DETAILED ACTION
This non-final office action is in response to claims 1-22 filed on 01/04/2021 for examination. Claims 1-22 are being examined and are pending.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Response to Amendment
The amendment filed January 4, 2021 has been entered. Claims 1-22 remain pending in the application. The claims have been amended. Applicant’s arguments and amendments to the claims have overcome each and every drawings objection and 112 rejection previously set forth in the Non-Final Office Action mailed October 2, 2020. Claims 1, 10, 15, 18-19, and 22 have been amended and have necessitated a new ground(s) of rejection in this Office Action. Therefore, Applicants’ arguments filed on 01/04/2021 have been fully considered but are moot in view of the new ground(s) of rejection because the arguments do not apply to any of the updated reference(s) being used in the current rejection.

Claim Objections
Claims 1, 10, 15, 18-19, and 22 is/are objected to because of the following informalities:  
Claim 1 recites “one or more source IP addresses and destination IP addresses” (e.g., line 11). Examiner suggests amending to “one or more source IP addresses and/or destination IP addresses” or “one or more source IP addresses, and one or more destination IP addresses”. Claims 10, 15, 18-19, and 22 recite the aforementioned limitation, and are similarly objected to.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-5, 7-13, and 15-22 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kumar et al. (US20170171159, Hereinafter “Kumar”) in view of Roth et al. (US20180275765, Hereinafter) and Zuk et al. (US20150026794, Hereinafter “Zuk”).
Regarding claim 1, Kumar discloses a method for application-independent access control in a cloud- services computing environment ([0106]&[0003] – tenants own VM applications hosted on a host devise (i.e., is a cloud computing system) for access by users; [0006] – system provides access control for the hosted VMs), the method comprising: 
at a host computing device configured to operate in the cloud-services computing environment having one or more processors and memory ([0106]&[0003] – tenants own isolated VM applications hosted on a host devise for access by users; [0092-0093] – system operates using processors and memory storing instructions): 
obtaining, at a first sub-system of the host computing device ([0082] – virtual switch <i.e., first sub-system> located on host 200), a user identity for accessing the cloud-services computing environment ([0082] – virtual switch <i.e., first sub-system> receives an inbound request destined for one of the VMs of the host machine; [0046-047] – communication request includes user identification; [0059] – communications are then allowed or denied based on an identity of the user that made the request); 
receiving a user request to [[perform a task]] using an application ([0054, 0082] – clients send a network request to server application 225), wherein the application is configured to be accessed in the cloud-services computing environment ([0054, 0082] – inbound network request received from clients to access a server application); 
in response to receiving the user request, collecting process-related data for [[performing the task]] using the application ([0086] – “security agent 660 collects connection information (e.g., tuple information) regarding the network connection request packet 680 and sends the connection information, along with the gathered context information 672, to a security engine”; [0085] – context information 672 includes process information for an application that accepts the connection); 
obtaining one or more source IP addresses and destination IP addresses ([0047] –the system intercepts the request in order to capture context connection information including source/destination addresses; [0048, 0059] – the context information provided to security engine 220 which uses the information to determine whether to allow a particular request; Kumar’s dependent claim 14 notes these context addresses may comprise a source IP address and destination IP address); 
determining, based on the user identity, the process-related data, and the one or more source IP addresses and destination IP addresses, whether the [[task is to be performed]] ([0048, 0059] – the context information is sent to the security engine 220 which uses the information to determine whether to allow a particular request based on identity of a user, source/destination addresses, and context , wherein the determining is performed at a second sub-system separate from a third sub-system configured to perform the task using the application ([0025, 0058] – security engines (i.e., a second sub-system) operate in a separate space (e.g., its own VM) from the machines (i.e., the third sub-system) they manage; [0048, 0059] – the context information is sent to the security engine 220 which uses the information to determine whether to allow a particular request); and 
in accordance with a determination that the [[task is to be performed]], causing the [[task to be performed]] using the application ([0087] – the security agent 660 receives the response from the security engine allowing the network connection request, so the network request packet 680 is forwarded on to the application 625 to establish the requested connection).
While Kumar discloses access control directed to allowing or denying a network request to a hosted application (see abstract, [0059]), Kumar appears to fail to specifically disclose the access controlled request as to a task to be performed by the application. Additionally, Kumar appears to fail to specifically disclose the determining comprising: constructing a data structure based on a representation of the user identity, the process-related data, and the one or more source IP addresses and destination IP addresses; obtaining an access-control policy; and correlating the constructed data structure to the access-control policy.
	However, Roth discloses a multi-tenant cloud system for controlling application resource access requests (see abstract, [0022]), wherein operational instructions for cloud-based applications to perform (i.e., tasks to be performed) are requested, intercepted, and allowed/denied based on stored policies (see [0022-0024]).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the network requests access control system of Kumar with the 
While the combination of Kumar and Roth disclose access control policies for determining access to a hosted application based on destination IP address and source IP address (see Kumar at abstract, [0059]), Kumar appears to fail to specifically disclose the determining comprising: constructing a data structure based on a representation of the user identity, the process-related data, and the one or more source IP addresses and destination IP addresses; obtaining an access-control policy; and correlating the constructed data structure to the access-control policy.
However, Zuk discloses a cloud access system for determining whether an intercepted request is to be permitted based on stored policies ([0057] – application receives a request from a device; [0056] – requests are controlled according to policies; [0031 & 0044] – system is cloud system), the determining comprising: constructing a data structure based on a representation of the user identity, the process-related data, and the one or more source IP addresses and destination IP addresses ([0048] – Security controller analyzes packets and collects them into a table <i.e., constructs a data structure> including their source IP address, destination IP address, application information <i.e., process-related data>, user identity, etc.); obtaining an access-control policy ([0048] – security policy obtained for comparison with the user context); and correlating the constructed data structure to the access-control policy ([0048] – policy matched up with table to allow or deny access).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the policy control system of the combination of Kumar and Roth with the teachings of Zuk, the determining comprising: constructing a data structure based on a representation of the user identity, the process-related data, and the one or more source IP addresses and destination IP addresses; obtaining an access-control policy; and correlating the constructed data 

