DETAILED ACTION
This Office Action is in response to the communication filed on 11/09/2020. 
Claims 1-22 are pending. 
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 11/09/2020 has been entered.
Response to Arguments
Applicant's Remarks filed on 11/09/2020 have been fully considered.  Although there might be differences between Applicant's invention and the cited references, the current claims have not successfully captured these differences to render the claims distinguishable from the cited references. In response to Applicant's argument on pages 8-9 of Remarks that claim 1 is distinguishable over 
Johnson does not describe the credentialing service 122 as being a storage of security credentials associated with a given service platform ("the service platform" in the claims) and capable of maintaining security credentials assigned to be available for the service platform when needed and ready for use by new virtual computing instances belonging to different classes of virtual computing instances. The Johnson credentialing service 122 is only described in general as serving new cloud based VMs, i.e., a single class of VMs," Examiner respectfully disagrees. Examiner appreciates Applicant's amendments of the claims for further clarification, however, upon further consideration, it was determined that the amendments to the claims do not include features that distinguish from the cited prior arts. Firstly, it should be noted that the claim does not further clarify the type or structure of the claimed "service platform." The term "service platform" is a broad term that covers any one or more of hardware, software, operating system, environment, domain, context, etc. on a device. Moreover, the language  (e.g. fig. 2A, [0056], "Referring to FIGS. 2A-2B, additional details regarding initialization and operation of cloud-based virtual machines, such as 110, are provided" [0057], "The method 200 is described…a virtual machine being initialized at startup detection operation…This can occur, for example, based on detection of that virtual machine transmitting a request for addition to a vLAN or otherwise indicating its presence to an overall computing arrangement" [0059], "Continuing with method 200, each virtual machine that is instantiated can be added to one or more communities of interest…communities of interest refer generally to like-situated systems that are intended to be allowed to share data and to view each other"). Thus, Johnson teaches virtual machines belonging to different classes of virtual machines. 
Moreover, Johnson teaches maintaining a credential service storing different COI keys for different COI groups for use by virtual machines belonging to the different COI groups created and  (e.g. [0060], "it is determined whether the virtual machine to be instantiated is a cloud-based virtual machine…If a cloud-based virtual machine, the virtual machine is configured for communication with a virtual gateway (e.g., gateway 114) that is defined to allow communication with the cloud-based VM as if it were a part of a community of interest that is maintained within the private domain. This can be accomplished in a variety of ways. In example embodiments, a cloud-based VM can obtain a VM COI key and associated filters by first requesting a service mode key and filters, thereby allowing the cloud-based VM (e.g., applet 130 of that VM) to access a credentialing service 122 to obtain VM credentials (credentials used directly by the cloud-based VM) and/or VPN credentials (credentials used by the vDR to communicate with private domain VMs on behalf of the cloud-based VM), allowing for (1) secured communication, via Stealth, within the cloud-based vLAN using a VM COI key(s) and associated filter(s), (2) secured communication, via IPsec, with the gateway 114, and (3) secured communications from the vDR to private-domain VMs via the VPN COI key(s) and associated filters.  Additional details regarding assignment of different community of interest keys to ensure privacy of COI keys for a community of interest are described below in connection with FIGS. 5A-5D"). Thus, Johnson teaches maintaining, in a storage of security 
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –


Claims 1-5, 10-14, 16-18, and 20-22 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Johnson et al. (US 2015/0381596 A1).
Claim 1, Johnson teaches:
A method of securing data in virtualized environment where virtual computing instances interface a service platform operated on a physical computing apparatus, the method comprising: (e.g. figs. 1-4, 7-8, [0021], "initializing a virtual machine within a secure hybrid cloud…establishing secure communications at the cloud-based virtual machine based on the role cloud credentials, including receiving a role cloud community of interest key at the cloud-based virtual machine used for secure communication among the cloud-based virtual machine and other cloud-based virtual machines")
maintaining, in a storage of security credentials associated with the service platform, security credentials that are assigned to be available for the service platform when needed and ready for use by new virtual computing instances interfacing the service platform and belonging to different classes of virtual computing instances, (e.g. [0059], "Continuing with method 200, each virtual machine that is instantiated can be added to one or more communities of interest…communities of interest refer generally to like-situated systems that are 
 (e.g. [0056], "Referring to FIGS. 2A-2B, additional details regarding initialization and operation of cloud-based virtual machines, such as 110, are provided" [0057], "The method 200 is described…a virtual machine being initialized at startup detection operation…This can occur, for example, based on detection of that virtual machine transmitting a request for addition to a vLAN or otherwise indicating its presence to an overall computing arrangement, as discussed above in connection with FIG. 1" [0058], "When a cloud VM is commissioned…certain tenant-specific configuration information is provided to initialize the VM…the format and contents of the commissioning information is across all cloud platforms within the supported OS levels…In particular, Stealth software should be commissioned with a URL of the authorization service 133 used for authentication and authorization of the VM, and the IPsec VPN client configuration information, including the IP address of the gateway 114 and service mode credentials useable to access the credentialing service 122")
determining, by the computing apparatus and for the new virtual computing instance, a class of virtual computing instances, (e.g. [0035], "the virtual machines may be logically organized into a number of community-of-
selecting, by the computing apparatus and based on the class of virtual computing instances determined for the new virtual computing instance, at least one of the security credentials assigned to be available for the service platform, in the storage of security credentials, and for selection for the determined class of virtual computing instances, (e.g. [0059], "Continuing with method 200, each virtual machine that is instantiated can be added to one or more communities of interest…communities of interest refer generally to like-situated systems that are intended to be allowed to share data and to view each other" [0060], "it is determined whether the virtual machine to be instantiated is a cloud-based virtual machine…If a cloud-based virtual machine, the virtual machine is configured for communication with a virtual gateway (e.g., gateway 114) that is defined to allow communication with the cloud-based VM as if it were a part of a community of interest that is maintained within the private domain. This can be accomplished in a variety of ways. In example embodiments, a cloud-based VM 
obtaining, by the computing apparatus and from the storage of security credentials, the selected at least one security credential, and (e.g. [0060], "a cloud-based VM can obtain a VM COI key and associated filters by first requesting a service mode key and filters, thereby allowing the cloud-based VM (e.g., applet 130 of that VM) to access a credentialing service 122 to obtain VM credentials (credentials used directly by the cloud-based VM) and/or VPN credentials (credentials used by the vDR to communicate with private domain VMs on behalf of the cloud-based VM), allowing for (1) secured communication, via Stealth, within the cloud-based vLAN using a VM COI key(s) and associated filter(s), (2) secured communication, via IPsec, with the gateway 114, and (3) secured 
securing, by the computing apparatus, data communicated with at least one other computing instance based on the selected at least one security credential obtained from the storage of security credentials. (e.g. [0060], "a cloud-based VM can obtain a VM COI key and associated filters by first requesting a service mode key and filters, thereby allowing the cloud-based VM (e.g., applet 130 of that VM) to access a credentialing service 122 to obtain VM credentials (credentials used directly by the cloud-based VM) and/or VPN credentials (credentials used by the vDR to communicate with private domain VMs on behalf of the cloud-based VM), allowing for (1) secured communication, via Stealth, within the cloud-based vLAN using a VM COI key(s) and associated filter(s), (2) secured communication, via IPsec, with the gateway 114, and (3) secured communications from the vDR to private-domain VMs via the VPN COI key(s) and associated filters" [0061], "Upon configuring the VM for communication with a 
Claim 2, Johnson teaches:
determining the class of virtual computing instances after creation of the new virtual computing instance. (e.g. fig. 2a, [0059])
Claim 3, Johnson teaches:
assigning an identifier for the new virtual computing instance and using the assigned identifier in obtaining the selected at least one security credential from the storage of security credentials. (e.g. fig. 2a, [0035], [0052], [0060], [0073], [0075])
Claim 4, Johnson teaches:
determining the identifier based on the class of virtual computing instances determined for the new virtual computing instance. (e.g. fig. 2a, [0035], [0049], [0052], [0060])
Claim 5, Johnson teaches:
wherein the storage of security credentials is provided in connection with the service platform or the storage of security credentials is provided remotely from the service platform. (e.g. figs. 1, 3, 4, [0046]-[0047], [0049], [0060])
Claim 10, Johnson teaches:

Claim 11, Johnson teaches:
wherein the selected at least one security credential comprises one of a key, a Secure Shell (SSH) key, a certificate, or a private key - public key pair. (e.g. [0021], [0049], [0052], [0060])
Claim 12, Johnson teaches:
wherein the securing comprises at least one of an encrypting operation, an authentication operation, and/or a signing operation based on the selected at least one security credential. (e.g. [0035], [0050], [0052])
Claim 13, Johnson teaches:
wherein the class of virtual computing instances is determined for the new virtual computing instance based on at least one of a grouping of virtual computing instances, a type of virtual computing instances, a type of access rights of virtual computing instances, ownership of a relevant computing resource, or information about a host opening the new virtual computing instance and/or a host calling for the new virtual computing instance. (e.g. [0021], [0035], [0059])
Claim 14, Johnson teaches:

