Prosecution Insights
Last updated: April 19, 2026
Application No. 18/114,430

Posture control for cloud environments

Status: Final Rejection, §103
Filed: Feb 27, 2023
Examiner: HABTEGEORGIS, MATTHIAS
Art Unit: 2491
Tech Center: 2400 (Computer Networks)
Assignee: Zscaler Inc.
OA Round: 4 (Final)

Grant Probability: 75% (Favorable)
Expected OA Rounds: 5-6
Time to Grant: 3y 2m
Grant Probability With Interview: 97%

Examiner Intelligence

Career Allow Rate: 75% (73 granted / 97 resolved), +17.3% vs Tech Center average
Interview Lift: +21.3% (resolved cases with interview vs without)
Average Prosecution: 3y 2m
Currently Pending: 36
Total Applications: 133 (across all art units)

Statute-Specific Performance (vs Tech Center average estimate; based on career data from 97 resolved cases)

§101: 5.6% (-34.4% vs TC avg)
§103: 60.8% (+20.8% vs TC avg)
§102: 10.5% (-29.5% vs TC avg)
§112: 20.8% (-19.2% vs TC avg)

Office Action

§103
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments

Applicant’s arguments, see Remarks, filed 12/08/2025, with respect to the rejection(s) of independent claims 1 and 11 under 35 USC § 103 have been fully considered but are moot because of the new ground of rejection based on newly found prior art, Srivastava, US 2012/0297484, and Gilad, US 2023/0388352.

Claim Objections

Claims 1 and 11 are objected to because of the following informalities: Claim 1, lines 8-9, and claim 11, lines 9-10, the statement “wherein anomalous activity is identified for a specific identity among a plurality of identifies by:” should read “wherein anomalous activity is identified for a specific identity among a plurality of identities by:”. Appropriate correction is required.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 6, 11 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over US-PGPUB No. 2024/0195821 A1 to Ithal et al. (hereinafter “Ithal”), US-PGPUB No. 2012/0297484 A1 to Srivastava, and further in view of US-PGPUB No. 2023/0388352 A1 to Gilad et al. (hereinafter “Gilad”).

Regarding claim 1: Ithal discloses: A method (¶08: “a computer-implemented method of streamlined analysis of security posture of a cloud environment,”) comprising steps of: scanning a cloud environment for posture control data (¶164: “… the scanner can return real-time results at block 456. … cloud security posture analysis 122 receives updates to the security posture data as changes are made to the cloud services.”); identifying one or more configurations associated with the cloud environment (¶187: “… identify one or more configurations or settings of compute resources 130.”, ¶123: “… compute resources 130 can include … elastic compute cloud (AWS EC2) resources, AWS Lambda, etc.”); identifying one or more activities (¶160: “… a display element 413 that identifies a number of users with access to the sensitive data,”, see Fig. 8, users accessing sensitive data 413) performed by a plurality of identities associated with the cloud environment (¶160: “The dashboard identifies a number of users 402,”, see Fig. 8, Users 402);

However, Ithal does not explicitly disclose the following limitation taught by Srivastava: and providing an alert related to a combination of a configuration of an asset of the cloud environment and an activity performed by an identity, the combination representing an activity performed in relation to an asset (Srivastava, ¶41-42: “if an activity segment value comprises a deviation from the baseline value for that activity segment (e.g., singly or in combination with other activity segment values), … the online user account can be identified at potentially compromised. … the user of the potentially compromised online user account can be notified, and provided a suggestion to mitigate …”), wherein anomalous activity is identified for a specific identity among a plurality of identifies (Srivastava, ¶41: “if an activity segment value comprises a deviation from the baseline value for that activity segment (e.g., singly or in combination with other activity segment values), … the online user account can be identified at potentially compromised.”) by: establishing a baseline of historical activity performed by the specific identity in the cloud environment (Srivastava, ¶15: “establishing a baseline for the online user account, at 104.”, ¶25: “establishing the baseline can comprise determining historical use of the online user account by the user for a desired period of time.”) and stored as a historical view of activities associated with the specific identity (Srivastava, ¶25: “when determining the baseline for the user account a particular communication-related activity (e.g., new friend requests) from a particular period of time, such as the previous week, month, year, may be mined. Further, identifying historical communication-related activity can comprise mining data from one or more activity segments related to communication.”); and detecting a deviation from the established baseline of historical activity for the specific identity indicative of anomalous behavior (Srivastava, ¶19: “a deviation from the baseline is detected that comprises an indication of a potentially compromised online user account.”).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Ithal to incorporate the techniques for detecting and/or mitigating a potentially compromised online user account by establishing one or more baselines for a user's online account to determine a normal usage pattern for the account by the user, and periodically or continually monitoring the online user account for use of the same resources used to determine the baseline(s), as disclosed by Srivastava; such modification would enable the system to detect potentially compromised accounts, and take appropriate mitigation actions.

The combination of Ithal and Srivastava does not explicitly teach the following limitation taught by Gilad: wherein the alert alerts to a combination of a misconfiguration and an activity as a risk (Gilad, ¶88: “a first cloud entity is an unknown user (e.g., user from outside an organization) which is accessing a second cloud entity, such as a database resource. … the database resource is found to be misconfigured (e.g., not having a password), and an alert is generated in response to detecting that the database resource includes a cybersecurity threat.”), and provides guided remediation for the risk (Gilad, ¶107: “the mitigation action includes generating an instruction to inspect a resource in the computing environment.”).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Ithal and Srivastava to incorporate the functionality of the method to generate an alert in response to the database resource being found to be misconfigured (e.g., not having a password) and the database resource including a cybersecurity threat, as disclosed by Gilad; such modification would enable the system to detect cybersecurity threats which are present on a virtual workload and additionally actually posing a threat, as opposed to a cybersecurity vulnerability which is present but is not currently being exploited, and allows remediation and mitigation actions to be prioritized to such workloads.

Regarding claim 6: The combination of Ithal, Srivastava and Gilad discloses: The method of claim 1, wherein the posture control data includes any of historical data (Ithal, ¶138: “… historical resource state can be tracked automatically and/or in response to user input.”) and real-time data (Ithal, ¶164: “… the scanner can return real-time results at block 456. Accordingly, cloud security posture analysis 122 receives updates to the security posture data as changes are made to the cloud services.”), […] Ithal does not explicitly disclose the following limitation taught by Srivastava: […] the historical data including configurations and activities collected up to a preconfigured historical date (Srivastava, ¶25: “historical communication between the user and the contacts can be identified. For example, when determining the baseline for the user account a particular communication-related activity (e.g., new friend requests) from a particular period of time, such as the previous week, month, year, may be mined.”). The same motivation which is applied to claim 1 with respect to Srivastava applies to claim 6.

Regarding claim 11: Ithal discloses: A non-transitory computer-readable medium (¶68: “a suitable non-transitory storage medium,”) comprising instructions that, when executed, cause one or more processors (¶145: “software, can be stored in one or more non-transitory memory storage devices in an executable format to be executed by one or more processors.”) to perform steps of: In addition to the above limitations, claim 11 recites substantially the same limitations as claim 1 in the form of a non-transitory computer readable medium for storing instructions. Therefore, it is rejected by the same rationale.

Regarding claim 16: Claim 16 recites substantially the same limitation as claim 6 in the form of a non-transitory computer readable medium for storing instructions. Therefore, it is rejected by the same rationale.

Claims 2 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Ithal, Srivastava, Gilad, and further in view of USPAT No. 7647622 B1 to Sobel et al. (hereinafter “Sobel”).

Regarding claim 2: The combination of Ithal, Srivastava and Gilad discloses: The method of claim 1, wherein the alert is provided based on a combination of a misconfiguration of an asset of the cloud environment and an activity performed by an identity on the misconfigured asset (Gilad, ¶88: “a first cloud entity is an unknown user (e.g., user from outside an organization) which is accessing a second cloud entity, such as a database resource. … the database resource is found to be misconfigured (e.g., not having a password), and an alert is generated in response to detecting that the database resource includes a cybersecurity threat.”). The same motivation which is applied to claim 1 with respect to Gilad applies to claim 2.

The combination of Ithal, Srivastava and Gilad does not explicitly disclose the following limitation taught by Sobel: the combination being identified as a correlated risk based on security policy findings (Sobel, col 7, lines 33-38: “a correlated risk measure can include the number of times a risk factor corresponding to utilization of a vulnerable service occurs where a security patch for the vulnerable service was not installed, and where a virus related to that vulnerable service was detected, e.g., a correlation.”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Ithal, Srivastava and Gilad to incorporate the functionality of the method for logging risk factors associated with a computer system and/or a user over time and dynamically generating a risk profile for the computer system and/or the user based on the logged risk factors, as disclosed by Sobel; such modification would enable the system to dynamically set and update a security policy based on the risk profile.

Regarding claim 12: Claim 12 recites substantially the same limitation as claim 2 in the form of a non-transitory computer readable medium for storing instructions. Therefore, it is rejected by the same rationale.

Claims 3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Ithal, Srivastava, Gilad, and further in view of USPAT No. 10057184 B1 to Prahlad et al. (hereinafter “Prahlad”).

Regarding claim 3: The combination of Ithal, Srivastava and Gilad discloses: The method of claim 1, wherein the posture control data includes any of assets, identities, network flow logs, activities, and code repositories in the cloud environment (Ithal, ¶160: “The dashboard identifies a number of users 402, a number of assets 404, a number of data stores 406, and a number of accounts 408.”). The combination of Ithal, Srivastava and Gilad does not explicitly disclose the following limitation taught by Prahlad: and wherein the posture control data further includes current and historical configurations from one or more multi-cloud configuration management databases (Prahlad, col 2, lines 65-67 to col 3, line 1: “The resource configuration service … maintains historical records of the configuration items of computing resources …”, col 14, lines 7-10: “information reflecting the current configuration state of all resources associated with the subscriber's account is retrieved from the subscriber's configuration recording service 134.”) and identity activity data from identity and access management catalogs (Prahlad, col 7, lines 6-10: “The subscriber data store 104 also maintains … identity access management role,”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Ithal, Srivastava and Gilad to incorporate the functionality of the method to retrieve information reflecting the current configuration state of all resources associated with a subscriber's account from the subscriber's configuration recording service, and maintaining historical records of the configuration items of computing resources, as disclosed by Prahlad; such modification would enable system administrators to understand how different resources are related, how those relationships changed, and how configuration changes may have affected related computing resources.

Regarding claim 13: Claim 13 recites substantially the same limitation as claim 3 in the form of a non-transitory computer readable medium for storing instructions. Therefore, it is rejected by the same rationale.

Claims 4 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Ithal, Srivastava, Gilad, and further in view of US-PGPUB No. 2022/0300340 A1 to Cardenas et al. (hereinafter “Cardenas”).

Regarding claim 4: The combination of Ithal, Srivastava and Gilad discloses: The method of claim 1, wherein the cloud environment (Ithal, see Fig. 1, Cloud Environment 102) is any of a run-time cloud environment (Ithal, ¶121: “Users 110, administrators 112, developers 114, or any other actors 104, can interact with cloud environment 102 …”) and a build-time cloud environment (Ithal, ¶121: “… developers 114, … can interact with cloud environment 102 …”). The combination of Ithal, Srivastava and Gilad does not explicitly disclose the following limitation taught by Cardenas: the build-time cloud environment comprising one or more infrastructure-as-code code repositories or continuous integration/continuous deployment tools (Cardenas, ¶43-44: “creating and deploying the cloud environment may correspond to a merge of the IaC configuration files in the repository, … at operation 512 the cloud environment generator 104 may initiate a CI/CD pipeline, and at operation 514 the cloud environment generator 104 may use the CI/CD pipeline to execute the files created within the repository.”, IaC: infrastructure-as-code, CI/CD: continuous integration/continuous deployment), and the run-time cloud environment comprising one or more public-cloud accounts (Cardenas, ¶44: “deployment of the cloud environment may correspond to merge of configuration files from the repository into a main branch of the organization within a public cloud environment.”).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Ithal, Srivastava and Gilad to incorporate the functionality of the cloud provisioning system for deploying the cloud environment by provisioning instructions to be transmitted to one or more cloud service providers, as disclosed by Cardenas; such modification would enable the system to create and manage groups of cloud-based environments.

Allowable Subject Matter

Claims 5 and 7 are objected to as being dependent upon rejected independent base claim 1, but would be allowable if rewritten in independent form. Claims 8-10 are objected to based on their dependency on claim 7. Claims 15 and 17-20 recite substantially the same limitations as claims 5 and 7-10, respectively, in the form of a non-transitory computer readable medium for storing instructions. Therefore, claims 15 and 17-20 are also objected to for containing allowable subject matter.

The following is the examiner's statement of reasons for allowance:

With respect to claim 5, the combination of Ithal, Srivastava and Gilad discloses the method of claim 1, but fails to teach the limitation: “wherein prior to the scanning, the steps include configuring one or more discovery modules, including configuring one or more parameters that control collection intervals for the posture control data, and wherein the scanning is performed in agentless manner using application programming interfaces or secure file transfers.”. Claim 15 recites substantially the same limitation as claim 5 in the form of a non-transitory computer readable medium for storing instructions, and thus is indicated as allowable subject matter.

With respect to claim 7, the combination of Ithal, Srivastava and Gilad discloses the method of claim 1, but fails to teach the limitation: “wherein the steps further include providing a Graphical User Interface (GUI) displaying the identified configurations and activities, the GUI further displaying a correlated relationship view between identities, assets, alerts, and vulnerabilities.”. Claims 8-10 are indicated as allowable subject matter based on their dependency on claim 7. Claims 17-20 recite substantially the same limitations as claims 7-10, respectively, in the form of a non-transitory computer readable medium for storing instructions, and thus are indicated as allowable subject matter.

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHIAS HABTEGEORGIS whose telephone number is (571)272-1916. The examiner can normally be reached M-F 8am-5pm ET. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William R. Korzuch, can be reached at (571)272-7589. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/M.H./ Examiner, Art Unit 2491
/DANIEL B POTRATZ/ Primary Examiner, Art Unit 2491
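The pipeline that claim 1 and the examiner's mapping describe, as an added example in Python: a per-identity baseline built from activity before a preconfigured historical date, deviation detection against that baseline, and a join of each deviation with the policy findings on the asset it touched so that only the combination of a misconfiguration and anomalous activity on that asset becomes an alert carrying guided remediation. This is not code from application 18/114,430, from Zscaler, or from any reference the examiner cites. The event and finding records, the field names, the policy name and the remediation text are constructed assumptions for illustration.

```python
"""Correlate per-identity activity anomalies with asset misconfigurations.

Added example; not code from the application or any cited reference. The
events and findings are constructed to resemble CloudTrail-style activity
records and CSPM policy findings (field names are assumptions).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Event:
    ts: datetime       # when the identity performed the action
    identity: str      # principal: user, role or service account
    action: str        # API action, e.g. s3:GetObject
    resource: str      # asset the action targeted


@dataclass(frozen=True)
class Finding:
    resource: str      # misconfigured asset
    policy: str        # security policy the asset fails (assumed name)
    remediation: str   # guided remediation text (assumed)


def build_baseline(events, cutoff):
    """Historical view per identity: (action, resource) pairs seen before
    the preconfigured historical date `cutoff`."""
    baseline = defaultdict(set)
    for e in events:
        if e.ts < cutoff:
            baseline[e.identity].add((e.action, e.resource))
    return baseline


def detect_deviations(events, baseline, cutoff):
    """Activity at or after `cutoff` the identity never performed in its
    baseline window. An identity with no history has an empty baseline,
    so all of its new activity is reported; a real system would put such
    identities into a learning period instead of alerting on them."""
    return [
        e for e in events
        if e.ts >= cutoff
        and (e.action, e.resource) not in baseline.get(e.identity, set())
    ]


def correlate(deviations, findings):
    """Join each deviation with the findings on the asset it touched.
    Only misconfiguration + anomalous activity on that asset becomes an
    alert; deviations on well-configured assets are returned separately
    so they can be triaged at lower priority."""
    by_resource = defaultdict(list)
    for f in findings:
        by_resource[f.resource].append(f)
    alerts, uncorrelated = [], []
    for d in deviations:
        hits = by_resource.get(d.resource)
        if not hits:
            uncorrelated.append(d)
            continue
        for f in hits:
            alerts.append({"identity": d.identity, "action": d.action,
                           "resource": d.resource, "policy": f.policy,
                           "remediation": f.remediation, "risk": "correlated"})
    return alerts, uncorrelated


def run_example():
    """Constructed data: one historical month, then one recent day."""
    hist = datetime(2024, 1, 10, tzinfo=timezone.utc)
    now = datetime(2024, 2, 5, tzinfo=timezone.utc)
    cutoff = datetime(2024, 2, 1, tzinfo=timezone.utc)  # historical date
    events = [
        Event(hist, "alice", "s3:GetObject", "s3://payroll-archive"),
        Event(hist, "alice", "s3:ListAllMyBuckets", "*"),
        Event(hist, "bob", "s3:PutObject", "s3://build-artifacts"),
        Event(now, "alice", "s3:GetObject", "s3://payroll-archive"),   # in baseline
        Event(now, "alice", "s3:GetObject", "s3://customer-exports"),  # new asset
        Event(now, "bob", "s3:GetObject", "s3://customer-exports"),    # new asset
        Event(now, "bob", "s3:DeleteObject", "s3://build-artifacts"),  # new action
        Event(now, "bob", "s3:PutObject", "s3://build-artifacts"),     # in baseline
    ]
    findings = [
        Finding("s3://customer-exports", "S3_PUBLIC_READ",
                "Enable Block Public Access and remove the public-read ACL"),
    ]
    baseline = build_baseline(events, cutoff)
    deviations = detect_deviations(events, baseline, cutoff)
    alerts, uncorrelated = correlate(deviations, findings)
    return {"deviations": deviations, "alerts": alerts,
            "uncorrelated": uncorrelated}


if __name__ == "__main__":
    result = run_example()
    for a in result["alerts"]:
        print(f"[{a['risk']}] {a['identity']} {a['action']} on {a['resource']}"
              f" ({a['policy']}): {a['remediation']}")
    for d in result["uncorrelated"]:
        print(f"[anomaly only] {d.identity} {d.action} on {d.resource}")
```

With the constructed data, three activities fall outside their identity's baseline, but only the two that touch the publicly readable bucket are raised as correlated risks with a remediation; bob's first-ever delete on a well-configured bucket stays an uncorrelated anomaly. That split is the prioritization the examiner attributes to Gilad: a misconfiguration that is actually being exercised ranks above one that merely exists.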

Prosecution Timeline

Feb 27, 2023
Application Filed
Nov 22, 2024
Non-Final Rejection — §103
Feb 28, 2025
Response Filed
May 08, 2025
Final Rejection — §103
Jul 08, 2025
Response after Non-Final Action
Aug 13, 2025
Request for Continued Examination
Aug 20, 2025
Response after Non-Final Action
Sep 05, 2025
Non-Final Rejection — §103
Dec 08, 2025
Response Filed
Mar 21, 2026
Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12591641
PROCESSING AN INPUT STREAM OF A USER DEVICE TO FACILITATE SECURITY ASSOCIATED WITH AN ACCOUNT OF A USER OF THE USER DEVICE
2y 5m to grant Granted Mar 31, 2026
Patent 12574353
A Method And Unit For Adaptive Creation Of Network Traffic Filtering Rules On A Network Device That Autonomously Detects Anomalies And Automatically Mitigates Volumetric (DDOS) Attacks
2y 5m to grant Granted Mar 10, 2026
Patent 12541609
METHOD AND SYSTEM FOR IDENTIFYING HEALTH OF A MICROSERVICE BASED ON RESOURCE UTILIZATION OF THE MICROSERVICE
2y 5m to grant Granted Feb 03, 2026
Patent 12513188
METHOD AND SYSTEM FOR PROTECTING A CHECKOUT TRANSACTION FROM MALICIOUS CODE INJECTION
2y 5m to grant Granted Dec 30, 2025
Patent 12513112
NETWORK APPARATUS AND NETWORK ATTACK BLOCKING METHOD THEREOF
2y 5m to grant Granted Dec 30, 2025
Based on the 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 5-6
Grant Probability: 75%
With Interview: 97% (+21.3%)
Median Time to Grant: 3y 2m
PTA Risk: High
Based on 97 resolved cases by this examiner. Grant probability derived from career allow rate.
