Security Service Edge (SSE) Onboarding Project

Related Links

Contact

Sean McNiff
Project Manager

Progress update - August 2025

The Security Service Edge (SSE) team is identifying key applications and workloads to support the development of a zero-trust environment through security groups. This month, the team successfully integrated SSE into the Security Information and Event Management (SIEM) system and finalized the environment and feature configurations.

Migration timelines have been updated: WaTech plans to complete its migration by October. The Department of Fish & Wildlife (DFW) is expected to follow by the end of the fiscal year.

Although the project is still in its early stages, the SSE tool is already delivering measurable value. Insights from WaTech’s Change Champions process are helping shape a standardized onboarding guide. This guide will streamline the transition for future agency partners.

 

Timeline graph for project

Overview

Background

WaTech is implementing the Security Service Edge (SSE) as an enterprise offering to replace the Virtual Private Network (VPN) service. The new cloud-native security solution will integrate Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA). This essential initiative will enhance security for the remote workforce and accelerate the state's transition to cloud services.

The project is developing policies, procedures, and integration requirements for the SSE service. It is piloting onboarding with five agencies and transitioning the onboarding and maintenance processes to operations.

Gantt chart for project

Vision

Establish Security Service Edge (SSE) as a core enterprise service that strengthens Washington’s IT infrastructure, improves resilience, and ensures secure, efficient delivery of state services. 

Project goals

  • Deploy SSE to 100% of WaTech, Department of Fish & Wildlife (DFW), Employment Security Department (ESD), and Department of Ecology by December 31, 2025. Begin migrating DSHS and ESD by January 2026.
  • Ecology has completed 100% of its migration.
  • Completed: WaTech will offer SSE as an enterprise service to all state agencies starting July 1, 2025.
  • Note: The project was briefly delayed by initial configuration issues, now resolved. The original goal was full SSE deployment to WaTech, the Department of Social and Health Services (DSHS), DFW, ESD, and Ecology by August 7, 2025.

Key features and benefits

Zero Trust Network Access (ZTNA)

Verifies user identity and device posture before granting application access. This eliminates implicit trust and reduces the attack surface.

Benefits:

  • Enhance security by allowing only authenticated users access to specific applications.
  • Uses micro-segmentation to restrict access to necessary data only.
  • Enables real-time threat detection and response through continuous monitoring.

Secure Web Gateway (SWG)

Protects against web-based threats such as malware and phishing. Provides full visibility into encrypted traffic and uses User and Entity Behavior Analytics (UEBA) to detect anomalies.

Benefits:

  • Enables seamless app access from any device, anywhere—no VPN required.
  • Strengthens threat protection.
  • Reduces downtime with adaptive controls and real-time monitoring.

Borderless Wide Area Network (BWAN)

Combines zero-trust security with network optimization to ensure secure, high-performance access for remote users and cloud services.

Benefits:

  • Automates access management.
  • Improves response to security threats through ongoing monitoring.
  • Reduces reliance on legacy VPNs, cutting maintenance costs.

Rate for SSE Service

The SSE service rate is $12.50 per user, per month.

This rate includes license costs, tax, professional services, Virtual Machines, and WaTech overhead. Overhead includes additional Full Time Employees (Global tenant administrators and maintainers), Professional Services costs, and Virtual Machines (publishers) required to securely connect users to private applications.

WaTech expects to lower the rate as more agencies adopt the service. Billing will follow the same per-user model as SSL VPN, but under a new cost center labeled "Security Service Edge" in the Secure Connectivity category.

Agencies can begin deprecating SSL VPN as they onboard to SSE. The SSL VPN service will remain available to support use cases not yet compatible with SSE.

Each agency will receive two publishers by default. WaTech will provide additional publishers at no extra cost as agency needs grow.