DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The present application, final filed on October 14, 2019, is accepted.
Claims 1 – 20 are being considered on the merits.

Drawings
The drawings, final filed on October 14, 2019, are accepted.

Specification
The specification, final filed on October 14, 2019, is accepted.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 - 3, 5 - 10, 12 - 16, and 18 - 20 are rejected under 35 U.S.C. 103 as being unpatentable over US 20200257815 A1 to Huang et al., (hereafter, "Huang") further in view of US 20190097791 A1 to Hersans et al., (hereafter, "Hersans").
Regarding claim 1, Huang teaches a method for secure data deletion in a multitenant environment, performed by a storage system, comprising: associating a key with a tenant, in the multitenant environment, as a result of the storage system receiving data from the tenant through a virtual local area network (VLAN) or from an Internet protocol (IP) address; [Huang, para. 63 discloses each encryption key may be specific, distinctive, or otherwise unique to a corresponding user. In some embodiments, the encryption keys may be standard encryption keys used by each of the computing devices 206 for the respective user associated with a particular tenant 204. In some embodiments, the tenant server 212 may be configured to store a copy of the encryption key for each of the users. The tenant server 212 may be configured to store the encryption key in, for instance, a secure location at the tenant 204 (such as an active directory). Para. 114 discloses the information on the service endpoint may be a port of a server, an IP address corresponding to the client service, or other address which may be used for transmitting information to the client service] storing the data, encrypted by the key, in the storage system; [Huang, para. 12 discloses storing, by the cloud service, the encrypted user data of the user to a storage indexed by the user identifier and the tenant identifier. Para. 18 discloses storing, by the first tenant server, an encryption key used for encrypting the encrypted user data], but Huang does not teach determining that the key, as retained in the storage system, is to be deleted, so that the data is to be inaccessible in unencrypted form, responsive to a request from the tenant to delete the data.
[Hersans, para. 16 discloses the user device may transmit a destruction request message corresponding to a secret or an encryption key to the data center, and the data center may destroy or mark for deletion the specified tenant secret, tenant-specific encryption key, or both, in response.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Hersans’s system with Huang’s system, with a motivation to derive the encryption key from a key derivation server, and may invalidate the encryption key based on a user command or a time-to-live (TTL) parameter of the encryption key. Once invalidated or removed from the distributed cache, an encryption key may not be visible to any application servers [Hersans, para. 30]

As per claim 2, modified Huang teaches the method for secure data deletion in a multitenant environment, performed by a storage system, of claim 1 wherein the associating the key with the tenant comprises: tagging the key with a tenant tag. [Huang, para. 63 discloses each encryption key may be specific, distinctive, or otherwise unique to a corresponding user. In some embodiments, the encryption keys may be standard encryption keys used by each of the computing devices 206 for the respective user associated with a particular tenant 204. Para. 95 discloses the server may generate an encryption key specifically associated with the user. The encryption key may be generated by the server according to an encryption or cryptographic protocol. The encryption/cryptographic protocol may be determined by the server, user operating the computing device, and so forth. In some embodiments, when the server generates the encryption key, the server may save the encryption key associated with the user identifier for the user. The server may save the encryption key in the active directory as a confidential object or attribute.]

Regarding claim 3, modified Huang teaches the method for secure data deletion in a multitenant environment, performed by a storage system, of claim 1, but Huang does not teach further comprising: deleting the key, after a data recoverability time span.
However, Hersans does teach further comprising: deleting the key, after a data recoverability time span. [Hersans, para. 37 discloses the encryption key may be associated with a user-specified or standard TTL, which may specify an amount of time or a specific time and date. The data center 210 may destroy the encryption key following the specified amount of time or at the specific time and date.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Hersans’s system with Huang’s system, with a motivation to invalidate or remove an encryption key from the distributed cache, so that an encryption key may not be visible to any application servers. [Hersans, para. 16] 