Regarding claim 2, the combination of Kumar, Roth, and Zuk discloses the method of claim 1, wherein obtaining the user identity for accessing the cloud-services computing environment comprises: at the first sub-system of the host computing device (Kumar at [0082] – virtual switch <i.e., first sub-system> located on host 200), wherein the first sub-system is configured to receive user requests from one or more client computing devices external to the cloud-services computing environment (Kumar at [0082] – virtual switch <i.e., first sub-system> receives an inbound request communication destined for one of the VMs of the host machine; [0054] – clients send a request to server application 225), receiving user credentials for accessing the cloud-services computing environment (Kumar at [0082] – virtual switch <i.e., first sub-system> receives an inbound request destined for one of the VMs of the host machine; [0047] – communication request includes user information; [0059] – communications are then allowed or denied based on an identity of the user that made the request); and forwarding a representation of the user credentials from the first sub-system to a second sub-system of the host computing device (Kumar at [0036] – virtual switch 218 <i.e., first sub-network> sends network traffic to the security engine <i.e., second sub-network>; [0059] – security engine 220 <i.e., second sub-system> allows or denies the request based on the identity of the user; [0090] – security engine performs authentication of the received information), wherein the second sub-system is separate from the first sub-system (Kumar at [0025] – security engines <i.e., a second sub-system> operate in a separate space (e.g., it’s own VM)), and  E39625wherein the second sub-system is configured to perform application-independent access control in the cloud-services computing environment (Kumar at [0036] – virtual switch 218 <i.e., first sub-network> sends network traffic to the security engine <i.e., second sub-network>; [0058-059] – security engine 220 <i.e., second sub-system> .

Regarding claim 3, the combination of Kumar, Roth, and Zuk discloses the method of claim 1, wherein receiving the user request to perform a task using the application comprises: 
at the first sub-system of the host computing device (Kumar at [0082] – virtual switch <first sub-system> located on host 200), wherein the first sub-system is configured to receive user requests from one or more client computing devices external to the cloud-services computing environment (Kumar at [0082] – virtual switch <i.e., first sub-system> receives an inbound request communication destined for one of the VMs of the host machine; [0054] – clients send a request to server application 225), receiving an application program interface (API) call to perform the task using the application (Roth at [0022-024] – users request to access resources in the cloud environment which is received  at the interface 108; [0013] – user make requests to resource provider environment, and users are external to the cloud services computing environment (see, e.g., fig. 3 at 103); [0023] – “the interface layer can include application programming interfaces (APIs) or other exposed interfaces enabling a user to submit requests to the provider environment; [0026] – “each API can be provided to receive requests for at least one specific action to be performed with respect to the data environment”); and forwarding the API call to the third sub-system separate from the first sub-system (Kumar at [0082] – virtual switch 218 (i.e., first sub-system) receives an inbound request communication destined for one of the VMs of the host machine; [0036] – virtual switch 218 routes network communications to VMs (e.g., the application resource VM 210) <i.e., third sub-systems> of the host).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the combination of Kumar, Roth, and Zuk as taught in Roth, comprising receiving an application program interface (API) call to perform the task using the 

Regarding claim 4, the combination of Kumar, Roth, and Zuk discloses the method of claim 1, wherein collecting the process-related data for performing the task using the application comprises: at the third sub-system of the host computing device (Kumar at fig. 6A – application VM 610 <i.e., third sub-system> located on host 200), wherein the third sub-system is configured to perform one or more tasks using the application (Kumar at [0037] – hosted applications are configured to, e.g., be operable as web browsers (i.e., configured to perform tasks)), receiving an application program interface (API) call from the first sub-system separate from the third sub-system (Roth at [0022-024] – users request to access resources in the cloud environment which is received at the interface 108 (which may comprise a network switch, see [0023]) <i.e., first sub-system>; [0023] – “the interface layer can include application programming interfaces (APIs) or other exposed interfaces enabling a user to submit requests to the provider environment; [0026] – “each API can be provided to receive requests for at least one specific action to be performed with respect to the data environment”; with Kumar at [0082] – VM <i.e., third sub-system> receives request communication from virtual switch <i.e., first sub-system>); in response to receiving the API call, detecting one or more process-related events (Kumar at [0048] – “The security agent 260 sends the information regarding the network connection request (e.g., context, source/destination addresses, ports, protocols, etc.) as a network event to the security engine 220. Network events are used for identity firewall and other firewall pieces to make decisions (e.g., whether to allow a particular user to make a connection to a particular IP from a particular application)”; [0085] – context includes process information; see with Roth at [0026] – requests may be API calls); and collecting the process-related data based on the detected one or more process- related events ([0086] – security agent 660 collects connection information along with gathered context information 672; 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the application VM (third sub-system) of the combination of Kumar, Roth, and Zuk as taught in Roth, comprising receiving an application program interface (API) call from the first sub-system separate from the third sub-system; in response to receiving the API call, detecting one or more process-related events, so that the security engine may use the events to enforce the access request security decisions (see, e.g., Kumar at [0086] and Roth at [0026] for API usage).

