How do you secure your intranet web services? At our company we are stuck in a discussion about what level of security is necessary to protect our web services.
Is it useful to build highly secure web services which nobody will use because they are so difficult to implement?
Do you have any experiences or some resources (links / white papers) for me?
Thanks for your help!
I can vouch that WS-Security can be difficult to implement, but it gives you much more control over the level of security around your message.
But if you are looking at internal web services, I find that SSL/TLS is easier to implement but will still provide strong encryption. If you want to add authentication, you can accomplish that with basic auth on the server.
I doubt you would need to use both WSS and TLS, but some of those info sec people will come around shouting defense-in-depth, and say it's a good idea in case someone can decrypt your HTTPS session. I used to be one of those guys and probably said that, but I was looking for reasons to justify my boss's consulting fees.
So it really comes down to business requirements and what kind of data you're looking at.
Also I would consider that a malicious person on an internal network would probably go after your data sources rather than your data in transit.
A little personal experience:
I've implemented WS-Security for government web services, but they can go across the public internet. The internal services I've worked on for a financial institution met the audit requirements with HTTPS and basic auth.
Cheers!
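The answer above recommends HTTPS plus basic auth for internal web services. The following is an added example (not code from the poster or from any product mentioned here) of the server-side check that pattern implies: the service refuses to accept basic auth credentials unless the request arrived over TLS, decodes the `Authorization` header defensively, and compares the password against a salted PBKDF2 hash with a constant-time comparison. The function names (`authenticate`, `parse_basic_auth`, `make_basic_header`), the `CREDENTIALS` store, the fixed salt and the `scheme` argument are all assumptions made for this illustration; a real deployment would get the scheme from the TLS terminator or framework and the hashes from its user store.

```python
import base64
import binascii
import hashlib
import hmac

PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (assumed storage format)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Constructed credential store for the demo: username -> (salt, hash).
# The salt is fixed here only so the example is deterministic; generate a
# random per-user salt in real use.
_DEMO_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
CREDENTIALS = {
    "svc-reporting": (_DEMO_SALT, _hash_password("correct horse battery staple", _DEMO_SALT)),
}


def make_basic_header(user: str, password: str) -> str:
    """Build the client-side 'Authorization: Basic ...' header value."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header_value):
    """Return (user, password) from a Basic auth header value, or None if malformed."""
    if not header_value:
        return None
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def authenticate(headers: dict, scheme: str):
    """Decide whether a request may proceed.

    headers: request headers (constructed dict, header names as given);
    scheme:  'https' or 'http', as reported by the TLS terminator (assumed).
    Returns (http_status, reason).
    """
    # Basic auth sends the password in the clear, so it is only ever
    # accepted on a TLS-protected connection.
    if scheme != "https":
        return 403, "basic auth only accepted over TLS"

    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return 401, "missing or malformed credentials"
    user, password = creds

    record = CREDENTIALS.get(user)
    if record is None:
        # Do the same amount of hashing work for unknown users so response
        # time does not reveal which usernames exist.
        _hash_password(password, _DEMO_SALT)
        return 401, "invalid credentials"

    salt, expected = record
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return 401, "invalid credentials"
    return 200, "ok"


if __name__ == "__main__":
    hdr = {"Authorization": make_basic_header("svc-reporting", "correct horse battery staple")}
    print(authenticate(hdr, "https"))  # (200, 'ok')
    print(authenticate(hdr, "http"))   # (403, 'basic auth only accepted over TLS')
```

The TLS check is deliberately the first thing evaluated: with basic auth, the encryption of the transport is the only thing protecting the credential, so a server that silently accepts the same header over plain HTTP has no authentication security to speak of regardless of how carefully it stores the hashes.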