Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


DETAILED ACTION
2.	This action is in response to the application filed May 31, 2019.

3.	Claims 1-20 have been examined and are pending with this action.

4.	The Information Disclosure Statements filed on February 25, 2020 and August 12, 2020 have been considered.


Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the 

5.	Claim(s) 1-3, 5-13, and 15-20 is/are rejected under 35 U.S.C. 102(a)(1) and 102(a)(2) as being anticipated by Ladnai et al. (US 2017/0302685).
INDEPENDENT:
As per claim 1, Ladnai teaches a computer-implemented method for validating security policy in a cloud computing environment, the method comprising: 
providing a graph database, the graph database representing workloads of the cloud computing environment as nodes and relationships between the workloads as edges (see Ladnai, [0092]: “The analysis facility 340 may create an event graph. In general, the event graph may represent information in the data log 322 in a graph where objects 312 are nodes and events 314 are edges connecting the nodes to one another based on causal or other relationships as generally contemplated herein”; and [0126]: “It also will be understood that the figure illustrates a graphical depiction of an event graph 500, which may be stored in a database or other suitable data structure”); 
receiving a security policy, the security policy logically describing rules for the relationships between the workloads (see Ladnai, [0109]: “a security policy may be used to detect a security event. This may include, for example, whitelists or blacklists of known computing objects and events, or reputations and signatures thereof. For example, a security policy may include rules that allow computing objects and events that are provided by a known, trusted source (e.g., a trusted user, endpoint, network, company, vendor, and so forth). The rules may be more complex, for example, where originating from a trusted source is only one factor in determining whether to whitelist computing objects and events. In general, the security policy may include any suitable rules, logic, prioritizing, etc., as desired to detect a security event”; and [0110]: “Although referred to herein in terms of `security,` one skilled in the art will recognize that a security policy may also or instead include other types of policies. For example, a security policy may include a corporate or network policy having a list of approved computing objects and events, where computing objects and events outside of this list may not necessarily be security risks, but are otherwise unwanted in the network. Thus, the security policy may intend to detect malware and the like, while also detecting other types of unwanted computing objects and events that do not qualify as malware”); 
determining, based on the security policy and the graph database, a list of violations, the list of violations including at least one relationship from the relationships between the workloads in the graph database, the at least one relationship being not allowed by at least one of the rules in the security policy (see Ladnai, [0029]: “In an embodiment, a policy database may be a block list, a black list, an allowed list, a white list, or the like that may provide a list of enterprise facility 102 external network locations/applications that may or may not be accessed by the client facility”; [0051]: “The personal firewall may permit or deny communications based on a security policy”; and [0106]: “each software object may be individually analyzed for its compliance with a security policy or the like using signatures or other objective characteristics”); and 
providing the list of violations to a user (see Ladnai, [0027]: “Feedback of information may also be associated with behaviors of individuals within the enterprise, such as being associated with most common violations of policy, network access, unauthorized application loading, unauthorized external device use, and the like. In embodiments, this type of information feedback may enable the evaluation or profiling of client actions that are violations of policy that may provide a predictive model for the improvement of enterprise policies”; [0029]: “In an embodiment, a policy database may be a block list, a black list, an allowed list, a white list, or the like that may provide a list of enterprise facility 102 external network locations/applications that may or may not be accessed by the client facility”; [0044]: “Remedial action may be taken for any of the client facility computing facilities as determined by the administration facility 134; remedial action may be taken by the administration facility 134 or by the user of the client facility”; and [0056]: “Remedial action may be taken for any of the client facility computing facilities as determined by the administration facility 134; remedial action may be taken by the administration facility 134 or by the user of the client facility.”).