Regarding claim 5, modified Huang teaches the method for secure data deletion in a multitenant environment, performed by a storage system, of claim 1, but Huang in view of Hersans does not explicitly teach to exclude the encrypted data that is tagged with the tenant tag from garbage collection, during an agreed-upon data recoverability time span that starts with the receiving the request from the tenant to delete the data,
However, Hersans does teach that the encryption key is not deleted during an agreed-upon data recoverability time span that starts with the receiving the request from the tenant to delete the data. [Hersans, para. 37 discloses the user device 205 may send an explicit key destruction request message to the data center 210, and the data center 210 or distributed cache 230 may destroy the encryption key based on the message. The encryption key may be stored in the distributed cache 230 during its existence in the data center 210, and may not be stored in the central database 235 or backed up in any backup or data recovery systems. Any application server 220 may access the encryption key in the distributed cache 230 before it is destroyed based on the time-based expiry or destruction command.] This implies that encryption keys are maintained during the agreed upon time span in order to decrypt data encrypted with the encryption keys. 
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Huang in view of Hersans to exclude the encrypted data that is tagged with the tenant tag from garbage collection, during an agreed-upon data recoverability time span that starts with the receiving the request from the tenant to delete the data, the motivation is that maintaining the data encrypted with the encryption keys would yield the expected result of enabling use of the retained encryption keys to decrypt the encrypted data during the agreed upon time span.

Regarding claim 6, modified Huang teaches the method for secure data deletion in a multitenant environment, performed by a storage system, of claim 1, but modified Huang does not teach further comprising: exporting the key to the tenant, responsive to the request from the tenant to delete the data; deleting the key, to fulfill the determining that the key is to be deleted; importing the key from the tenant, responsive to a request to cancel deletion of the data.
	However, Hersans does teach exporting the key to the tenant, responsive to the request from the tenant to delete the data; [Hersans, para. 49 discloses the key service 330 or the application server 310 may return a response message to the user device (e.g., including decrypted data requested by the user device, or an indication that data was encrypted using the DEK). In some cases, the key service 330 may send the DEK to a different application server, or to an application running on the user device in response to the initial request message] deleting the key, to fulfill the determining that the key is to be deleted; [Hersans, para. 16 discloses the user device may transmit a destruction request message corresponding to a secret or an encryption key to the data center, and the data center may destroy or mark for deletion the specified tenant secret, tenant-specific encryption key, or both, in response] importing the key from the tenant, responsive to a request to cancel deletion of the data. [Hersans, para. 36 discloses the user device 205 may return the encryption key or permission to access the encryption key (e.g., based on input from a user authorizing the key retrieval). In some cases, the request-based pull procedure may override security functionality of the data center 210 (e.g., security functionality that prohibits sending callouts during a transaction).]
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date to combine Hersans’s system with Huang’s system, with a motivation to derive the encryption key from a key derivation server, and may invalidate the encryption key based on a user command or a time-to-live (TTL) parameter of the encryption key. Once invalidated or removed from the distributed cache, an encryption key may not be visible to any application servers [Hersans, para. 30]

