I would still recommend making it available as a web service rather than giving direct access; besides the security/load issues, it lets you change the representation of the data without necessarily affecting customers (of course, you can do this also at the DB level with views). The web service is a little extra work, but it lets you re-use the data access layer that already exists in your web application, so it's just a matter of putting a SOAP layer on top of that. My general philosophy is to only allow trusted apps/users to hit the database directly. -Doug
