Security Service Edge (SSE) Onboarding Project

Progress update - March 2025

In March 2025, the SSE project team completed Sprint 1 and launched Sprint 2, with a focus on cross-agency application access and refining Borderless WAN (BWAN) use cases. Key accomplishments included successful testing of Sentinel log ingestion, limited mainframe app testing with negligible latency, and completion of the HIPAA Business Associate Agreement with Netskope. The team also progressed on training, user group configurations, and change management assessments.

Risks remain around local broker limitations within the FedRamp environment, which may cause high latency for certain applications. However, Netskope confirmed a West Coast FedRamp data center is planned for mid-summer, and local broker functionality is on their roadmap. CJIS compliance concerns continue, though engagement with stakeholders is underway. The BWAN architecture also faced issues and questions around scalability, leading to a reevaluation of its necessity.

Overview

Background

WaTech is implementing the Security Service Edge (SSE) as an enterprise offering to replace the Virtual Private Network (VPN) service. The new cloud-native security solution will integrate Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA). This essential initiative will enhance security for the remote workforce and accelerate the state's transition to cloud services.

The project will develop policies, procedures, and integration requirements for the SSE service. It will also conduct an onboarding pilot with five agencies and transition the onboarding and maintenance processes to operations.

Vision

Successfully establish Secure Service Edge (SSE) as a core enterprise service to fortify Washington’s IT infrastructure, ensuring resilience and safeguarding the state's capacity to deliver essential services with security and efficiency.

Project goals

• Deploy SSE service to 100% of WaTech, DSHS, DFW, ESD, and Ecology staff by August 7, 2025.
• Establish SSE as a WaTech enterprise service offering and make available to all state agencies by 1 July 2025.

Key features and benefits

Zero Trust Network Access (ZTNA) securely verifies user identity and device posture before granting access to applications, eliminating implicit trust and reducing the attack surface. This enhances security, supports remote work, and replaces traditional VPNs for efficiency. Benefits include:

• Enhanced security: Only authenticated users can access specific applications, reducing security breaches from unauthorized access.
• Micro-segmentation: Limits access to necessary data, reducing the attack surface.
• Continuous monitoring: Real-time threat detection and response.

Secure Web Gateway (SWG) provides advanced threat protection, blocking malware, phishing, and other web-based threats. It offers comprehensive visibility into all network traffic, including encrypted traffic, enabling better threat detection and management. SWG also includes User and Entity Behavior Analytics (UEBA) to identify and respond to abnormal behavior patterns, enhancing overall security. Benefits include:

• Seamless access: Securely access apps and services from any device, anywhere, without the hassle of VPNs.
• Enhanced security: Threat protection for a safer and more secure online experience.
• Reduced downtime: Continuous monitoring, adaptive controls = less disruptions for users.

Borderless Wide Area Network (BWAN) combines zero trust security with network optimization to provide secure, high-performance access for remote users, devices, and cloud services. It simplifies traffic management to the cloud, ensuring a seamless and efficient experience. Benefits include:

• Simplified access management: Automates the process of granting and revoking access.
• Improved security posture: Continuous monitoring, protects sensitive data, and improves response to security incidents.
• Reduced VPN dependencies: Reduces the need for legacy VPNs, lowering maintenance costs and complexity.

Rate for SSE Service

The monthly rate of $12.50 per user, per month will not increase. The intent is to lower the rate over time as more agencies are onboarded.

• The rate will be billed like SSL VPN, per user per month, identified as a new service. A new cost center has been established for the “Security Service Edge” service, under Secure Connectivity.
• The rate includes license costs, tax, FTEs, professional services, Virtual Machines, and WaTech overhead.
• Agencies can deprecate SSL-VPN as they onboard SSE users.
• The SSL-VPN service will still be available since there are use cases that SSE does not support.
• WaTech overhead and tax expenses are factored into the rate structure. Overhead includes additional Full Time Employees (Global tenant administrators and maintainers), Professional Services costs, and Virtual Machines (publishers) required to securely connect users to private applications.
• By default, all agencies will receive two publishers as a baseline. As the agency needs expand, WaTech will provide additional publishers at no additional charge.