Changed Scenario of Removable Devices - Are we ready?
Managing data moving in and out of an organization through removable media was easy in the good old days of floppy disk drives. You just disabled the drive. Or even better, removed it from the computer. As the technology advanced (read: OS and applications got fatter), floppy disks became unviable and obsolete and slowly disappeared from workplace PCs.
Then came CD writers, becoming more and more affordable, easy to use and reliable. Even controlling those was relatively easy. But with the advent of USB thumb drives, the nightmare for the information security manager had just started. USB drives are so small that they can be concealed almost anywhere. We could disable the USB ports on the computers, except that most new hardware now being manufactured is USB only, so obviously we cannot disable the ports. On top of that, users plug the drives in almost anywhere, which makes them very dangerous as carriers of unwanted software.
So how do we protect the data of our enterprise? Frankly speaking, I don't know. But here are some ideas I want to throw into the wild:
1. Use encryption on the USB drives. I am not yet sure, but I guess there are vendors who provide this software. If not, this is one market to tap.
2. Ensure that the virus scanners detect the presence of a USB storage device and scan all the data on it.
3. If possible, try to prevent data from being copied to and from unknown USB devices. I don't know how to do it, but I guess this can be done.
The third approach defeats the entire point of buying a USB drive and the convenience associated with it. But then security was never a convenience.
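One way to express the third idea as a decision rule, shown as an added example that is not from the original post: storage devices must match an allowlist of issued drives, while non-storage devices stay usable so that USB-only hardware keeps working. The device records, the allowlist entry and the function names are constructed for illustration, and actually enforcing the decision is OS-specific and not shown.

```python
from dataclasses import dataclass

MASS_STORAGE_CLASS = 0x08  # USB interface class code for mass storage
HID_CLASS = 0x03           # keyboards, mice and similar input devices


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str
    interface_classes: tuple  # class code of every interface the device exposes


# Hypothetical allowlist of company-issued drives: (vendor id, product id, serial).
APPROVED_DRIVES = {
    (0x1234, 0x5678, "CORP-000117"),
}


def decide(dev: UsbDevice) -> str:
    """Return 'allow' or 'block' for a newly attached device."""
    if MASS_STORAGE_CLASS not in dev.interface_classes:
        # Not a storage device: leave it alone so USB-only PCs stay usable.
        return "allow"
    if not dev.serial:
        # Without a serial the drive cannot be told apart from others of its model.
        return "block"
    key = (dev.vendor_id, dev.product_id, dev.serial)
    # These identifiers are reported by the device itself, so the check keeps
    # honest users on issued drives; it is not proof of the drive's identity.
    return "allow" if key in APPROVED_DRIVES else "block"


# Constructed sample devices, not taken from any real inventory.
SAMPLES = {
    "issued drive": UsbDevice(0x1234, 0x5678, "CORP-000117", (MASS_STORAGE_CLASS,)),
    "personal drive": UsbDevice(0x1234, 0x5678, "HOME-42", (MASS_STORAGE_CLASS,)),
    "no-serial drive": UsbDevice(0x1234, 0x5678, "", (MASS_STORAGE_CLASS,)),
    "keyboard": UsbDevice(0x0AAA, 0x0001, "", (HID_CLASS,)),
    # A composite device is judged as storage even though it also looks like a keyboard.
    "keyboard with storage": UsbDevice(0x0AAA, 0x0002, "X1", (HID_CLASS, MASS_STORAGE_CLASS)),
}


def evaluate_samples() -> dict:
    """Apply the policy to every constructed sample device."""
    return {name: decide(dev) for name, dev in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:22} {verdict}")
```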


