Network Computing is part of the Informa Tech Division of Informa PLC


Architecting for Data Security: Page 5 of 8

You also can use a network IPS (intrusion-prevention system) to detect malicious streams before they can gain entry to the network. Since other portions of your security architecture will benefit from an IPS, implementing one makes a lot of sense. Clearly, however, a network IPS won't directly protect your data, nor guard against a misguided or mischievous employee, but it will indirectly protect data by protecting the network of machines that have direct access to that data. While not as directly related, host IPS can offer protection to the machines connected to that same network--a different level of protection--and thus is worth considering also.

So let's say we've restricted access to a particular table--"customer"--to only the users who have a valid reason to see such data. There's still the question of what rights they have and how you manage for abuse. If the sales manager has access to the entire customer database and someone learns his login, how do you stop that person from taking all the data out of the database? There are tools available to minimize potential damage, but there's no tool on the market mature enough to stop this type of attack entirely. And though vendors are hard at work developing solutions--such as limiting the number of rows a query can return, or profiling a given user's "normal" behavior and disallowing anything egregiously outside the bounds of normal--a solid solution to this problem is a ways off. We need to be able to set policies of acceptable use and, in the end, employees must have nearly unfettered access to the data that lets them do their jobs.
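The two vendor approaches named above, a ceiling on the rows a single query may return and a per-user profile of "normal" result sizes with egregious outliers flagged, can be sketched as a small policy engine over database audit records. The following is an added illustration, not code from the article or from any product it mentions; the log format, the user names, the hard cap and the three-sigma threshold are all constructed assumptions.

```python
"""Toy policy engine combining a hard row cap with a per-user baseline of
result sizes. Added example: the audit-log format, thresholds and users are
constructed for illustration and do not come from any product."""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed audit log: one line per query against the "customer" table.
AUDIT_LOG = """\
2023-03-01T09:02:11 user=sales_mgr table=customer rows=45
2023-03-01T09:15:40 user=sales_mgr table=customer rows=52
2023-03-01T10:01:05 user=sales_mgr table=customer rows=38
2023-03-01T10:44:19 user=sales_mgr table=customer rows=61
2023-03-01T11:30:00 user=sales_mgr table=customer rows=47
2023-03-01T09:05:00 user=analyst table=customer rows=2000
2023-03-01T10:05:00 user=analyst table=customer rows=1800
2023-03-01T11:05:00 user=analyst table=customer rows=2200
"""

HARD_ROW_CAP = 5000   # assumption: absolute ceiling for any single query
SIGMA_FACTOR = 3.0    # assumption: flag anything beyond mean + 3 std devs
MIN_SAMPLES = 5       # assumption: queries needed before a baseline is trusted


@dataclass
class QueryEvent:
    user: str
    table: str
    rows: int


def parse_line(line):
    """Turn 'ts key=value key=value ...' into a QueryEvent."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return QueryEvent(fields["user"], fields["table"], int(fields["rows"]))


def build_baselines(log_text):
    """Per-user (mean, population std dev, sample count) of rows returned."""
    per_user = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        per_user.setdefault(ev.user, []).append(ev.rows)
    return {u: (mean(s), pstdev(s), len(s)) for u, s in per_user.items()}


def evaluate(event, baselines):
    """Return (verdict, reason); verdict is 'allow', 'alert' or 'block'.

    The hard cap is enforced first, so an unknown user cannot bypass it.
    A user with too little history is alerted on rather than silently
    allowed, since no "normal" has been established yet."""
    if event.rows > HARD_ROW_CAP:
        return "block", f"{event.rows} rows exceeds hard cap {HARD_ROW_CAP}"
    base = baselines.get(event.user)
    if base is None or base[2] < MIN_SAMPLES:
        return "alert", "no established baseline for user"
    avg, sd, _ = base
    # max(sd, 1.0) keeps a zero-variance history from flagging every query.
    threshold = avg + SIGMA_FACTOR * max(sd, 1.0)
    if event.rows > threshold:
        return "alert", f"{event.rows} rows > baseline threshold {threshold:.0f}"
    return "allow", "within baseline"


if __name__ == "__main__":
    baselines = build_baselines(AUDIT_LOG)
    for ev in (QueryEvent("sales_mgr", "customer", 55),
               QueryEvent("sales_mgr", "customer", 500),
               QueryEvent("sales_mgr", "customer", 6000),
               QueryEvent("analyst", "customer", 2100)):
        print(ev.user, ev.rows, *evaluate(ev, baselines))
```

Run stand-alone, the sales manager's usual 55-row lookup is allowed, a 500-row pull is flagged as outside that user's profile, a 6,000-row dump is blocked by the cap regardless of who issues it, and the analyst, with only three queries of history, is alerted on until a baseline exists. A real deployment would age the baseline over time and key it on more than row count (time of day, tables touched, client host), which is the profiling work the article says vendors are still maturing.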

So the problem isn't so much data protection as it is a combination of possible problems in two other areas--human resources and intrusion prevention. In short, an employee could be siphoning off data for personal gain. This potential exposure must be addressed by human resources before an employee or outside contractor is given access to sensitive data. An IPS and an antivirus solution will help ensure that a person accessing data with an employee's account is the employee and only the employee.

Finally, there is the world of ILP (information leak prevention), which encompasses tools to determine what data is going beyond the perimeter of the network and to stop what's not supposed to leave.

ILP products attempt to keep critical data from leaving the network. How they go about it varies quite a bit as these products are relatively new. Generally, they reside on the network and monitor user actions and try to determine if someone is passing intellectual property or customer data out of the network. In detection mode they notify administrators of what users are sending and where; in prevention mode they stop the communication, then send the notification to administrators. Of course, these systems don't guard only against user malfeasance; they don't care what the source of the leak is, just that there is a leak. This makes them at least minimally effective against Trojans that target customer or IP data. Such systems are less useful against attempts to share passwords over the network--because there is no hard-and-fast rule for identifying password data--though some do detect user names.
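The detection-versus-prevention behaviour described above, and the caveat that password data has no hard-and-fast signature while card numbers do, can be shown with a small outbound-content inspector. This is an added example, not code from the article or from any ILP product; the message format, the two detection rules (Luhn-validated card numbers and an "INTERNAL-ONLY" classification marker) and the sample messages are constructed for illustration.

```python
"""Toy ILP content inspector with the two modes the article describes:
'detect' lets traffic through and notifies, 'prevent' blocks and notifies.
Added example; rules, message format and samples are constructed."""
import re
from dataclasses import dataclass

# 13-16 digits, optionally separated by spaces or hyphens, on word boundaries.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# Constructed classification marker; real deployments use their own labels.
MARKER_RE = re.compile(r"\bINTERNAL[- ]ONLY\b", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    sample: str   # masked evidence, never the full sensitive value


def luhn_ok(digits):
    """Standard Luhn checksum; filters random digit runs out of card hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    out = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            out.append(Finding("card-number", masked))
    return out


def find_markers(text):
    return [Finding("classification-marker", m.group(0))
            for m in MARKER_RE.finditer(text)]


def inspect(message, mode="detect"):
    """Return an action dict for one outbound message.

    'pass'   -> nothing matched, message flows with no notification
    'notify' -> detect mode: message flows, administrators are told
    'block'  -> prevent mode: message stopped, then administrators are told
    """
    findings = find_card_numbers(message["body"]) + find_markers(message["body"])
    if not findings:
        return {"action": "pass", "findings": []}
    action = "block" if mode == "prevent" else "notify"
    return {"action": action, "findings": findings,
            "from": message["from"], "to": message["to"]}


# Constructed outbound messages; the card number is a well-known test value.
MESSAGES = [
    {"from": "sales_mgr", "to": "partner@example.net",
     "body": "Customer card on file: 4111 1111 1111 1111, exp 12/29"},
    {"from": "analyst", "to": "friend@example.org",
     "body": "my password is hunter2, use it for the shared box"},
    {"from": "intern", "to": "home@example.com",
     "body": "INTERNAL-ONLY: Q3 customer list attached, ref 1234567890123456"},
]

if __name__ == "__main__":
    for mode in ("detect", "prevent"):
        for msg in MESSAGES:
            print(mode, inspect(msg, mode)["action"])
```

The first message is reported in detect mode and stopped in prevent mode; the second, a shared password, passes untouched because nothing in it matches a rule, which is exactly the gap the article notes; the third is caught on its classification marker alone, since its 16-digit reference number fails the Luhn check and is correctly ignored. Masking the matched value in the finding keeps the notification itself from becoming a second copy of the leaked data.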