March 11, 2010

Datagent


Smart-Card Based Workstation Access Control in Hardware

Datagent is a hardware component installed in target computers that gives the organization a pre-boot access control platform for user workstations. Before the BIOS executes on the target machine, the NSA/NIAP EAL4 validated Datagent module authenticates the individual and provides access to only those workstation assets (specifically, hard drives, NICs, and USB ports) to which that user is entitled.

The module is smart card-based; a user's smart card holds both their authentication information and their administrator-defined access rights. To access the workstation, the user inserts their smart card into the reader and then provides PIN/password information, which is verified by the platform. Provided the PIN/password information matches that stored in the card and in the microcontroller memory of the module itself, the user is granted access to those resources within the workstation that they are allowed to use.

The Datagent module controls access to the workstation components primarily through the use of power toggles following the authentication of the individual. That is, to prevent access to a specific hard drive, the power to that drive is cut off, making it appear "dead" to the computer prior to BIOS initialization. The vendor states that Datagent is designed for use with TPM (Trusted Computing Group) 1.2 compliant motherboards, and lists the Dell Precision T3400 Workstation and HP dc7900 Business PC as the initial machines available with the module. Because it is hardware-based and operates before the operating system boots, the Datagent module is operating system agnostic and works irrespective of the target machine's operating system.

For management, administrator software is supplied (Windows XP/sp2+ with a smart card reader/writer required) for the configuration of smart cards, management of security levels, and collection of audit data (unsuccessful authentications, attempts to establish sessions, etc.). The vendor notes that user and administrator roles are separated--the admin can program the user's PIN but cannot access the password in the microcontroller of the Datagent.

Other features include anti-tampering capabilities (the module erases the microcontroller's memory in the event of electrical or physical attacks; a Datagent that has been so erased would need to be replaced by the vendor, as the microcontroller is not field-programmable); support for time-of-day-based access policies; and encryption of microcontroller memory at the end of each session.

Three models of the Datagent are initially available. The Datagent 1000 includes a single fixed hard drive and provides single-domain access restrictions (i.e., a single set of access restrictions can be defined for the machine). The Datagent 2000 includes both a fixed hard drive and a removable drive; the fixed drive in this system operates as an unrestricted drive and can therefore be used without a smart card or authentication, while the removable drive is accessible only via authentication. Finally, the Datagent 3000 includes a single fixed hard drive (unrestricted) and a pair of removable hard drives (restricted access). The Datagent 3000 supports definition of up to three separate access domains (combinations of NICs, HDs, and USB ports) within a single workstation. In both the Datagent 2000 and 3000 systems, the removable hard drives include a Talis-manufactured ID board that provides feedback mechanisms to the Datagent access controls.

Datagent is available now. Visit the Talis Data Systems Web site for further information.

product submission by ESecPlanet Staff


fact sheet
ID#: 1234544026
date posted: Feb. 17, 2009
category: Security Products:Filtering/Monitoring
platform: Is Hardware
vendor: Talis Data Systems, LLC
(www.talisdata.com)