Regarding claim 5, the combination of Kumar, Roth, and Zuk discloses the method of claim 4, wherein the one or more process-related events comprise at least one of: an event indicating a request for initiating a process of the application; and an event indicating a request for accessing at least a portion of a data object associated with the process of the application (Kumar at [0028] – network requests are captured as events; Roth at [0040] – “a request is received 402 from a user to a resource environment, where the request generally will be a request to access a page, application, or other object provided by a customer of the resource environment using one or more resources of the environment.”; [0026] – “each API can be provided to receive requests for at least one specific action to be performed with respect to the data environment”).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Kumar, Roth, and Zuk with the teachings of Roth, wherein the one or more process-related events comprise at least one of: an event indicating a request for initiating a process of the application; and an event indicating a request for accessing at least a portion of a data object associated with the process of the application, so that the security engine may 

Regarding claim 7, the combination of Kumar, Roth, and Zuk discloses the method of claim 4, wherein collecting the process-related data based on the detected one or more process-related events comprises: identifying at least a portion of a data object associated with a process for performing the task using the application (Roth at [0040] – the received request from a user will generally be a request to access a page, application or object (i.e., object associated with the request is identified)); and obtaining a representation of the data object associated with the process for performing the task using the application (Roth at [0040] – the received request from a user will generally be a request to access a page, application or object (i.e., object identified associated with the request), [0041] – user obtains the type of access associated with the request; [0052] – system operates via Simple Object Access Protocol instructions).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention implement the collected process information in the combination of Kumar, Roth, and Zuk (see [0028],[0048]) with the teachings of Roth, comprising identifying at least a portion of a data object associated with a process for performing the task using the application; and obtaining a representation of the data object associated with the process for performing the task using the application, so that requests pertaining to specific objects may be controlled based on stored policies (see, e.g., Roth at [0040]).

Regarding claim 8, the combination of Kumar, Roth, and Zuk discloses the method of claim 4, further comprising: forwarding the process-related data from the third sub-system to the second sub-system separate from the third sub-system (Kumar at [0048] – “The security agent 260 <which is part of 220 <i.e., second sub-system>. Network events are used for identity firewall and other firewall pieces to make decisions (e.g., whether to allow a particular user to make a connection to a particular IP from a particular application). The policies will be filtered on the security engine 220; [0085] – context includes process information), wherein the second sub-system is configured to perform application-independent access control in the cloud-services computing environment (Kumar at [0048] – “The security agent 260 <which is part of the application VM (i.e., third sub-system), see fig. 2> sends the information regarding the network connection request (e.g., context, source/destination addresses, ports, protocols, etc.) as a network event to the security engine 220 <i.e., second sub-system>. Network events are used for identity firewall and other firewall pieces to make decisions (e.g., whether to allow a particular user to make a connection to a particular IP from a particular application). The policies will be filtered on the security engine 220; [0085] – context includes process information; [0025] – security engine VM is separate VM from the application VM).  

Regarding claim 9, the combination of Kumar, Roth, and Zuk discloses the method of claim 1, further comprising: obtaining one or more source ports and one or more destination ports associated with the user request (Kumar at [0048, 0059] – “The security agent 260 sends the information regarding the network connection request (e.g., context, source/destination addresses, ports, protocols, etc.) as a network event to the security engine 220. Network events are used for identity firewall and other firewall pieces to make decisions”; Kumar’s dependent claim 14 notes these context addresses may comprise a source port and destination port).  