As per claim 11, Ladnai teaches a system for managing security in a cloud computing environment, the system comprising: 
a processor (see Ladnai, [0065]: “The processor 212 may be any processor or other processing circuitry capable of processing instructions for execution within the computing device 210 or computer system 200”); and 
a memory communicatively coupled to the processor, the memory storing instructions executable by the processor to perform a method (see Ladnai, [0066]: “The memory 214 may store program instructions, program data, executables, and other software and data useful for controlling operation of the computing device 210 and configuring the computing device 210 to perform functions for a user”) comprising: 
providing a graph database, the graph database representing workloads of the cloud computing environment as nodes and relationships between the workloads as edges (see Ladnai, [0092]: “The analysis facility 340 may create an event graph. In general, the event graph may represent information in the data log 322 in a graph where objects 312 are nodes and events 314 are edges connecting the nodes to one another based on causal or other relationships as generally contemplated herein”; and [0126]: “It also will be understood that the figure illustrates a graphical depiction of an event graph 500, which may be stored in a database or other suitable data structure”); 
receiving a security policy, the security policy logically describing rules for the relationships between the workloads (see Ladnai, [0109]: “a security policy may be used to detect a security event. This may include, for example, whitelists or blacklists of known computing objects and events, or reputations and signatures thereof. For example, a security policy may include rules that allow computing objects and events that are provided by a known, trusted source (e.g., a trusted user, endpoint, network, company, vendor, and so forth). The rules may be more complex, for example, where originating from a trusted source is only one factor in determining whether to whitelist computing objects and events. In general, the security policy may include any suitable rules, logic, prioritizing, etc., as desired to detect a security event”; and [0110]: “Although referred to herein in terms of `security,` one skilled in the art will recognize that a security policy may also or instead include other types of policies. For example, a security policy may include a corporate or network policy having a list of approved computing objects and events, where computing objects and events outside of this list may not necessarily be security risks, but are otherwise unwanted in the network. Thus, the security policy may intend to detect malware and the like, while also detecting other types of unwanted computing objects and events that do not qualify as malware”); 
determining, based on the security policy and the graph database, a list of violations, the list of violations including at least one relationship from the relationships between the workloads in the graph database, the at least one relationship being not allowed by at least one of the rules in the security policy (see Ladnai, [0029]: “In an embodiment, a policy database may be a block list, a black list, an allowed list, a white list, or the like that may provide a list of enterprise facility 102 external network locations/applications that may or may not be accessed by the client facility”; [0051]: “The personal firewall may permit or deny communications based on a security policy”; and [0106]: “each software object may be individually analyzed for its compliance with a security policy or the like using signatures or other objective characteristics”); and 
providing the list of violations to a user (see Ladnai, [0027]: “Feedback of information may also be associated with behaviors of individuals within the enterprise, such as being associated with most common violations of policy, network access, unauthorized application loading, unauthorized external device use, and the like. In embodiments, this type of information feedback may enable the evaluation or profiling of client actions that are violations of policy that may provide a predictive model for the improvement of enterprise policies”; [0029]: “In an embodiment, a policy database may be a block list, a black list, an allowed list, a white list, or the like that may provide a list of enterprise facility 102 external network locations/applications that may or may not be accessed by the client facility”; [0044]: “Remedial action may be taken for any of the client facility computing facilities as determined by the administration facility 134; remedial action may be taken by the administration facility 134 or by the user of the client facility”; and [0056]: “Remedial action may be taken for any of the client facility computing facilities as determined by the administration facility 134; remedial action may be taken by the administration facility 134 or by the user of the client facility.”).

As per claim 20, Ladnai teaches a non-transitory processor-readable medium having embodied thereon a program being executable by at least one processor (see Ladnai, [0067]: “The memory 214 may, in general, include a non-volatile computer readable medium containing computer code that, when executed by the computing device 210 creates an execution environment for a computer program in question”) to perform a method for validating security policy in a cloud computing environment, the method comprising: 
providing a graph database, the graph database representing workloads of the cloud computing environment as nodes and relationships between the workloads as edges (see Ladnai, [0092]: “The analysis facility 340 may create an event graph. In general, the event graph may represent information in the data log 322 in a graph where objects 312 are nodes and events 314 are edges connecting the nodes to one another based on causal or other relationships as generally contemplated herein”; and [0126]: “It also will be understood that the figure illustrates a graphical depiction of an event graph 500, which may be stored in a database or other suitable data structure”); 
(see Ladnai, [0109]: “a security policy may be used to detect a security event. This may include, for example, whitelists or blacklists of known computing objects and events, or reputations and signatures thereof. For example, a security policy may include rules that allow computing objects and events that are provided by a known, trusted source (e.g., a trusted user, endpoint, network, company, vendor, and so forth). The rules may be more complex, for example, where originating from a trusted source is only one factor in determining whether to whitelist computing objects and events. In general, the security policy may include any suitable rules, logic, prioritizing, etc., as desired to detect a security event”; and [0110]: “Although referred to herein in terms of `security,` one skilled in the art will recognize that a security policy may also or instead include other types of policies. For example, a security policy may include a corporate or network policy having a list of approved computing objects and events, where computing objects and events outside of this list may not necessarily be security risks, but are otherwise unwanted in the network. Thus, the security policy may intend to detect malware and the like, while also detecting other types of unwanted computing objects and events that do not qualify as malware”); 
determining, based on the security policy and the graph database, a list of violations, the list of violations including at least one relationship from the relationships between the workloads in the graph database, the at least one relationship being not allowed by at least one of the rules in the security policy (see Ladnai, [0029]: “In an embodiment, a policy database may be a block list, a black list, an allowed list, a white list, or the like that may provide a list of enterprise facility 102 external network locations/applications that may or may not be accessed by the client facility”; [0051]: “The personal firewall may permit or deny communications based on a security policy”; and [0106]: “each software object may be individually analyzed for its compliance with a security policy or the like using signatures or other objective characteristics”); and 
(see Ladnai, [0027]: “Feedback of information may also be associated with behaviors of individuals within the enterprise, such as being associated with most common violations of policy, network access, unauthorized application loading, unauthorized external device use, and the like. In embodiments, this type of information feedback may enable the evaluation or profiling of client actions that are violations of policy that may provide a predictive model for the improvement of enterprise policies”; [0029]: “In an embodiment, a policy database may be a block list, a black list, an allowed list, a white list, or the like that may provide a list of enterprise facility 102 external network locations/applications that may or may not be accessed by the client facility”; [0044]: “Remedial action may be taken for any of the client facility computing facilities as determined by the administration facility 134; remedial action may be taken by the administration facility 134 or by the user of the client facility”; and [0056]: “Remedial action may be taken for any of the client facility computing facilities as determined by the administration facility 134; remedial action may be taken by the administration facility 134 or by the user of the client facility.”).

