When it comes to storing user information, today's approach is to delegate authentication and authorization to security providers where possible. This means that an enterprise application doesn't store security information itself, but asks a third party, a trusted security provider.
This is especially interesting in distributed environments, where multiple applications offer potential endpoints to the outside world. The security information moves to a single point of responsibility.
Security concerns are usually not a part of the core business logic. The application will ask the trusted security provider system to validate the security of user requests. The security provider acts as a secure single point of responsibility.
There are decentralized security protocols, such as OAuth or OpenID, that implement this approach.
Delegating the responsibility to a trusted security provider eliminates the need to share passwords within enterprise systems. Users authenticate directly against the security provider. Applications that require security information about a user are given session tokens that do not directly contain confidential data.
This principle, however, mainly targets communication that includes application users as persons.
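The delegation described above, as an added example that is not part of the original text: a constructed in-process provider holds the credentials and issues opaque session tokens, while the application only asks the provider whether a token is valid. All class, method and role names (`SecurityProvider`, `OrderApplication`, `introspect`, `orders:read`) are assumptions made for illustration; a real deployment would use a provider speaking a protocol such as OAuth.

```python
import hashlib
import hmac
import secrets
import time

class SecurityProvider:
    """Constructed stand-in for a trusted provider: the only place credentials live."""
    def __init__(self):
        self._users = {}     # username -> (salt, password hash, roles)
        self._sessions = {}  # opaque token -> (username, roles, expiry time)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password, roles):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt), tuple(roles))

    def login(self, username, password, ttl=300):
        """The user authenticates here, never against the application."""
        salt, stored, roles = self._users.get(username, (b"\0" * 16, b"", ()))
        supplied = self._hash(password, salt)  # computed even for unknown users
        if not hmac.compare_digest(stored, supplied):
            return None
        token = secrets.token_urlsafe(32)  # random value, carries no user data
        self._sessions[token] = (username, roles, time.time() + ttl)
        return token

    def introspect(self, token):
        """Called by applications to ask whether a token is valid, and for whom."""
        username, roles, expiry = self._sessions.get(token, (None, (), 0.0))
        if username is None or expiry < time.time():
            return {"active": False}
        return {"active": True, "user": username, "roles": list(roles)}

    def revoke(self, token):
        self._sessions.pop(token, None)

class OrderApplication:
    """Business application (hypothetical): stores no passwords, asks the provider."""
    def __init__(self, provider):
        self._provider = provider

    def list_orders(self, token):
        info = self._provider.introspect(token)
        if not info["active"]:
            return 401, "invalid or expired session"
        if "orders:read" not in info["roles"]:
            return 403, "forbidden"
        return 200, f"orders for {info['user']}"
```

Because the token is only a random lookup key, revoking or expiring it at the provider takes effect in every application on the next request.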