Prosecution Insights
Last updated: April 19, 2026
Application No. 18/744,051

SYSTEMS AND METHODS FOR SECURE, SCALABLE ZERO TRUST SECURITY PROCESSING

Final Rejection §103
Filed: Jun 14, 2024
Examiner: SALEHI, HELAI
Art Unit: 2433
Tech Center: 2400 — Computer Networks
Assignee: Fortinet Inc.
OA Round: 2 (Final)

Grant Probability: 72% (Favorable)
Expected OA Rounds: 3-4
Time to Grant: 3y 7m
Grant Probability With Interview: 99%

Examiner Intelligence

Grants 72% — above average
Career Allow Rate: 72% (377 granted / 521 resolved; +14.4% vs TC avg)
Interview Lift: +32.4% (strong; resolved cases with interview compared to those without)
Typical timeline: 3y 7m average prosecution; 16 currently pending
Career history: 537 total applications across all art units

Statute-Specific Performance

§101: 10.8% (-29.2% vs TC avg)
§103: 44.1% (+4.1% vs TC avg)
§102: 26.4% (-13.6% vs TC avg)
§112: 7.8% (-32.2% vs TC avg)
Comparison is against the Tech Center average estimate • Based on career data from 521 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

This is a Final Office action in response to communications received November 12, 2025. Claims 1, 8, 15 have been amended. Therefore, claims 1-20 are pending and addressed below.

Response to Arguments

Applicant’s arguments, see Pages 7-9, filed November 12, 2025, with respect to the rejection(s) of claim(s) 1-20 under 35 USC 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of newly found prior art reference, Veereshwara et al. (US2021/0273918 A1, publish date 09/02/2021). Based on claim’s amendments, the Examiner rejects claims 1-20 with the new ground of rejections.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Shravan et al. (US2021/0281576 A1, file date 03/04/2020) in view of Veereshwara et al. (US2021/0273918 A1, publish date 09/02/2021) further in view of Levin et al. (US2022/0029988 A1, file date 07/27/2020).

Claims 1, 8, 15:

With respect to claims 1, 8, 15, Shravan et al. discloses a method/system for zero trust security processing for an endpoint device in a network (The network appliance (or a server associated with the network appliance) requests compliance details from the user device based on the configured policies. 0010) (The private network 104 includes a network appliance 110 (e.g., a network access control (NAC) device or a virtual private network (VPN) controller, a software defined perimeter (SDP) controller, etc.), 0022) (Figures 1 and 6) / non-transitory computer readable medium having stored thereon instructions (Instructions embedded or encoded in a computer-readable medium may cause a programmable processor, or other processor, to perform the method, e.g., when the instructions are executed. Computer-readable media may include non-transitory computer-readable storage media, 0051) that, when executed, cause one or more processing devices to / the method comprising: a memory device (the network appliance 110 includes a device operating system 302 for controlling device resources 304 (e.g., processor(s), memory, network interfaces, etc.), 0035, Figure 3); a hardware processor coupled with the memory device (Figure 1), the hardware processor configurable to: receiving, by a first processing device, an indication that a security posture of an endpoint device has changed to a new security posture (The client 120 monitors for changes on the user device 118 related to the compliance information, the client 120 detects that at least one setting related to the requested compliance information has changed on the user device 118 (622). Based on the updated compliance information, the client 120 provides only compliance information that has changed since the compliance information was last sent to the network appliance 110 (624), 0047) (Figure 6, 620, 622, 624), wherein the endpoint device includes an endpoint agent executing on the endpoint device (client 120 makes an initial request for access to a protected network zone and/or protected resource 116 within the private network 104 (602), 0043) (Figure 6, 602); acquiring, by the first processing device, information corresponding to at least one change in the security posture (Based on the updated compliance information, the client 120 provides only compliance information that has changed since the compliance information was last sent to the network appliance 110 (624), 0047) (Figure 6, 620, 622, 624).

Shravan et al. does not disclose selecting, with the first processing device, one of a plurality of endpoint management systems based on availability or location of the endpoint device; transmitting, by the first processing device, a message to the selected endpoint management system; receiving a new security certificate generated by the selecting endpoint management system based at least on the new security posture of the endpoint device; installing the new security certificate in at least one directory corresponding to the endpoint agent; and utilizing the new security certificate to access a secure resource as claimed.

