Transport or Message Level Security?

This is a question that has been posed to me at a lot of state government pilots over the past few years with regard to encryption/privacy of messages. The following is the simple rule of thumb that I have used based on the best practices ( http://www.ws-i.org ) and discussions with security/web service professionals.

• If securing two points (a client and a service for instance) and the assumption is that security is not required once it is received on either end, then transport level security is sufficient (HTTPS, SFTP etc.)
• If it is unknown how many systems/intermediaries will be touching the message then message level security should be utilized (WS-Security / XML-Encryption).

An interesting point by the security gurus is that transport level security has the potential of being at various strengths (i.e. 128 bit). As a message travels between more than one point, there is the potential for the privacy of the message to vary. This is not the case with message level security as the strength is specified within the SOAP Headers of the message and thus remains constant. This is an important consideration as a lot of state agencies begin integrating across departments/agencies which in turn may be across networks.