Regarding claim 10, the combination of Kumar, Roth, and Zuk discloses the method of claim 1, wherein determining whether the task is to be performed comprises: 
at the second sub-system of the host computing device (Kumar at [0059] – security engine 220 <i.e., second sub-system> located on host 200), wherein the second sub-system is configured to perform application-independent access control in the cloud-services computing environment (Kumar at [0054] – clients send a request to server application 225; [0058-059] – security engine 220 <i.e., second sub-system> performs access control for the requests separate the application VM; [0025] – security engine VM is separate VM from the application VM), constructing the data structure based on the representation of the user identity, the process-related data, and the one or more source IP addresses and destination IP addresses as data entries in a context table that represents a totality of circumstances associated with the user request (Zuk at [0048] – Security controller analyzes packets and collects them into a table including their source IP address, destination IP address, application information <i.e., process-related data>, and user identity. Then security policy obtained for comparison with the user context, and policy matched up with table to allow or deny access); and 
determining, based on a result of correlating the data structure to the access-control policy (Kumar at [0059] – “the security engine 220 is used to authorize network connection requests of the VMs based on the identity of a user and/or application that makes the request and on other information associated with the request (e.g., source/destination addresses, ports, protocols, etc.; see also [0048] – rights determined based on the context/tuple information), whether the task is to be performed using the application at the third sub-system separate from the second sub-system (Kumar at [0058] – “The security agent 260 operates on the guest machine and passes the captured network event information (e.g., user, application, tuple information) to the security engine 220, but does not directly interact with the packets (other than tagging). When a packet exits the guest machines, the security engine 220 of some embodiments captures the packet and enforces the security policies (based on the updated 210.”; [0059] – “the security engine 220 is used to authorize network connection requests of the VMs based on the identity of a user and/or application that makes the request and on other information associated with the request (e.g., source/destination addresses, ports, protocols, etc.)”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the policy control system of the combination of Kumar and Roth with the teachings of Zuk, constructing the data structure based on the representation of the user identity, the process-related data, and the one or more source IP addresses and destination IP addresses as data entries in a context table that represents a totality of circumstances associated with the user request, to ensure only specific users are permitted to access specific applications in the cloud system (see, e.g., Zuk at [0017], [0057]).

Regarding claim 11, the combination of Kumar, Roth, and Zuk discloses the method of claim 1, wherein causing the task to be performed using the application comprises at least one of: initiating a process associated with the application to perform the task (Kumar at [0091] – “When the process 700 determines (at 730) that the connection is allowed, the process 700 sends (at 740) the packet to server application to initiate the connection.”); and enabling access to at least a portion of a data object used by the process associated with the application (Roth at [0040] – “a request is received 402 from a user to a resource environment, where the request generally will be a request to access a page, application, or other object provided by a customer of the resource environment using one or more resources of the environment”; [0041] – when a stored policy is located access may be provided to the requested resources).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the combination of Kumar, Roth, and Zuk with the teachings of 

Regarding claim 12, the combination of Kumar, Roth, and Zuk discloses the method of claim 1, further comprising in accordance with a determination that the task is not to be performed, denying the user request (Kumar at [0059] – “The security engine 220 receives communications (e.g., packets intended for transmission to or received from other end machines in the network) and determines an action (e.g., allow, deny, redirect, etc.) to perform on the packet with respect to security policies of the network. For example, in some cases, the security engine 220 is used to authorize network connection requests of the VMs based on the identity of a user and/or application that makes the request and on other information associated with the request (e.g., source/destination addresses, ports, protocols, etc.).”).

Regarding claim 13, the combination of Kumar, Roth, and Zuk discloses the method of claim 12, wherein denying the user request comprises at least one of: preventing initiating of a process associated with the application to perform the task; and denying access to at least a portion of a data object used by the process associated with the application (Kumar at [0059] – “The security engine 220 receives communications (e.g., packets intended for transmission to or received from other end machines in the network) and determines an action (e.g., allow, deny, redirect, etc.) to perform on the packet with respect to security policies of the network. For example, in some cases, the security engine 220 is used to authorize network connection requests of the VMs based on the identity of a user and/or application that makes the request and on other information associated with the request (e.g., .  

Regarding claim 15, Kumar discloses a host computing device operating in the cloud-services computing environment ([0106]&[0003] – tenants own VM applications hosted on a host devise (i.e., is a cloud computing system) for access by users; [0006] – system provides access control for the hosted VMs), the host computing device comprising: 
one or more processors; and memory storing one or more programs configured to be executed by the one or more processors ([0092-0093] – system operates using processors and memory storing instructions for processor execution), the one or more programs including instructions for: 
obtaining, at a first sub-system of the host computing device ([0082] – virtual switch <i.e., first sub-system> located on host 200), a user identity for accessing the cloud-services computing environment ([0082] – virtual switch <i.e., first sub-system> receives an inbound request destined for one of the VMs of the host machine; [0046-047] – communication request includes user identification; [0059] – communications are then allowed or denied based on an identity of the user that made the request); 
receiving a user request to [[perform a task]] using an application ([0054, 0082] – clients send a network request to server application 225), wherein the application is configured to be accessed in the cloud-services computing environment ([0054, 0082] – inbound network request received from clients to access a server application); 
in response to receiving the user request, collecting process-related data for [[performing the task]] using the application ([0086] – “security agent 660 collects connection information (e.g., tuple information) regarding the network connection request packet 680 and sends the connection 672, to a security engine”; [0085] – context information 672 includes process information for an application that accepts the connection); 
obtaining one or more source IP addresses and destination IP addresses ([0047] –the system intercepts the request in order to capture context connection information including source/destination addresses; [0048, 0059] – the context information provided to security engine 220 which uses the information to determine whether to allow a particular request; Kumar’s dependent claim 14 notes these context addresses may comprise a source IP address and destination IP address); 
determining, based on the user identity, the process-related data, and the one or more source IP addresses and destination IP addresses, whether the [[task is to be performed]] ([0048, 0059] – the context information is sent to the security engine 220 which uses the information to determine whether to allow a particular request based on identity of a user, source/destination addresses, and context information; dependent claim 14 notes these context addresses may comprise a source IP address and destination IP address; [0085] – context information includes process information), wherein the determining is performed at a second sub-system separate from a third sub-system configured to perform the task using the application ([0025, 0058] – security engines (i.e., a second sub-system) operate in a separate space (e.g., its own VM) from the machines (i.e., the third sub-system) they manage; [0048, 0059] – the context information is sent to the security engine 220 which uses the information to determine whether to allow a particular request); and 
in accordance with a determination that the [[task is to be performed]] responding to the user request, causing the task to be performed using the application ([0087] – the security agent 660 receives the response from the security engine allowing the network connection request, so the network request packet 680 is forwarded on to the application 625 to establish the requested connection).
 
