How to secure Intranet Web Services (Transport Layer Security vs. Message Encryption)
How do you secure your intranet web services? At our company we are stuck in a discussion about what level of security is necessary to protect our web services.
- Message Encryption
- HTTPS (TLS)
- Both?
Is it useful to build highly secure web services that nobody will use because they are so difficult to implement?
Do you have any experience or resources (links / white papers) for me?
Thanks for your help!
I can vouch that WS-Security can be difficult to implement, but it gives you much more control over the level of security around your message:
- Encrypt parts separately header / body
- Message expiration
- Digital signatures
- Authentication
- More control over encryption and signature algorithms
But if you are looking at internal web services, I find that SSL/TLS is easier to implement and will still provide strong encryption. If you want to add authentication, you can accomplish that with basic auth on the server.
I doubt you would need to use both WSS and TLS, but some of those info sec people will come around shouting defense-in-depth, and say it's a good idea in case someone can decrypt your HTTPS session. I used to be one of those guys and probably said that, but I was looking for reasons to justify my boss's consulting fees.
So it really comes down to business requirements and what kind of data you're looking at.
Also, I would consider that a malicious person on an internal network would probably go after your data sources rather than your data in transit.
A little personal experience:
I've implemented WS-Security for government web services but they can go across the public internet. The internal services I've worked on for a financial institution met the audit requirements with HTTPS and basic auth.
Cheers!
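The answer above lists message expiration and digital signatures as things WS-Security gives you that plain TLS does not. The following is an added example, not code from the question or the answer, and it is not WS-Security itself: it is a stripped-down analogue in JSON that shows what those two controls look like in practice. It uses an HMAC with a shared secret where WS-Security would use an XML signature and a Timestamp header; the secret, the envelope field names, and the sample message are all constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Constructed shared secret for this example only. A real deployment would
# provision it out of band, or use asymmetric signatures as WS-Security does.
SHARED_SECRET = b"example-shared-secret-not-for-production"


def _canonical(headers: dict, body: dict) -> bytes:
    # Deterministic serialisation so sender and receiver MAC the same bytes.
    # WS-Security needs XML canonicalisation for exactly the same reason.
    return json.dumps({"headers": headers, "body": body},
                      sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_message(secret: bytes, body: dict, created: int, ttl_seconds: int) -> dict:
    """Wrap a body in an envelope carrying created/expires (the analogue of a
    WS-Security Timestamp) plus an HMAC over headers and body (standing in for
    a digital signature). The MAC covers the timestamps, so an attacker cannot
    extend the lifetime of a captured message."""
    headers = {"created": int(created), "expires": int(created) + int(ttl_seconds)}
    mac = hmac.new(secret, _canonical(headers, body), hashlib.sha256).hexdigest()
    return {"headers": headers, "body": body, "signature": mac}


def verify_message(secret: bytes, envelope: dict, now: int,
                   clock_skew: int = 30) -> Tuple[bool, str]:
    """Return (accepted, reason). The signature is checked before any header
    value is trusted, then the expiry window is enforced with a small skew
    allowance for unsynchronised clocks."""
    try:
        headers = envelope["headers"]
        body = envelope["body"]
        sig = envelope["signature"]
        created = int(headers["created"])
        expires = int(headers["expires"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed envelope"

    expected = hmac.new(secret, _canonical(headers, body), hashlib.sha256).hexdigest()
    # Constant-time comparison so a timing side channel cannot leak the MAC.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if created > now + clock_skew:
        return False, "created in the future"
    if now > expires + clock_skew:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a request created at a fixed epoch time, valid 5 min.
    created_at = 1_700_000_000
    envelope = sign_message(SHARED_SECRET, {"op": "transfer", "amount": 100},
                            created_at, ttl_seconds=300)
    print("fresh, intact:", verify_message(SHARED_SECRET, envelope, created_at + 10))
    print("replayed late:", verify_message(SHARED_SECRET, envelope, created_at + 400))
    tampered = dict(envelope)
    tampered["body"] = dict(envelope["body"], amount=1_000_000)
    print("tampered body:", verify_message(SHARED_SECRET, tampered, created_at + 10))
```

The point of the demo is the property the answer attributes to WS-Security: these checks hold end to end, even after TLS has been terminated at a load balancer or proxy and the message is sitting in a queue or log. TLS alone gives you neither the expiry nor a signature that survives past the connection; whether that matters for an internal service is the business-requirements question the answer ends on.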