Data protection
Find overshared assets and sensitive content, assess exposure risk, and coordinate remediation with employees.
Overview
Data Protection identifies supported assets that are shared outside their intended audience or contain sensitive content. Administrators can investigate exposures, distribute issues to employees, and use source-specific actions or playbooks to remediate them.
Open the module for your Elba region:
Supported sources
Data Protection currently uses seven source families:
- Google Workspace
- Microsoft Teams
- Slack
- SharePoint
- OneDrive
- Dropbox
- Confluence
All seven sources support external-sharing signals. Slack and Microsoft Teams also support sensitive-content signals in messaging. Detection and remediation capabilities still vary by source, connection, and object type; use the capability shown in Elba for the specific source as the source of truth.
Navigate the workspace
The module has four tabs:
- Radar summarizes high-risk and common exposure patterns.
- Issues lists detected exposures and their current status.
- Playbooks contains available automation templates and configured workflows.
- Sources shows connections, synchronization status, and source-specific settings.
Use the Radar
The Data Protection Radar contains:
- High Risk Exposures for issues with the highest AI-assessed risk
- Overly shared data for sensitive-data categories and their exposure levels
- Playbooks for configured workflows and available templates
- Most common exposures for sensitive categories by internal, external, or public sharing
- Frequent data recipients for external users, domains, Slack channels, or Teams channels receiving the most shared data
Select a widget result to open the related filtered issue view.
Understand detections
Sharing types
Elba classifies detected sharing as:
- Professional for an external professional domain
- Personal for an external personal domain
- Public for access available through a public link
- Internal for exposure within the organization, including supported messaging signals
Sensitive-content categories
The current sensitive-content categories are:
- Credentials
- Financials
- Legal
- PHI for protected health information
- PII for personally identifiable information
An issue can also include more specific detected elements and a confidence level. Treat automated findings as investigation signals and validate important decisions against the source asset and your organization's data-classification policy.
Risk levels
When AI risk analysis is available, Elba assigns Low, Medium, or High and provides an explanation. The issue details also show the score on a 0-to-10 scale.
File formats
The current file-format selector contains 312 extensions. It covers documents, spreadsheets, source code, presentations, images, audio and video, fonts, 3D files, databases, email, archives, executables, design files, and chat exports.
Format availability is source-dependent. A file extension alone does not confirm that content was analyzed; check the issue details for the format, sensitive findings, tags, and AI analysis actually available for that asset.
Work with issues
The Issues tab shows each asset, member, source, risk level, status, and last activity. Search by object name or filter by:
- Member, enrolled-member status, or group
- Source
- Issue status, creation date, or distribution date
- Object last-updated period or file format
- Risk, tag, sensitive-content category, or sharing type
- Recipient
Issue statuses displayed in the workspace are:
- Detected for a new issue that has not been sent to an employee
- Distributed for an issue sent to an employee and awaiting completion
- Changes made for a completed issue where permissions or the asset changed
- Ignored for a completed issue accepted without a source change
Admin actions
Select one or more open issues to see the actions supported for that selection. Depending on the source and object, actions can include:
- Distribute issues to enrolled employees
- Ignore issues
- Remove sharing permissions
- Delete assets
Elba only displays a direct source-changing action when the source settings report that capability. If the source does not support it, investigate and remediate the asset in the source system.
Configure playbooks
Playbooks can distribute detected issues and, where supported, apply remediation actions. Available triggers, conditions, exclusions, and actions are specific to the selected source.
To activate a workflow safely:
- Connect the source and let its initial detection complete.
- Review the issue volume and representative assets in Issues.
- Select or create a playbook for the source.
- Configure sharing, content, risk, age, format, tag, or recipient conditions that the editor makes available.
- Configure exclusions or an allow-list when supported.
- Review the action, audience, and any delay before activation.
- Activate the playbook and monitor its run history.
Issue detection does not itself notify an employee. Notification timing is controlled by issue distribution, the playbook action, and communication settings; there is no universal Friday or weekly digest schedule.
Employee remediation
Distributed issues appear in the employee's Checklist. The available actions depend on the source:
- Ignore to complete the issue without changing the source asset.
- Edit permissions to select and remove supported sharing permissions.
- Delete asset when the source supports direct deletion.
- Open the asset in the source and make the change there when direct remediation is unavailable.
Elba can also offer Refresh for sources that support checking the asset again. If a connection has an error, actions that change the source can be temporarily unavailable.
Recommended rollout
- Connect one source and let detection finish.
- Review high-risk exposures and a sample of lower-risk issues.
- Validate sensitive findings and sharing classifications against the source.
- Configure exclusions for legitimate recurring sharing where supported.
- Distribute a small, representative set of issues and review the employee experience.
- Add source-supported remediation only after confirming ownership and rollback procedures.
- Monitor issue outcomes and refine conditions before expanding the workflow.