The editorial mentions that "we haven't yet built a good, easy to understand framework that provides good monitoring and auditing in a way the majority of DBAs can understand and implement". I think that last bit is a fallacy. As a DBA and a manager, I know that I cannot be the person to implement monitoring/auditing of database security. I have a lot of responsibility for managing security at the database layer, but I will always have the "keys to the kingdom". As such, auditing has to happen from some other angle to prevent "inside jobs", which represent a large percentage of data breaches to begin with.

I've implemented an appliance-based approach that does packet-sniffing in a previous company and I think that was a good approach. I'd be curious to know how others are tackling database auditing.