Prosecution Insights
Last updated: April 19, 2026
Application No. 17/334,449

CLOUD PROVIDER ACCOUNT MAPPINGS

Non-Final OA: §103, §112
Filed: May 28, 2021
Examiner: BETIT, JACOB F
Art Unit: 2195
Tech Center: 2100 — Computer Architecture & Software
Assignee: Hashicorp
OA Round: 5 (Non-Final)
Grant Probability: 35% (At Risk)
OA Rounds: 5-6
To Grant: 4y 11m
With Interview: 51%

Examiner Intelligence

Grants only 35% of cases
Career Allow Rate: 35% (53 granted / 151 resolved, -19.9% vs TC avg)
Strong +16% interview lift
Interview Lift: +16.3% (resolved cases with interview)
Typical timeline
Avg Prosecution: 4y 11m (27 currently pending)
Career history
Total Applications: 178 (across all art units)

Statute-Specific Performance

§101: 11.2% (-28.8% vs TC avg)
§103: 42.6% (+2.6% vs TC avg)
§102: 23.4% (-16.6% vs TC avg)
§112: 19.9% (-20.1% vs TC avg)
Based on career data from 151 resolved cases

Office Action

§103 §112
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claims 21-25 are pending for examination.

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):

(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 21-25 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Claim language in the following claims is not clearly understood:

As per claim 21, line 9, it is unclear whether “account credentials” are the same “account credentials” in line 3 (i.e. consistent term should be used with “the” or “said” if they are the same)

Line 14, it is unclear whether “a network resource” is one of “cloud based resources” in line 2 (i.e. consistent term should be used with “the” or “said” if they are the same)

Line 15, it is unclear whether “an ephemeral mapping” is one of the “ephemeral mappings” in line 1 (i.e. consistent term should be used with “the” or “said” if they are the same)

Line 18, it is unclear what it meant by “completion of a session” (i.e. is the session related to the cloud provider account or usage of the network resource?)

Line 20, it is unclear whether “the mapping” is referring to “the ephemeral mapping” in line 15 (i.e. consistent term should be used with “the” or “said” if they are the same)

Line 21, it is unclear whether “the cloud provider account” referring to “the at least one of the one or more cloud provider accounts” in line 10-11 (i.e. consistent term should be used with “the” or “said” if they are the same)

As per claim 22, it is unclear whether “erase the ephemeral mapping” same or different from “ephemeral mapping … expires upon … destruction of the network resource”?

As per claim 23, it is unclear whether “account credentials”, “a cloud provider” and “a second cloud provider account” are one of the “account credentials”, “cloud provider” and “one or more cloud provider accounts” recited in claim 21 (i.e. consistent term should be used with “the” or “said” if they are the same)

As per claims 24-25, line 3, it is unclear whether “an active session” is related to “completion of a session” (i.e. consistent term should be used with “the” or “said” if they are the same)

As per claim 22-25, they depend from rejected claims and do not resolve the deficiencies thereof and are therefore rejected for at least the same reasons.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 21 and 23 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jain US Pub 2020/0319907 (hereafter Jain) in view of Poghosyan et al. US Patent 11,770,382 (hereafter Poghosyan) and further in view of Lu et al. US Patent No. 11,070,620 (hereafter Lu). References Jain and Lu were cited in the previous office action.

As per claim 1, Jain teaches the invention substantially as claimed including a system for creating and managing mappings between cloud based resources and one or more cloud provider accounts of a cloud provider, the system comprising:

a programmable processor;

a non-transitory machine-readable medium storing instructions that when executed by the programmable processor, cause the programmable processor to perform operations comprising:

acquire account credentials from the cloud provider via a published application programming interface (API), the account credentials being associated with at least one of the one or more cloud provider accounts of the cloud provider (para[0033-0040, 0044], a cloud provider creates appropriate credentials for the resources that are associated with whitelisted (authorized) VM with applications (accounts of the cloud provider), and send it to the cloud resource credential provisioning system to store the received credentials and map between the whitelisted VM and the resource and access type, thus credentials associated with the whitelisted VM (account) for the cloud provider is acquired from the cloud provider);

receive a request to allocate the account credentials to a network resource (para[0034-0038], receive a cloud resource request from application (VM), and if the access to resource is allowed for the VM, then the provisioning system add (allocate) the credentials to the request);

generate a mapping of the cloud provider account with the network resource based at least in part on the acquired account credentials of the cloud provider account (para[0034, 0039, 0044], the requested resource is mapped to the requesting VM (account) that is allowed to make the request, based on the received credentials);

Jain does not explicitly teach ephemeral mapping of cloud based resources to one or more cloud provider accounts of a cloud provider without persistently storing account credentials; using a remote procedure call (RPC) service associated with a centralized service; wherein the account credentials are acquired on-demand and not persistently stored to enhance security and isolation between the centralized service and the cloud provider; wherein the ephemeral mapping is generated dynamically and expires upon completion of a session or destruction of the network resource to prevent unauthorized access; return the mapping based on the cloud provider account to the centralized service of the non-transitory machine-readable medium.