Veereshwara et al. teaches identity certificate 300 used for authenticating identity of the service, the PII posture 302 can be embedded into the identity certificate 300, e.g. as x509 extensions (0038, Figure 3), selecting, with the first processing device, one of a plurality of endpoint management systems based on availability or location of the endpoint device (one or more fog nodes 162 can be mobile fog nodes. The mobile fog nodes can move to different geographic locations, logical locations or networks, and/or fog instances while maintaining connectivity with the cloud layer 154 and/or the endpoints 116, the particular fog node may connect to a particular physical and/or logical connection point with the cloud 154 while located at the starting location and switch to a different physical and/or logical connection point with the cloud 154 while located at the destination location, 0031); transmitting, by the first processing device, a message to the selected endpoint management system; receiving a new security certificate generated by the selecting endpoint management system based at least on the new security posture of the endpoint device; installing the new security certificate in at least one directory corresponding to the endpoint agent; and utilizing the new security certificate to access a secure resource (can exchange such identity certificates with each other to authenticate the identity of the other micro service, to exchange the embedded PII postures, and to further authenticate the validity of the embedded PII postures at the sidecars, the identity certificate 200 would need to be regenerated with the updated PII posture 302, The sidecars 204 and 214 can also selectively apply one or more of the different postures, include to the location of one or both micro services, when both micro services engaged in the same PII communication are at the same network environment, premise, or enterprise, send alert for the transmission, when both microservices engaged in the same PII communication are not at the same network environment, premise, or enterprise, at least one sidecar would drop or anonymize, 0042).

Shravan et al. and Veereshwara et al. are analogous art because they are from the same field of endeavor of security posture networks. It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Veereshwara et al. in Shravan et al. for selecting, with the first processing device, one of a plurality of endpoint management systems based on availability or location of the endpoint device; transmitting, by the first processing device, a message to the selected endpoint management system; receiving a new security certificate generated by the selecting endpoint management system based at least on the new security posture of the endpoint device; installing the new security certificate in at least one directory corresponding to the endpoint agent; and utilizing the new security certificate to access a secure resource as claimed for purposes of providing security in the communication of personally identifiable information (PII) in network environments and for preventing PII leakage (see 0021, 0032).

Levin et al. teaches providing zero-trust network security, The intermediate CA certificates are distributed among nodes, authorized entities are allowed to communicate pursuant to a network firewall policy to be enforced (0018), receiving a new security certificate based at least on the new security posture; installing the new security certificate in at least one directory corresponding to the endpoint agent (Each entity receives a unique intermediate CA certificate, new intermediate CA certificates are sent, for example, periodically (e.g., when the current period of time is about to expire), 0028); and utilizing the new security certificate to access a secure resource (a host certificate is valid if it is a non-expired CA certificate issued by the same central authority, where communications with the other entity are allowed, 0036, 0041).

Shravan et al., Veereshwara et al. and Levin et al. are analogous art because they are from the same field of endeavor of network security. It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Levin et al. in Shravan et al. and Veereshwara et al. for purposes of enforcing identity-based network firewall policies in a seamless manner which does not require modifying entities or network infrastructure. By distributing CA certificates to and deploying agents at each node, the central authority can cause enforcement of the firewall policy in a distributed manner and without requiring modifying the underlying infrastructure and improve security by providing techniques for preventing unauthorized use of stolen certificates (see Levin et al. 0021).

Claims 2, 9, 16:

With respect to claims 2, 9, 16, the combination of Shravan et al., Veereshwara et al. and Levin et al. discloses the limitations of claims 1, 8, 15, as addressed. Levin et al. teaches wherein transmitting, by the first processing device, a message to the selected endpoint management system comprises a request to register the endpoint device with the selected endpoint management system (the central authority is able to distribute the load of creating identity data (e.g., identity tokens) among the nodes based on the certificates issued by the central authority, 0030) (a host certificate is valid if it is a non-expired CA certificate issued by the same central authority. In a further embodiment, S340 includes determining whether the certificate of the host certificate includes a valid host signature (e.g., a valid signature of a cloud provider), 0036). Shravan et al., Veereshwara et al. and Levin et al. are analogous art because they are from the same field of endeavor of network trust security. The motivation for combining Shravan et al., Veereshwara et al. and Levin et al. is recited in claims 1, 8, 15.

Claims 3, 10, 17:

With respect to claims 3, 10, 17, Shravan et al. discloses wherein transmitting, by the first processing device, a message to the selected endpoint management system comprises a request indicating the new security posture (The client 120 monitors for changes on the user device 118 related to the compliance information, the client 120 detects that at least one setting related to the requested compliance information has changed on the user device 118 (622). Based on the updated compliance information, the client 120 provides only compliance information that has changed since the compliance information was last sent to the network appliance 110 (624), 0047) (Figure 6, 620, 622, 624).

