You will need to use more than one technique to secure your Web Service. The combination of techniques depends on what your security requirements are. Pay attention to where you deploy the Web Service, and make sure that your critical data is protected from the public Internet. Web Services, by providing a well-defined interface, can offer quite a bit of data protection by putting the Web Service on the public Internet and allowing only the Web Service server to get at the data.
By locking down the boxes and allowing only authenticated users to access the data, you lock out a number of malicious users. Of the users you do allow through, you will want to monitor what they are doing and store that data in a log. Even if you allow everyone through, you should include logging mechanisms and design these early in the development process. Adding logging after the fact is error prone and time consuming.
If you follow the recommendations in this chapter, you will have a more secure Web Service. By monitoring who is calling the Web Service, you will be able to figure out how it is being used. If you notice abuse, you will be able to figure out what group of machines is misusing the service and block them from any more transgressions.