DETAILED ACTION

This communication is in response to Application No. 16/970,529 filed on 8/17/2020.  Claims 1-15 have been examined.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 8/17/2020 is being considered by the examiner.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-3, 6-8, 12, and 15 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Narayanaswamy et al. (hereinafter Narayanaswamy)(US 2017/0264640).
Regarding claims 1, 8, and 12, Narayanaswamy teaches as follows:
a content management system (interpreted as the network security system 120 in figure 1A), comprising: 

receive a call regarding a transfer of data between a plurality of services (the method includes detecting an attempt to transfer a content file from a sanctioned cloud computing service (CCS) to an unsanctioned CCS, see, paragraph [0437])(at action 1710, a content file upload, download, or modification activity is detected, see, paragraph [0400] and figure 17); 
verify metadata corresponding to the data (determining sensitivity of the first content file based on corresponding object metadata, see, paragraph [0437])(process 1700 continues at action 1720 where a determination is made whether the content file type being attempted to share is sensitive.  This determination is made by retrieving metadata about the content file from metadata store 196 that confirms if the content file type is prohibited from being uploaded, downloaded, or modified, see, paragraph [0401] and figure 17); and 
determine whether the transfer can be completed based on the metadata applied to a privacy policy (triggering a security action based on the multi-part policy, see, paragraph [0437])(at action 1750, a security action is triggered based on the multi-part policy responsive to finding that the retrieved true file type matches the prohibited file type, see, paragraph [0404] and figure 17)(examples of multi-part policies include "prevent sharing of a file, if file is sensitive" (equivalent to applicant’s privacy), see, paragraph [0137]).

wherein the metadata is stored in a metadata repository (interpreted as the metadata store 196 in figure 1A)(a multi-part policy is defined as a policy that applies to a single transaction but at least one policy condition of the multi-part policy requires evaluation of data or metadata available in an external data or metadata store, see, paragraph [0137] and [0271]).
Regarding claim 3, Narayanaswamy teaches as follows:
wherein the metadata repository includes a key value (as content metadata are aggregated, they are stored in a NoSQL key-value column store distributed storage system 196 such as Cassandra 198, see, paragraph [0164]) store that includes metadata about data records used by the services (metadata includes structured data and functionality targets specific data constructs provided by the cloud services 140. Non-structured data, such as free text, can also be provided by, and targeted back to, the cloud services 140, see, paragraph [0163]).
Regarding claims 6 and 7, Narayanaswamy teaches as follows:
enforcing an action regarding the transfer of data based on the privacy policy, wherein enforcing the action includes completing the transfer of data (security engine 128 accesses content policies 181 to identify security actions to be performed. The quarantine sub-engine 176 temporarily holds the transmitted data in a quarantine folder at the cloud service pending a quarantine approver's ratification or rejection.  Based on the quarantine approver's decision, the content is either transmitted to the cloud service or not, see, paragraph [0182]-[0183]).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 4, 5, 9, 10, 13, and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Narayanaswamy et al. (hereinafter Narayanaswamy)(US 2017/0264640) in view of Panchal et al. (hereinafter Panchal)(US 10,355,989).
Regarding claims 4 and 9, Narayanaswamy teaches all limitations as presented above except for the service mesh.
Panchal teaches as follows:
cloud exchange 100 includes a programmable network platform 120 for dynamically programming cloud exchange 100 to responsively and assuredly fulfill service requests that encapsulate business requirements for services provided by cloud exchange 100 and/or cloud service providers 110 coupled to the cloud exchange 100 (see, col. 7, lines 6-17 and figure 1); and
a customer 108 may request an L3 instance to link multiple cloud service providers by the L3 instance, for example (e.g., for transferring the customer's data between two cloud service providers, or for obtaining a mesh of services from multiple cloud service providers)(see, col. 7, lines 35-43 and figure 1).
	It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Narayanaswamy with Panchal to include the cloud exchange 
Regarding claim 5, Narayanaswamy teaches as follows:
a data plane (interpreted as data plane 130 in figure 1A) to intercept the call regarding the transfer of data and a control plane (interpreted as management plane 129 in figure 1A) to evaluate the privacy policy (the network security system 120 provides a variety of functionalities 125 via a management plane 129 and a data plane 130.  Data plane 130 includes an extraction engine 126, a classification engine 127, and a security engine 128, according to one implementation.  Other functionalities, e.g. control plane, can also be provided.  These functionalities 125 collectively provide secure interfacing with the cloud services 140 by client devices 150, see, paragraph [0155]).
Regarding claim 10, Narayanaswamy teaches as follows:
wherein the services are included in a cloud native application (independent Data Store: As used herein, a hosted service or a cloud service or a cloud application or a cloud storage provider or a cloud storage application or a cloud computing service (CCS) is referred to as an "independent data store", and vice-versa.  Also as used herein, a cloud service, sometimes also referred to as a cloud computing service (CCS), or a hosted service or a cloud application refers to a network cloud service or application, web-based (e.g. accessed via a uniform resource locator (URL)) or native, such as sync clients, see, paragraph [0134]).
Regarding claims 13 and 14, Narayanaswamy in view of Panchal teaches similar limitations as presented above in the rejections regarding claims 4 and 5.

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Narayanaswamy et al. (hereinafter Narayanaswamy)(US 2017/0264640) in view of Ritchie (US 2017/0270318).
Regarding claim 11, Narayanaswamy teaches as follows:

shared publicly via a link.  In yet other implementations, inspective analyzer 194 discovers content against set DLP policies, inventories and classifies content, content owners, and collaborators as well as provides content sharing status (private, shared or public).  Additionally, it enables users to download files for review, and perform a variety of security actions such as restrict access, revoke sharing, encrypt content, quarantine content for review, notify content owners, and place content on legal hold (see, paragraph [0160]).
Narayanaswamy’s metadata does not include the legal zone.
Ritchie teaches as follows:
the system may receive a data flow identifier associated with the privacy metadata test, and may use that data flow identifier to retrieve an associated privacy metadata test from the privacy architecture, if the system detects a match between a relevant jurisdiction (equivalent to applicant’s legal zone) from the privacy metadata test and the jurisdiction of interest of the legal metadata test, the system may retrieve the legal metadata test associated with the jurisdiction of interest from the legal architecture.  The system may use the privacy metadata test and the legal metadata test to determine an outstanding risk to privacy information used by a data flow present in the privacy metadata test, and may create a privacy impact assessment report highlighting the outstanding risk (see, paragraph [0030]).
	It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Narayanaswamy with Ritchie to include jurisdiction 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeong S Park whose telephone number is (571)270-1597.  The examiner can normally be reached on Monday through Friday 8:00-4:30 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Glenton B Burgess can be reached on 571-272-3949.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access 






/JEONG S PARK/ Primary Examiner, Art Unit 2454
February 26, 2021