However, Poghosyan teaches ephemeral mapping of cloud based resources to one or more cloud provider accounts of a cloud provider without persistently storing account credentials; wherein the account credentials are acquired on-demand and not persistently stored to enhance security and isolation between the centralized service and the cloud provider (col 6, line 30-43, col 7, line 16-61, FIG. 2, the system grants access, for a limited time period, to a user to a particular cloud application in the cloud environment (cloud resource) by returning temporary credentials to the user to access the cloud resource, thus mapping the temporary user account credentials to the cloud resource);

wherein the ephemeral mapping is generated dynamically and expires upon completion of a session or destruction of the network resource to prevent unauthorized access (col 6, line 30-43, col 7, line 16-61, FIG. 2, when the user has completed his tasks on the cloud application, the profile service revokes access to the user account and removes temporary user account if the profile period has expired, thus mapping generated upon a request, and expires upon completion);

return the mapping based on the cloud provider account to the centralized service of the non-transitory machine-readable medium (col 6, line 30-43, col 7, line 16-61, FIG. 2, the temporary credentials for the user to access the cloud application in the cloud environment (mapping) is returned to the profile service).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Poghosyan’s teaching to Jain’s invention in order to incorporate Poghosyan’s teaching to Jain’s invention in order to improve existing security solutions/options and provides secure privileged access in a way that is cloud-native and adapts to the dynamic nature of the cloud systems and to avoid inadequate security controls in public cloud systems result in confidential data breaches, business disruption, and financial losses, by provide a novel dynamic privileged access governance system and processes including a just-in-time access system which grants access to the user account temporarily (col 1, line 26-53, col 4, line 42-53).

Jain and Poghosyan do not explicitly teach using a remote procedure call (RPC) service associated with a centralized service.

However, Lu teaches using a remote procedure call (RPC) service associated with a centralized service (col 5, line 38-65, col 6, line 64-67, col 7, line 1-6, FIG. 3, clients can communicate with a cloud system through a centralized server, and the centralized server communicates with the cloud system using RPCs in order to perform some object storage related operations associated with the user’s account, including validating credentials and command parameters and receives returns from the cloud system to the server).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Lu’s teaching to Jain and Poghosyan’s invention in order to provide an efficient data transfer between a client and a cloud system, which reduces network latencies, data transfer times and network access, by providing a server as an endpoint for the client that enables clients to communicate with cloud system through the server rather than connect directly to the cloud system where the server is configured to improve the efficiency with which objects are transferred to and from the cloud storage system (abstract, col 3, line 52-61).

As per claim 23, Jain, Poghosyan and Lu teach the system in accordance with claim 21, and Jain teaches wherein the centralized service is further configured to cause the programmable processor to:

acquiring account credentials from the cloud provider associated with a second cloud provider (para[0033-0040, 0044, 0047], a cloud provider (of one or more cloud resource providers) creates appropriate credentials for the resources that are associated with whitelisted (authorized) VM with applications (accounts of the cloud provider), and send it to the cloud resource credential provisioning system to store the received credentials and map between the whitelisted VM and the resource and access type, thus credentials associated with the whitelisted VM (account) for the cloud provider is acquired from the cloud provider of the one or more cloud resource providers);

receive a request to allocate the account credentials of the second cloud provider account to a second network resource (para[0034-0038], receive a cloud resource request from application (VM), and if the access to resource is allowed for the VM, then the provisioning system add (allocate) the credentials to the request);

generate a mapping of the second cloud provider account with the second network resource based at least in part on the acquired account credentials of the second cloud provider account (para[0034, 0039, 0044], the requested resource is mapped to the requesting VM (account) that is allowed to make the request, based on the received credentials).

In addition, Poghosyan teaches return the mapping based on the second cloud provider account to the centralized service of the non-transitory machine-readable medium (col 5, line 45-61, col 6, line 16-43, col 7, line 16-61, FIG. 2, the temporary credentials for the users (different users) to access the cloud application in the cloud environments (mapping) is returned to the profile service).