DEPENDENT:
As per claims 2 and 12, which respectively depend on claims 1 and 11, Ladnai further teaches wherein the graph database is created and updated based on a data concerning the cloud computing environment, the data including at least one of streaming telemetry from network logs, events from a cloud control plane, and inventory from a configuration management database (see Ladnai, [0043]: “Remedial action may be provided as a result of a detection of a threat or violation. The detection techniques facility 130 may include monitoring the enterprise facility 102 network or endpoint devices, such as by monitoring streaming data through the gateway, across the network, through routers and hubs, and the like”; and [0091]: “The analysis facility 340 may be an external facility, or it may reside in a virtual appliance (e.g., which could be run by a protected set of systems on their own network systems), a private cloud, a public cloud, and so forth”).
As per claim 3, which depends on claim 1, Ladnai further teaches wherein the security policy is a programmatically readable document including one or more of the following: a JavaScript Object Notation document, a Language (YAML) document, and an Open Policy Agent (OPA) rules document (see Ladnai, [0047]: “Programming environments for thin clients 144 may include JavaScript/AJAX, ASP, JSP, Ruby on Rails, Python's Django, PHP, and the like”).
As per claims 5 and 15, which respectively depend on claims 1 and 11, Ladnai further teaches wherein the security policy is created by the user based upon manually declared requirements (see Ladnai, [0018]: “A corporation or other entity may institute a policy that prevents certain people (e.g. employees, groups of employees, types of employees, guest of the corporation, etc.) from accessing certain types of computer programs”; and [0035]: “As threats are identified and characterized, the threat management facility 100 may create definition updates that may be used to allow the threat management facility 100 to detect and remediate the latest malicious software, unwanted applications, configuration and policy changes, and the like”; and [0044]: “remedial action may be taken by the administration facility 134 or by the user of the client facility”).
As per claims 6 and 16, which respectively depend on claims 1 and 11, Ladnai further teaches wherein the determining the list of violations includes: traversing the nodes and the edges of the graph database; and while traversing: determining a type of connection between at least two nodes; and determining that the type of connection between the at least two nodes is not permitted by the rules of the security policy (see Ladnai, [0030]: “The policies may be defined for application type, subset of application capabilities, organization hierarchy, computer facility type, user type, network location, time of day, connection type, or the like”; and [0077]: “Forensic analysis for computer processes may include a root cause analysis--e.g., determining and analyzing an origin or root cause of a piece of malware. Techniques may include monitoring activity for one or more endpoints and recording the activity in a data recorder or the like”).
As per claims 7 and 17, which respectively depend on claims 1 and 11, Ladnai further teaches wherein the providing the list of violations to the user includes: displaying a visual representation of the nodes and the edges of the graph database, wherein the edges correspond to connections not allowed by the at least one of the rules in the security policy; or a tabular representation using JSON (see Ladnai, [0047]: “Thin clients 144 may offer minimal processing capabilities, for instance, the thin client facility may primarily provide a graphical user interface provided by an application server facility 142”; and [0092]: “The event graph may also or instead be displayed to a user of the system 300 or endpoint 310, e.g., using an interactive user interface or the like”).
As per claims 8 and 18, which respectively depend on claims 7 and 17, Ladnai teaches further comprising: receiving, from the user, a user input indicative of allowing or disallowing the at the least one relationship not allowed by the at least one of the rules of the security policy; and modifying the security policy based on the user input (see Ladnai, [0027]: “Feedback of information may also be associated with behaviors of individuals within the enterprise, such as being associated with most common violations of policy, network access, unauthorized application loading, unauthorized external device use, and the like. In embodiments, this type of information feedback may enable the evaluation or profiling of client actions that are violations of policy that may provide a predictive model for the improvement of enterprise policies”).
As per claims 9 and 19, which respectively depend on claims 8 and 18, Ladnai further teaches further comprising: deploying the security policy to the cloud computing environment (see Ladnai, [0078]: “An analysis facility 340 may be coupled in a communicating relationship with the endpoint 310 over a data network 350 such as any of the networks described above. It will be appreciated that, while illustrated as components of the endpoint 310, certain components of the system 300 such as the data recorder 320 and the monitoring facility 330 and the analysis facility may also or instead be realized as remote services instantiated on a virtual appliance, a public or private cloud, or the like, any of which may be coupled to the endpoint 310 through the data network 350 or another communication channel (not shown)”).
As per claim 10, which depends on claim 1, Ladnai further teaches wherein the cloud computing environment is hosted by a plurality of different cloud services (see Ladnai, [0078]: “An analysis facility 340 may be coupled in a communicating relationship with the endpoint 310 over a data network 350 such as any of the networks described above. It will be appreciated that, while illustrated as components of the endpoint 310, certain components of the system 300 such as the data recorder 320 and the monitoring facility 330 and the analysis facility may also or instead be realized as remote services instantiated on a virtual appliance, a public or private cloud, or the like, any of which may be coupled to the endpoint 310 through the data network 350 or another communication channel (not shown)”).
As per claim 13, which depends on claim 11, Ladnai further teaches wherein the security policy is a JavaScript Object Notation document (see Ladnai, [0047]: “Programming environments for thin clients 144 may include JavaScript/AJAX, ASP, JSP, Ruby on Rails, Python's Django, PHP, and the like”).


