When a major breach makes the news, whether it’s a mortgage servicer exposing millions of records or a global bank facing a ransomware attack, my phone lights up.
I started my career at Imperva as a Sales Engineer and worked my way up to CTO over the next two decades. During that time, I’ve been involved in thousands of database security projects, helping customers in financial services, healthcare, and other regulated industries protect their most critical data.
So when I get these phone calls, peers and customers in all verticals want to know: “How do we make sure this doesn’t happen to us?”
The first step is always the same. You must be able to answer:
- What data is sensitive?
- Who can access it?
- Who has accessed it, and what did they do?
If you can’t answer these questions with confidence, you are missing the foundation of data security. Over the past 10 years or so, it’s become much harder to put this foundation in place as organizations went from single‑vendor on‑prem database environments to complex tech stacks consisting of multi‑cloud, hybrid, and managed services.
AI compounds exposure risk by creating exponentially more access paths and by giving attackers (and insiders) the tools to automate reconnaissance and social engineering. Regulations make exposures more costly through stricter disclosure requirements, higher penalties, and accountability for weak controls.
The playbooks we outgrew
For years, organizations would pick one of the following three options to try to secure their databases:
- A legacy agent-based DAM solution for query monitoring, anomaly detection, and privileged user tracking.
- Native logs (sometimes connected to a SIEM) to integrate audit trails, correlate alerts, and enforce retention policies.
- Ad-hoc controls that rely on DBAs managing access controls, manually performing security assessments, and conducting access reviews (usually only when an auditor asks).
None of these approaches work for modern database environments and threat landscapes.
Legacy, agent‑based DAM doesn’t work with cloud and managed databases and demands agents on every on-prem DB server, resulting in long deployment cycles and requiring constant upgrades and troubleshooting.
Native logs (even with a SIEM) are delayed and inconsistent across vendors. Those delays and uneven log quality rule out real-time attack prevention. Additionally, native logs can introduce performance impacts for many databases, especially on-premises. Native logs work well enough only on less critical databases where the objective is regulatory compliance reporting rather than security best practices.
Ad‑hoc DBA controls leave data largely exposed since teams typically only engage during audits or incident investigations.
Three pillars of modern database security
Securing data in today’s environment requires a shift in mindset. It’s not about more tools or more logs. It’s about clarity and control.
1) Know what data is sensitive
You can’t protect what you don’t know exists. The first step is to discover and classify sensitive data across your entire estate. This can’t be a quarterly project. It must be a continuous and preferably automated effort that becomes the foundation for everything else: access reviews, policy enforcement, analytics, and incident response.
Here are some practical steps for understanding your sensitive data:
- Treat classification as part of your data lifecycle, not an audit exercise.
- Classify both your structured and unstructured data.
- Track data flows to understand and control how sensitive data moves from transactional systems into files, collaboration spaces, and analytics platforms.
- Ensure that classification results are actionable, fueling entitlement reviews, monitoring, and remediation. Classification without action is documentation, not defense.
2) Minimize the blast radius
To minimize blast radius, entitlements must match business needs and be right‑sized, time‑bound, and identity‑aware. Most organizations allow users and applications to have access to much more data than they need. People accumulate accounts and permissions, and many teams still use shared credentials. Until you can tie every credential to a corporate identity, you will continue to underestimate risk and overreact to noise.
Practical steps for minimizing the blast radius include:
- Resolve every set of login credentials to one and only one corporate identity.
- Track permissions usage to drive least privilege and regularly revoke access that’s not being used, especially on sensitive datasets.
- Time‑bound high‑risk privileges and introduce just‑in‑time elevation for rare tasks.
- Be deliberate about shared accounts. Remove all that you can, and for the ones that remain, add compensating controls and robust attribution so you still have visibility into who does what (track IP addresses, MAC addresses, etc.).
3) Monitor with context and automate response
Activity without context is noise. Effective monitoring correlates who (the identity), what (the data’s sensitivity and location), and how (the behavior) in near real time. The monitoring approach must be consistent across on‑prem and cloud, including managed databases.
Practical steps for monitoring with context:
- Implement a security solution that brings high-fidelity, low-friction telemetry that’s consistent across all your data environments.
- Implement data-centric UEBA that detects aberrant behaviors through modern automations, ML, AI, and detection and response services rather than legacy static policies.
- Implement triage and escalation tools and processes to separate meaningful risk from noise.
- Automate risk remediation with dynamic data masking, policy enforcement, and just-in-time access.
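As an added illustration (not code from the original post or from Varonis), the sketch below joins the three pillars on constructed sample data: classification output, grants resolved to corporate identities, and a few audit events. It returns the revocation candidates a usage-driven least-privilege review would produce and the context-rich events worth escalating; the table names, accounts, and the bulk-read threshold are assumptions.

```python
# All inputs below are constructed samples for illustration, not real data.
# Classification output: table -> sensitivity level (pillar 1).
SENSITIVITY = {"crm.customers_ssn": "high", "crm.customers_email": "medium",
               "app.config": "low"}
# Entitlements: database account -> {(table, privilege)} (pillar 2).
GRANTS = {
    "svc_billing": {("crm.customers_ssn", "SELECT"), ("crm.customers_email", "SELECT")},
    "jdoe": {("crm.customers_ssn", "SELECT"), ("app.config", "SELECT")},
    "shared_dba": {("crm.customers_ssn", "SELECT"), ("crm.customers_ssn", "UPDATE")},
}
# Credential-to-identity resolution; "shared_dba" deliberately has no owner.
IDENTITIES = {"svc_billing": "billing-service", "jdoe": "john.doe@example.com"}
# Audit events: (account, table, operation, rows, source_ip) (pillar 3).
AUDIT = [
    ("svc_billing", "crm.customers_email", "SELECT", 40, "10.0.1.5"),
    ("jdoe", "app.config", "SELECT", 3, "10.0.2.8"),
    ("shared_dba", "crm.customers_ssn", "SELECT", 250000, "10.0.9.1"),
]

def unused_sensitive_grants(grants, audit, sensitivity, level="high"):
    """Privileges on `level`-sensitivity tables that no audit event exercised:
    the revocation candidates of a usage-driven least-privilege review."""
    used = {(acct, table, op) for acct, table, op, _, _ in audit}
    return sorted((acct, table, priv)
                  for acct, privs in grants.items() for table, priv in privs
                  if sensitivity.get(table) == level and (acct, table, priv) not in used)

def enrich(audit, sensitivity, identities):
    """Correlate who (identity), what (sensitivity) and how (operation, volume,
    source) per event; an account with no owner gets identity None."""
    return [{"account": acct, "identity": identities.get(acct),
             "table": table, "sensitivity": sensitivity.get(table, "unknown"),
             "op": op, "rows": rows, "src_ip": ip}
            for acct, table, op, rows, ip in audit]

def findings(events, bulk_rows=10_000):
    """Escalate only context-rich risk on high-sensitivity data: access that
    cannot be attributed to an identity, and bulk reads."""
    out = []
    for e in events:
        if e["sensitivity"] != "high":
            continue  # stays in the audit trail, not in the escalation queue
        if e["identity"] is None:
            out.append((e["account"], e["table"], "unattributed access"))
        if e["op"] == "SELECT" and e["rows"] >= bulk_rows:
            out.append((e["account"], e["table"], f"bulk read of {e['rows']} rows"))
    return out

ESCALATIONS = findings(enrich(AUDIT, SENSITIVITY, IDENTITIES))
REVOKE_CANDIDATES = unused_sensitive_grants(GRANTS, AUDIT, SENSITIVITY)
```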

Architecture matters
Security programs stagnate when teams spend their energy managing the tooling rather than reducing risk. Legacy, agent‑based DAM solutions require lots of agents, gateways/collectors, managers, and analytics components, each with HA pairs and complex upgrade cycles. When you scale that to hundreds or thousands of databases, complexity becomes the program.
You need a modern approach that inverts the ratio:
- SaaS solution so upgrades and analytics are no longer your burden.
- Private, lightweight collection in your environment to build the sensitive data map and entitlement picture without moving raw data.
- Agentless, stateless interception for activity monitoring — so you get consistent, enriched telemetry across on‑prem and managed databases without touching the database hosts.
- Managed Data Detection and Response to triage alerts and escalate what matters, so that not every SOC has to be a database security specialist.
This isn’t about one vendor’s features. It’s about aligning your operating model with the way your data and infrastructure actually work today. When the security architecture is simpler, the program can finally focus on outcomes.
The future of database security
At Varonis, we’ve spent years perfecting data security with unified classification, identity context, analytics, activity monitoring, threat detection, and automated remediation to help organizations understand what data is sensitive, who can access it, what’s happening to it, and to continuously and automatically minimize blast radius and respond to threats.
We started with unstructured data, and now we’re bringing that same clarity and control to databases with Varonis Next Generation DAM. It’s agentless, cloud-ready, and delivers high-fidelity telemetry without the operational drag.
Our complete Data Security Platform simplifies architecture, unifies visibility, and automates response across on-prem, cloud, and managed service environments.
If you’re curious how Varonis could work for your environment, we're happy to help pressure-test your current posture with a free Data Risk Assessment.