Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
The instant application having Application No. 18/595,743 is presented for examination by the examiner. Claims 1 and 11 are amended. Claims 1-3, 6-13 and 16-20 have been examined.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant’s submission filed on 04/19/2024 has been entered.
Claims 1 and 11 are independent claims. The applicant has amended claims 1 and 11. Claims 1-3, 6-13 and 16-20 have been examined and are pending. This Action is made Non-FINAL.
Response to Arguments
Applicant’s arguments with respect to claim(s) 1 and 11 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
The Examiner respectfully suggests that the claim be further amended; details in the specification be incorporated, to distinguish the claimed invention over prior art of record. Should the Applicant desire an interview to further clarify the claim interpretation/rejections, please contact the Examiner at (571) 272-1531 to schedule an interview.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-3, 7-13 and 17-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sailer (US 2023/0177435 A1), in view of Narayanaswamy (US 20190268381 A1).
Regarding Claim 1
Sailer discloses:
A computer system for implementing controls for a cloud computing environment, comprising:
one or more processors; and
non-transitory computer-readable storage media encoding instructions which, when executed by the one or more processors, causes the computer system to create:
a repository engine programmed to consolidate the controls for the cloud computing environment (Sailer ¶5: teaches a repository engine, implemented as the compliance management tier and its associated modules, which consolidate controls by encapsulating security and compliance policies in a standardized format (e.g., OSCAL), thereby making them centrally accessible and reusable across the cloud computing environment.);
an adherence validation engine programmed to validate compliance with the controls of the cloud computing environment (Sailer ¶53: teaches an adherence validation engine, implemented as a collector component, which validates compliance with controls by gathering configuration information from the cloud computing environment and comparing it against customer-defined security standards.);
a security risk engine programmed to assess security risks associated with the workload processing and the data stored in the cloud computing environment (Sailer ¶51: teaches a security risk engine, implemented as a system component that assesses security posture, which evaluates security risks associated with workload processing and data stored in the cloud environment by identifying anomalies, vulnerabilities, and threats.); and
an adherence monitoring engine programmed to monitor compliance of the cloud computing environment with the controls and measure changes to the security risks (Sailer ¶46, 51 and 58: teaches an adherence monitoring engine, implemented as a system component responsible for continuous operations monitoring, which monitors compliance of the cloud computing environment with controls and measures changes to security risks by continuously tracking feature behavior, performance, and security posture, detecting incidents, and initiating remediation actions.).
Sailer teaches a modular cloud compliance system that includes a repository for standardized controls, a validation engine that checks configurations against security standards, a risk engine that assesses posture and detects threats, and a monitoring engine that continuously tracks compliance and security changes. However, they do not disclose the following limitation “a workload engine programmed to determine an applicability of the controls to workload processing and data stored in the cloud computing environment, including to: classify the data based upon data type and other relevant attributes in the cloud computing environment; select one or more of the controls based upon the data type and the other relevant attributes in the cloud computing environment, wherein the one or more of the controls are compliance controls; and automatically apply the one or more of the controls based upon the data type to minimize false alerts and increase scalability of the computer system by applying the one or more of the controls that are applicable to the data ”
On the other hand, Narayanaswamy teaches the claimed workload engine functionality collectively through its classification engine, content policy framework and inspective analyzer. Specifically Narayanaswamy’s classification engine classifies data in cloud services by data type and other relevant attributes by evaluating content against content profiles comprising of standard and custom data identifiers, expressly including compliance directed identifiers such as PII, PCI, ePHI and HIPAA (¶201-206). Narayanaswamy’s content policy framework then selects compliance controls based upon that classification by mapping classified data types to content policies that are explicitly directed to regulatory compliance standards including HIPAA, PCI, and PII data security requirements (¶234-244, 369-371). Narayanaswamy’s inspective analyzer operating in passive mode automatically applies those compliance controls to data already in the cloud services, using context aware detection and selective policy application to enforce only the controls applicable to the classified data, thereby minimizing false alerts and increasing scalability (¶95-96, 244, 263).
It would have been obvious to one of ordinary skill in the art to incorporate Narayanaswamy’s data classification and compliance control selection mechanism into Sailer’s cloud compliance platform. Both references are directed to cloud security and compliance management in a cloud computing environment and address the same problem of ensuring appropriate controls are applied to sensitive data in cloud environments. The combination merely applies Narayanaswamy’s known data type driven compliance control selection to Sailer’s existing framework, yielding the predictable result of context aware selective compliance enforcement. Specifically, the combination reduces false alerts through context aware detection and improve scalability through selective policy application, which are benefits recognized by Narayanaswamy and consistent with Sailer’s scalable cloud compliance management framework.
Regarding Claim 2
Sailer discloses:
The computer system of claim 1, wherein the repository engine is a centralized repository of the controls (Sailer ¶53-55: Teaches a repository engine that is a centralized repository of the controls by describing a compliance management tier that encapsulates standardized security and compliance policies implemented by underlying controls. The control-based information is maintained and shared in a machine-readable OSCAL format to facilitate centralized access, maintenance, and automation of control execution.).
Regarding Claim 3
Sailer discloses:
The computer system of claim 1, wherein the repository engine is further programmed to keep the controls current (Sailer ¶54, 60, 72: teach a repository engine, implemented as the compliance management tier and its associated modules, that is further programmed to keep the controls current by continuously aligning, updating, and integrating user-specified and regulation-specified controls through modular architecture and automated compliance processing.).
