A customer is asking me to put a web service on my production machine, which will be called from a web-server. Today there is no connection between this machines. I see that the security get reduced, but how much? Will I be in big risk? See this as more secure than if he runs SQL, but is it more secure? The other possibility is to move data from production machine to the web machine.
Running a web service is not inherently more or less secure than running a regular web server. It is of course another point of attack, but it can be secured just like a web app (encryption, authentication, etc.).