Hoff has a good post on putting the Cloud in Context, and I quite like the layers he describes.
1) you must have interoperable identity tokens and security token services in the Metastructure, and
2) for a number of reasons like consistency you might like to perform some level of authN and authZ in the metastructure, but
3) the Infostructure must have some authZ at the last mile - all trust is local.
Why is this important? It's because to meet requirements 1 and 2, consistent token types and security token services should be sufficient. But to meet requirement 3, crossing the chasm from the meta to the infostructure, decentralized policy is required as well.
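The three requirements above, sketched as an added example that is not from the original post: a security token service issues a signed token, and the resource verifies it and then applies its own policy. The HMAC token format, the key, the claim names and the policy table are all assumptions made up for illustration.

```python
import base64, hashlib, hmac, json

# Assumption: one shared HMAC key stands in for the STS signing key.
STS_KEY = b"constructed-demo-key"

def _sign(body):
    return hmac.new(STS_KEY, body, hashlib.sha256).hexdigest().encode()

def sts_issue(claims):
    """Metastructure: the STS serializes the claims and signs them."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return body + b"." + _sign(body)

def verify_token(token):
    """Requirements 1 and 2: one token type every service can verify."""
    try:
        body, sig = token.rsplit(b".", 1)
    except ValueError:
        return None  # no signature part at all
    if not hmac.compare_digest(sig, _sign(body)):
        return None  # tampered, or not issued by this STS
    return json.loads(base64.urlsafe_b64decode(body))

# Requirement 3: policy owned by the resource itself (hypothetical rules).
LOCAL_POLICY = {
    ("payroll-db", "read"): {"hr", "finance"},
    ("payroll-db", "write"): {"finance"},
}

def last_mile_authorize(token, resource, action):
    """Infostructure: a valid token is necessary, local policy decides."""
    claims = verify_token(token)
    if claims is None:
        return "deny: invalid token"
    allowed_groups = LOCAL_POLICY.get((resource, action), set())  # default deny
    if allowed_groups & set(claims.get("groups", [])):
        return "allow"
    # Any upstream decision carried in the token is ignored here.
    return "deny: local policy"

if __name__ == "__main__":
    # Constructed claims: the metastructure has already said "allow".
    tok = sts_issue({"sub": "alice", "groups": ["hr"], "upstream_authz": "allow"})
    for action in ("read", "write"):
        print(action, "->", last_mile_authorize(tok, "payroll-db", action))
```

The same token is accepted for `read` and refused for `write`, because the upstream `allow` claim never overrides the table the resource owns.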