Claim(s) 22 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jain in view of Poghosyan and Lu as applied to claim 21 above, and further in view of Das et al. US Patent No. 10,771,337 (hereafter Das). Reference Das was cited in the previous office action.

As per claim 22, Jain, Poghosyan and Lu teach the system in accordance with claim 21, but does not explicitly teach wherein the centralized service is further configured to cause the programmable processor to erase the mapping upon destruction of the corresponding network resource.

However, Das further teaches wherein the centralized service is further configured to cause the programmable processor to erase the mapping upon destruction of the corresponding network resource (col 14, line 18-33, when resources are added or removed, then the user policy for mapping user account to resources is edited accordingly).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Das’ teaching to Jain, Poghosyan and Lu’s invention in order to improve the ability of network-based service platforms to control permissions or privileges of users that manage network-based services provisioned in the network-based service platform, where the techniques include mapping cloud identities of the users to the resources and allow users to remotely manage resources of the network based services while ensuring that the users are unable to execute commands on the resources that are outside the set of permissions (abstract, col 6, line 9-27).

Claim(s) 24-25 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jain in view of Poghosyan and Lu as applied to claim 21 above, and further in view of Hameiri et al US Pub 2022/0029886 (hereafter Hameiri). Reference Hameiri was cited in the previous office action.

As per claim 24, Jain, Poghosyan and Lu teach the system in accordance with claim 21, but they do not explicitly teach wherein the network resource includes a virtual network.

However, Hameiri teaches the network resource includes a virtual network (para[0048], managed network include virtual private network).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Hameiri’s teaching to Jain, Poghosyan and Lu’s invention in order to provide an automatic creation of the multiple service account by the discovery computing system for the multiple projects in the remote computing system, which saves significantly the effort and time to manually create the service accounts (para[0005, 0009).

As per claim 25, Jain, Poghosyan and Lu teach the system in accordance with claim 21, but they do not explicitly teach wherein the network resource includes a virtual private cloud (VPC).

However, Hameiri teaches the network resource includes a virtual private cloud (VPC). (para[0057], network referred to a virtual private cloud (VPC)).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Hameiri’s teaching to Jain, Poghosyan and Lu’s invention in order to provide an automatic creation of the multiple service account by the discovery computing system for the multiple projects in the remote computing system, which saves significantly the effort and time to manually create the service accounts (para[0005, 0009).

Response to Arguments

Applicant’s arguments with respect to claim(s) 21-25 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to TAMMY EUNHYE LEE whose telephone number is (571)270-7773. The examiner can normally be reached Mon, Tues, Thur 9PM-4PM.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Meng-Ai An can be reached at (571)272-3756. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/TAMMY E LEE/
Primary Examiner, Art Unit 2195

Prosecution Timeline

May 28, 2021: Application Filed
Jun 09, 2023: Non-Final Rejection — §103, §112
Dec 14, 2023: Response Filed
Dec 29, 2023: Final Rejection — §103, §112
Jul 05, 2024: Request for Continued Examination
Jul 10, 2024: Response after Non-Final Action
Aug 09, 2024: Non-Final Rejection — §103, §112
Feb 14, 2025: Response Filed
May 27, 2025: Final Rejection — §103, §112
Aug 29, 2025: Response after Non-Final Action
Sep 19, 2025: Request for Continued Examination
Oct 01, 2025: Response after Non-Final Action
Oct 27, 2025: Non-Final Rejection — §103, §112
Jan 29, 2026: Response Filed

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 9339688
CORE EXERCISE APPARATUS
2y 5m to grant Granted May 17, 2016
Patent 9043275
DATA SYNCHRONIZATION USING STRING MATCHING
2y 5m to grant Granted May 26, 2015
Patent 9026539
RANKING SUPERVISED HASHING
2y 5m to grant Granted May 05, 2015
Patent 9020954
RANKING SUPERVISED HASHING
2y 5m to grant Granted Apr 28, 2015
Patent 8819054
INFORMATION PROCESSING APPARATUS, METHOD FOR PROCESSING INFORMATION, AND STORAGE MEDIUM
2y 5m to grant Granted Aug 26, 2014
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 5-6
Grant Probability: 35%
With Interview (+16.3%): 51%
Median Time to Grant: 4y 11m
PTA Risk: High
Based on 151 resolved cases by this examiner. Grant probability derived from career allow rate.