Regarding claim 7, modified Huang teaches the method for secure data deletion in a multitenant environment, performed by a storage system, of claim 1, but modified Huang does not teach further comprising: exporting the key to the tenant, responsive to the request from the tenant to delete the data; retaining the key in the storage system, as a master key for approval; delaying deletion of the key during a data recoverability time span; and supporting access by the tenant to the data, with approval by the master key, responsive to the tenant returning the exported key.
However, Hersans does teach exporting the key to the tenant, responsive to the request from the tenant to delete the data; [Hersans, para. 49 discloses the key service 330 or the application server 310 may return a response message to the user device (e.g., including decrypted data requested by the user device, or an indication that data was encrypted using the DEK). In some cases, the key service 330 may send the DEK to a different application server, or to an application running on the user device in response to the initial request message] delaying deletion of the key during a data recoverability time span; [Hersans, para. 32 discloses the application server 220 may include KEK storage 245 in a local key cache, but may not store either the DEK or encrypted DEK. Instead, the decrypted plaintext version of the DEK may exist for the duration of an encryption key request in the application server 220, and then may be destroyed. Para. 37 discloses for a time-based expiry procedure, the data center 210 (e.g., the distributed cache 230 of the data center 210) may transmit a callout to a user device 205 based on a TTL policy or explicit destruction call from a user. For example, the data center 210 may send a first callout to the user device 205, and may receive an encryption key (e.g., a DEK) in response. In some cases, the encryption key may be associated with a user-specified or standard TTL, which may specify an amount of time or a specific time and date] retaining the key in the storage system, as a master key for approval; [Hersans, para. 54 discloses the application server 410 may send an encryption key destroy call to the distributed cache 415. The encryption key destroy call may include an indication of the tenant or tenant secret. In some cases, at 435, the distributed cache 415 may search distributed cache storage for any encryption keys (e.g., DEKs) corresponding to the indicated tenant or tenant secret, and may remove the corresponding encryption keys from the distributed cache 415. In other cases, the distributed cache 415 may not destroy the corresponding encryption keys, and instead may implement key destruction markers. For example, when retrieving an encryption key, the distributed cache 415 may first determine whether the corresponding tenant secret is marked with a key destruction marker. If the tenant secret contains the key destruction marker, the distributed cache 415 may refrain from retrieving any encryption keys associated with that tenant secret, effectively destroying those encryption keys from a user access standpoint. Para. 33 discloses the key derivation function may additionally receive a master secret, a master salt, or both as inputs to determine the tenant-specific encryption key (e.g., a DEK). The key derivation server 225 may additionally generate universal, tenant-specific, or DEK-specific KEKs. The KEKs may be generated based on a same HSM, master secret, master salt, and/or key derivation function, or may be generated based on different parameters and functions than the DEKs] and supporting access by the tenant to the data, with approval by the master key, responsive to the tenant returning the exported key. [Hersans, para. 37 discloses the encryption key may be stored in the distributed cache 230 during its existence in the data center 210, and may not be stored in the central database 235 or backed up in any backup or data recovery systems. Any application server 220 may access the encryption key in the distributed cache 230 before it is destroyed based on the time-based expiry or destruction command. Additionally or alternatively, the encryption key may be encrypted using a KEK while stored in the distributed cache 230 (e.g., the encryption may occur at the key derivation server 225). Para. 36 discloses the user device 205 may return the encryption key or permission to access the encryption key (e.g., based on input from a user authorizing the key retrieval). In some cases, the request-based pull procedure may override security functionality of the data center 210 (e.g., security functionality that prohibits sending callouts during a transaction).]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date to combine Hersans’s system with Huang’s system, with a motivation to protect against such attacks, or other unauthorized attempts to read encrypted data records, the distributed cache 230 may store the encryption keys as ciphertext, rather than plaintext. [Hersans, para. 31]

Regarding claim 8, Huang teaches a tangible, non-transitory, computer-readable media having instructions thereupon which, when executed by a processor, cause the processor to perform a method comprising: associating a key with a tenant, in a multitenant environment, as a result of a storage system receiving data from the tenant through a virtual local area network (VLAN) or from an Internet protocol (IP) address, which the storage system recognizes as associated with the tenant; [Huang, para. 63 discloses each encryption key may be specific, distinctive, or otherwise unique to a corresponding user. In some embodiments, the encryption keys may be standard encryption keys used by each of the computing devices 206 for the respective user associated with a particular tenant 204. In some embodiments, the tenant server 212 may be configured to store a copy of the encryption key for each of the users. The tenant server 212 may be configured to store the encryption key in, for instance, a secure location at the tenant 204 (such as an active directory). Para. 114 discloses the information on the service endpoint may be a port of a server, an IP address corresponding to the client service, or other address which may be used for transmitting information to the client service] encrypting the data with the key; [Huang, para. 9 discloses to store user data at the cloud services, the client may encrypt user data using the encryption key] storing the encrypted data in the storage system; [Huang, para. 12 discloses storing, by the cloud service, the encrypted user data of the user to a storage indexed by the user identifier and the tenant identifier. Para. 18 discloses storing, by the first tenant server, an encryption key used for encrypting the encrypted user data] retaining the key associated with the tenant, in the storage system, so that the key is not available external to the storage system while so retained; [Huang, para. 13 discloses the first server is configured to generate an encryption key for the user and store the encryption key as a confidential information in a user object for the user. In some embodiments, the first server is configured to provide a cloud service endpoint, the encryption key and the user data access ticket to the computing device of the user.], but Huang does not teach determining that the key, as retained in the storage system is to be deleted, so that the data is to be inaccessible in unencrypted form to all, responsive to a request from the tenant to delete the data.
However, Hersans does teach determining that the key, as retained in the storage system is to be deleted, so that the data is to be inaccessible in unencrypted form to all, responsive to a request from the tenant to delete the data. [Hersans, para. 16 discloses the user device may transmit a destruction request message corresponding to a secret or an encryption key to the data center, and the data center may destroy or mark for deletion the specified tenant secret, tenant-specific encryption key, or both, in response.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Hersans’s system with Huang’s system, with a motivation to derive the encryption key from a key derivation server, and may invalidate the encryption key based on a user command or a time-to-live (TTL) parameter of the encryption key. Once invalidated or removed from the distributed cache, an encryption key may not be visible to any application servers [Hersans, para. 30]