	However, Roth discloses a multi-tenant cloud system for controlling application resource access requests (see abstract, [0022]), wherein operational instructions for cloud-based applications to perform (i.e., tasks to be performed) are requested, intercepted, and allowed/denied based on stored policies (see [0022-0024]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the network requests access control system of Kumar with the teachings of Roth, wherein access control is further directed to a received task to be performed by an application, to ensure users have appropriate access permissions and the system has appropriate resources for the specific task (see, e.g., at Roth [0024]).

Regarding claim 16, the combination of Kumar, Roth, and Zuk discloses the host computing device of claim 15, wherein obtaining the user identity for accessing the cloud-services computing environment comprises: at the first sub-system of the host computing device (Kumar at [0082] – virtual switch <i.e., first sub-system> located on host 200), wherein the first sub-system is configured to receive user requests from one or more client computing devices external to the cloud-services computing environment (Kumar at [0082] – virtual switch <i.e., first sub-system> receives an inbound request communication destined for one of the VMs of the host machine; [0054] – clients send a request to server application 225), receiving user credentials for accessing the cloud-services computing environment (Kumar at [0082] – virtual switch <i.e., first sub-system> receives an inbound request destined for one of the VMs of the host machine; [0047] – communication request includes user information; [0059] – communications are then allowed or denied based on an identity of the user that ; and forwarding a representation of the user credentials from the first sub-system to a second sub-system of the host computing device (Kumar at [0036] – virtual switch 218 <i.e., first sub-network> sends network traffic to the security engine <i.e., second sub-network>; [0059] – security engine 220 <i.e., second sub-system> allows or denies the request based on the identity of the user; [0090] – security engine performs authentication of the received information), wherein the second sub-system is separate from the first sub-system (Kumar at [0025, 0058] – security engines <i.e., a second sub-system> operate in a separate space (e.g., it’s own VM)), and wherein the second sub-system is configured to perform application-independent access control in the cloud-services computing environment (Kumar at [0036] – virtual switch 218 <i.e., first sub-network> sends network traffic to the security engine <i.e., second sub-network>; [0058-059] – security engine 220 <i.e., second sub-system> allows or denies the request based on the identity of the user outside of the application’s VM; [0090] – security engine performs authentication of the received information).

Regarding claim 17, the combination of Kumar, Roth, and Zuk discloses the host computing device of claim 15, wherein collecting the process-related data for performing the task using the application comprises: at the third sub-system of the host computing device (Kumar at fig. 6A – application VM 610 <i.e., third sub-system> located on host 200), wherein the third sub-system is configured to perform one or more tasks using the application (Kumar at [0037] – hosted applications are configured to, e.g., be operable as web browsers (i.e., configured to perform tasks)), receiving an application program interface (API) call from the first sub-system separate from the third sub-system (Roth at [0022-024] – users request to access resources in the cloud environment which is received at the interface 108 (which may comprise a network switch, see [0023]) <i.e., first sub-system>; [0023] – “the interface layer can include application programming interfaces (APIs) or other exposed interfaces enabling a user to submit requests to the provider environment; [0026] – “each API can be provided to ; in response to receiving the API call, detecting one or more process-related events (Kumar at [0048] – “The security agent 260 sends the information regarding the network connection request (e.g., context, source/destination addresses, ports, protocols, etc.) as a network event to the security engine 220. Network events are used for identity firewall and other firewall pieces to make decisions (e.g., whether to allow a particular user to make a connection to a particular IP from a particular application)”; [0085] – context includes process information; see with Roth at [0026] – requests may be API calls); and collecting the process-related data based on the detected one or more process-related events ([0086] – security agent 660 collects connection information along with gathered context information 672; [0085] – context includes process information; [0048] – see connection request as network event used to make security determination).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the application VM (third sub-system) of the combination of Kumar, Roth, and Zuk with the teachings of Roth, comprising receiving an application program interface (API) call from the first sub-system separate from the third sub-system; in response to receiving the API call, detecting one or more process-related events, so that the security engine may use the events to enforce the access request security decisions (see, e.g., Kumar at [0086] and Roth at [0026] for API usage).

