Depending on the type of access your users have to the database, you might be looking at a significant uphill battle. Before you start layering additional security on the intermediaries, start by taking a long in-depth look at what you are allowing your users to do with their credentials:

1. Do users have user accounts on the DB machine? Remove these if possible
2. Are users granted least privileges access? Using whatever mechanisms you deem appropriate remove as much of the users [exec] rights as possible. One thing I have seen on the extreme end of this is to have stored procs that actually had the appropriate exec rights and the user only had exec rights on the procs.
3. Have you removed user rights to run any table altering commands? Including the ability to run system stored procedures. This can cut down on incidents (accidental and malicious) substantially
4. Do users have direct access to raw business data? If so think about moving access into views, and sps and removing user rights on the tables themselves. It solves some maintenance headaches as well
5. Do you have auditing in place? Table level or custom.

If you feel you have a solid design there, then you can start looking at wrapping your DB inside of a broker/facade for access. Beware that this can be costly in terms of performance, deployment, and security and is not an easy thing to do. A few suggestions on patterns for this:

1. Look into a service broker: WSO2 for instance, and their are others which can be used to hide critical business apps (though its intention is to publish access to them) by providing caching and proxy services to them. It might reduce your attack surface some, but configuration and management will easily overtake any gains there.
2. You could roll your own broker services (based on WCF, or the like) you will need to ensure that you adequately take into account load, and projected growth but it is not impossible or even unobtainable if you really want to do it and have the time to design it out correctly.