Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant’s arguments, filed 12/1/2025, with respect to the rejection(s) of claim(s) 1-20 under 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Pearce.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-3, 6-7, 9-13, 16-17 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Deshpande (US Patent Pub. 2022/0417279) in view of Kozlowski (US Patent Pub 2023/0153150) and in view of Pearce (US Patent Pub. 2017/0214721).
As per claims 1 and 11: Deshpande discloses a method comprising steps of:
receiving a request to access a resource from a device (Paragraph 28; identifying a user and one or more devices associated with the user, collecting information identifying applications used by the user on the one or more devices);
determining whether a user associated with the request is allowed to access the resource, wherein the determining is based on a risk score of the user; and responsive to the user being permitted to access the resource (claim 1; determining respective security sub-scores for each item of the one or more devices, computing an overall security score for the user based, at least in part, on an aggregation of the security sub-scores, and creating a user profile based on the overall security score, the user profile to enable the at least one of the one or more devices to exchange data with an external device when the overall security score meets a security score threshold).
However, Deshpande in view of Kozlowski do not specifically disclose stitching together a connection between a cloud-based system, the resource, and the device to provide access to the resource (see Kozlowski, Paragraph 120; Upon detecting a request for access to managed data or managed resource, at block 410, the workspace orchestration service may authenticate the identity of the user making the request…additional authentication may be required in order to evaluate a user's request and to determine a risk score for the user's request) (Paragraph 70; the calculation of risk scores and other productivity and security metrics based on ongoing collection of context information, the generation of workspace definitions, and the assembly of one or more files or policies that enable the instantiation of a workspace in accordance with a workspace definition at a cloud service and/or IHS 300B).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, having the teachings of Deshpande and Kozlowski in their entirety, to modify the technique of Deshpande for computing an overall security score for the user based, at least in part, on an aggregation of the security sub-scores, and creating a user profile based on the overall security score by adopting Kozlowski's teaching that, upon detecting a request for access to managed data or a managed resource, the workspace orchestration service may authenticate the identity of the user making the request. The motivation would have been to improve enforcing policy based on assigned user risk scores in a cloud system.
Deshpande in view of Kozlowski do not specifically disclose (i) causing the device to establish an outbound connection to the cloud-based system, (ii) causing a connector associated with the resource to establish an outbound connection to the cloud-based system, and (iii) stitching the outbound connections together within the cloud-based system to create a brokered per-user, per-resource secure communication path without permitting either the device or the connector to accept inbound connections (See Pearce; Paragraph 20; a second communication path between the initiating device and the called device is established through another of the first network and the second network. In other words, if the first communication path is established through the first network (e.g., an IP or cloud-based network), the second communication path will be established through the second network (e.g., the PSTN network). On the other hand, if the first communication path is established through the second network (e.g., the PSTN network), the second communication path will be established through the first network (e.g., the IP or cloud-based network)).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, having the teachings of Deshpande, Kozlowski and Pearce in their entirety, to modify the technique of Deshpande for computing an overall security score for the user based, at least in part, on an aggregation of the security sub-scores, and creating a user profile based on the overall security score by adopting Pearce's teaching of a second communication path being established through the first network (e.g., the IP or cloud-based network). The motivation would have been to improve enforcing policy based on assigned user risk scores in a cloud system.
As per claims 2 and 12: The method of claim 1, wherein the steps further comprise:
receiving the risk score from a security system associated with the cloud-based system (see Deshpande; claim 1; producing a security score, the method comprising: determining security sub-scores for respective items a plurality of devices and applications used by a first user and applications used by the first user; computing an overall security score for the user based).
As per claims 3 and 13: The method of claim 2, wherein the steps further comprise:
storing the risk score in a user database; and retrieving the risk score from the user database prior to the determining (see Deshpande, Paragraph 79; compute an overall security score for the first user based, at least in part, on the collected information; and report the computed overall security score to at least one of the one or more devices).
As per claims 6 and 16: The method of claim 1,
wherein the steps comprise: receiving a policy configuration from an admin User Interface (UI) prior to the determining, and determining whether the user is allowed to access the resource based on the policy and the risk score (see Kozlowski, Paragraph 75; calculate a risk score associated with a request for use of a managed data source and/or application. Classification policy 304 may include administrator and machine-learning defined policies describing risk classifications associated with different security contexts).
As per claims 7 and 17: The method of claim 1, wherein the stitching together the connections comprises selecting within the cloud-based system a particular service edge or node to broker the per-user, per-resource connection (see Pearce, Paragraph 20; a second communication path between the initiating device and the called device is established through another of the first network and the second network. In other words, if the first communication path is established through the first network (e.g., an IP or cloud-based network), the second communication path will be established through the second network (e.g., the PSTN network). On the other hand, if the first communication path is established through the second network (e.g., the PSTN network), the second communication path will be established through the first network (e.g., the IP or cloud-based network)).
As per claims 9 and 19: The method of claim 1, wherein the steps further comprise:
identifying the user as belonging to one of a plurality of risk levels, wherein the risk levels include any of low, medium, high, critical, and unknown based on the risk score; and one of allowing or blocking the user from accessing the resource based on the user’s risk level (see Deshpande, Paragraph 62; In some embodiments, the exemplary Security Alerts in table 800 may be specifically tailored to the SPS value scenarios described herein. For example, different alerts and/or actions may be prescribed depending on whether the SPS value is abnormally high (versus abnormally low). In a normal industrial scenario, abnormally high or abnormally low scores may be equally distressing, but, in the context of security scores, only an abnormally low score (i.e., a very insecure environment) may require further action or input from the user).
As per claims 10 and 20: The method of claim 1, wherein the resource is located in one of a public cloud, a private cloud, and an enterprise network, and wherein the request originates from a device that is remote over the Internet and wherein the cloud-based system mediates all communication between the device and the resource such that no direct network connectivity is established between the device and the environment hosting the resource (see Pearce, Paragraph 39; the techniques provided herein preserve cloud-service customer privacy as the data within the IP and/or cloud-based environment may remain encrypted and private).
Claim(s) 4-5 and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Deshpande (US Patent Pub. 2022/0417279) in view of Kozlowski (US Patent Pub 2023/0153150) and in view of Pearce (US Patent Pub. 2017/0214721) and Merrell (US Patent 7801811).
As per claims 4 and 14: The method of claim 1, receiving a request to access a resource from a device (Paragraph 28; identifying a user and one or more devices associated with the user, collecting information identifying applications used by the user on the one or more devices).
Deshpande in view of Kozlowski and in view of Pearce do not specifically disclose wherein the determining is based on any of an original risk score and an override risk score, and wherein the override risk score takes precedence over the original risk score (See Merrell, claim 1; replacing the calculated money-laundering risk score with a maximum of the respective determined trump scores of each determined overriding risk attribute when at least one of the respective trump scores exceeds the calculated money-laundering risk score).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, having the teachings of Deshpande, Kozlowski, Pearce and Merrell in their entirety, to modify the technique of Deshpande for computing an overall security score for the user based, at least in part, on an aggregation of the security sub-scores, and creating a user profile based on the overall security score by adopting Merrell's teaching of an overriding risk attribute. The motivation would have been to improve enforcing policy based on assigned user risk scores in a cloud system.
As per claims 5 and 15: The method of claim 4, wherein the steps comprise receiving the override risk score from an admin User Interface (UI) prior to the determining (See Merrell; fig. 2; Col 10, lines 22-34; The server 200 may be coupled via the bus 218 to a display 210, such as a cathode ray tube (CRT), for displaying information to a user. An input device 212, including, for example, alphanumeric and other keys, is coupled to the bus 218 for communicating information and command selections to the processor 202).
Claim(s) 8 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Deshpande (US Patent Pub. 2022/0417279) in view of Kozlowski (US Patent Pub 2023/0153150) and in view of Pearce (US Patent Pub. 2017/0214721) and Abilay (US Patent Publication 2021/0203600).
As per claims 8 and 18: The method of claim 1, wherein the steps further comprise:
determining, based on the risk score, the user is not allowed to access the resource; and notifying the user that the resource does not exist (see Deshpande, Paragraph 62; In some embodiments, the exemplary Security Alerts in table 800 may be specifically tailored to the SPS value scenarios described herein. For example, different alerts and/or actions may be prescribed depending on whether the SPS value is abnormally high (versus abnormally low). In a normal industrial scenario, abnormally high or abnormally low scores may be equally distressing, but, in the context of security scores, only an abnormally low score (i.e., a very insecure environment) may require further action or input from the user).
However, Deshpande, Kozlowski and Pearce do not specifically disclose notifying the user that the resource does not exist wherein the notification is generated by the cloud-based system to maintain resource invisibility by suppressing network layer or application layer information that would otherwise expose the resource (See Abilay; Paragraph 23; conceal a network layer address of the local application).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, having the teachings of Deshpande, Kozlowski, Pearce and Abilay in their entirety, to modify the technique of Deshpande for computing an overall security score for the user based, at least in part, on an aggregation of the security sub-scores, and creating a user profile based on the overall security score by adopting Abilay's teaching of concealing a network layer address of the local application. The motivation would have been to improve enforcing policy based on assigned user risk scores in a cloud system.
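As an added illustration, not part of this Office action or of any cited reference, the following Python sketch models the claimed steps discussed above for claims 1, 4, 5, 8 and 9: a risk score mapped to the levels low/medium/high/critical/unknown, an admin-supplied override score that takes precedence over the original score, a policy received from an admin UI, two outbound-only legs (device and connector) stitched inside a cloud-side broker, and a uniform "resource does not exist" reply for denied requests. The class and function names, the numeric level thresholds and the sample policy are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

def risk_level(score: Optional[float]) -> str:
    """Map a numeric risk score to one of the claimed levels (low, medium, high,
    critical, unknown). Thresholds are constructed for this example only."""
    if score is None:
        return "unknown"
    if score < 25:
        return "low"
    if score < 50:
        return "medium"
    if score < 75:
        return "high"
    return "critical"

@dataclass
class UserRecord:
    original_score: Optional[float]          # from the security system / user database
    override_score: Optional[float] = None   # set from the admin UI; takes precedence

    def effective_score(self) -> Optional[float]:
        return self.override_score if self.override_score is not None else self.original_score

@dataclass
class Broker:
    """Cloud-side broker (hypothetical name): accepts only outbound registrations
    from devices and connectors and stitches them into a per-user, per-resource path."""
    policy: Dict[str, Set[str]]                        # resource -> allowed risk levels (admin UI)
    devices: Set[str] = field(default_factory=set)     # devices whose outbound leg is up
    connectors: Set[str] = field(default_factory=set)  # resources whose connector leg is up
    paths: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def device_connects(self, device: str) -> None:
        self.devices.add(device)

    def connector_connects(self, resource: str) -> None:
        self.connectors.add(resource)

    def request(self, user: str, rec: UserRecord, device: str, resource: str) -> Tuple[bool, str]:
        """Decide on the request and, if allowed, stitch the two outbound legs.
        A denied request and a nonexistent resource get the same reply, so the
        response reveals nothing about whether the resource exists."""
        hidden = (False, "resource does not exist")
        if resource not in self.policy or resource not in self.connectors:
            return hidden
        if risk_level(rec.effective_score()) not in self.policy[resource]:
            return hidden
        if device not in self.devices:
            return False, "device has no outbound connection to the broker"
        path_id = f"{user}:{resource}"   # stitched inside the cloud; neither side accepts inbound
        self.paths[(user, resource)] = path_id
        return True, path_id
```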
Relevant Prior Art References
The following prior art is cited as being of interest to the claimed invention but has not been applied in any of the current rejections.
Mahabir et al. - US Patent Publication 2017/0346824 - the prior art teaches techniques for mobile device risk management systems.
Fukisawa et al. - US Patent Pub. 2017/0251007 - the prior art teaches techniques for securing computing environments.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANTHONY D BROWN whose telephone number is (571) 270-1472. The examiner can normally be reached 7:30-3:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Linglan Edwards, can be reached at 571-270-5440. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ANTHONY D BROWN/Primary Examiner, Art Unit 2408