Can I block uploads to cloud apps?


Hi everyone,
Does anyone know if it is possible to block uploads to certain cloud apps using Defender for Cloud Apps?
For example, block uploads to OneDrive (personal), Google Drive (personal) or Dropbox (personal).
I have seen before that the endpoint client was able to identify personal versions of cloud apps and then block HTTP(S)/HTML POST commands.
The reason for only blocking uploads could be that customers and/or partners use such services, so we would want to allow our staff to download things that are sent to them but not to upload anything.
Best regards

3 Replies
I am not sure about your exact scenario, but there are many ways to bypass this method. For example, even if you block access to these websites, they might be able to open a Google Drive document and copy and paste contents without uploading anything. You might block the upload feature, but they might go and find other websites which are not in your blacklist and upload it there. Therefore, it is better to change your strategy, and you may consider Windows Information Protection; take a look at:
https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protect...

And have a look at:

https://docs.microsoft.com/en-us/mem/intune/protect/data-leak-prevention

This is an advanced way to protect data and contents, not only from uploading but from any form of leakage like copy and paste, and you have the power to prevent your data from being leaked.

Defender for Cloud Apps on its own is only a reverse proxy, which can monitor traffic to your corporate apps. Traffic to personal apps (Shadow IT) will not pass through Defender for Cloud Apps, so you will need something like a forward proxy or SWG with SSL inspection capabilities.
As @Reza_Ameri pointed out though, it is difficult to block access completely.

For future searchers, WIP has been deprecated in favor of a new, paid DLP tool from MS. In my testing, WIP was unable to differentiate between personal docs and business docs consistently. If the user was using a personal device managed by an MDM (Intune in my case), WIP would mis-code their personal files as business. Not a problem until the user retires the device and finds all his personal files irrevocably erased. In general, WIP was a clunky solution. It only worked with certain programs, mostly from MS. Forget about editing PDFs, for example. WIP was difficult to turn off, and now, months after dismantling all my WIP policies, one of my test devices still shows lock icons on its files. I couldn't shake the feeling that with WIP lots of files would someday become un-openable, leaving me in the lurch. I opted not to use it. Hope that helps someone else.
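The "allow downloads, block uploads" rule from the question, and the point in the second reply that traffic to personal apps must go through a forward proxy or SWG with TLS inspection, can be sketched as a proxy policy decision. The following is an added example written for this thread; it is not Defender for Cloud Apps code and not any product's API. The host list, the upload endpoint, the log format and the request fields are assumptions chosen for illustration. It shows why the decision only works per-request when the proxy can see the HTTP method and body: without TLS inspection the proxy sees only the CONNECT/SNI host, and the policy degrades to all-or-nothing per host.

```python
"""
Illustrative forward-proxy policy: allow downloads from personal cloud-storage
apps, block uploads to them. Added example for this thread; the host list,
log format and request shape are assumptions, not any vendor's API.
"""
from dataclasses import dataclass
from typing import List, Optional

# Hosts treated as "personal" cloud storage (assumed list for the example).
PERSONAL_STORAGE_HOSTS = {
    "onedrive.live.com",
    "drive.google.com",
    "www.dropbox.com",
    "content.dropboxapi.com",
}

# Methods that carry a request body and can therefore move data out.
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}


@dataclass
class Request:
    host: str
    method: Optional[str] = None  # None when TLS was not inspected
    path: Optional[str] = None
    content_length: int = 0


@dataclass
class Decision:
    action: str  # "allow" or "block"
    reason: str


def decide(req: Request, tls_inspected: bool) -> Decision:
    """Return the proxy decision for one request."""
    host = req.host.lower()
    if host not in PERSONAL_STORAGE_HOSTS:
        # Corporate or unknown hosts are out of scope for this rule.
        return Decision("allow", "not a personal storage host")
    if not tls_inspected:
        # Only the CONNECT/SNI host is visible, so uploads and downloads look
        # identical; fail closed rather than let uploads through.
        return Decision(
            "block",
            "personal storage host without TLS inspection; "
            "cannot separate uploads from downloads",
        )
    if req.method in UPLOAD_METHODS or req.content_length > 0:
        return Decision(
            "block",
            f"upload ({req.method}, {req.content_length} bytes) to personal storage",
        )
    return Decision("allow", "download/browse of personal storage")


def evaluate_log(lines: List[str], tls_inspected: bool) -> List[str]:
    """
    Replay constructed proxy log lines of the form
    '<host> <method> <path> <request-bytes>' and return one action per line.
    """
    actions = []
    for line in lines:
        host, method, path, size = line.split()
        actions.append(decide(Request(host, method, path, int(size)), tls_inspected).action)
    return actions


# Constructed sample log (not real traffic): one download, one upload to a
# personal drive, and one upload to a corporate host.
SAMPLE_LOG = [
    "drive.google.com GET /file/d/abc123/view 0",
    "drive.google.com POST /upload/drive/v3/files 524288",
    "contoso.sharepoint.com POST /_api/web/files 4096",
]

if __name__ == "__main__":
    for line, action in zip(SAMPLE_LOG, evaluate_log(SAMPLE_LOG, tls_inspected=True)):
        print(f"{action:5}  {line}")
```

Two caveats the replies above already raise still apply to any rule like this: it covers only hosts on the list, so an unlisted site is a bypass, and it sees bytes, not data, so copy-and-paste into a web editor or a GET-based exfiltration channel is not caught. That is the gap a DLP or information-protection control is meant to close.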