Replacing distinct data in a relational database with a distinct reference to that data and distinct de-referencing of database data

US12566879B2 · US · B2

Patent metadata
Publication number: US-12566879-B2
Application number: US-202418439572-A
Country: US
Kind code: B2
Filing date: Feb 12, 2024
Priority date: Jun 2, 2015
Publication date: Mar 3, 2026
Grant date: Mar 3, 2026

Abstract

Official abstract text for this publication.

Provided is a process including: obtaining criteria to select plain-text values in a lower-trust database; selecting, based on the criteria, a first plain-text value; in response, determining a first reference value; storing the first plain-text value in a higher-trust database in a second entry identified by the first reference value; storing the first reference value in the first entry of the lower-trust database; selecting another instance of the first plain-text value stored requested to be stored in a third entry in the lower-trust database; and in response, storing the first reference value in the third entry.

First claim

Opening claim text (preview).

What is claimed is:
1. A method, comprising: configuring, with a computer system, a database to apply a masking policy to data values in the database that are designated as sensitive, thereby causing a response to a read request to the database to include obfuscated values in response to determining a first user is not entitled by the masking policy to view un-obfuscated values, the obfuscated values only being a subset of response, and the response also including values that are not obfuscated; accessing, with a computer system, a log of access events in which the database is accessed, the log documenting the read request among a plurality of other access events from members of an organization including the user; and determining, based on the log, that a second user has made more than a first threshold amount of access requests within less than a second threshold duration of time and, in response, causing an indication of the determination to be presented for investigation.
2. The method of claim 1, wherein: obfuscating comprises cryptographically hashing at least part of each of the data values designated as sensitive.
3. The method of claim 2, wherein the computer system is a multi-tenant computer system, and wherein cryptographically hashing comprises applying a tenant-specific salt value to the respective data values and then hashing resulting salted values.
4. The method of claim 1, wherein obfuscating comprises causing a predetermined number of characters of a prefix or suffix of the each of the data values designated as sensitive to be replaced.
5. The method of claim 1, wherein obfuscating is applied during writing and is not removed during reading.
6. The method of claim 1, wherein obfuscating comprises encrypting data values designated as sensitive.
7. The method of claim 1, wherein the masking policy is applied by a database gateway for the database.
8. The method of claim 1, wherein the masking policy is applied by a database management system of the database.
9. The method of claim 1, wherein the masking policy is applied by a security driver.
10. The method of claim 1, wherein an entry in the log comprises: an identifier of a user account making a logged access request, a command indicating what is to be read, and a timestamp.
11. The method of claim 10, wherein the entry identifies a requesting workload application that issued the command.
12. The method of claim 10, wherein the entry comprises a network address from which the command was issued.
13. The method of claim 1, comprising determining: that an alert is to be emitted when more than a third threshold number of rows of with data designated as sensitive are accessed within a fourth duration of time; and that an alert is to be emitted when more than a fifth threshold number of access requests is received within a sixth duration of time.
14. The method of claim 1, comprising determining, with a machine learning model, that a third user has made an access request that deviates from past behavior.
15. The method of claim 1, comprising determining that an alert is to be emitted in response to a risk metric that depends on aggregate amounts of access across a plurality of different databases.
16. The method of claim 15, wherein the plurality of different databases comprises a relational database, a noSQL database, and a key-value pair database.
17. The method of claim 1, comprising steps for predicting likelihood of a sequence of access requests.
18. The method of claim 1, comprising: computing a risk metric for a third user based on access requests of the third user documented in the log; and determining that the risk metric satisfies a risk threshold and, in response, emitting an alarm.
19. The method of claim 1, comprising: designating a field of the database as sensitive by determining the first field matches a pattern.
20. The method of claim 1, comprising: designating a set of data values as sensitive based on a determination that the set of data values satisfy a regular expression.
21. The method of claim 1, comprising: classifying a set of data values in the database as sensitive with a trained machine learning model.
22. The method of claim 1, wherein the masking policy is applied in a way that transparently retrofits a workload application.
23. A tangible, non-transitory, machine-readable medium storing instructions that, when executed, effectuate operations comprising: configuring, with a computer system, a database to apply a masking policy to data values in the database that are designated as sensitive, thereby causing a response to a read request to the database to include obfuscated values in response to determining a first user is not entitled by the masking policy to view un-obfuscated values, the obfuscated values only being a subset of response, and the response also including values that are not obfuscated; accessing, with a computer system, a log of access events in which the database is accessed, the log documenting the read request among a plurality of other access events from members of an organization including the user; and determining, based on the log, that a second user has made more than a first threshold amount of access requests within less than a second threshold duration of time and, in response, causing an indication of the determination to be presented for investigation.
24. The medium of claim 23, wherein: obfuscating comprises cryptographically hashing at least part of each of the data values designated as sensitive.
25. The medium of claim 24, wherein the computer system is a multi-tenant computer system, and wherein cryptographically hashing comprises applying a tenant-specific salt value to the respective data values and then hashing resulting salted values.
26. The medium of claim 23, wherein obfuscating comprises causing a predetermined number of characters of a prefix or suffix of the each of the data values designated as sensitive to be replaced.
27. The medium of claim 23, wherein obfuscating is applied during writing and is not removed during reading.
28. The medium of claim 23, wherein obfuscating comprises encrypting data values designated as sensitive.
29. The medium of claim 23, wherein the masking policy is applied by a database gateway for the database.
30. The medium of claim 23, wherein the masking policy is applied by a database management system of the database.
31. The medium of claim 23, wherein the masking policy is applied by a security driver.
32. The medium of claim 23, wherein an entry in the log comprises: an identifier of a user account making a logged access request, a command indicating what is to be read, and a timestamp.
33. The medium of claim 32, wherein the entry identifies a requesting workload application that issued the command.
34. The medium of claim 32, wherein the entry comprises a network address from which the command was issued.
35. The medium of claim 23, the operations comprising determining: that an alert is to be emitted when more than a third threshold number of rows of with data designated as

Classifications

  • H04L9/3239 (Primary): involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD

  • hash tables

  • File encryption

  • Graphs; Linked lists (G06F16/9027 takes precedence)

  • using hash chains, e.g. blockchains or hash trees

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Altr Solutions Inc
What technology area does this patent fall under?
Primary CPC classification H04L9/3239. Mapped technology areas include Electricity.
When was this patent published?
Publication date Mar 3, 2026 (B2). Legal status and post-grant events are not shown on this page.