The notion of security, as it applies to information processing, encompasses many approaches and a wide variety of desired ends. A great deal of effort has gone into the problem of certifying the security of a system for use in a ‘multi-level’ environment. Both the data and the population of users are assumed to have different (but discernible) characteristics; policies are established to determine the access rights of users to data based upon these characteristics; and the system is deemed secure if and only if it may be shown never to permit violations of the policy. As the policy typically involves both read and write access, this paradigm has relevance to both national security and the private sector, concerned with disclosure and fraudulent modification of data, respectively. It has been customary to model the mechanisms enforcing policies as security kernels. The original notion was of a reference monitor with three notable properties, and the security kernel was one possible embodiment of the monitor. This paper argues that the kernel, seen as being at the heart of the operating system, is in need of rethinking in light of the newer architectures (especially those based upon capabilities) and the proliferation of excellent, readily available supporting software. What is suggested is that an appropriate use of architectural principles, coupled with vigorously applied administrative procedures and some of the advances in technology, might very well serve to form the basis of the demonstration that a system is secure. It will be argued that only such an amalgam of mechanisms will provide sufficient power both to demonstrate the security of a system and to serve as a criterion of certification for those concerned with this type of security.