As per claim 9, modified Huang teaches the tangible, non-transitory, computer-readable media of claim 8, wherein the method further comprises: generating the key; [Huang, para. 13 discloses the first server is configured to generate an encryption key for the user and store the encryption key as a confidential information in a user object for the user] and tagging the key with a tenant tag for the associating the key with the tenant. [Huang, para. 63 discloses each encryption key may be specific, distinctive, or otherwise unique to a corresponding user. In some embodiments, the encryption keys may be standard encryption keys used by each of the computing devices 206 for the respective user associated with a particular tenant 204. Para. 95 discloses the server may generate an encryption key specifically associated with the user. The encryption key may be generated by the server according to an encryption or cryptographic protocol. The encryption/cryptographic protocol may be determined by the server, user operating the computing device, and so forth. In some embodiments, when the server generates the encryption key, the server may save the encryption key associated with the user identifier for the user. The server may save the encryption key in the active directory as a confidential object or attribute.]

Regarding claim 10, modified Huang teaches the tangible, non-transitory, computer-readable media of claim 8, but Huang does not teach wherein the method further comprises: deleting the key, after expiration of an agreed-upon data recoverability time span that starts with the request from the tenant to delete the data, so that the data is inaccessible to all.
However, Hersans does teach wherein the method further comprises: deleting the key, after expiration of an agreed-upon data recoverability time span that starts with the request from the tenant to delete the data, so that the data is inaccessible to all. [Hersans, para. 37 discloses the encryption key may be associated with a user-specified or standard TTL, which may specify an amount of time or a specific time and date. The data center 210 may destroy the encryption key following the specified amount of time or at the specific time and date.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Hersans’s system with Huang’s system, with a motivation to invalidate or remove an encryption key from the distributed cache, so that an encryption key may not be visible to any application servers. [Hersans, para. 16] 

Regarding claim 12, modified Huang teaches the tangible, non-transitory, computer-readable media of claim 8, wherein the method further comprises: tagging the encrypted data with a tenant tag, wherein the associating the key with the tenant comprises tagging the key with the tenant tag [Huang, para. 63 discloses each encryption key may be specific, distinctive, or otherwise unique to a corresponding user. In some embodiments, the encryption keys may be standard encryption keys used by each of the computing devices 206 for the respective user associated with a particular tenant 204. Para. 95 discloses when the server generates the encryption key, the server may save the encryption key associated with the user identifier for the user. The server may save the encryption key in the active directory as a confidential object or attribute], but Huang in view of Hersans does not teach explicitly teach excluding the encrypted data that is tagged with the tenant tag from garbage collection, during an agreed-upon data recoverability time span that starts with the request from the tenant to delete the data.
However, Hersans does teach that the encryption key is not deleted during an agreed-upon data recoverability time span that starts with the receiving the request from the tenant to delete the data. [Hersans, para. 37 discloses the user device 205 may send an explicit key destruction request message to the data center 210, and the data center 210 or distributed cache 230 may destroy the encryption key based on the message. The encryption key may be stored in the distributed cache 230 during its existence in the data center 210, and may not be stored in the central database 235 or backed up in any backup or data recovery systems. Any application server 220 may access the encryption key in the distributed cache 230 before it is destroyed based on the time-based expiry or destruction command.] This implies that encryption keys are maintained during the agreed upon time span in order to decrypt data encrypted with the encryption keys.
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Huang in view of Hersans to exclude the encrypted data that is tagged with the tenant tag from garbage collection, during an agreed-upon data recoverability time span that starts with the receiving the request from the tenant to delete the data, the motivation is that it that maintaining the data encrypted with the encryption keys would yield the expected result of enabling use of the retained encryption keys to decrypt the encrypted data during the agreed upon time span.

