Contact
Sean McNiff
Project Manager
Progress update - September 2025
WaTech’s SSE enterprise service deployment is underway. We’re excited to announce that the SSE project will continue hosting Townhalls through the end of the year to keep the community updated and support agencies as they choose to replace VPN with the modernized SSE solution. In August, more than 35 agencies joined to explore the benefits of SSE migration. Our upcoming September Townhall will dive deeper into key features, training opportunities, migration resources, and onboarding lessons learned.
SSE Onboarding Townhalls
Audience: CIOs and CISOs
- September 29, 11:05 am – 12:00 pm: Virtual only: Microsoft Teams
- October 29, 11:05 am – 12:00 pm: Virtual only: Microsoft Teams
- December 4, 11:05 am – 12:00 pm: Virtual only: Microsoft Teams
To find additional details, please refer to our SSE brochure and recent Agency Communication.
Calendar invites were sent out to all CIOs and CISOs. If your agency did not receive an invite and wants to attend or learn more about the project, please contact the project manager.

Overview
Background
WaTech is implementing the Security Service Edge (SSE) as an enterprise offering to replace the Virtual Private Network (VPN) service. The new cloud-native security solution will integrate Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA). This essential initiative will enhance security for the remote workforce and accelerate the state's transition to cloud services.
The project is developing policies, procedures, and integration requirements for the SSE service. It is piloting onboarding with five agencies and transitioning the onboarding and maintenance processes to operations.

Vision
Establish Security Service Edge (SSE) as a core enterprise service that strengthens Washington’s IT infrastructure, improves resilience, and ensures secure, efficient delivery of state services.
Project goals
- Deploy SSE to 100% of WaTech, Department of Fish & Wildlife (DFW), Employment Security Department (ESD), and Department of Ecology by December 31, 2025. Begin migrating DSHS and ESD by January 2026.
- Ecology has completed 100% of its migration.
- Completed: WaTech will offer SSE as an enterprise service to all state agencies starting July 1, 2025.
- Note: The project was briefly delayed by initial configuration issues, now resolved. The original goal was full SSE deployment to WaTech, the Department of Social and Health Services (DSHS), DFW, ESD, and Ecology by August 7, 2025.
Key features and benefits
Zero Trust Network Access (ZTNA)
Verifies user identity and device posture before granting application access. This eliminates implicit trust and reduces the attack surface.
Benefits:
- Enhances security by allowing only authenticated users access to specific applications.
- Uses micro-segmentation to restrict access to necessary data only.
- Enables real-time threat detection and response through continuous monitoring.
Secure Web Gateway (SWG)
Protects against web-based threats such as malware and phishing. Provides full visibility into encrypted traffic and uses User and Entity Behavior Analytics (UEBA) to detect anomalies.
Benefits:
- Enables seamless app access from any device, anywhere—no VPN required.
- Strengthens threat protection.
- Reduces downtime with adaptive controls and real-time monitoring.
Borderless Wide Area Network (BWAN)
Combines zero-trust security with network optimization to ensure secure, high-performance access for remote users and cloud services.
Benefits:
- Automates access management.
- Improves response to security threats through ongoing monitoring.
- Reduces reliance on legacy VPNs, cutting maintenance costs.
Rate for SSE Service
The SSE service rate is $12.50 per user, per month.
This rate includes license costs, tax, professional services, Virtual Machines, and WaTech overhead. Overhead includes additional Full Time Employees (Global tenant administrators and maintainers), Professional Services costs, and Virtual Machines (publishers) required to securely connect users to private applications.
WaTech expects to lower the rate as more agencies adopt the service. Billing will follow the same per-user model as SSL VPN, but under a new cost center labeled "Security Service Edge" in the Secure Connectivity category.
Agencies can begin deprecating SSL VPN as they onboard to SSE. The SSL VPN service will remain available to support use cases not yet compatible with SSE.
Each agency will receive two publishers by default. WaTech will provide additional publishers at no extra cost as agency needs grow.