A secure computer architecture is disclosed which has a central processing unit means (10), zero or more memory means (30), at least one input means (14, 16, 18, 20, 22, 24, 26), at least one output means (14, 16, 18, 20, 22, 24, 26, 50) and bus means (52, 54) to communicate signals between the means which are all untrusted elements, a trusted access monitor device (28), a trusted gateway device (44) located between each of said memory means (30), a further trusted gateway device (32, 34, 36, 38, 40, 42, 46) located between each of said at least one input means and said bus means, and a further trusted gateway device (32, 34, 36, 38, 40, 42, 48) located between each of said at least one output means and said bus means, where the access monitor device controls either the one-way or two-way direction of said signals through a respective gateway device. In one aspect of the invention each memory location is each of said zero or more memory means (30), and each at least one input means and each at least one output means has a respective tag (within 56) which is representative of a security related attribute associated with the data in that memory location or that input or that output means, said trusted access monitor contains tags which are representative of other security attributes of the processes that can be processed by said central processing unit means, whereby when the central processing unit means, whereby when the central processing unit (10) means attempts to perform an access to data in a memory location or an input operation using said input means or an output operation using said output means, said access monitor compares the respective tags and controls either the one-way or two-way direction of said signals through a respective gateway device. The architecture disclosed can be adapted to fit within a device which connects to a peripheral input/output port of an untrusted computer device.