Regarding claim 13, modified Huang teaches the tangible, non-transitory, computer-readable media of claim 8, but modified Huang does not teach further comprises: exporting the key to the tenant, responsive to the request from the tenant to delete the data; deleting the key as retained in the storage system; retaining the encrypted data in the storage system; and importing the key from the tenant to the storage system, responsive to a request by the tenant, within an agreed-upon data recoverability time span that starts with the request from the tenant to delete the data, to cancel deletion of the data.
	However, Hersans does teach exporting the key to the tenant, responsive to the request from the tenant to delete the data; [Hersans, para. 49 discloses the key service 330 or the application server 310 may return a response message to the user device (e.g., including decrypted data requested by the user device, or an indication that data was encrypted using the DEK). In some cases, the key service 330 may send the DEK to a different application server, or to an application running on the user device in response to the initial request message] deleting the key as retained in the storage system; [Hersans, para. 16 discloses the user device may transmit a destruction request message corresponding to a secret or an encryption key to the data center, and the data center may destroy or mark for deletion the specified tenant secret, tenant-specific encryption key, or both, in response] retaining the encrypted data in the storage system; [Hersans, para. 54 discloses the application server 410 may send an encryption key destroy call to the distributed cache 415. The encryption key destroy call may include an indication of the tenant or tenant secret. In some cases, at 435, the distributed cache 415 may search distributed cache storage for any encryption keys (e.g., DEKs) corresponding to the indicated tenant or tenant secret, and may remove the corresponding encryption keys from the distributed cache 415. In other cases, the distributed cache 415 may not destroy the corresponding encryption keys, and instead may implement key destruction markers. For example, when retrieving an encryption key, the distributed cache 415 may first determine whether the corresponding tenant secret is marked with a key destruction marker. If the tenant secret contains the key destruction marker, the distributed cache 415 may refrain from retrieving any encryption keys associated with that tenant secret, effectively destroying those encryption keys from a user access standpoint. Para. 33 discloses the key derivation function may additionally receive a master secret, a master salt, or both as inputs to determine the tenant-specific encryption key (e.g., a DEK). The key derivation server 225 may additionally generate universal, tenant-specific, or DEK-specific KEKs. The KEKs may be generated based on a same HSM, master secret, master salt, and/or key derivation function, or may be generated based on different parameters and functions than the DEKs] importing the key from the tenant to the storage system, responsive to a request by the tenant, within an agreed-upon data recoverability time span that starts with the request from the tenant to delete the data, to cancel deletion of the data. [Hersans, para. 36 discloses the user device 205 may return the encryption key or permission to access the encryption key (e.g., based on input from a user authorizing the key retrieval). In some cases, the request-based pull procedure may override security functionality of the data center 210 (e.g., security functionality that prohibits sending callouts during a transaction).]
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date to combine Hersans’s system with Huang’s system, with a motivation to derive the encryption key from a key derivation server, and may invalidate the encryption key based on a user command or a time-to-live (TTL) parameter of the encryption key. Once invalidated or removed from the distributed cache, an encryption key may not be visible to any application servers [Hersans, para. 30]

