DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to the application filed on 10/10/2024.
Claims 1-20 are currently pending in this application.
No information disclosure statement (IDS) has been filed.
Examiner’s Note
Applicants are advised to incorporate information from figures 3 and 4, with the related text, into the claims to place the application in better condition for allowance.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
Claims 1-20 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which applicant regards as the invention.
Claim 1 (claims 11 and 17 include similar limitations) recites:
“… a path risk associated with a path to a resource in a computing environment …”, however, it is not clear whether the path (defined from a starting point to an ending point) may start from anywhere in the computing environment and lead to the resource – the boundary of the limitations/components is not clearly defined;
“… transmitting, by the path attestation subsystem and to a client device, digital authorization data based on a threat posture associated with an application in the computing environment …”, however, it is not clear whether the application is (1) any application of the computing environment, (2) an application of the path attestation subsystem or (3) an application of the client device - or omitting necessary steps/components which causes the claimed limitations.
Claims 2-10, 12-16 and 18-20 depend from claim 1, 11 or 17, and are analyzed and rejected accordingly.
Claim 3 recites “… the request is based on an application path, and a previous path approval …”, however, it is not clear how to define “an application path” and “a previous path approval” – the boundary of the limitation/terms is not clearly defined.
Claims 7, 15 and 20 recite “… transmitted based on the path to the resource being a previously used path to access the resource and a request for path approval is not associated with an unexpected exploitable path”, however, it is not clear how to define “a previously used path” and “an unexpected exploitable path” – the boundary of the claim limitations is not clearly defined.
Claims 10 and 16 recite “… the path is a path of potential communication and is an input … to a trust broker …”, however, it is not clear (1) how to define “a potential (e.g., possible or future) communication” and (2) how “the path” can be “an input to a trust broker” – the boundary of the claim limitations is not clearly defined.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103, which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-6, 8, 9, 11-14 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Edwards et al. (US 8,990,900 B2) in view of Devaney et al. (US 10,333,930 B2).
As per claim 1, Edwards teaches a method, comprising:
receiving, by a path attestation subsystem and from a path monitoring subsystem, an indication of a path risk (or a path authorization) associated with a path to a resource in a computing environment [figs. 1, 3; col. 1, lines 23-34; col. 3, lines 1-25; col. 4, lines 51-57; col. 5, lines 21-37 of Edwards teaches receiving, by a path attestation subsystem (e.g., a component of the authorization system) and from a path monitoring subsystem (e.g., a component of the volume management system), an indication of a path risk (e.g., unauthorized access with a notion of a path) associated with a path to a resource in a computing environment (e.g., the volume or the action on the specific resource of the cloud computing environment)]; and
transmitting, by the path attestation subsystem and to a client device, digital authorization data based on a threat posture (or a required security status) associated with an application in the computing environment, wherein the threat posture is based on the path risk associated with the path, wherein an access request by the client device to access the resource is based on the digital authorization data, and a path attestation is associated with authorizing access based on the threat posture [figs. 5, 6; col. 5, lines 55-59; col. 6, lines 46-63; col. 8, lines 28-49; col. 11, lines 4-6, 29-32 of Edwards teaches transmitting, by the path attestation subsystem (e.g., the component of the authorization system) and to a client device (e.g., the application of the user), digital authorization data (e.g., the decision information) based on a threat posture (e.g., completing a training/refresher course, the scanned and deemed virus free volume, etc.) associated with an application in the computing environment (e.g., the cloud computing environment), wherein the threat posture is based on the path risk associated with the path (e.g., completing a training/refresher course required for the application to access the resource/volume), wherein an access request by the client device to access the resource is based on the digital authorization data (e.g., the decision information), and a path attestation is associated with authorizing access based on the threat posture (e.g., completing a training/refresher course, the scanned and deemed virus free volume, etc.)].
Although Edwards teaches an indication of unauthorized access with a path as the risk of the claimed limitations, and checking security protections (the required security status for the authorization information) as the threat posture of the claim, the teaching of Devaney is added, for compact prosecution, to show the obviousness of the claimed limitation of unauthorized access as a risk and checking security protections as the threat posture [fig. 5; abstract; col. 1, lines 8-17; col. 4, lines 1-4; col. 7, lines 14-26; table 1 of Devaney teaches unauthorized access as a risk and checking security protections as the threat/security posture].
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Edwards with the teaching of Devaney to include defining the unauthorized access as the risk and security protection status as the threat/security because it provides creating a secure connection between a remote client computing device and an enterprise asset platform - see abstract of Devaney.