Claims 4, 11, 18:

With respect to claims 4, 11, 18, Shravan et al. discloses a security certificate for the endpoint device (The authentication credentials include one or more of (ii) a digital certificate, (iii) a cryptographic token, 0025). Levin et al. teaches providing zero-trust network security, The intermediate CA certificates are distributed among nodes, authorized entities are allowed to communicate pursuant to a network firewall policy to be enforced (0018), wherein transmitting, by the first processing device, a message to the selected endpoint management system comprises a request having the new security certificate (Each entity receives a unique intermediate CA certificate, new intermediate CA certificates are sent, for example, periodically (e.g., when the current period of time is about to expire), 0028). Shravan et al., Veereshwara et al. and Levin et al. are analogous art because they are from the same field of endeavor of zero trust security. The motivation for combining Shravan et al., Veereshwara et al. and Levin et al. is recited in claims 1, 8, 15.

Claims 5, 12, 19:

With respect to claims 5, 12, 19, Shravan et al. discloses wherein the security posture includes at least one of: an indication of an out of date operating system executing on the endpoint device, an insecure application executing on the endpoint device, a vulnerable hardware element included as part of the endpoint device, or an up to date virus detection and mitigation application executing on the endpoint device (a policy may require that the user device 118 have a certain antivirus product, settings of the antivirus product, a certain firewall product, settings of the firewall product, a certain patch management product, settings of the patch management product, a certain status of an application (e.g., the application is open, etc.), a certain a file on the device, a certain status of one or more ports, and/or settings of registry keys, etc. The network appliance 110 requests all compliance information related to the identified requirements (606), 0044).

Claims 6, 13, 20:

With respect to claims 6, 13, 20, Shravan et al. discloses further comprising: determining, by the processing device, an owner of the endpoint device based at least in part on information received as part of the request from the endpoint device (identifying information checks (e.g., username and password checks and/or certificate checks) to authenticate a user and/or a device, 0004) (authenticates the identity of the user of the user device 118 using user credentials (sometimes referred to as “authentication credentials”) supplied by the client 120 (sometimes referred to as performing an “authentication check”). The authentication credentials include one or more of (i) a username and password that relate to a particular user of user device 118, (ii) a digital certificate, (iii) a cryptographic token, (iv) a biometric token, and/or (v) two-device authorization information, user account, 0025).

Claims 7, 14:

With respect to claims 7, 14, Shravan et al. discloses wherein accessing the secure resource occurs until a network session disconnect (the network appliance 110 may determine that the updated compliance information is not within the proper timeframe, 0048). Levin et al. teaches wherein accessing the secure resource occurs until a network session disconnect (execution continues with S380, where communications with the other entity are blocked, 0041). Veereshwara et al. teaches indicate dropping the PII from the sidecar if the microservice that transmitted the PII is not allowed to transmit the PII, e.g. according to rules for controlling communication of PII (0040). Shravan et al., Veereshwara et al. and Levin et al. are analogous art because they are from the same field of endeavor of zero trust security. The motivation for combining Shravan et al., Veereshwara et al. and Levin et al. is recited in claims 1, 8, 15.

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a).

Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Helai Salehi whose telephone number is 571-270-7468. The examiner can normally be reached on Monday - Friday from 9 am to 5 pm. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeff Pwu, can be reached on 571-272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/HELAI SALEHI/
Examiner, Art Unit 2433

/JEFFREY C PWU/
Supervisory Patent Examiner, Art Unit 2433

Prosecution Timeline

Jun 14, 2024: Application Filed
Aug 08, 2025: Non-Final Rejection — §103
Nov 12, 2025: Response Filed
Mar 18, 2026: Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12587382: METHOD AND SYSTEM FOR PROCESSING BIOMETRIC DATA (granted Mar 24, 2026; 2y 5m to grant)
Patent 12587504: CONNECTIONLESS-VIRTUAL PRIVATE NETWORK FOR SECURE CLOUD TO USER COMMUNICATION OVER THE INTERNET USING A PLURALITY OF SERVERS (granted Mar 24, 2026; 2y 5m to grant)
Patent 12566860: STATIC-DYNAMIC INTEGRATION (granted Mar 03, 2026; 2y 5m to grant)
Patent 12556586: ADAPTIVE NETWORK SECURITY USING ZERO TRUST MICROSEGMENTATION (granted Feb 17, 2026; 2y 5m to grant)
Patent 12547684: Integrating real-world and virtual-world systems (granted Feb 10, 2026; 2y 5m to grant)
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 72%
With Interview: 99% (+32.4%)
Median Time to Grant: 3y 7m
PTA Risk: Moderate
Based on 521 resolved cases by this examiner. Grant probability derived from career allow rate.
