies we are aware of had production systems compromised through routes that perimeter security was supposed to prevent. In two of the three cases, the initial foothold was a contractor laptop on a permitted network. In the third, an insider with legitimate VPN credentials moved laterally for six weeks before detection. The lesson is uncomfortable but unavoidable. The perimeter is a fiction we keep telling ourselves because the alternative feels expensive.
Zero-trust in plain language
Zero-trust is a marketing term wrapped around a simple idea. Never trust a request because of where it came from. Trust it because of who made it, what they are asking for, and whether the context matches their normal behavior. Every API call gets the same scrutiny whether it originates from the minister's laptop in the office or a contractor's tablet in a coffee shop. There is no inside and outside. There is only authenticated and unauthenticated, authorized and unauthorized, on-policy and off-policy.
The reason zero-trust feels expensive is that vendors have spent ten years selling it as a product. It is not a product. It is a posture. The product purchases come later, and most of them are smaller than you expect if you sequence the work correctly.
A pragmatic three-phase roadmap
We have walked three African public sector clients through a phased adoption that fits within realistic budget and political constraints. Phase one is identity. You cannot enforce a policy you cannot articulate, and you cannot articulate a policy if you do not know who is acting. Consolidate identity providers, enforce phishing-resistant multi-factor for privileged users (FIDO2/WebAuthn keys or platform authenticators, not SMS or push codes, which a phishing page can simply relay in real time), and start logging every authentication event to a tamper-evident store so that a later investigation can trust what the log says.
// Policy decision point: the heart of any zero-trust gateway.
type Decision = "allow" | "deny" | "step-up";
interface Resource { sensitivity: "low" | "medium" | "high" }
interface Request { ip: string; action: string; resource: Resource }
interface Identity {
  roles: string[];
  deviceManaged: boolean;               // enrolled in the agency's device management
  mfaFresh(maxAgeMinutes: number): boolean; // MFA completed within the last N minutes
}
declare const geo: { anomalous(p: Identity, ip: string): boolean };                       // location-anomaly service
declare const policy: { permits(roles: string[], action: string, r: Resource): boolean }; // authorization policy
function decide(req: Request, principal: Identity): Decision {
  if (!principal.mfaFresh(15)) return "step-up";                                    // stale MFA: re-authenticate first
  if (req.resource.sensitivity === "high" && !principal.deviceManaged) return "deny"; // sensitive data never reaches unmanaged devices
  if (geo.anomalous(principal, req.ip)) return "step-up";                           // unusual location: re-authenticate
  if (!policy.permits(principal.roles, req.action, req.resource)) return "deny";     // role must be explicitly permitted
  return "allow";                                                                   // every other path above is deny or step-up
}

“The perimeter died the day the first ministry laptop went home with a director. We have been pretending otherwise for fifteen years.”
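Phase one asks for every authentication event to land in a tamper-evident store. The simplest construction that earns that adjective is a hash chain: each record's digest covers the event and the previous record's digest, so an insider who later edits or deletes a record breaks every link after it. The following is an added example written for this article, not code from the original page or from any of the agencies described; the event fields, the GENESIS sentinel and the sample events are all assumptions constructed for illustration.

```typescript
import { createHash } from "crypto";

// Fields a gateway records for each authentication decision (shape assumed for this example).
interface AuthEvent {
  ts: string;                            // ISO-8601 timestamp
  principal: string;                     // who authenticated
  ip: string;                            // where the request came from
  outcome: "allow" | "deny" | "step-up"; // what the policy decision point returned
}

// A chained record: the digest covers the event AND the previous record's digest,
// so altering or removing any earlier record breaks every link after it.
interface ChainedRecord {
  event: AuthEvent;
  prevHash: string;
  hash: string;
}

// Sentinel "previous hash" for the first record (a fixed convention chosen for this example).
const GENESIS = "0".repeat(64);

// Hash the event in a fixed field order so the same event always produces the same digest.
function digest(event: AuthEvent, prevHash: string): string {
  const canonical = JSON.stringify([event.ts, event.principal, event.ip, event.outcome, prevHash]);
  return createHash("sha256").update(canonical).digest("hex");
}

// Append an event, linking it to the current head of the chain. Returns the new log.
function append(log: ChainedRecord[], event: AuthEvent): ChainedRecord[] {
  const prevHash = log.length > 0 ? log[log.length - 1].hash : GENESIS;
  return [...log, { event, prevHash, hash: digest(event, prevHash) }];
}

// Walk the chain from the start. Returns the index of the first record that fails
// verification, or -1 if the whole log is intact.
function firstTamperedIndex(log: ChainedRecord[]): number {
  let expectedPrev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const r = log[i];
    if (r.prevHash !== expectedPrev) return i;            // a predecessor was removed or replaced
    if (digest(r.event, r.prevHash) !== r.hash) return i; // this record's own contents were altered
    expectedPrev = r.hash;
  }
  return -1;
}

// Constructed sample events, not data from any real system.
const SAMPLE_EVENTS: AuthEvent[] = [
  { ts: "2024-03-01T08:00:00Z", principal: "contractor.a", ip: "10.0.5.23",   outcome: "allow" },
  { ts: "2024-03-01T08:02:10Z", principal: "vpn.user.b",   ip: "203.0.113.9", outcome: "step-up" },
  { ts: "2024-03-01T08:02:40Z", principal: "vpn.user.b",   ip: "203.0.113.9", outcome: "deny" },
];

function buildSampleLog(): ChainedRecord[] {
  return SAMPLE_EVENTS.reduce((log, ev) => append(log, ev), [] as ChainedRecord[]);
}

// Scenario 1: an insider with write access to the store flips the "deny" to "allow" after the fact.
function alteredSampleLog(): ChainedRecord[] {
  const log = buildSampleLog().map(r => ({ ...r, event: { ...r.event } })); // copy before mutating
  log[2].event.outcome = "allow";
  return log;
}

// Scenario 2: the same insider deletes the step-up record to hide the anomalous session.
function truncatedSampleLog(): ChainedRecord[] {
  const log = buildSampleLog();
  return [log[0], log[2]];
}

// Stand-alone run: prints -1 (intact), 2 (altered record), 1 (gap where a record was removed).
console.log(
  firstTamperedIndex(buildSampleLog()),
  firstTamperedIndex(alteredSampleLog()),
  firstTamperedIndex(truncatedSampleLog()),
);
```

The chain only proves that nobody changed history without also rewriting everything after it. An attacker who controls the whole store can recompute every digest, so the head hash has to leave the system regularly: write it to write-once storage, have a separate auditor sign it, or ship it to a second agency. Verification should also run from an independent copy of the log, not from the machine that wrote it.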
Phase two and three
- Phase two: segment your networks by sensitivity, not by department. The HR system should not share a flat network with the treasury system because they happen to sit in the same building.
- Phase three: introduce policy enforcement points in front of every sensitive API. Start with the systems that, if compromised, would make the national news.
- Throughout: invest in detection. Zero-trust without detection is just a more complicated way to be breached.
- Never: deploy a 'zero-trust platform' before you have agreed on what the policies are. The platform is the easy part.
The cost of doing nothing is not zero. It is paid quietly, in stolen records, manipulated databases, and slow erosion of public trust. The cost of starting is real but manageable. The agencies that have begun the journey are already harder targets than the ones that have not, and that asymmetry compounds. Attackers move on to softer targets. Be the harder target.
