There are many of these and they are well priced. For example here . It is possible to bind to RUTOKEN out of the box. My teacher works there. And I have a similar development at my enterprise. The main thing is that the information security facility and the enterprise have the necessary valid certificates of the FSB and FSTEC. Your protection will be guaranteed.

Information is stored on the server, access to data is only through a terminal session. You correctly wrote on thin clients. Ordinary PCs can be used as thin clients. Close all other data access.

keys at workplaces can be arranged using usb tokens or fingerprint scanners (and this is inexpensive by the way).

So that information cannot be taken out of the building. So that it was impossible to send it over the soap, it was done with the help of a firewall. We need to add a hardware component to this.

uh? barrier? a guard with a club? in fact, there is only one way - to close all external channels in general, and to plant an n-th number of paranoid security guards, sort of big brothers who monitor all the actions of employees. By the way, this will cost money, and contradicts the Labor Code in most cases.
otherwise, with a relatively small budget and technical knowledge, you can “endure” anything.
in get requests, in dns requests, steganography in faxes, background "noises" during a telephone conversation, and a laser transmitter through a window, after all.

www.infowatch.ru/
This is a product of Kaspersky, it does not allow you to copy files to external media or send them by mail for internal use. Technologically, the same antivirus, only the signature database is not from malicious software, but from files prohibited from being removed.

and also - the analysis of micro-jerks in the power network :) there are no ideal solutions, there is only the price of the issue