Security Service Edge (SSE) Onboarding Project

Progress update - May 2025

In May 2025, the SSE Project team focused on advancing onboarding readiness and platform integration. Key progress included exploration of the Cloud Access Security Broker (CASB) feature, which enhances visibility, data protection and threat prevention. The team finalized the Seattle PoP discussion with Netskope and began identifying logging solutions, with plans to evaluate cost-effective options for ingestion of SSE logs. Initial onboarding guide writing tasks were distributed, and a draft internal communication about the SSE migration was created.

Guided Borderless Wide Area Network (BWAN) deployment was initiated with Network Operations, and integration testing continued to validate that network and client management were fully functional with the SSE client installed on endpoint devices.

Looking ahead, the Department of Ecology began preparations to deploy the SSE client using a phased license activation approach. The internal WaTech SSE team continued developing a rollout plan that avoids disrupting day-to-day operations and ensures VPN continuity during the transition.

These efforts collectively strengthened the agency’s readiness posture and supported alignment between technical implementation and organizational change management goals.

Read the full update.

SSE project timeline at 43% complete

Overview

Background

WaTech is implementing the Security Service Edge (SSE) as an enterprise offering to replace the Virtual Private Network (VPN) service. The new cloud-native security solution will integrate Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA). This essential initiative will enhance security for the remote workforce and accelerate the state's transition to cloud services.

The project will develop policies, procedures, and integration requirements for the SSE service. It will also conduct an onboarding pilot with five agencies and transition the onboarding and maintenance processes to operations.

Secure Service Edge project timeline, which shows milestones and dates for the project.

Vision

Successfully establish Secure Service Edge (SSE) as a core enterprise service to fortify Washington’s IT infrastructure, ensuring resilience and safeguarding the state's capacity to deliver essential services with security and efficiency.

 

Project goals

  • Deploy SSE service to 100% of WaTech, DSHS, DFW, ESD, and Ecology staff by August 7, 2025.
  • Establish SSE as a WaTech enterprise service offering and make available to all state agencies by 1 July 2025.

 

Key features and benefits

Zero Trust Network Access (ZTNA) securely verifies user identity and device posture before granting access to applications, eliminating implicit trust and reducing the attack surface. This enhances security, supports remote work, and replaces traditional VPNs for efficiency. Benefits include:

  • Enhanced security: Only authenticated users can access specific applications, reducing security breaches from unauthorized access.
  • Micro-segmentation: Limits access to necessary data, reducing the attack surface.
  • Continuous monitoring: Real-time threat detection and response.

Secure Web Gateway (SWG) provides advanced threat protection, blocking malware, phishing, and other web-based threats. It offers comprehensive visibility into all network traffic, including encrypted traffic, enabling better threat detection and management. SWG also includes User and Entity Behavior Analytics (UEBA) to identify and respond to abnormal behavior patterns, enhancing overall security. Benefits include:

  • Seamless access: Securely access apps and services from any device, anywhere, without the hassle of VPNs.
  • Enhanced security: Threat protection for a safer and more secure online experience.
  • Reduced downtime: Continuous monitoring, adaptive controls = less disruptions for users.

Borderless Wide Area Network (BWAN) combines zero trust security with network optimization to provide secure, high-performance access for remote users, devices, and cloud services. It simplifies traffic management to the cloud, ensuring a seamless and efficient experience. Benefits include:

  • Simplified access management: Automates the process of granting and revoking access.
  • Improved security posture: Continuous monitoring, protects sensitive data, and improves response to security incidents.
  • Reduced VPN dependencies: Reduces the need for legacy VPNs, lowering maintenance costs and complexity.

 

Rate for SSE Service

The monthly rate of $12.50 per user, per month will not increase. The intent is to lower the rate over time as more agencies are onboarded.

  • The rate will be billed like SSL VPN, per user per month, identified as a new service. A new cost center has been established for the “Security Service Edge” service, under Secure Connectivity.
  • The rate includes license costs, tax, FTEs, professional services, Virtual Machines, and WaTech overhead.
  • Agencies can deprecate SSL-VPN as they onboard SSE users.
  • The SSL-VPN service will still be available since there are use cases that SSE does not support.
  • WaTech overhead and tax expenses are factored into the rate structure. Overhead includes additional Full Time Employees (Global tenant administrators and maintainers), Professional Services costs, and Virtual Machines (publishers) required to securely connect users to private applications.
  • By default, all agencies will receive two publishers as a baseline. As the agency needs expand, WaTech will provide additional publishers at no additional charge.