Security Service Edge (SSE) Onboarding Project

Related Links

Contact

Kelly Sanders
Project Manager

Progress update - July 2025

The SSE team evolved the agency onboarding plan, devising a concept where several agencies will onboard simultaneously in a ‘cohort’ to build a knowledge base, share best practices, capture lessons learned, and mutually support each other as the WaTech onboarding team guides them through SSE service migration. The project team has received approval to move Security Service Edge into the production environment from the Architecture and Innovation Division, a significant project milestone! The WaTech SSE internal team has devised the products to inform and educate the SSE ‘champions’ to support WaTech’s change journey as we prepare to rollout clients to all WaTech staff.

May 2025 update.

SSE project timeline at 43% complete

Overview

Background

WaTech is implementing the Security Service Edge (SSE) as an enterprise offering to replace the Virtual Private Network (VPN) service. The new cloud-native security solution will integrate Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA). This essential initiative will enhance security for the remote workforce and accelerate the state's transition to cloud services.

The project will develop policies, procedures, and integration requirements for the SSE service. It will also conduct an onboarding pilot with five agencies and transition the onboarding and maintenance processes to operations.

Secure Service Edge project timeline, which shows milestones and dates for the project.

Vision

Successfully establish Secure Service Edge (SSE) as a core enterprise service to fortify Washington’s IT infrastructure, ensuring resilience and safeguarding the state's capacity to deliver essential services with security and efficiency.

 

Project goals

  • Deploy SSE service to 100% of WaTech, DSHS, DFW, ESD, and Ecology staff by August 7, 2025.
  • Establish SSE as a WaTech enterprise service offering and make available to all state agencies by 1 July 2025.

 

Key features and benefits

Zero Trust Network Access (ZTNA) securely verifies user identity and device posture before granting access to applications, eliminating implicit trust and reducing the attack surface. This enhances security, supports remote work, and replaces traditional VPNs for efficiency. Benefits include:

  • Enhanced security: Only authenticated users can access specific applications, reducing security breaches from unauthorized access.
  • Micro-segmentation: Limits access to necessary data, reducing the attack surface.
  • Continuous monitoring: Real-time threat detection and response.

Secure Web Gateway (SWG) provides advanced threat protection, blocking malware, phishing, and other web-based threats. It offers comprehensive visibility into all network traffic, including encrypted traffic, enabling better threat detection and management. SWG also includes User and Entity Behavior Analytics (UEBA) to identify and respond to abnormal behavior patterns, enhancing overall security. Benefits include:

  • Seamless access: Securely access apps and services from any device, anywhere, without the hassle of VPNs.
  • Enhanced security: Threat protection for a safer and more secure online experience.
  • Reduced downtime: Continuous monitoring, adaptive controls = less disruptions for users.

Borderless Wide Area Network (BWAN) combines zero trust security with network optimization to provide secure, high-performance access for remote users, devices, and cloud services. It simplifies traffic management to the cloud, ensuring a seamless and efficient experience. Benefits include:

  • Simplified access management: Automates the process of granting and revoking access.
  • Improved security posture: Continuous monitoring, protects sensitive data, and improves response to security incidents.
  • Reduced VPN dependencies: Reduces the need for legacy VPNs, lowering maintenance costs and complexity.

 

Rate for SSE Service

The monthly rate of $12.50 per user, per month will not increase. The intent is to lower the rate over time as more agencies are onboarded.

  • The rate will be billed like SSL VPN, per user per month, identified as a new service. A new cost center has been established for the “Security Service Edge” service, under Secure Connectivity.
  • The rate includes license costs, tax, FTEs, professional services, Virtual Machines, and WaTech overhead.
  • Agencies can deprecate SSL-VPN as they onboard SSE users.
  • The SSL-VPN service will still be available since there are use cases that SSE does not support.
  • WaTech overhead and tax expenses are factored into the rate structure. Overhead includes additional Full Time Employees (Global tenant administrators and maintainers), Professional Services costs, and Virtual Machines (publishers) required to securely connect users to private applications.
  • By default, all agencies will receive two publishers as a baseline. As the agency needs expand, WaTech will provide additional publishers at no additional charge.