As per claim 2, Edwards in view of Devaney teaches the method of claim 1.
Edwards further teaches wherein the path risk is based on a request, from the client device to the path monitoring subsystem, for a path approval for the path to the resource in the computing environment, and the digital authorization data is transmitted based on the request [fig. 6; col. 3, lines 1-9; col. 10, lines 25-53 of Edwards teaches wherein the path risk (e.g., the path authorization) is based on a request, from the client device (e.g., the user or application of the entity 301) to the path monitoring subsystem (e.g., the component of the volume management system), for a path approval for the path to the resource (e.g., the authorization of the entity for accessing the volume) in the computing environment (e.g., the cloud computing environment), and the digital authorization data (e.g., the decision information) is transmitted based on the request – see also rejections to the claim 1].
As per claim 3, Edwards in view of Devaney teaches the method of claim 2.
Edwards further teaches wherein the request is based on an application path, and a previous path approval is no longer valid based on the application update [col. 5, lines 14-22; col. 9, lines 38-44 of Edwards teaches wherein the request is based on an application path (e.g., the path from a particular application), and a previous path approval is no longer valid based on the application update (e.g., the bespoke privileges)].
As per claim 4, Edwards in view of Devaney teaches the method of claim 1.
Edwards further teaches wherein the access request indicates the digital authorization data or a substitute for the digital authorization data [fig. 6; col. 3, lines 1-18; col. 4, lines 10-13; col. 11, lines 29-32; col. 12, lines 61-67 of Edwards teaches wherein the access request indicates the digital authorization data or a substitute for the digital authorization data (e.g., authorization of the action in relation to volumes) – see also rejections to the claim 1].
As per claim 5, Edwards in view of Devaney teaches the method of claim 1.
Edwards further teaches wherein the resource is an asset that is protected for purposes of confidentiality, integrity, or availability [fig. 3; col. 3, lines 1-18 of Edwards teaches wherein the resource is an asset that is protected for purposes of confidentiality, integrity, or availability (e.g., the available volume)].
As per claim 6, Edwards in view of Devaney teaches the method of claim 1.
Edwards further teaches receiving, by the path attestation subsystem and from the client device, information associated with the threat posture, wherein the information includes one or more of: a credential score, an identity score, a trusted execution status, a device posture score, or a device intrusion score, and wherein the digital authorization data is received based on the information [figs. 3, 6; col. 10, lines 10-49 of Edwards teaches receiving, by the path attestation subsystem and from the client device (e.g., the entity of the application), information (e.g., the particular attribute) associated with the threat posture (e.g., security protection status), wherein the information includes one or more of: a credential score, an identity score, a trusted execution status (e.g., completing a training/refresher course, the scanned and deemed virus free volume, etc.), a device posture score, or a device intrusion score, and wherein the digital authorization data (e.g., the decision information) is received based on the information (e.g., the particular attribute) – see also rejections to the claim 1].
As per claim 8, Edwards in view of Devaney teaches the method of claim 1.
Edwards further teaches wherein the digital authorization data is transmitted based on the threat posture satisfying a threshold [figs. 3, 6; col. 10, lines 10-49 of Edwards teaches wherein the digital authorization data (e.g., the decision information) is transmitted based on the threat posture satisfying a threshold (e.g., completing a training/refresher course)].
As per claim 9, Edwards in view of Devaney teaches the method of claim 1.
Edwards further teaches wherein the digital authorization data is transmitted based on a comparison of the threat posture to a previous deployment of the application [figs. 3, 6; col. 9, lines 16-27, 58-62; col. 10, lines 10-49 of Edwards teaches wherein the digital authorization data (e.g., the decision information) is transmitted based on a comparison of the threat posture (e.g., security protection status) to a previous deployment of the application (e.g., the previously completing of the training course)].
Claims 11-14 are device claims that correspond to the method claims (a part of) 1, 2, 5 and 6, and are analyzed and rejected accordingly – see column 13 for the component (e.g., processor) of the device.
Claims 17-20 are medium claims that correspond to the method claims (a part of) 1, 2, 6 and 8, and are analyzed and rejected accordingly – see column 13 for the component of the medium.
Allowable Subject Matter
Claims 7, 10, 15 and 16 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims and amended to overcome the 112(b) rejections stated above.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAUNG T LWIN whose telephone number is (571)270-7845. The examiner can normally be reached on Monday - Friday 10:00 am - 6:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MAUNG T LWIN/Primary Examiner, Art Unit 2495