Security Service Edge (SSE) Onboarding Project

Related Links

Contact

Sean McNiff
Project Manager

Progress update - October 2025

Security Services Edge (SSE) Onboarding Project

We’re making exciting progress on WaTech’s Security Service Edge (SSE) migration! Each milestone - license activation, application setup, and progress tracking - brings us closer to retiring the legacy F5 VPN. The result will be stronger security, simplified access and an improved user experience.

At the September townhall we showcased what administrators would see in the system such as sentinel logs and malware alerts, as well as a CISO dashboard summarizing the system’s overall data. Catch up with our latest Agency Communication , and join us at our upcoming townhalls as we keep learning and moving forward together.

SSE Onboarding Townhalls

Audience: CIOs and CISOs

  • Oct. 29, 11:05 a.m. – 12:00 p.m., virtual (Microsoft Teams)
  • Dec. 4, 11:05 a.m. – 12:00 p.m., virtual (Microsoft Teams)

Calendar invites were sent out to all CIOs and CISOs. If your agency did not receive one or would like more information about the project, please contact the project manager.

Check out the SSE panel at the Washington State IT Industry Forum.

 

SSE

Overview

Background

WaTech is implementing the Security Service Edge (SSE) as an enterprise offering to replace the Virtual Private Network (VPN) service. The new cloud-native security solution will integrate Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA). This essential initiative will enhance security for the remote workforce and accelerate the state's transition to cloud services.

The project is developing policies, procedures, and integration requirements for the SSE service. It is piloting onboarding with five agencies and transitioning the onboarding and maintenance processes to operations.

Gantt chart for project

Vision

Establish Security Service Edge (SSE) as a core enterprise service that strengthens Washington’s IT infrastructure, improves resilience, and ensures secure, efficient delivery of state services. 

Project goals

  • Deploy SSE to 100% of WaTech, Department of Fish & Wildlife (DFW), Employment Security Department (ESD), and Department of Ecology by December 31, 2025. Begin migrating DSHS and ESD by January 2026.
  • Ecology has completed 100% of its migration.
  • Completed: WaTech will offer SSE as an enterprise service to all state agencies starting July 1, 2025.
  • Note: The project was briefly delayed by initial configuration issues, now resolved. The original goal was full SSE deployment to WaTech, the Department of Social and Health Services (DSHS), DFW, ESD, and Ecology by August 7, 2025.

Key features and benefits

Zero Trust Network Access (ZTNA)

Verifies user identity and device posture before granting application access. This eliminates implicit trust and reduces the attack surface.

Benefits:

  • Enhance security by allowing only authenticated users access to specific applications.
  • Uses micro-segmentation to restrict access to necessary data only.
  • Enables real-time threat detection and response through continuous monitoring.

Secure Web Gateway (SWG)

Protects against web-based threats such as malware and phishing. Provides full visibility into encrypted traffic and uses User and Entity Behavior Analytics (UEBA) to detect anomalies.

Benefits:

  • Enables seamless app access from any device, anywhere—no VPN required.
  • Strengthens threat protection.
  • Reduces downtime with adaptive controls and real-time monitoring.

Borderless Wide Area Network (BWAN)

Combines zero-trust security with network optimization to ensure secure, high-performance access for remote users and cloud services.

Benefits:

  • Automates access management.
  • Improves response to security threats through ongoing monitoring.
  • Reduces reliance on legacy VPNs, cutting maintenance costs.

Rate for SSE Service

The SSE service rate is $12.50 per user, per month.

This rate includes license costs, tax, professional services, Virtual Machines, and WaTech overhead. Overhead includes additional Full Time Employees (Global tenant administrators and maintainers), Professional Services costs, and Virtual Machines (publishers) required to securely connect users to private applications.

WaTech expects to lower the rate as more agencies adopt the service. Billing will follow the same per-user model as SSL VPN, but under a new cost center labeled "Security Service Edge" in the Secure Connectivity category.

Agencies can begin deprecating SSL VPN as they onboard to SSE. The SSL VPN service will remain available to support use cases not yet compatible with SSE.

Each agency will receive two publishers by default. WaTech will provide additional publishers at no extra cost as agency needs grow.