Physically secured network access control devices and systems
US-12081516-B2 · Sep 3, 2024 · US
US9774568B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9774568-B2 |
| Application number | US-201615007790-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jan 27, 2016 |
| Priority date | Jun 30, 2015 |
| Publication date | Sep 26, 2017 |
| Grant date | Sep 26, 2017 |
Official abstract text for this publication.
A computer security architecture applies selected rules from among a set of rules defining one or more security policies to a given set of security context parameters to produce security verdicts, each representing whether a certain action requested by a subject entity is permissible. Each security policy is associated with a corresponding communication interface. A plurality of gateway engines are each associated with at least one of the subject entities and dedicated to interfacing with the security server. Each of the gateway engines carries out monitoring of requested actions by the associated subject entity and, for each requested action, identifies a security context. A security policy is determined for the requested action based on a corresponding security context, and a security verdict is obtained via a communication interface corresponding to the applicable security policy.
Opening claim text (preview).
The invention claimed is:
1. A system for providing a computer security architecture, the system comprising: computing hardware, including at least one processor, a data store, and input/output facilities interfaced with the at least one processor, the data store containing an operating system and a plurality of subject entities executable by the at least one processor; the data store further containing a security subsystem executable by the at least one processor, that, when executed, causes the computing hardware to implement: a security server engine configured to apply selected rules, from among a set of rules defining one or more security policies, to a given set of security context parameters, to produce a security verdict representing whether a certain action requested by a subject entity is permissible, wherein each of the one or more security policies is associated with a corresponding communication interface, and wherein each of the one or more security policies is defined by at least a conjunction of a first predefined access mechanism and a second predefined access mechanism, and each of the first predefined access mechanism and the second predefined access mechanism are described in a configuration language accessible by the security server engine to implement the security policy without recompilation of the security server engine; and a plurality of gateway engines, each gateway engine being associated with at least one of the subject entities and dedicated to interfacing with the security server, each of the gateway engines being configured to: monitor requested actions by the associated at least subject entity and, for each requested action detected, identify a security context, determine an applicable security policy for the requested action based on a corresponding identified security context, and request a security verdict corresponding to the applicable security policy from the security server engine via a communication interface, wherein the request for the security verdict includes at least one security context parameter transmitted to the security server engine, the at least one security context parameter related to the requested actions, the security context, or the applicable security policy for the requested action, wherein the gateway engine is unable to produce a security verdict, and wherein the gateway engine is configured by a system-level configuration applicable to all subject entities on the system, and a reflection configuration unique to one of the subject entities; and a security enforcement engine configured to either permit or deny each of the requested actions according to the security verdict.
2. The system of claim 1, wherein each of the plurality of subject entities is associated with exactly one gateway engine.
3. The system of claim 1, wherein security context for each requested action includes at least one parameter selected from the group consisting of: a time of occurrence of the requested action, an identifier of a user initiating the requested action, a command called by the requested action, or any combination thereof.
4. The system of claim 1, wherein each communication interface of the security server engine is an application programming interface accessible only to the plurality of gateway engines.
5. The system of claim 1, wherein each requested action includes an application programming interface call.
6. The system of claim 1, wherein each requested action includes an interprocess communication.
7. The system of claim 1, wherein the plurality of subject entities includes at least one process as a subject entity.
8. The system of claim 1, wherein the plurality of subject entities includes at least one application program as a subject entity.
9. The system of claim 1, wherein the plurality of subject entities includes at least one computing device as a subject entity.
10. The system of claim 1, wherein the security server engine is implemented by execution of a microkernel.
11. The system of claim 1, wherein each of the gateway engines includes an evaluation engine that is independent of any of the security policies.
12. The system of claim 1, wherein each of the gateway engines includes a configuration that is specific to the corresponding subject entity and defines a plurality of action requests that the corresponding subject entity is able to take, along with corresponding policies implicated by those action requests.
13. The system of claim 1, wherein each of the gateway engines includes a security verdict cache configured to store previously-rendered security verdicts corresponding to that gateway engine.
14. The system of claim 1, wherein the one or more security policies includes parameters for a mandate access security model.
15. The system of claim 1, wherein the one or more security policies includes parameters for a Bell-LaPadula security model.
16. The system of claim 1, wherein each of the gateway engines is autonomously generated by the security subsystem.
17. A method for executing a computer security architecture on a computer system that includes at least one processor, a data store, and input/output facilities interfaced with the at least one processor, the data store containing an operating system and a plurality of subject entities executable by the at least one processor, the method being automatically executed by the computer system, and comprising: executing a security server, including: applying selected rules from among a set of rules defining one or more security policies to a given set of security context parameters, to produce security verdicts, each security verdict representing whether a certain action requested by a subject entity is permissible, wherein each of the one or more security policies is associated with a corresponding communication interface, and wherein each of the one or more security policies is defined by at least a conjunction of a first predefined access mechanism and a second predefined access mechanism, and each of the first predefined access mechanism and the second predefined access mechanism are described in a configuration language accessible by the security server to implement the security policy without recompilation of the security server; and executing a plurality of gateway engines, each gateway engine being associated with at least one of the subject entities and dedicated to interfacing with the security server, and each of the gateway engines carrying out: monitoring of requested actions by the associated at least subject entity and, for each requested action detected, identifying a security context; determining an applicable security policy for the requested action based on a corresponding identified security context, and obtaining a security verdict from among the produced security verdicts corresponding to the applicable security policy via a communication interface, wherein the request for the security verdict includes at least one security context parameter transmitted to the security server engine, the at least one security context parameter related to the requested actions, the security context, or the applicable security policy for the requested action, wherein the gateway engine is unable to produce a security verdict, and wherein the gateway engine is configured by a system-level configuration applicable to all subject entities on the system, and a reflection configuration unique to one of the subject entities; and executing a security enforcement decision to either permit or deny each of the requested actions according to the securit
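A compact model of the architecture in claims 1, 12 and 13 (security server, per-subject gateway with reflection configuration and verdict cache, enforcement engine), added here as an illustration and not taken from the patent or any product implementing it. The label lattice, policy table, action names and class names are all constructed for the example; the "configuration language" of the claims is stood in for by plain Python data.

```python
# Constructed system-level configuration: applies to every subject entity on the system.
SYSTEM_CONFIG = {"levels": {"public": 0, "confidential": 1, "secret": 2}}

# Each policy is the conjunction of two access mechanisms, held as data rather than
# code: changing a policy edits this table, not the server (no recompilation).
POLICIES = {
    "file_policy": [("mandate", {"commands": ["read", "write"]}), ("bell_lapadula", {})],
    "ipc_policy": [("mandate", {"commands": ["send"]}), ("bell_lapadula", {})],
}

def mandate(ctx, params, cfg):
    """Mandate access: only the commands listed for the policy may be issued."""
    return ctx["command"] in params["commands"]

def bell_lapadula(ctx, params, cfg):
    """Bell-LaPadula on the system-level lattice: no read up, no write down."""
    s, o = cfg["levels"][ctx["subject_level"]], cfg["levels"][ctx["object_level"]]
    return s >= o if ctx["command"] == "read" else s <= o

MECHANISMS = {"mandate": mandate, "bell_lapadula": bell_lapadula}

class SecurityServer:
    """Applies a policy's rules to the supplied context parameters; one interface per policy."""
    def __init__(self, cfg):
        self.cfg = cfg
    def verdict(self, policy_name, ctx):
        return all(MECHANISMS[m](ctx, p, self.cfg) for m, p in POLICIES[policy_name])

class GatewayEngine:
    """Per-subject gateway: cannot decide on its own. It maps a requested action to a
    policy via the subject's reflection configuration, forwards the security context
    to the server, and caches the verdict it gets back (claim 13)."""
    def __init__(self, server, system_cfg, reflection_cfg):
        self.server, self.cfg, self.reflection, self.cache = server, system_cfg, reflection_cfg, {}
    def request(self, action, ctx):
        policy = self.reflection.get(action)   # claim 12: actions this subject may take
        if policy is None:
            return False                       # undeclared action: no policy, no verdict
        key = (policy, tuple(sorted(ctx.items())))
        if key not in self.cache:
            self.cache[key] = self.server.verdict(policy, ctx)
        return self.cache[key]

def enforce(gateway, action, ctx):
    """Security enforcement engine: permit or deny strictly according to the verdict."""
    return "permit" if gateway.request(action, ctx) else "deny"

def build_gateway():
    """Constructed wiring: one gateway for a subject that may open files and send IPC."""
    server = SecurityServer(SYSTEM_CONFIG)
    return GatewayEngine(server, SYSTEM_CONFIG, {"open_file": "file_policy", "ipc_send": "ipc_policy"})
```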
by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title
to features or functions of an application · CPC title
Architectural arrangements, e.g. perimeter networks or demilitarized zones · CPC title
at program execution time, where the protection is within the operating system · CPC title
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title