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


6.	Claims 4 and 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ladnai et al. (US 2017/0302685) in view of Ashley et al. (US 2016/0234250).
As per claims 4 and 14, which respectively depend on claims 1 and 11, although Ladnai teaches generating a security policy in cloud computing environment (see Ladnai, [0078]: “An analysis facility 340 may be coupled in a communicating relationship with the endpoint 310 over a data network 350 such as any of the networks described above. It will be appreciated that, while illustrated as components of the endpoint 310, certain components of the system 300 such as the data recorder 320 and the monitoring facility 330 and the analysis facility may also or instead be realized as remote services instantiated on a virtual appliance, a public or private cloud, or the like, any of which may be coupled to the endpoint 310 through the data network 350 or another communication channel (not shown)”; and [0106]: “For example, each software object may be individually analyzed for its compliance with a security policy or the like using signatures or other objective characteristics”), Ladnai does not explicitly teach that a policy generated based on a security template and the security template including protected workloads.
Ashley teaches a policy generated based on a security template (see Ashley, [0001]: “it provides a virtual security appliance deployment tool that makes use of a library of security policy templates enabling automatic creation, configuration, and deployment of security appliances for workloads in cloud and virtualized environments without requiring that a user configure the security policy and other parameters of the instantiated security appliances”)and the security template including protected workloads (see Ashley, [0003]: “the network security controls are not automatically configured with appropriate security policies providing optimal protection for the workload”).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the system of Ladnai in view of Ashley so that a policy is generated based on a security template and the security template including protected workloads.  One would be motivated to do so because such “re-usable security policy templates that can be automatically linked with the type of workload being deployed in a cloud, customized for deployment in specific cloud environments, and can even be dynamically adapted as security policies change, for example, due to detected anomalies” (see Ashley, [0005]).


Conclusion
7.	For the reasons above, claims 1-20 have been rejected and remain pending.

8.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL Y WON whose telephone number is (571)272-3993.  The examiner can normally be reached on Wk.1: M-F: 8-5 PST & Wk.2: M-Th: 8-7 PST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  Please note, the examiner generally will not hold interviews after a Final Office Action has been issued.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava can be reached on 571-272-7304.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


MICHAEL WON
Primary Examiner
Art Unit 2449



/Michael Won/
Primary Examiner, Art Unit 2449
April 21, 2021