> Just keeping the secret data on a secured server that only a few, very highly vetted sysadmins had root access to, that carefully logged all requests for information (and set off a pager somewhere if too many unscheduled requests were made) would have solved the problem, assuming you didn't hire some random body shop to staff /those/ sysadmins.

The problem with that theory is that you're assuming only some data is secret. Actually, all the data is secret. Even the information about which data is secret, or what are the criteria of secret data, or how secret data should be handled. Everything is secret.
So rather than dealing with a neat pack of documents that you want to keep secret, think of an organisation with 100k+ people where every single bit of data they produce or interact with every single day is top secret.