The traditional concept of an in-house data center behind a static corporate firewall is history once and for all. The enterprise is now in full embrace of dynamic applications provided and scaled by dedicated cloud service providers. To innovate faster, regain control, and compete in a new world that is shifting from a "need to know" to a "need to share" paradigm requires a new focus on security and authorization in a dynamic perimeter. This dynamic perimeter spans hybrid models that seamlessly mix local applications and cloud services. This is irrelevant to the end user – they need SSO and AuthZ based on their need to share, regardless of where the app is delivered. Administrators shouldn't be forced to duplicate IDs in the cloud – they want to maintain authoritative IDs and policies from centralized decision points. And service providers do not have the expertise or desire to manage security. Service Gateways, when combined with ABAC (Attribute-Based Access Control) engines, deliver a ready on-premise or cloud-outsourced service to regain control of security within the virtualized data center.
One of the many advantages of claims-based architectures is that they abstract away the details of their components, including where things are hosted. As long as services and identity providers are network-addressable, they can live on-premises and in the cloud and easily move between the two environments without changing the emergent properties of the system. The immediate advantage is that existing identity providers, typically on-premises, are readily available for the new applications in the cloud; in the long term, claims-based identity is a key enabler for incorporating the choice of deploying to the cloud into your current arsenal of IT tools. With claims-based identity, the cloud requires no special arrangements: things can fluidly move from distributed to centralized, following your own requirements and management style.