I guess you can have a key-per-row, or key-per-partition, and throttle and monitor access to that key. This isn't going to make operations like database indexing or joins very happy, so you're probably limited to payload-level data; hard to judge if that's okay since I don't know the requirements for the schema.
This presupposes you know what you're doing, security-wise, on your network, and with your backups, and with temporary data on servers. All of your interior traffic is encrypted, right? Right.
It doesn't sound like Equifax was even on the map.
