In my experience there may be two aspects to what you want to achieve;
- Confidentiality - only those who need access to the data can see the data
- Integrity - tamper evident & non repudiation…
With regard to 1, encryption is the typical approach. This will likely apply to your process variables (and business data). Ive seen two approaches to this.
If you use something like AWS RDS, then you can encrypt the database such that data at rest, eg backups etc cannot be read without access to the encryption key. Access to the database by DBAs is audited rather than prevented.
With regard to 2, some approaches Ive seen are to create a tamper evident linked list in the audit/history table. Thus for each history entry perform a SHA256 hash of the entry’s content plush the hash of the prior record and store with the entry. More secure approaches use say an HMAC and/or an external timestamp service.
In the longer term, data encryption and a secure, tamper evident audit log would make useful feature requests…