Modern interconnected computer systems handling classified information can be built using Windows NT. The architecture provides each user with a private desktop in which to work, along with services for sharing data. Within a desktop, the user is helped to attach security labels to their data. When data is shared, labelling prevents accidental compromise, but other measures defend against other forms of compromise.
A prototype implementation called Purple Penelope supports this approach. It customises NT to provide discretionary labelling, easy to use role based access controls and effective accounting and audit measures to shared files.