Most often, people said blocking USB port is a control in the company but somehow there is exception process to “authorize” company USB storage device to connect due to business reason.
Two mistakes:
1. USB ports are standard I/O interface now. There are different needs like keyboard, mouse, IP phone device using USB connection. They cannot be blocked as a blanket directive. The proper way to say is to manage removable media.
2. The protection objective is not clear. What is this technical control for:
- Limit importing malware
- Limit data leakage
- Something else
With an “authorized” company USB storage device, it will be in vain for any of these cases as long as that company device is shared with other non-company computers. This is totally outside technical control.
The reality is that file exchange is always legitimate business needs. Providing a means to facilitate secure file exchange will eliminate the use of removable media as well as getting user buy-in.
The ultimate control relies on management directive, user awareness and enforcement with disciplinary process for violation. Like in some countries, if you are importing drugs, you will be subject to death sentence.