Regarding claim 14, modified Huang teaches the tangible, non-transitory, computer-readable media of claim 8, but modified Huang does not teach wherein the method further comprises: exporting the key to the tenant, responsive to the request from the tenant to delete the data; retaining the key in the storage system, as a master key for approval; delaying deletion of the key during an agreed-upon data recoverability time span that starts with the request from the tenant to delete the data; and supporting access by the tenant to the data, using the key that was exported, with approval by the master key, responsive to a request by the tenant within the data recoverability time span to undelete the data, accompanied by the tenant returning the exported key to the storage system.
However, Hersans does teach exporting the key to the tenant, responsive to the request from the tenant to delete the data; [Hersans, para. 49 discloses the key service 330 or the application server 310 may return a response message to the user device (e.g., including decrypted data requested by the user device, or an indication that data was encrypted using the DEK). In some cases, the key service 330 may send the DEK to a different application server, or to an application running on the user device in response to the initial request message] delaying deletion of the key during an agreed-upon data recoverability time span that starts with the request from the tenant to delete the data; [Hersans, para. 32 discloses the application server 220 may include KEK storage 245 in a local key cache, but may not store either the DEK or encrypted DEK. Instead, the decrypted plaintext version of the DEK may exist for the duration of an encryption key request in the application server 220, and then may be destroyed. Para. 37 discloses for a time-based expiry procedure, the data center 210 (e.g., the distributed cache 230 of the data center 210) may transmit a callout to a user device 205 based on a TTL policy or explicit destruction call from a user. For example, the data center 210 may send a first callout to the user device 205, and may receive an encryption key (e.g., a DEK) in response. In some cases, the encryption key may be associated with a user-specified or standard TTL, which may specify an amount of time or a specific time and date] retaining the key in the storage system, as a master key for approval; [Hersans, para. 54 discloses the application server 410 may send an encryption key destroy call to the distributed cache 415. The encryption key destroy call may include an indication of the tenant or tenant secret. In some cases, at 435, the distributed cache 415 may search distributed cache storage for any encryption keys (e.g., DEKs) corresponding to the indicated tenant or tenant secret, and may remove the corresponding encryption keys from the distributed cache 415. In other cases, the distributed cache 415 may not destroy the corresponding encryption keys, and instead may implement key destruction markers. For example, when retrieving an encryption key, the distributed cache 415 may first determine whether the corresponding tenant secret is marked with a key destruction marker. If the tenant secret contains the key destruction marker, the distributed cache 415 may refrain from retrieving any encryption keys associated with that tenant secret, effectively destroying those encryption keys from a user access standpoint. Para. 33 discloses the key derivation function may additionally receive a master secret, a master salt, or both as inputs to determine the tenant-specific encryption key (e.g., a DEK). The key derivation server 225 may additionally generate universal, tenant-specific, or DEK-specific KEKs. The KEKs may be generated based on a same HSM, master secret, master salt, and/or key derivation function, or may be generated based on different parameters and functions than the DEKs] and supporting access by the tenant to the data, using the key that was exported, with approval by the master key, responsive to a request by the tenant within the data recoverability time span to undelete the data, accompanied by the tenant returning the exported key to the storage system. [Hersans, para. 37 discloses the encryption key may be stored in the distributed cache 230 during its existence in the data center 210, and may not be stored in the central database 235 or backed up in any backup or data recovery systems. Any application server 220 may access the encryption key in the distributed cache 230 before it is destroyed based on the time-based expiry or destruction command. Additionally or alternatively, the encryption key may be encrypted using a KEK while stored in the distributed cache 230 (e.g., the encryption may occur at the key derivation server 225). Para. 36 discloses the user device 205 may return the encryption key or permission to access the encryption key (e.g., based on input from a user authorizing the key retrieval). In some cases, the request-based pull procedure may override security functionality of the data center 210 (e.g., security functionality that prohibits sending callouts during a transaction).]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date to combine Hersans’s system with Huang’s system, with a motivation to protect against such attacks, or other unauthorized attempts to read encrypted data records, the distributed cache 230 may store the encryption keys as ciphertext, rather than plaintext. [Hersans, para. 31]

