Secure computer architecture

A secure computer architecture having a central processing unit, zero or more memories, at least one input, at least one output and a bus to communicate signals between the components which are all untrusted elements. The computer architecture also includes a trusted access monitor device, a trusted gateway device located between each of the memories, a further trusted gateway device located between each of the inputs and the bus, and a further trusted gateway device located between each of the outputs and the bus, where the access monitor device controls either the one-way or two-way direction of the signals through a respective gateway device. In one aspect of the invention each memory location is each of the zero or more memories, and each input and each output has a respective tag which is representative of a security related attribute associated with the data in that memory location or that input or that output. The trusted access monitor contains tags which are representative of other security attributes of the processes that can be processed by the central processing unit, whereby when the central processing unit attempts to perform an access to data in a memory location or an input operation using the input or an output operation using the output, the access monitor compares the respective tags and controls either the one-way or two-way direction of the signals through a respective gateway device. The architecture disclosed can be adapted to fit within a device which connects to a peripheral input/output port of an untrusted computer device.