Security Service Edge (SSE) Onboarding Project

Related Links

Contact

Kelly Sanders
Project Manager

Progress update - April 2025

In April 2025, the SSE project addressed service stability concerns following multiple disruptions, prompting technical root cause sessions and executive engagement with Netskope.

Netskope committed to improved transparency, assigned an escalation manager, and added Washington to its Critical Customer Program. The team completed the SSE RACI matrix, continued migration planning, and began orientation with Network Operations for BWAN support. Partner agencies received demonstrations of RBACv3, with baseline availability expected by August 2025. Initial FTI/CJI traffic exemption testing began, a prerequisite for regulatory compliance. SSE and Next-Gen Firewall efforts were showcased at a town hall, reaching over 150 stakeholders.

Key risks remain, including lack of local broker support (targeted for June 2025), CJIS/FTI compliance, and concerns about platform scalability and performance. Despite these challenges, the project reached 39% completion and continues progress toward replacing SSL VPN across agencies with enhanced security services. Deployment activities and risk mitigation efforts remain ongoing.

Read the full update here.

SSE project at 39%

Overview

Background

WaTech is implementing the Security Service Edge (SSE) as an enterprise offering to replace the Virtual Private Network (VPN) service. The new cloud-native security solution will integrate Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA). This essential initiative will enhance security for the remote workforce and accelerate the state's transition to cloud services.

The project will develop policies, procedures, and integration requirements for the SSE service. It will also conduct an onboarding pilot with five agencies and transition the onboarding and maintenance processes to operations.

Secure Service Edge project timeline, which shows milestones and dates for the project.

Vision

Successfully establish Secure Service Edge (SSE) as a core enterprise service to fortify Washington’s IT infrastructure, ensuring resilience and safeguarding the state's capacity to deliver essential services with security and efficiency.

 

Project goals

  • Deploy SSE service to 100% of WaTech, DSHS, DFW, ESD, and Ecology staff by August 7, 2025.
  • Establish SSE as a WaTech enterprise service offering and make available to all state agencies by 1 July 2025.

 

Key features and benefits

Zero Trust Network Access (ZTNA) securely verifies user identity and device posture before granting access to applications, eliminating implicit trust and reducing the attack surface. This enhances security, supports remote work, and replaces traditional VPNs for efficiency. Benefits include:

  • Enhanced security: Only authenticated users can access specific applications, reducing security breaches from unauthorized access.
  • Micro-segmentation: Limits access to necessary data, reducing the attack surface.
  • Continuous monitoring: Real-time threat detection and response.

Secure Web Gateway (SWG) provides advanced threat protection, blocking malware, phishing, and other web-based threats. It offers comprehensive visibility into all network traffic, including encrypted traffic, enabling better threat detection and management. SWG also includes User and Entity Behavior Analytics (UEBA) to identify and respond to abnormal behavior patterns, enhancing overall security. Benefits include:

  • Seamless access: Securely access apps and services from any device, anywhere, without the hassle of VPNs.
  • Enhanced security: Threat protection for a safer and more secure online experience.
  • Reduced downtime: Continuous monitoring, adaptive controls = less disruptions for users.

Borderless Wide Area Network (BWAN) combines zero trust security with network optimization to provide secure, high-performance access for remote users, devices, and cloud services. It simplifies traffic management to the cloud, ensuring a seamless and efficient experience. Benefits include:

  • Simplified access management: Automates the process of granting and revoking access.
  • Improved security posture: Continuous monitoring, protects sensitive data, and improves response to security incidents.
  • Reduced VPN dependencies: Reduces the need for legacy VPNs, lowering maintenance costs and complexity.

 

Rate for SSE Service

The monthly rate of $12.50 per user, per month will not increase. The intent is to lower the rate over time as more agencies are onboarded.

  • The rate will be billed like SSL VPN, per user per month, identified as a new service. A new cost center has been established for the “Security Service Edge” service, under Secure Connectivity.
  • The rate includes license costs, tax, FTEs, professional services, Virtual Machines, and WaTech overhead.
  • Agencies can deprecate SSL-VPN as they onboard SSE users.
  • The SSL-VPN service will still be available since there are use cases that SSE does not support.
  • WaTech overhead and tax expenses are factored into the rate structure. Overhead includes additional Full Time Employees (Global tenant administrators and maintainers), Professional Services costs, and Virtual Machines (publishers) required to securely connect users to private applications.
  • By default, all agencies will receive two publishers as a baseline. As the agency needs expand, WaTech will provide additional publishers at no additional charge.