you can add any security option to a web service

trying to make sense of all of it

you have 2 different web applications. One runs in the cloud and one runs locally, correct?

the one in the cloud is the webapp with user interface and the one locally provides web services to the one in the cloud

You say "Users must be logged on to access the webservice"

i am guessing you mean logged into the cloud web app. This of course will not provide any security in calling the web service but maybe you added login security to the webservice webapp as well

you do want some sort of security on the web service as long as it isnt supposed to be a public service. That could be a session, a Bearer Token, a JWT token, OAUTH, SAML etc.