Claim 16, this claim is directed to an apparatus containing similar limitations as recited in claim 1 and is rejected for similar rationale. Johnson additionally teaches connect to a storage of security credentials (e.g. [0059]-[0060]).
Claim 17, Johnson teaches:
further configured to at least one of determine the class of the new virtual computing instance after creation thereof, select a security credential based on the class of the new virtual computing instance, select a storage of security credentials based on knowledge of at least one security credential associated with the class of the new virtual computing instance, select a storage of security credentials based on the class of the new virtual computing instance, assign an identifier for the new virtual computing instance and use the assigned identifier in obtaining the at least one security credential from the storage of security credentials, and determine an identifier for the new virtual computing instance based on the class of the new virtual computing instance. (e.g. fig. 2a, [0035], [0049], [0052], [0059], [0060], [0073], [0075])

Claim 20, this claim is directed to an apparatus containing similar limitations as recited in claim 10 and is rejected for similar rationale.
Claim 21, this claim is directed to an apparatus containing similar limitations as recited in claim 13 and is rejected for similar rationale.
Claim 22, this claim is directed to a non-transitory computer media containing similar limitations as recited in claim 1 and is rejected for similar rationale. Johnson additionally teaches connect to a storage of security credentials (e.g. [0059]-[0060]).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention 

Claims 6, 7, 9, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Johnson et al. (US 2015/0381596 A1) in view of Powers et al. (US 9,501,304 B1).
Claim 6, Johnson teaches:
the method comprising encrypting data communicated with at least one further virtual computing instance based on the selected at least one security credential. (e.g. fig. 1, 2a, 3, 4, [0021], [0035], [0049], [0052], [0060])
Johnson teaches the new virtual computing instance and data communicated (see above) and does not appear to explicitly teach but Powers teaches: 
a container, and (e.g. col. 5 lines 39-53, col. 8 lines 32-46)
data communicated by the container. (e.g. col. 18 lines 38-50)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings described by Powers into the invention of Johnson. The motivation for such an implementation would be for the purpose of providing higher performance and lower overhead in the implementation of cloud computing platform, while 
Claim 7, Johnson-Powers combination teaches: 
wherein the at least one further virtual computing instance comprises a further container. (e.g. Powers col. 18 lines 38-50)
Claim 9, Johnson-Powers combination teaches:
wherein the further container runs on a different service platform provided at least in part by a different shared operating system resource. (e.g. Powers col. 8 lines 32-46, col. 11 lines 22-27)
Claim 19, this claim is directed to an apparatus containing similar limitations as recited in claim 6 and is rejected using the same rationale to combine the references.
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Johnson et al. (US 2015/0381596 A1) in view of Powers et al. (US 9,501,304 B1) further in view of Woolward (US 2017/0374101 A1).

runs on the same service platform provided at least in part by a shared operating system resource. (e.g. [0033])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings described by Woolward into the invention of Johnson-Powers combination. The motivation for such an implementation would be for the purpose of maintaining security in virtualization environments to prevent attackers from breaching internal networks to steal critical data (Woolward [0002]-[0005]).
Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Johnson et al. (US 2015/0381596 A1) in view of Vokorokos et al. (Secure Web Server System Resources Utilization).
Claim 15, Johnson teaches the control group identifier (see above) and does not appear to explicitly teach but Vokorokos teaches:  
a cgroup id. (e.g. p. 10 last para.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings described by .
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
US 2014/0019745 discloses virtual machines in a network may be isolated by encrypting transmissions between the virtual machines with keys possessed only by an intended recipient. Within a network, the virtual machines may be logically organized into a number of community-of-interest (COI) groups.
US 2014/0282889 discloses a cloud computing system configured to run virtual machine instances is disclosed. The cloud computing system assigns an identity to each virtual machine instance. When the virtual machine instance accesses initial configuration resources, it provides this identity to the resources to authenticate itself.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AMIE C LIN whose telephone number is (571)272-7752. The examiner can normally be reached on M-F 9:00 AM - 5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GELAGAY SHEWAYE, can be reached on 5712724219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service 






/AMIE C. LIN/Examiner, Art Unit 2436