I am part of a project that aims to SOA-enable my organization. This is being achieved through Web Services and the use of an ESB. We now have a requirement to expose one of our Web Services onto the internet to be consumed by a number of mobile devices - this is not a public service, but a third-party organization will invoke our service from a number of mobile devices.

How can we make sure that our web service is secure? Would using SSL with client authentication be sufficient? I have been reading a few articles around XML Digital Signatures and XML Encryption/SAML, etc., but this all seems to be message-level security and I don't feel that those technologies are relevant.

Our main requirements are to authenticate the client and ensure that messages exchanged are secured, in addition to securing the service against DoS attacks.