Regarding claim 18, the combination of Kumar, Roth, and Zuk discloses the host computing device of claim 15, wherein determining whether the task is to be performed comprises: 
at the second sub-system of the host computing device (Kumar at [0059] – security engine 220 <i.e., second sub-system> located on host 200), wherein the second sub-system is configured to perform application-independent access control in the cloud-services computing environment (Kumar 225; [0058-059] – security engine 220 <i.e., second sub-system> performs access control for the requests separate the application VM; [0025] – security engine VM is separate VM from the application VM), 
constructing the data structure based on the representation of the user identity, the process-related data, and the one or more source IP addresses and destination IP addresses as data entries in a context table that represents a totality of circumstances associated with the user request (Zuk at [0048] – Security controller analyzes packets and collects them into a table including their source IP address, destination IP address, application information <i.e., process-related data>, and user identity. Then security policy obtained for comparison with the user context, and policy matched up with table to allow or deny access); and 
determining, based on a result of correlating the data structure to the access-control policy (Kumar at [0059] – “the security engine 220 is used to authorize network connection requests of the VMs based on the identity of a user and/or application that makes the request and on other information associated with the request (e.g., source/destination addresses, ports, protocols, etc.; see also [0048] – rights determined based on the context/tuple information), whether the task is to performed using the application at the third sub-system separate from the second sub-system (Kumar at [0058] – “The security agent 260 operates on the guest machine and passes the captured network event information (e.g., user, application, tuple information) to the security engine 220, but does not directly interact with the packets (other than tagging). When a packet exits the guest machines, the security engine 220 of some embodiments captures the packet and enforces the security policies (based on the updated network event information) from outside of the guest VM 210.”; [0059] – “the security engine 220 is used to authorize network connection requests of the VMs based on the identity of a user and/or application that makes the request and on other information associated with the request (e.g., source/destination addresses, ports, protocols, etc.)”).  


Regarding claim 19, Kumar discloses a non-transitory computer-readable storage medium storing one or more programs configured to be executed by a host computing device operating in a cloud- services computing environment having one or more processors and memory, the one or more programs including instructions ([0106]&[0003] – tenants own VM applications hosted on a host devise (i.e., is a cloud computing system) for access by users; [0006] – system provides access control for the hosted VMs; [0092-0093] – system operates using processors and memory storing instructions) for: 
obtaining, at a first sub-system of the host computing device ([0082] – virtual switch <i.e., first sub-system> located on host 200), a user identity for accessing the cloud-services computing environment ([0082] – virtual switch <i.e., first sub-system> receives an inbound request destined for one of the VMs of the host machine; [0046-047] – communication request includes user identification; [0059] – communications are then allowed or denied based on an identity of the user that made the request); 
receiving a user request to [[perform a task]] using an application ([0054, 0082] – clients send a network request to server application 225), wherein the application is configured to be accessed in the cloud-services computing environment ([0054, 0082] – inbound network request received from clients to access a server application); 
in response to receiving the user request, collecting process-related data for [[performing the task]] using the application ([0086] – “security agent 660 collects connection information (e.g., tuple information) regarding the network connection request packet 680 and sends the connection information, along with the gathered context information 672, to a security engine”; [0085] – context information 672 includes process information for an application that accepts the connection); 
obtaining one or more source IP addresses and destination IP addresses ([0047] –the system intercepts the request in order to capture context connection information including source/destination addresses; [0048, 0059] – the context information provided to security engine 220 which uses the information to determine whether to allow a particular request; Kumar’s dependent claim 14 notes these context addresses may comprise a source IP address and destination IP address); 
determining, based on the user identity, the process-related data, and the one or more source IP addresses and destination IP addresses, whether the [[task is to be performed]] ([0048, 0059] – the context information is sent to the security engine 220 which uses the information to determine whether to allow a particular request based on identity of a user, source/destination addresses, and context information; dependent claim 14 notes these context addresses may comprise a source IP address and destination IP address; [0085] – context information includes process information), wherein the determining is performed at a second sub-system separate from a third sub-system configured to perform the task using the application ([0025, 0058] – security engines (i.e., a second sub-system) operate in a separate space (e.g., its own VM) from the machines (i.e., the third sub-system) they manage; [0048, 0059] – the context information is sent to the security engine 220 which uses the information to determine whether to allow a particular request); and 
in accordance with a determination that the [[task is to be performed]] responding to the user request, causing the [[task to be performed]] using the application ([0087] – the security agent 660 receives the response from the security engine allowing the network connection request, so the 680 is forwarded on to the application 625 to establish the requested connection).
While Kumar discloses access control directed to allowing or denying a network request to a hosted application (see abstract, [0059]), Kumar appears to fail to specifically disclose the access controlled request as to a task to be performed by the application. Additionally, Kumar appears to fail to specifically disclose the determining comprising: constructing a data structure based on a representation of the user identity, the process-related data, and the one or more source IP addresses and destination IP addresses; obtaining an access-control policy; and correlating the constructed data structure to the access-control policy.
	However, Roth discloses a multi-tenant cloud system for controlling application resource access requests (see abstract, [0022]), wherein operational instructions for cloud-based applications to perform (i.e., tasks to be performed) are requested, intercepted, and allowed/denied based on stored policies (see [0022-0024]).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the network requests access control system of Kumar with the teachings of Roth, wherein access control is further directed to a received task to be performed by an application, to ensure users have appropriate access permissions and the system has appropriate resources for the specific task (see, e.g., at Roth [0024]).
While the combination of Kumar and Roth disclose access control policies for determining access to a hosted application based on destination IP address and source IP address (see Kumar at abstract, [0059]), Kumar appears to fail to specifically disclose the determining comprising: constructing a data structure based on a representation of the user identity, the process-related data, and the one or more source IP addresses and destination IP addresses; obtaining an access-control policy; and correlating the constructed data structure to the access-control policy.
the determining comprising: constructing a data structure based on a representation of the user identity, the process-related data, and the one or more source IP addresses and destination IP addresses ([0048] – Security controller analyzes packets and collects them into a table including their source IP address, destination IP address, application information <i.e., process-related data>, and user identity); obtaining an access-control policy ([0048] – security policy obtained for comparison with the user context); and correlating the constructed data structure to the access-control policy ([0048] – policy matched up with table to allow or deny access).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the policy control system of the combination of Kumar and Roth with the teachings of Zuk, the determining comprising: constructing a data structure based on a representation of the user identity, the process-related data, and the one or more source IP addresses and destination IP addresses; obtaining an access-control policy; and correlating the constructed data structure to the access-control policy, to ensure specific users are permitted to access specific applications in the cloud system (see, e.g., Zuk at [0017], [0057]).

