Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
Response to Arguments
Applicant's arguments filed 12/22/2025 have been fully considered, but cannot be held as persuasive. While an updated rejection is presently presented responsive to the new and amended claim language, the previously cited prior art references of Modesitt in view of Moghe, Parekh, and Sabharwal remain applicable to the presently presented claims. On page 8, Applicant notes the presently amended claim language, and argues that “Modesitt does not describe ‘calculate a first compliance rating . . .’”. In response, the Examiner notes that this newly amended claim language is addressed via a combination of Modesitt in view of Moghe and Parekh. Modesitt shows calculating compliance reports, including where these report calculations are regularly performed (and thus account for updates and changes, as Modesitt describes in [23-24] and [73-77]). Utilization of a “rating” is suggested in Parekh as, e.g., a mechanism for drawing an administrator’s attention to the most important information (Parekh, col. 19 line 47 – col. 20 line 10). While the “ratings” in Parekh are not explicitly referred to as “compliance ratings”, the combination of Modesitt’s compliance reports with the “security and compliance controls” of Parekh, which are utilized to generate ratings, suggests the claimed “compliance ratings”. One of ordinary skill in the art would have readily appreciated how the well-known prior art concept of a rating could be integrated into the reports of Modesitt to, e.g., facilitate improved comprehension of the information contained within said reports. In addition, the Examiner notes that Parekh’s ratings are provided in the context of a “dashboard” that tracks “security services, vulnerabilities, compliance, risk management, etc.” (Parekh, col. 14 lines 40-45). The dashboard of Parekh (e.g., Fig. 5A, discussed in the above noted col. 19 line 47 – col. 20 line 10) is described by Parekh in col. 15 lines 30-51 as part of an overall security service that provides insight into both “compliance” and “vulnerability” as part of evaluating “security risk”. One of ordinary skill in the art would have readily understood that, given the overall context of Parekh, the described connections between security risk, vulnerability, and compliance tracking result in the “scoring and ranking” disclosed by Parekh being linked to compliance (particularly given the explicit compliance reporting suggested by Modesitt). Further discussion regarding the combination of Modesitt in view of Moghe and Parekh, and of what this combination would have suggested to one of ordinary skill in the art, is provided in the rejections presented below. The remaining arguments rely on the rationale addressed above, and thus are similarly unpersuasive.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1 – 5, 8, 9, 12, 14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Modesitt (US-20240330015-A1) in view of Moghe (US-20240187376-A1), Parekh (US-11503078-B2) and Sabharwal (Sabharwal, Navin, Sarvesh Pandey, and Piyush Pandey. "Infrastructure-as-Code Automation Using Terraform, Packer, Vault, Nomad and Consul: Hands-on Deployment, Configuration, and Best Practices." (Year: 2021)).
Regarding claim 1, Modesitt shows a security object compliance management platform (Figs. 1, 15) comprising: a computing system including a processor and memory (Figs. 1, 15), the memory storing instructions executable by the processor to:
determine one or more enterprise compliance policies applicable to security objects maintained across the enterprise ([24,27]);
generate an administrative user interface ([89], Fig. 10) at the security object compliance management platform ([92]), the administrative user interface having a compliance view ([92]);
calculate a first compliance report ([33-34]) based at least in part on a comparison of the one or more enterprise compliance policies to information ([21,25,73-77]);
automatically generate one or more compliance alerts based on the first compliance report ([25,74]), the one or more compliance alerts being presented in at least one of the plurality of views (Fig. 3, [29,33]), receive an update to the information associated with at least one of the security objects ([73-77]); and calculate a second compliance ([21] describing “monitoring of compliance on an on-going basis”, i.e., “during regular intervals”) report ([33-34]) based at least in part on a comparison of the one or more enterprise compliance policies ([23-24]) to the updated ([73-77] discussing modification detection as part of the continual compliance monitoring and report generation) information ([37]);
Modesitt does not show to: receive connection parameters for each of a plurality of distributed vaults, each vault storing security information used by an enterprise, the connection parameters including details useable for access to security objects maintained within the respective vault;
based on the connection parameters, communicatively connect to each of the plurality of vaults; and analysis and use of information associated with the security objects across the plurality of vaults. Moghe shows to: receive connection parameters for each of a plurality of distributed vaults, each vault storing security information used by an enterprise ([52-57,66]), the connection parameters including details useable for access to security objects maintained within the respective vault ([66-68, 73-74]);
based on the connection parameters, communicatively connect to each of the plurality of vaults ([63-66]); analysis and use of information associated with the security objects across the plurality of vaults ([55-56,63,69]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the orchestration and management techniques of Modesitt with the cloud and enterprise management techniques of Moghe in order to provide both device and system management that supports a wide variety of common platforms and deployments (Moghe, [2,4,6]). The above combination does not show: where for the distributed vaults, each vault is storing security information used by an enterprise and utilizing account details, use of a dashboard view and a security object view, consideration of data across the plurality of distributed vaults, and calculation of a rating for each of the plurality of distributed vaults. Parekh shows where for the distributed (col. 8 line 54 – col. 9 line 4) vaults (col. 4 lines 22-30, col. 5 lines 32-44), each vault is storing security information used by an enterprise and account details (col. 4 lines 22-30, col. 5 lines 32-44), use of a dashboard view and a security object view (col. 7 lines 9-24), and consideration of data across the plurality of distributed vaults (col. 9 lines 1–5 and 28-45), and calculation of a rating for each of the plurality of distributed vaults (col. 19 line 47 – col. 20 line 10).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the above combination with the security compliance techniques of Parekh in order to ensure support for further deployment and implementation scenarios while ensuring each customer/tenant is able to fully control their assets regardless of their deployment disposition (col. 1 line 34 – col. 2 line 3). It would have further been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the above combination’s use of compliance reports to utilize the rating information of Parekh in order to provide a clear and concise summary of information importance (i.e., to utilize a rating, such as a numerical rating, for its intended purpose) in order to enable a system user to more quickly and reliably ingest and process information, thus enabling faster and more appropriate reactions to changing system conditions and priorities. The above combination does not show use of a vault location and a vault connection view. Sabharwal shows use of a vault location (pgs. 142-143) and a vault connection view (pg. 172).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the above combination with the initialization and configuration techniques of Sabharwal in order to ensure customers can configure the management techniques utilizing their preferred server and enterprise topology configuration.
Regarding claim 2, the above combination further shows wherein the one or more compliance alerts are presented in the security object view (Modesitt, [74,79]).
Regarding claim 3, the above combination further shows wherein the computing system is further configured to transmit, to one or more of the plurality of distributed vaults (Parekh, col. 4 lines 22-30, col. 5 lines 32-44, col. 8 line 54 – col. 9 line 4), one or more policy notifications identifying one or more security objects that are non-compliant with the one or more enterprise compliance policies (Modesitt, [9,21,24-25,33]).
Regarding claim 4, the above combination further shows wherein the computing system is further configured to transmit the one or more enterprise compliance policies (Modesitt, [23,39-42,45]) to the one or more of the plurality of distributed vaults (Parekh, col. 4 lines 22-30, col. 5 lines 32-44, col. 8 line 54 – col. 9 line 4).
Regarding claim 5, the above combination further shows wherein the computing system is further configured to receive one or more compliance policies (Modesitt, [39-42,45]) within the compliance view (Modesitt, [45]) the one or more compliance policies defined as operations testing compliance with a security standard (Modesitt, [40-42]) associated with the security objects (Moghe, [66-68, 73-74]).
Regarding claim 8, the above combination further shows wherein the security objects include encryption keys managed (Moghe, [68,90,106]) within the enterprise (Modesitt, [24,27]) in the plurality of distributed vaults (Parekh, col. 4 lines 22-30, col. 5 lines 32-44, col. 8 line 54 – col. 9 line 4).
Regarding claim 9, the above combination further shows wherein the security objects include security secrets (Moghe, [68,90,106]) managed within the enterprise (Modesitt, [24,27]) in one or more of the plurality of distributed vaults (Parekh, col. 4 lines 22-30, col. 5 lines 32-44, col. 8 line 54 – col. 9 line 4).
Regarding claim 12, the above combination further shows wherein the plurality of distributed vaults (Parekh, col. 4 lines 22-30, col. 5 lines 32-44, col. 8 line 54 – col. 9 line 4) are maintained across an enterprise infrastructure (Modesitt, [24,27]) that includes one or more distributed enterprise computing systems and one or more cloud instances (Moghe, [53,78]) implemented on third party cloud computing infrastructure (Parekh, Fig. 5, [141]).
Regarding claim 14, Modesitt shows a method of managing compliance with security policies, the method comprising: generating an administrative user interface ([89], Fig. 10) at the compliance management platform ([92]), the administrative user interface having a compliance view ([92]); and
calculating a first compliance report ([33-34]) based at least in part on a comparison of the one or more enterprise compliance policies to information ([21,25,73-77]);
automatically generating one or more compliance alerts based on the first compliance report ([25,74]), the one or more compliance alerts being presented in at least one of the plurality of views (Fig. 3, [29,33]), receiving an update to the information associated with at least one of the security objects ([73-77]); and calculating a second compliance ([21] describing “monitoring of compliance on an on-going basis”, i.e., “during regular intervals”) report ([33-34]) based at least in part on a comparison of the one or more enterprise compliance policies ([23-24]) to the updated ([73-77] discussing modification detection as part of the continual compliance monitoring and report generation) information ([37]).
Modesitt does not show to: receive connection parameters for each of a plurality of distributed security object storage locations, each security object storage location storing security information used by an enterprise, the connection parameters including details useable for access to security objects maintained within the respective security object storage locations;
based on the connection parameters, communicatively connect the compliance management platform to each of the plurality of distributed security object storage locations; analysis and use of information associated with the security objects across each of the plurality of distributed security object storage locations. Moghe shows to: receive connection parameters for each of a plurality of distributed security object storage locations, each security object storage location storing security information used by an enterprise ([52-57,66]), the connection parameters including details useable for access to security objects maintained within the respective security object storage locations ([66-68, 73-74]);
based on the connection parameters, communicatively connect the compliance management platform to each of the plurality of distributed security object storage locations ([63-66]); analysis and use of information associated with the security objects across each of the plurality of distributed security object storage locations ([55-56,63,69]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the orchestration and management techniques of Modesitt with the cloud and enterprise management techniques of Moghe in order to provide both device and system management that supports a wide variety of common platforms and deployments (Moghe, [2,4,6]). The above combination does not show: where for the distributed set of security object storage locations, each is a vault with security information used by an enterprise and utilizing account details, use of a dashboard view and a security object view, and consideration of data across the plurality of distributed set of security object storage locations, and
calculation of a rating for each of the plurality of distributed set of security object storage locations. Parekh shows where for the distributed (col. 8 line 54 – col. 9 line 4) set of security object storage locations, each is a vault (col. 4 lines 22-30, col. 5 lines 32-44) storing security information used by an enterprise and account details (col. 4 lines 22-30, col. 5 lines 32-44), use of a dashboard view and a security object view (col. 7 lines 9-24), and consideration of data across the plurality of distributed set of security object storage locations (col. 9 lines 1–5 and 28-45), and
calculation of a rating for each of the plurality of distributed set of security object storage locations (col. 19 line 47 – col. 20 line 10).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the above combination with the security compliance techniques of Parekh in order to ensure support for further deployment and implementation scenarios while ensuring each customer/tenant is able to fully control their assets regardless of their deployment disposition (col. 1 line 34 – col. 2 line 3). It would have further been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the above combination’s use of compliance reports to utilize the rating information of Parekh in order to provide a clear and concise summary of information importance (i.e., to utilize a rating, such as a numerical rating, for its intended purpose) in order to enable a system user to more quickly and reliably ingest and process information, thus enabling faster and more appropriate reactions to changing system conditions and priorities. The above combination does not show use of a vault location and a vault connection view. Sabharwal shows use of a vault location (pgs. 142-143) and a vault connection view (pg. 172).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the above combination with the initialization and configuration techniques of Sabharwal in order to ensure customers can configure the management techniques utilizing their preferred server and enterprise topology configuration.
Regarding claim 20, the limitations of said claim are addressed in the analysis of claim 14.
Claims 6 and 7 are rejected under 35 U.S.C. 103 as being unpatentable over Modesitt in view of Moghe, Parekh, and Sabharwal, as applied to claim 1 above, further in view of Wang (US-20210211283-A1).
Regarding claim 6, the above combination shows claim 5. The above combination does not show: wherein the operations include a key algorithm test to determine whether a particular encryption algorithm used in association with an encryption key is among a plurality of acceptable encryption algorithms. Wang shows: wherein the operations include a key algorithm test to determine whether a particular encryption algorithm used in association with an encryption key is among a plurality of acceptable encryption algorithms (Abstract, [21]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the management teachings of the above combination with the encryption and key management techniques of Wang in order to prevent security gaps and improve the protection of the managed computer resources (Wang, [19-20]).
Regarding claim 7, Modesitt in view of Moghe, Parekh, and Sabharwal show claim 5.
The above combination does not show: wherein the operations include a key expiry test to determine whether a key has an expiration period within a predetermined key expiration duration defined by the enterprise. Wang shows wherein the operations include a key expiry test to determine whether a key has an expiration period within a predetermined key expiration duration defined by the enterprise ([21-23, 25, 29]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the management teachings of the above combination with the encryption and key management techniques of Wang in order to prevent security gaps and improve the protection of the managed computer resources (Wang, [19-20]).
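The claimed workflow of claims 1 and 5 through 7 (policies defined as operations, a first compliance report with per-vault ratings and alerts, an update to a security object, and a second report), as an added example in Python that is not code from the application, the examiner, or any cited reference; the vault names, acceptable-algorithm set, maximum key lifetime and key records are constructed assumptions:

```python
"""Added example (constructed; not code from the application or any cited reference).
Security objects inventoried from several distributed vaults are tested against
enterprise compliance policies defined as operations (the key-algorithm and
key-expiry tests), a first report with per-vault ratings and alerts is produced,
one object is updated, and a second report is calculated from the updated data."""
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Callable

# Assumed enterprise policy parameters (constructed for the example).
ACCEPTABLE_ALGORITHMS = frozenset({"AES-256", "RSA-3072", "RSA-4096", "ECDSA-P256"})
MAX_KEY_LIFETIME = timedelta(days=365)


@dataclass(frozen=True)
class SecurityObject:
    """One key record as inventoried from a vault; 'vault' is the storage location."""
    vault: str
    name: str
    algorithm: str
    created: date
    expires: date


# A compliance policy is an operation that returns True when the object complies.
Policy = Callable[[SecurityObject], bool]


def key_algorithm_test(obj: SecurityObject) -> bool:
    """Key-algorithm test: the key's algorithm must be among the acceptable ones."""
    return obj.algorithm in ACCEPTABLE_ALGORITHMS


def key_expiry_test(obj: SecurityObject) -> bool:
    """Key-expiry test: the expiration period must fit the enterprise's maximum lifetime."""
    return timedelta(0) < (obj.expires - obj.created) <= MAX_KEY_LIFETIME


ENTERPRISE_POLICIES: dict[str, Policy] = {
    "key-algorithm": key_algorithm_test,
    "key-expiry": key_expiry_test,
}


@dataclass(frozen=True)
class ComplianceReport:
    violations: dict[str, list[tuple[str, str]]]  # vault -> (object, failed policy)
    ratings: dict[str, float]  # vault -> percent of policy checks passed
    alerts: list[str]  # one alert per violation, for the dashboard / object view


def calculate_compliance_report(
    objects: list[SecurityObject], policies: dict[str, Policy] = ENTERPRISE_POLICIES
) -> ComplianceReport:
    """Compare every object from every vault against every enterprise policy."""
    violations: dict[str, list[tuple[str, str]]] = {}
    checks: dict[str, list[int]] = {}  # vault -> [passed, total]
    alerts: list[str] = []
    for obj in objects:
        passed_total = checks.setdefault(obj.vault, [0, 0])
        vault_violations = violations.setdefault(obj.vault, [])
        for policy_name, test in policies.items():
            passed_total[1] += 1
            if test(obj):
                passed_total[0] += 1
            else:
                vault_violations.append((obj.name, policy_name))
                alerts.append(f"{obj.vault}/{obj.name} fails {policy_name}")
    # Per-vault rating: share of checks passed; an empty vault counts as fully compliant.
    ratings = {v: (round(100.0 * p / t, 1) if t else 100.0) for v, (p, t) in checks.items()}
    return ComplianceReport(violations, ratings, alerts)


def apply_update(objects: list[SecurityObject], vault: str, name: str,
                 **changes) -> list[SecurityObject]:
    """Return the inventory with one object's fields updated (e.g. after a key rotation)."""
    return [replace(o, **changes) if (o.vault, o.name) == (vault, name) else o
            for o in objects]


# Constructed inventory from three vaults (not real vault data).
INVENTORY = [
    SecurityObject("kmip-vault-1", "db-master-key", "AES-256", date(2025, 1, 1), date(2025, 12, 31)),
    SecurityObject("kmip-vault-1", "backup-key", "AES-256", date(2025, 3, 1), date(2026, 2, 28)),
    SecurityObject("secrets-vault-2", "api-signing-key", "RSA-1024", date(2024, 6, 1), date(2025, 5, 31)),
    SecurityObject("secrets-vault-2", "tls-key", "ECDSA-P256", date(2025, 2, 1), date(2025, 12, 31)),
    SecurityObject("tde-vault-3", "tde-master", "RSA-4096", date(2023, 1, 1), date(2028, 1, 1)),
]


def demo() -> tuple[ComplianceReport, ComplianceReport]:
    """First report, then an update rotating the weak key, then the second report."""
    first = calculate_compliance_report(INVENTORY)
    updated = apply_update(INVENTORY, "secrets-vault-2", "api-signing-key",
                           algorithm="RSA-3072", created=date(2025, 6, 1), expires=date(2026, 5, 31))
    second = calculate_compliance_report(updated)
    return first, second
```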
Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Modesitt in view of Moghe, Parekh, and Sabharwal, as applied to claim 1 above, further in view of Zaidi (US-20160373263-A1) and Charters (US-20190229896-A1).
Regarding claim 10, the above combination shows claim 8, including enterprise security databases (Parekh, col. 4 lines 22-30, col. 5 lines 32-44, col. 8 line 54 – col. 9 line 4) maintained by the enterprise (Modesitt, [24,27]). The above combination does not show: wherein the security objects include one or more certificates stored within one or more databases.
Zaidi shows wherein the security objects include one or more certificates stored within one or more databases ([14,18,20]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the management teachings of the above combination with the certificate management of Zaidi in order to protect the operational stability of the enterprise (Zaidi, [15]).
The above combination does not show where the certificates are issued by the enterprise. Charters shows where the certificates are issued by the enterprise ([3]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the management teachings of the above combination with the certificate management of Charters in order to enable the management entity to have additional control over their protected resources.
Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Modesitt in view of Moghe, Parekh, and Sabharwal, as applied to claim 1 above, further in view of Vadhera (US-20210288798-A1) and Buchan (US-20230004671-A1).
Regarding claim 11, the above combination shows claim 1. The above combination does not show: wherein the plurality of distributed vaults includes a plurality of different types of vaults, the plurality of different types of vaults including a Key Management Interoperability Protocol (KMIP) vault and a secrets vault. Vadhera shows wherein the plurality of distributed vaults includes a plurality of different types of vaults, the plurality of different types of vaults including a Key Management Interoperability Protocol (KMIP) vault and a secrets vault (Fig. 1, items 110 and [35]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the management teachings of the above combination with the security features of Vadhera in order to ensure support for securing additional types of important and confidential data items.
The above combination does not show a Transparent Data Encryption (TDE) key vault. Buchan shows a Transparent Data Encryption (TDE) key vault (Abstract).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the management teachings of the above combination with the TDE management of Buchan in order to better protect the secured data by further limiting the number of potential scenarios that could result in a data breach (Buchan, [46]).
Claims 13, 15, 18, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Modesitt in view of Moghe, Parekh, and Sabharwal, as applied to claim 1 above, further in view of Brooker (US-20220103338-A1).
Regarding claim 13, the above combination shows the security objects (Modesitt, [24,27]) maintained in the plurality of distributed vaults (Parekh, col. 4 lines 22-30, col. 5 lines 32-44, col. 8 line 54 – col. 9 line 4). The above combination does not show: obtaining metadata describing the objects maintained without retrieving the objects. Brooker shows: obtaining metadata describing the security objects (Fig. 1, item 164) maintained without retrieving the objects ([37]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the management teachings of the above combination with the retrieval techniques of Brooker in order to improve data access efficiency by retrieving a minimal amount of data when servicing requests or data accesses.
Regarding claim 15, the above combination shows the security objects (Modesitt, [24,27]) maintained in the plurality of distributed vaults (Parekh, col. 4 lines 22-30, col. 5 lines 32-44, col. 8 line 54 – col. 9 line 4). The above combination does not show: obtaining metadata describing the objects maintained without retrieving the objects. Brooker shows: obtaining metadata describing the security objects (Fig. 1, item 164) maintained without retrieving the objects ([37]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the management teachings of the above combination with the retrieval techniques of Brooker in order to improve data access efficiency by retrieving a minimal amount of data when servicing requests or data accesses.
Regarding claim 18, the above combination shows wherein communicatively connecting to each of the plurality of distributed security object storage locations is performed in response to receiving the connection parameters (Moghe, [52-57,66] and Sabharwal, pgs. 142-143).
Regarding claim 19, the above combination shows transmitting, from the compliance management platform to one or more of the plurality of distributed security object storage locations (Parekh, col. 4 lines 22-30, col. 5 lines 32-44, col. 8 line 54 – col. 9 line 4), one or more policy notifications identifying one or more security objects that are non-compliant with the one or more enterprise compliance policies (Modesitt, [9,21,24-25,33]).
Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Modesitt in view of Moghe, Parekh, Sabharwal, and Brooker as applied to claim 15 above, further in view of Zaidi and Charters.
Regarding claim 16, the above combination shows wherein the security objects include: encryption keys managed (Moghe, [68,90,106]) within the enterprise (Modesitt, [24,27]) in the plurality of security object storage locations (Parekh, col. 4 lines 22-30, col. 5 lines 32-44, col. 8 line 54 – col. 9 line 4); security secrets (Moghe, [68,90,106]) managed within the enterprise (Modesitt, [24,27]) in one or more of the plurality of security object storage locations (Parekh, col. 4 lines 22-30, col. 5 lines 32-44, col. 8 line 54 – col. 9 line 4); and enterprise security databases (Parekh, col. 4 lines 22-30, col. 5 lines 32-44, col. 8 line 54 – col. 9 line 4) maintained by the enterprise (Modesitt, [24,27]). The above combination does not show: wherein the security objects include one or more certificates stored within one or more databases.
Zaidi shows wherein the security objects include one or more certificates stored within one or more databases ([14,18,20]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the management teachings of the above combination with the certificate management of Zaidi in order to protect the operational stability of the enterprise (Zaidi, [15]).
The above combination does not show where the certificates are issued by the enterprise. Charters shows where the certificates are issued by the enterprise ([3]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the management teachings of the above combination with the certificate management of Charters in order to enable the management entity to have additional control over their protected resources.
Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Modesitt in view of Moghe, Parekh, Sabharwal, Zaidi, and Charters as applied to claim 16 above, further in view of Vadhera and Buchan.
Regarding claim 17, the above combination shows claim 1. The above combination does not show: wherein the plurality of secure object storage locations includes a plurality of different types of vaults, the plurality of different types of vaults including a Key Management Interoperability Protocol (KMIP) vault and a secrets vault. Vadhera shows wherein the plurality of secure object storage locations includes a plurality of different types of vaults, the plurality of different types of vaults including a Key Management Interoperability Protocol (KMIP) vault and a secrets vault (Fig. 1, items 110 and [35]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the management teachings of the above combination with the security features of Vadhera in order to ensure support for securing additional types of important and confidential data items.
The above combination does not show a Transparent Data Encryption (TDE) key vault. Buchan shows a Transparent Data Encryption (TDE) key vault (Abstract).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the management teachings of the above combination with the TDE management of Buchan in order to better protect the secured data by further limiting the number of potential scenarios that could result in a data breach (Buchan, [46]).
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHN M MACILWINEN whose telephone number is (571)272-9686. The examiner can normally be reached Monday - Friday, 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Glenton B Burgess can be reached at (571) 272 - 3949. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
JOHN MACILWINEN
Primary Examiner
Art Unit 2442
/JOHN M MACILWINEN/ Primary Examiner, Art Unit 2454