Regarding Claim 7
Sailer discloses:
The computer system of claim 1, wherein the adherence validation engine is further programmed to audit the data in the cloud computing environment in near real-time (Sailer ¶51, 53 and 56: teach an adherence validation engine, implemented as the collector and associated assessment components of the compliance platform, that is further programmed to audit data in the cloud computing environment in near real-time by continuously validating security configurations and posture against customer-defined controls using automated assessments and monitoring.).
Regarding Claim 8
Sailer discloses:
The computer system of claim 1, wherein the security risk engine is further programmed to automatically calculate an aggregated risk associated with the data in the cloud computing environment (Sailer ¶51, 53, 56: teaches a security risk engine that automatically calculates aggregated risk by describing how a compliance platform assesses posture, detects vulnerabilities and threats, collects evidence, and aggregates results across components and environments for reporting.).
Regarding Claim 9
Sailer discloses:
The computer system of claim 1, wherein the security risk engine is further programmed to compare the security risks to a threshold to determine appropriate alerting (Sailer ¶58: teaches a security risk engine (Policy Validation Points (PVPs) and assessment tools) that compares security risks to defined thresholds and determines appropriate alerting by describing how compliance profiles and policy parameters are declared, validated against actual posture using automated assessment tools, and how alerts, remediations, and summarized risk postures are generated and presented to compliance officers.).
Regarding Claim 10
Sailer discloses:
The computer system of claim 1, wherein the adherence monitoring engine is further programmed to manage drift associated with the cloud computing environment (Sailer ¶46, 55, 58: teaches an adherence monitoring engine implemented as the compliance hub working with Policy Validation Points (PVPs) and assessment tools, which continuously validate compliance profiles, detect deviations in inventory components (i.e., configuration drift), and trigger remediations or reports to manage that drift within the cloud computing environment.).
Regarding Claim 11
Claim 11 is directed to a method corresponding to the computer-implemented method in claim 1. Claim 11 is similar in scope to claim 1 and is therefore rejected under similar rationale.
Regarding Claim 12
Claim 12 is directed to a method corresponding to the computer-implemented method in claim 2. Claim 12 is similar in scope to claim 2 and is therefore rejected under similar rationale.
Regarding Claim 13
Claim 13 is directed to a method corresponding to the computer-implemented method in claim 3. Claim 13 is similar in scope to claim 3 and is therefore rejected under similar rationale.
Regarding Claim 17
Claim 17 is directed to a method corresponding to the computer-implemented method in claim 7. Claim 17 is similar in scope to claim 7 and is therefore rejected under similar rationale.
Regarding Claim 18
Claim 18 is directed to a method corresponding to the computer-implemented method in claim 8. Claim 18 is similar in scope to claim 8 and is therefore rejected under similar rationale.
Regarding Claim 19
Claim 19 is directed to a method corresponding to the computer-implemented method in claim 9. Claim 19 is similar in scope to claim 9 and is therefore rejected under similar rationale.
Regarding Claim 20
Claim 20 is directed to a method corresponding to the computer-implemented method in claim 10. Claim 20 is similar in scope to claim 10 and is therefore rejected under similar rationale.
Claims 6 and 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sailer (US 2023/0177435 A1), in view of Narayanaswamy (US 20190268381 A1) as applied to claim 1 and 11 above, and in further view of Thomson (US 2022/0368699 A1).
Regarding Claim 6
Sailer and Narayanaswamy teach a modular cloud compliance system that includes a repository for standardized controls, a validation engine that checks configurations against security standards, a risk engine that assesses posture and detects threats, and a monitoring engine that continuously tracks compliance and security changes. However, they do not disclose the following limitation “wherein the adherence validation engine is further programmed to correlate the data from the cloud computing environment with a local datastore”.
However, in an analogous art, Thomson (¶73-82) discloses an adherence validation engine, implemented as the zone protection engine and associated intelligence modules of the cloud-based protection platform, that is further programmed to correlate data from the cloud computing environment with a local datastore by receiving cloud-based threat intelligence and mitigation updates, matching them against user-specific protection zones, and storing corresponding blocklists and alerts in a local datastore for real-time enforcement on endpoint devices. Given the teachings of Thomson, a person having ordinary skill in the art before the effective filing date of the claimed invention would have found it obvious to modify the teachings of Sailer and Narayanaswamy by implementing a zone protection engine and associated intelligence modules via external APIs , and correlate this intelligence against user-specific protection zones and endpoint data to identify relevant threats. Mitigation instructions, blocklists, and alert data derived from this cloud analysis are then sent to and stored in a local datastore on the endpoint device, enabling real-time threat mitigation and enforcement based on both cloud-derived and locally stored intelligence. These disclosures in Thomson collectively teach a correlation mechanism between cloud intelligence and local datastore content to drive policy enforcement and alerting. It would have been obvious to one of ordinary skill in the art to configure an adherence validation engine to correlate cloud-based threat data with a local datastore to improve detection accuracy and policy enforcement responsiveness, as such correlation enables more context-aware, device-specific enforcement actions and aligns with well-established cloud security practices involving hybrid intelligence synchronization and endpoint-local enforcement.
Regarding Claim 16
Claim 16 is directed to a method corresponding to the computer-implemented method in claim 6. Claim 16 is similar in scope to claim 6 and is therefore rejected under similar rationale.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAAD ABDULLAH whose telephone number is 571-272-1531. The examiner can normally be reached on Monday-Friday 9am-5pm EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, LYNN FIELD can be reached on 571-272-2092.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SAAD AHMAD ABDULLAH/ Examiner, Art Unit 2431
/LYNN D FEILD/ Supervisory Patent Examiner, Art Unit 2431