Regarding claim 20, the combination of Kumar, Roth, and Zuk discloses the computer-readable storage medium of claim 19, wherein obtaining the user identity for accessing the cloud-services computing environment comprises:  E39630at the first sub-system of the host computing device (Kumar at [0082] – virtual switch <i.e., first sub-system> located on host 200), wherein the first sub-system is configured to receive user requests from one or more client computing devices external to the cloud-services computing environment (Kumar at [0082] – virtual switch <i.e., first sub-system> receives an 225), receiving user credentials for accessing the cloud-services computing environment (Kumar at [0082] – virtual switch <i.e., first sub-system> receives an inbound request destined for one of the VMs of the host machine; [0047] – communication request includes user information; [0059] – communications are then allowed or denied based on an identity of the user that made the request); and forwarding a representation of the user credentials from the first sub-system to a second sub-system of the host computing device (Kumar at [0036] – virtual switch 218 <i.e., first sub-network> sends network traffic to the security engine <i.e., second sub-network>; [0059] – security engine 220 <i.e., second sub-system> allows or denies the request based on the identity of the user; [0090] – security engine performs authentication of the received information), wherein the second sub-system is separate from the first sub-system (Kumar at [0025, 0058] – security engines <i.e., a second sub-system> operate in a separate space (e.g., it’s own VM)), and wherein the second sub-system is configured to perform application-independent access control in the cloud-services computing environment (Kumar at [0036] – virtual switch 218 <i.e., first sub-network> sends network traffic to the security engine <i.e., second sub-network>; [0058-059] – security engine 220 <i.e., second sub-system> allows or denies the request based on the identity of the user outside of the application’s VM; [0090] – security engine performs authentication of the received information).  

Regarding claim 21, the combination of Kumar, Roth, and Zuk discloses the computer-readable storage medium of claim 19, wherein collecting process-related data for performing the task using the application comprises: at the third sub-system of the host computing device (Kumar at fig. 6A – application VM 610 <i.e., third sub-system> located on host 200), wherein the third sub-system is configured to perform one or more tasks using the application (Kumar at [0037] – hosted applications are configured to, e.g., be operable as web browsers (i.e., configured to perform tasks)), receiving an application program interface (API) call from the first sub-system separate from the third sub-system (Roth at [0022-024] – users request to access resources in the cloud environment which is received at the interface 108 (which may comprise a network switch, see [0023]) <i.e., first sub-system>; [0023] – “the interface layer can include application programming interfaces (APIs) or other exposed interfaces enabling a user to submit requests to the provider environment; [0026] – “each API can be provided to receive requests for at least one specific action to be performed with respect to the data environment”; with Kumar at [0082] – VM <i.e., third sub-system> receives request communication from virtual switch <i.e., first sub-system>); in response to receiving the API call, detecting one or more process-related events (Kumar at [0048] – “The security agent 260 sends the information regarding the network connection request (e.g., context, source/destination addresses, ports, protocols, etc.) as a network event to the security engine 220. Network events are used for identity firewall and other firewall pieces to make decisions (e.g., whether to allow a particular user to make a connection to a particular IP from a particular application)”; [0085] – context includes process information; see with Roth at [0026] – requests may be API calls); and collecting the process-related data based on the detected one or more process-related events ([0086] – security agent 660 collects connection information along with gathered context information 672; [0085] – context includes process information; [0048] – see connection request as network event used to make security determination).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the application VM (third sub-system) of the combination of Kumar, Roth, and Zuk with the teachings of Roth, comprising receiving an application program interface (API) call from the first sub-system separate from the third sub-system; in response to receiving the API call, detecting one or more process-related events, so that the security engine may use the events to enforce the access request security decisions (see, e.g., Kumar at [0086] and Roth at [0026] for API usage).  

