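In this paper, we propose an operational model to support the security of Web Services. In addition to meeting the basic security requirements, including authentication, confidentiality, integrity, and non-repudiation, this operational model also provides the security mechanisms of element-wise encryption and temporal-based element-wise digital signature. Furthermore, the proposed operational model supports a flexible key specification scheme that can be used to define three different types of keys: static keys, dynamically selected keys, and keys that use digital signatures. The service requester can decide the identity of the keys used without negotiating with the service provider in advance. In the proposed operational model, two methods are designed to reduce the cost of system development and maintenance: (1) we define a Web Services Security Language (WSSL) that separates the service implementation of a Web service from the specification of its security policy; (2) the proposed operational model is supported through an application programming interface (API) designed for the Web Services Security Language. Finally, we implement the proposed system and measure its performance to demonstrate the feasibility of the operational model.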
In this paper, we propose an operational model to support the security of Web services. In addition to satisfying the basic security requirements, including authentication, confidentiality, data integrity, and nonrepudiation, the proposed model supports security mechanisms such as element-wise encryption and temporal-based element-wise digital signatures. Furthermore, the proposed model supports a flexible key specification scheme called explicit key definition, which can be used to define three different types of keys: static keys, dynamically selected keys, and keys applied to digital signatures. The service requester can determine the identity of the keys used without negotiating with the service provider. The proposed operational model is designed to reduce the costs of system development and maintenance in two ways: (1) by separating service implementation and specification of the security policy for Web services, and (2) by using a specially designed application programming interface to support the proposed operational model. The implementation and experimental results demonstrate the feasibility of the proposed system.