I'm curious to know how others are dealing with removable storage governance and restrictions, especially in contexts where compliance is required (like SOC 2 or SOX). We're a small to medium-sized business with around 600 users and a small IT team of only three. Most of our setup is Windows-based and we utilize CrowdStrike for security. Recently, we invested in their device control solution to help implement these restrictions. To figure out who absolutely needs access to removable storage for business-related reasons, we conducted a survey, and surprisingly, nearly 25% of our staff fall into that category!
As an engineering firm, many of these employees need to use USB drives for tasks like updating firmware and collecting logs on our field devices. I've already started creating a workflow for those departments to get their devices added to the exclusion policy in CrowdStrike, and I'm documenting everything for SOC 2 compliance. However, I'd love to hear from anyone facing a similar situation. What solutions are you using to manage these requirements? Are you taking a more lenient approach?
3 Answers
We're pretty strict and block all USB access by default, but we do allow exceptions for company-owned drives. Every user has to sign a contract stating that they can't take these drives off-site unless they're encrypted. It helps us maintain some level of control.
We also block all USB devices except for specific cases. If users request access, we usually steer them towards using OneDrive instead. The only exceptions we make are for legacy equipment, like a really old CNC scanner on XP that's totally isolated from the network.
It's definitely a bit of a hassle, but one approach might be to restrict access to only known USB drives, or even require that they be encrypted. If your users are only downloading files from managed devices, that can help keep things secure. Just make sure to log any USB activity; it sets up a decent compensating control.
Yeah, it really is a pain! We're considering issuing approved USB drives for those who need them after we restrict access for most of the staff. Since our Windows machines are managed with Intune, that should help streamline things a bit. The users needing access mainly connect to IoT devices we produce that run Linux for updates and log collection. Thanks for the tips!
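The "known drives only, encrypted, and logged" approach from the third answer, combined with the approved-drive workflow the asker describes in the reply, as an added PowerShell example that is not part of this thread or of any vendor's tooling. It assumes Windows 10/11 clients where the "Audit PnP Activity" subcategory is enabled (so Security event 6416 is written when a device is recognized) and that the policy is delivered by Group Policy or Intune; the drive serials, hostnames and sample events are constructed for illustration.

```powershell
# Added example (not from the thread). Three pieces:
#  1. parse USBSTOR device IDs into vendor/product/serial,
#  2. compare recognized storage devices (Security event 6416) against an
#     allowlist of company-issued drive serials,
#  3. read the local registry state that the "Removable Disks: Deny ..." and
#     BitLocker "deny write to unencrypted removable drives" policies set, so a
#     compliance script can prove the control is actually in force on a host.

# Serials of company-issued drives (hypothetical), e.g. from the exception workflow.
$ApprovedSerials = @('4C530001230405101234', '0701234ABCDEF')

function ConvertFrom-UsbStorDeviceId {
    # Parses a PnP device ID such as
    #   USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00\4C530001230405101234&0
    # into vendor/product/serial. Returns $null for anything that is not USB storage.
    param([Parameter(Mandatory)][string]$DeviceId)
    if ($DeviceId -notmatch '^USBSTOR\\Disk&Ven_(?<ven>[^&]*)&Prod_(?<prod>[^&]*)&Rev_[^\\]*\\(?<serial>[^&]+)&\d+$') {
        return $null
    }
    [pscustomobject]@{ Vendor = $Matches.ven; Product = $Matches.prod; Serial = $Matches.serial }
}

function Get-RemovableStorageEvents {
    # Live data path: Security event 6416 "A new external device was recognized by the system".
    # Requires: auditpol.exe /set /subcategory:"Plug and Play Events" /success:enable
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6416 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Computer    = $_.MachineName
                DeviceId    = $d['DeviceId']
                ClassName   = $d['ClassName']
                Description = $d['DeviceDescription']
            }
        }
}

function Find-UnapprovedRemovableStorage {
    # Emits one row per USB storage device seen, with Approved = $true only when
    # its serial is on the allowlist. Non-storage USB devices (HID, etc.) are skipped.
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [Parameter(Mandatory)][string[]]$Approved
    )
    foreach ($e in $Events) {
        $p = ConvertFrom-UsbStorDeviceId $e.DeviceId
        if (-not $p) { continue }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Computer    = $e.Computer
            Vendor      = $p.Vendor
            Product     = $p.Product
            Serial      = $p.Serial
            Approved    = ($Approved -contains $p.Serial)
        }
    }
}

function Get-RemovableStoragePolicyState {
    # Registry values written by the Removable Storage Access and BitLocker policies.
    # {53f5630d-...} is the "Removable Disks" device setup class; Deny_All lives on the parent key.
    $rsdRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $rsdDisk = Join-Path $rsdRoot '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    $fve     = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    [pscustomobject]@{
        DenyAllRemovable     = (Get-ItemProperty -Path $rsdRoot -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
        DenyReadDisks        = (Get-ItemProperty -Path $rsdDisk -Name Deny_Read -ErrorAction SilentlyContinue).Deny_Read
        DenyWriteDisks       = (Get-ItemProperty -Path $rsdDisk -Name Deny_Write -ErrorAction SilentlyContinue).Deny_Write
        DenyUnencryptedWrite = (Get-ItemProperty -Path $fve -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue).RDVDenyWriteAccess
    }
}

# Constructed sample events (hypothetical hosts and serials) so the example runs offline.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = Get-Date '2024-05-01T09:12:00'; Computer = 'ENG-LAPTOP-07';  DeviceId = 'USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00\4C530001230405101234&0'; ClassName = 'DiskDrive' },
    [pscustomobject]@{ TimeCreated = Get-Date '2024-05-01T09:40:00'; Computer = 'FIN-DESKTOP-03'; DeviceId = 'USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\E0D55EA5738A&0';     ClassName = 'DiskDrive' },
    [pscustomobject]@{ TimeCreated = Get-Date '2024-05-01T10:05:00'; Computer = 'FIN-DESKTOP-03'; DeviceId = 'USB\VID_046D&PID_C52B\6&1A2B3C4D&0&2';                                ClassName = 'HIDClass'  }
)

# Only the Kingston drive on FIN-DESKTOP-03 should be reported; the SanDisk serial is approved, the HID device is ignored.
Find-UnapprovedRemovableStorage -Events $SampleEvents -Approved $ApprovedSerials |
    Where-Object { -not $_.Approved } | Format-Table -AutoSize

# Proof that the deny policy and the "unencrypted drives are read-only" policy reached this host.
Get-RemovableStoragePolicyState
```

On a real client, replace `$SampleEvents` with `Get-RemovableStorageEvents` and forward the unapproved rows to the SIEM. Event 6416 records that a device was recognized, not what was copied to it; for file-level evidence, enable the "Audit Removable Storage" subcategory under Object Access (event 4663) or use the device-control product's own audit trail, and keep the resulting output with the exception list as the SOC 2 evidence for the control.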