Enforcing security within a data platform

The invention claimed is: 1 . A computing system that implements security controls within a data platform, comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the system to perform: partitioning, within the data platform, segments, each segment having a different set of constraints, wherein the constraints comprise a maximum classification or one or more permitted classifications, wherein the maximum classification is selected from discrete hierarchical classification levels corresponding to different categories, the maximum classification defining a highest acceptable level corresponding to each of the categories in order for an external resource to conform with or satisfy the constraints, and the permitted classifications comprising non-hierarchical classifications; implementing a set of constraints within a segment while insulating resources within the segment from inheriting the set of constraints; and controlling, via a wired or wireless communication network, an ingestion of a first external resource into the segment based on the set of constraints, wherein the controlling the ingestion of the first external resource comprises: determining, for each of the categories in the segment, whether a corresponding classification level of the first external resource, as indicated by one or more markings of the first external resource, satisfies the set of constraints for each of the categories; and in response to determining that the corresponding classification level of the first external resource fails to satisfy the set of constraints for one of the categories, selectively permitting, via the wired or wireless communication network, the ingestion of the first external resource into the segment while issuing a flag indicating a category of which the corresponding classification level of the first external resource failed to satisfy the set of constraints; generating an issue or log associated with the first external resource; ingesting, via the wired or wireless communication network, the issue or log into the segment; and propagating the set of constraints in the segment associated with the first external resource to the issue or the log; in response to determining that the first external resource or that a second external resource has a classification level that fails to satisfy the set of constraints, determining or predicting whether the first external resource or the second external resource will have a future classification level that satisfies the set of constraints; in response to the determining or predicting that the first external resource or the second external resource will have a future classification level that satisfies the set of constraints, ingesting the second external resource into the segment and at least temporarily restricting access to the first external resource or the second external resource. 2 . The computing system of claim 1 , wherein the maximum classification indicates that, if the corresponding classification level of the first external resource exceeds the maximum classification, then the first external resource fails to satisfy the set of constraints. 3 . The computing system of claim 2 , wherein the implementing of the set of constraints includes: defining a mirrored user constraint based on the maximum classification, the mirrored user constraint requiring a user attempting to access the segment to have at least a clearance level corresponding to the maximum classification. 4 . The computing system of claim 3 , wherein, even if the first external resource or a different resource within the segment has a classification level at or below a corresponding clearance level of the user, the mirrored user constraint prohibits the user from accessing the first external resource or the different resource. 5 . The computing system of claim 1 , wherein the set of constraints comprise the maximum classification that includes the categories. 6 . The computing system of claim 5 , wherein the categories include a general classification level, a dissemination control, and a release control, and the controlling an ingestion of the first external resource into the segment includes: determining whether a corresponding general classification level of the first external resource satisfies the general classification level indicated by the set of constraints; determining whether a corresponding dissemination control of the first external resource satisfies the dissemination control indicated by the set of constraints; determining whether a corresponding release control of the first external resource satisfies the release control indicated by the set of constraints; and in response to determining that the corresponding general classification level, the corresponding dissemination control, and the corresponding release control of the first external resource satisfies the general classification level, the dissemination control, and the release control indicated by the set of constraints, permitting the ingestion of the first external resource into the segment. 7 . The computing system of claim 5 , wherein the controlling an ingestion of the first external resource into the segment includes: determining, for each of the categories, whether the corresponding classification level of the first external resource, as indicated by one or more markings of the first external resource, satisfies the highest acceptable level indicated by the set of constraints; and in response to the determining that the corresponding classification level of the first external resource satisfies the highest acceptable level indicated by the set of constraints for each of the categories, permitting the ingestion of the first external resource into the segment. 8 . The computing system of claim 1 , wherein the set of constraints include a conjunctive classification rule and a disjunctive classification rule; and implementation of the set of constraints comprises: expanding the conjunctive classification rule to include implied hierarchical relationships among different levels associated with the conjunctive classification rule; and enforcing the disjunctive classification rule conjunctively such that, a particular resource that includes only some but not all disjunctive features indicated in the disjunctive classification rule is deemed to fail to satisfy the set of constraints. 9 . The computing system of claim 1 , wherein implementation of the set of constraints within the segment includes determining whether to propagate a change in a classification level of an upstream resource to a downstream resource within the segment, depending on whether the upstream resource is stored within the segment or an other segment, determination of whether to propagate including: if the upstream resource is stored within the segment, propagating the change in the classification level to the upstream resource if a changed classification level complies with the set of constraints; and if the upstream resource is stored in an other segment, propagating the change in the classification level to the upstream resource if the changed classification level complies with the set of constraints and is compatible with a classification level of the downstream resource. 10 . The computing system of claim 1 , wherein the implementing of the set of constraints within the segment further comprises controlling an ingestion of the second external resource into the segment based on the set of constraints, wherein the controlling the ingestion of the second external resource comprises: determining that, upon merging or joining of the second external resource a