Contact
Kelly Sanders
Project Manager
Progress update - April 2025
The Security Service Edge (SSE) project is advancing quickly, with the Department of Ecology as the first agency adopter. The multi-agency team is developing procedures to give agencies visibility and control over user traffic, while enabling the state Security Operations Center to centrally monitor network activity—capabilities not possible with previous tools. Partner agencies are actively testing and refining the service, including client performance over Starlink, mainframe integration, and latency testing. WaTech has launched its internal SSE deployment and will invite all agencies to the April 17 town hall to showcase the Next Gen Firewall and SSE projects.

Overview
Background
WaTech is implementing the Security Service Edge (SSE) as an enterprise offering to replace the Virtual Private Network (VPN) service. The new cloud-native security solution will integrate Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA). This essential initiative will enhance security for the remote workforce and accelerate the state's transition to cloud services.
The project will develop policies, procedures, and integration requirements for the SSE service. It will also conduct an onboarding pilot with five agencies and transition the onboarding and maintenance processes to operations.

Vision
Successfully establish Secure Service Edge (SSE) as a core enterprise service to fortify Washington’s IT infrastructure, ensuring resilience and safeguarding the state's capacity to deliver essential services with security and efficiency.
Project goals
- Deploy SSE service to 100% of WaTech, DSHS, DFW, ESD, and Ecology staff by August 7, 2025.
- Establish SSE as a WaTech enterprise service offering and make available to all state agencies by 1 July 2025.
Key features and benefits
Zero Trust Network Access (ZTNA) securely verifies user identity and device posture before granting access to applications, eliminating implicit trust and reducing the attack surface. This enhances security, supports remote work, and replaces traditional VPNs for efficiency. Benefits include:
- Enhanced security: Only authenticated users can access specific applications, reducing security breaches from unauthorized access.
- Micro-segmentation: Limits access to necessary data, reducing the attack surface.
- Continuous monitoring: Real-time threat detection and response.
Secure Web Gateway (SWG) provides advanced threat protection, blocking malware, phishing, and other web-based threats. It offers comprehensive visibility into all network traffic, including encrypted traffic, enabling better threat detection and management. SWG also includes User and Entity Behavior Analytics (UEBA) to identify and respond to abnormal behavior patterns, enhancing overall security. Benefits include:
- Seamless access: Securely access apps and services from any device, anywhere, without the hassle of VPNs.
- Enhanced security: Threat protection for a safer and more secure online experience.
- Reduced downtime: Continuous monitoring, adaptive controls = less disruptions for users.
Borderless Wide Area Network (BWAN) combines zero trust security with network optimization to provide secure, high-performance access for remote users, devices, and cloud services. It simplifies traffic management to the cloud, ensuring a seamless and efficient experience. Benefits include:
- Simplified access management: Automates the process of granting and revoking access.
- Improved security posture: Continuous monitoring, protects sensitive data, and improves response to security incidents.
- Reduced VPN dependencies: Reduces the need for legacy VPNs, lowering maintenance costs and complexity.
Rate for SSE Service
The monthly rate of $12.50 per user, per month will not increase. The intent is to lower the rate over time as more agencies are onboarded.
- The rate will be billed like SSL VPN, per user per month, identified as a new service. A new cost center has been established for the “Security Service Edge” service, under Secure Connectivity.
- The rate includes license costs, tax, FTEs, professional services, Virtual Machines, and WaTech overhead.
- Agencies can deprecate SSL-VPN as they onboard SSE users.
- The SSL-VPN service will still be available since there are use cases that SSE does not support.
- WaTech overhead and tax expenses are factored into the rate structure. Overhead includes additional Full Time Employees (Global tenant administrators and maintainers), Professional Services costs, and Virtual Machines (publishers) required to securely connect users to private applications.
- By default, all agencies will receive two publishers as a baseline. As the agency needs expand, WaTech will provide additional publishers at no additional charge.