Cloud Computing will be the next big paradigm shift in IT. I have no doubt about that. But like with in many other cases, there is first of all a vision, then a buzzword, then some basic technology - and then people start to think about things like reliability and security. The same is true with Cloud Computing. There are many services out there, but IAM and GRC for the cloud are heavily underestimated.

That is somewhat funny given that some of these services appeared in the big New Economy bubble some ten years ago. is just one example, some of the online conferencing providers are as well in the market for years now. But only few of them support at least basic standards like SAML (Security Assertion Markup Language) for Identity Federation. And many still lack the support for such standards, not to talk about more advanced approaches like Information Cards or XACML.

Beyond the fact of missing support for existing standards, there is the issue of missing standards. There are virtually no standards for GRC, for example for auditing and alerting (and SNMP isn't the solution for the cloud). Even XACML is more sort of a technical standard, which needs a lot of additional work to really support the authorization management issues in the cloud.

There are some additional offerings for example for Single Sign-On to the cloud, there are some identity providers for the very lightweight OpenID and even less for Information Cards, and there are few offerings for Identity Provisioning from the cloud, e.g. managed services for Identity Management. Some of the more interesting vendors in the market are, amongst others, companies like Fischer (Provisioning), Ping Identity (Federation), TriCipher (Authentication), Arcot Systems (Authentication), Multifactor Authentication (again Authentication), and Fun Communications (Information Cards). But the number of offerings is still relatively small.

On the other hand it is obvious that IAM and GRC will become a very fast growing segment of the IT market, for ISVs as well as for Identity Providers. And it will be as well an interesting opportunity for consultants supporting all the other providers in the cloud in enabling their applications for the IAM and GRC requirements of their customers.

To become successful as a provider in the cloud, the "externalization" of the management of authentication and authorization as well as externalized auditing will become mandatory. Customers can't afford to manage authorizations per cloud service but will have to apply pre-defined policies. Thus, we need new standards and we need new semantics for existing standards like XACML on a much higher level than today.

The entire industry, e.g. cloud providers as well as customers and IAM/GRC vendors have to work together on this. Feel free to send me your ideas and proposals on this - we're currently preparing a launch of a standards initiative on some IAM/GRC issues and that might be the next one.

More on IAM and GRC for the Cloud at the European Identity Conference 2009 (Munich, May 5th to 8th).