Thanks for the comments. I understand the security concerns, and there is actually a simple strategy for dealing with them: delegate them to each individual system that is being aggregated.
In this article, I am talking about a client-side architecture where the client (a mobile app, a desktop app, or an app running in a browser) fetches the events from the various systems (CRM, HR, Office 365) using the OAuth protocol and web services/REST. So only the events which the user has read access to will actually be retrieved and then displayed by the Universal Activity Stream. If you click on a CRM event, then you will go to, say, salesforce.com only if you have Salesforce access and rights to access that record.
Indeed, a server-to-server architecture would be a security nightmare.
Co-founder & CEO
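The delegation model the comment describes, as an added worked example that is not the commenter's or the article's code: each source system verifies the user-delegated token it issued and applies its own access control, while the client merely concatenates whatever each system returns. The systems, users, secrets, tokens and events are constructed stand-ins; the HMAC-tagged JSON "token" stands in for a real OAuth access token, and an aggregator that never holds a system-wide credential has nothing to leak if it is compromised.

```python
"""Client-side activity stream with authorization delegated to each source.
Added illustration, not the commenter's or TechRepublic's code; every system,
user, secret, token and event below is a constructed stand-in."""
import hashlib
import hmac
import json
from typing import Dict, List

SCOPE = "events.read"   # assumed scope name; real systems define their own


def mint_token(issuer_secret: bytes, issuer: str, subject: str, scope: str) -> str:
    """Constructed stand-in for an OAuth access token: JSON claims plus an
    HMAC tag that only the issuing system can produce or verify."""
    claims = json.dumps({"iss": issuer, "sub": subject, "scope": scope}, sort_keys=True)
    tag = hmac.new(issuer_secret, claims.encode(), hashlib.sha256).hexdigest()
    return f"{claims}.{tag}"   # tag is hex, so the last '.' separates the parts


class SourceSystem:
    """A CRM/HR/Office 365-style backend. It owns the records and the
    access-control decision; the aggregating client never makes that call."""

    def __init__(self, name: str, secret: bytes, events: List[dict]):
        self.name = name
        self._secret = secret
        self._events = events   # each: {"id", "ts", "text", "readers": [...]}

    def _verify(self, token: str) -> dict:
        claims_json, _, tag = token.rpartition(".")
        expected = hmac.new(self._secret, claims_json.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError(f"{self.name}: token not issued by this system")
        claims = json.loads(claims_json)
        if claims.get("iss") != self.name or SCOPE not in claims.get("scope", "").split():
            raise PermissionError(f"{self.name}: wrong issuer or missing scope")
        return claims

    def fetch_events(self, token: str) -> List[dict]:
        """The OAuth-protected REST endpoint: returns only what the token's
        subject may read. Filtering happens here, at the source of record."""
        subject = self._verify(token)["sub"]
        return [dict(e, source=self.name) for e in self._events if subject in e["readers"]]


class ActivityStreamClient:
    """The mobile/desktop/browser client. It holds one user-delegated token
    per connected system and simply merges what each system hands back."""

    def __init__(self, tokens: Dict[str, str]):
        self._tokens = tokens

    def stream(self, systems: List[SourceSystem]) -> List[dict]:
        merged: List[dict] = []
        for system in systems:
            token = self._tokens.get(system.name)
            if token is None:
                continue            # user never connected this system: nothing to show
            try:
                merged.extend(system.fetch_events(token))
            except PermissionError:
                continue            # revoked or foreign token: that system contributes nothing
        return sorted(merged, key=lambda e: e["ts"])


# Constructed sample systems and events (not real CRM/HR data).
CRM_SECRET, HR_SECRET = b"crm-secret", b"hr-secret"
CRM = SourceSystem("crm", CRM_SECRET, [
    {"id": "opp-1", "ts": 2, "text": "Opportunity updated", "readers": ["alice", "bob"]},
    {"id": "opp-2", "ts": 3, "text": "Private account note", "readers": ["bob"]},
])
HR = SourceSystem("hr", HR_SECRET, [
    {"id": "pto-1", "ts": 1, "text": "Leave approved", "readers": ["alice"]},
])


def alice_stream() -> List[dict]:
    """Alice connected both systems; she sees only records CRM and HR say she may read."""
    client = ActivityStreamClient({
        "crm": mint_token(CRM_SECRET, "crm", "alice", SCOPE),
        "hr": mint_token(HR_SECRET, "hr", "alice", SCOPE),
    })
    return client.stream([CRM, HR])


def bob_stream_without_hr() -> List[dict]:
    """Bob connected CRM only, so no HR event can appear whatever his CRM rights are."""
    client = ActivityStreamClient({"crm": mint_token(CRM_SECRET, "crm", "bob", SCOPE)})
    return client.stream([CRM, HR])


def replayed_token_stream() -> List[dict]:
    """A CRM token presented to HR is rejected by HR's own verification."""
    crm_tok = mint_token(CRM_SECRET, "crm", "alice", SCOPE)
    client = ActivityStreamClient({"crm": crm_tok, "hr": crm_tok})
    return client.stream([CRM, HR])


if __name__ == "__main__":
    for e in alice_stream():
        print(e["source"], e["id"], e["text"])
```

The check a practitioner wants is that the client contains no access-control logic at all: removing a token, revoking it, or replaying it against the wrong system changes what is displayed only because the source system refused the request, never because the client filtered. A server-to-server design would instead need one service credential able to read every user's records, and the aggregator would then have to re-implement each system's permission model itself.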