how do you secure your Intranet Webservices? On our company we are stuck in a discussion what level of security is necessary to protect our Webservices.
- Message Encryption
- HTTPS (TLS)
- Both?
Is it useful to make high secure Webservices which will nobody use because its so difficult to implement them?
Do you have any experiences or some Resources (Links / White paper) for me?
Thanks for your help!
I can vouch that WS-Security can be difficult to implement but has much more control over the level of security around your message:
But if you are looking at internal web services I find that SSL/TLS is easier to implement but will still provide strong encryption. If you want to add authentication you can accomplish that with basic auth on the server.
I doubt you would need to use both WSS and TLS, but some of those info sec people will come around shouting defense-in-depth, and say it's a good idea in case someone can decrypt your HTTPS session. I used to be one of those guys and probably said that, but I was looking for reasons to justify my boss's consulting fees.
So it really comes down to business requirements and what kind of data you're looking at.
Also I would consider that a malicious person on an internal network would probably go after your data sources rather than your data in transit.
A little personal experience:
I've implemented WS-Security for government web services but they can go across the public internet. The internal services I've worked on for a financial institution met the audit requirements with HTTPS and basic auth.
Cheers!