Regarding claim 22, the combination of Kumar, Roth, and Zuk discloses the computer-readable storage medium of claim 19, wherein determining whether the task is to be performed comprises: 
at the second sub-system of the host computing device (Kumar at [0059] – security engine 220 <i.e., second sub-system> located on host 200), wherein the second sub-system is configured to perform application-independent access control in the cloud-services computing environment (Kumar at [0054] – clients send a request to server application 225; [0058-059] – security engine 220 <i.e., second sub-system> performs access control for the requests separate the application VM; [0025] – security engine VM is separate VM from the application VM), constructing the data structure based on the representation of the user identity, the process-related data, and the one or more source IP addresses and destination IP addresses as data entries in a context table that represents a totality of circumstances associated with the user request (Zuk at [0048] – Security controller analyzes packets and collects them into a table including their source IP address, destination IP address, application information <i.e., process-related data>, and user identity. Then security policy obtained for comparison with the user context, and policy matched up with table to allow or deny access); and 
determining, based on a result of correlating the data structure to the access-control policy (Kumar at [0059] – “the security engine 220 is used to authorize network connection requests of the VMs based on the identity of a user and/or application that makes the request and on other information associated with the request (e.g., source/destination addresses, ports, protocols, etc.; see also [0048] – rights determined based on the context/tuple information), whether the task is to performed using the application at the third sub-system separate from the second sub-system (Kumar at [0058] – “The security agent 260 operates on the guest machine and passes the captured network event information (e.g., user, application, tuple information) to the security engine 220, but does not directly interact with the packets (other than tagging). When a packet exits the guest machines, the security engine 220 of some embodiments captures the packet and enforces the security policies (based on the updated 210.”; [0059] – “the security engine 220 is used to authorize network connection requests of the VMs based on the identity of a user and/or application that makes the request and on other information associated with the request (e.g., source/destination addresses, ports, protocols, etc.)”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the policy control system of the combination of Kumar and Roth with the teachings of Zuk, constructing the data structure based on the representation of the user identity, the process-related data, and the one or more source IP addresses and destination IP addresses as data entries in a context table that represents a totality of circumstances associated with the user request, to ensure only specific users are permitted to access specific applications in the cloud system (see, e.g., Zuk at [0017], [0057]).

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Kumar in view of Roth and Zuk, further in view of Ferox et al. (US20160191413, Hereinafter “Ferox”).
Regarding claim 6, the combination of Kumar, Roth, and Zuk discloses the method of claim 4, wherein collecting the process-related data based on the detected one or more process-related events comprises: E39626determining a process for performing the task using the application (Kumar at [0086] – security agent 660 collects connection information along with gathered context information 672; [0085] – context includes process information; [0048] – see connection request as network event used to make security determination). 
While the combination of Kumar, Roth, and Zuk disclose collecting process information based on the event (see, e.g., Kumar at [0028, 0048]), the combination of Kumar, Roth, and Zuk appear to fail to disclose similarly obtaining a process identification associated with the determined process.  
obtaining a process identification associated with the determined process ([0035] – contextual information is made for every new connection request for the application (e.g., both incoming and outgoing connection requests); [0050, 0078] – contextual information includes the process identifier, and is used by a security agent to determine whether to forward the request).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Kumar, Roth, and Zuk with the teachings of Feroz, comprising obtaining a process identification associated with the determined process, so that particular incoming connection processes may be allowed or denied based on stored policies (see, e.g., Feroz at [0042], [0078]).

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Kumar in view of Roth and Zuk, further in view of Messerli et al. (US20140059226, Hereinafter “Messerli”).
Regarding claim 14, the combination of Kumar, Roth, and Zuk discloses the method of claim 12, wherein denying the user request comprises: denying a user request for [[uploading of a data object]] to the cloud-services computing environment, wherein the denying is performed prior to receiving the data object (Kumar at [0059] – “The security engine 220 receives communications (e.g., packets intended for transmission to or received from other end machines in the network) and determines an action (e.g., allow, deny, redirect, etc.) to perform on the packet with respect to security policies of the network. For example, in some cases, the security engine 220 is used to authorize network connection requests of the VMs based on the identity of a user and/or application that makes the request and on other information associated with the request (e.g., source/destination addresses, ports, protocols, 625 until security engine denies or allows the request).  
While the combination of Kumar, Roth, and Zuk disclose access control for requests directed to data objects (see Roth [0040-041] with Kumar at [0048]), the combination appears to fail to specifically disclose the access control also being directed to requests for uploading of the data object.
However, Casals Andreu discloses an access control system for a cloud computing environment receiving API request from a user (see abstract, [0247]), comprising allowing or denying a user’s request for uploading of a data object to the cloud-services environment based on stored policies ([0247] – a request is received and filtered according to user permissions to specific VM images; [0221] – “When a request arrives directed to that resource, the tenant-defined rules and filters are applied to the request and the appropriate object is uploaded, downloaded, edited, or redirected accordingly”; [0036] – the resources are part of cloud computing system).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Kumar, Roth, and Zuk with the teachings of Casals Andreu, to include providing access control to user requests for uploading of a data object to the cloud-services computing environment, so that only authenticated users may interact with the resource to store information for later use (see, e.g., Casals Andreu at [0170], [0221], [0245]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Handa et al. (US10362059) discloses a reverse proxy system for controlling access to application resources within a cloud-computing environment based on user permissions associated with a received API request (see, e.g., abstract, column 15, lines 42-66, and column 27, line 37-column28, line 2). Sarukkai et al. (US9137131) discloses a network traffic monitoring system controlling access to .
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSHUA RAYMOND WHITE whose telephone number is (571)272-4365.  The examiner can normally be reached on Monday-Thursday, & Alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available 






/J.R.W./Examiner, Art Unit 2438                                                                                                                                                                                         /TAGHI T ARANI/Supervisory Patent Examiner, Art Unit 2438