Regarding claim 15, Huang teaches a storage system having secure data deletion in a multitenant environment, comprising: storage memory; a communication interface; and one or more processors, [Huang, para. 33 discloses computer 101 may include one or more processors 103, volatile memory 122 (e.g., random access memory (RAM)), non-volatile memory 128 (e.g., one or more hard disk drives (HDDs) or other magnetic or optical storage media, one or more solid state drives (SSDs) such as a flash drive or other solid state storage media, one or more hybrid magnetic and solid state drives, and/or one or more virtual storage volumes, such as a cloud storage, or a combination of such physical storage volumes and virtual storage volumes or arrays thereof), user interface (UI) 123, one or more communications interfaces 118, and communication bus 150. User interface 123 may include graphical user interface (GUI) 124 (e.g., a touchscreen, a display, etc.)] to: encrypt data with a key; [Huang, para. 9 discloses to store user data at the cloud services, the client may encrypt user data using the encryption key] tag the key with a tenant tag, [Huang, para. 11 discloses storing, by the cloud service responsive to validating the user data access ticket, the encrypted user data of the user associated with the user identifier and a tenant identifier corresponding to the tenant service key] to associate the key to a tenant in a multitenant environment, as a result of the storage system receiving the data from the tenant through the communication interface from a virtual local area network (VLAN) or from an Internet protocol (IP) address and recognizing that the VLAN or the IP address is associated with the tenant; [Huang, para. 63 discloses each encryption key may be specific, distinctive, or otherwise unique to a corresponding user. In some embodiments, the encryption keys may be standard encryption keys used by each of the computing devices 206 for the respective user associated with a particular tenant 204. In some embodiments, the tenant server 212 may be configured to store a copy of the encryption key for each of the users. The tenant server 212 may be configured to store the encryption key in, for instance, a secure location at the tenant 204 (such as an active directory). Para. 114 discloses the information on the service endpoint may be a port of a server, an IP address corresponding to the client service, or other address which may be used for transmitting information to the client service] store the encrypted data in the storage memory; [Huang, para. 12 discloses storing, by the cloud service, the encrypted user data of the user to a storage indexed by the user identifier and the tenant identifier. Para. 18 discloses storing, by the first tenant server, an encryption key used for encrypting the encrypted user data] retain the key associated with the tenant, in the storage system, so that the key is not available external to the storage system while so retained; [Huang, para. 13 discloses the first server is configured to generate an encryption key for the user and store the encryption key as a confidential information in a user object for the user. In some embodiments, the first server is configured to provide a cloud service endpoint, the encryption key and the user data access ticket to the computing device of the user.], but Huang does not teach determine that the key, as retained in the storage system is to be deleted, so that the data is to be inaccessible in unencrypted form to all, responsive to receiving a request from the tenant to delete the data.
However, Hersans does teach determine that the key, as retained in the storage system is to be deleted, so that the data is to be inaccessible in unencrypted form to all, responsive to receiving a request from the tenant to delete the data. [Hersans, para. 16 discloses the user device may transmit a destruction request message corresponding to a secret or an encryption key to the data center, and the data center may destroy or mark for deletion the specified tenant secret, tenant-specific encryption key, or both, in response.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Hersans’s system with Huang’s system, with a motivation to derive the encryption key from a key derivation server, and may invalidate the encryption key based on a user command or a time-to-live (TTL) parameter of the encryption key. Once invalidated or removed from the distributed cache, an encryption key may not be visible to any application servers [Hersans, para. 30]

Regarding claim 16, modified Huang teaches the storage system having secure data deletion in a multitenant environment of claim 15, but Huang does not teach further comprising the one or more processors to: delete the key, after expiration of an agreed-upon data recoverability time span that starts with the receiving the request from the tenant to delete the data, so that the data is inaccessible to all.
However, Hersans does teach wherein the method further comprising the one or more processors to: delete the key, after expiration of an agreed-upon data recoverability time span that starts with the receiving the request from the tenant to delete the data, so that the data is inaccessible to all. [Hersans, para. 37 discloses the encryption key may be associated with a user-specified or standard TTL, which may specify an amount of time or a specific time and date. The data center 210 may destroy the encryption key following the specified amount of time or at the specific time and date.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Hersans’s system with Huang’s system, with a motivation to invalidate or remove an encryption key from the distributed cache, so that an encryption key may not be visible to any application servers. [Hersans, para. 16] 

Regarding claim 18, modified Huang teaches the storage system having secure data deletion in a multitenant environment of claim 15, further comprising the one or more processors to: tag the encrypted data with a tenant tag, wherein the associating the key with the tenant comprises tagging the key with the tenant tag; [Huang, para. 63 discloses each encryption key may be specific, distinctive, or otherwise unique to a corresponding user. In some embodiments, the encryption keys may be standard encryption keys used by each of the computing devices 206 for the respective user associated with a particular tenant 204. Para. 95 discloses when the server generates the encryption key, the server may save the encryption key associated with the user identifier for the user. The server may save the encryption key in the active directory as a confidential object or attribute], but Huang does not teach exclude the encrypted data that is tagged with the tenant tag from garbage collection, during an agreed-upon data recoverability time span that starts with the receiving the request from the tenant to delete the data.
However, Hersans does teach that the encryption key is not deleted during an agreed-upon data recoverability time span that starts with the receiving the request from the tenant to delete the data. [Hersans, para. 37 discloses the user device 205 may send an explicit key destruction request message to the data center 210, and the data center 210 or distributed cache 230 may destroy the encryption key based on the message. The encryption key may be stored in the distributed cache 230 during its existence in the data center 210, and may not be stored in the central database 235 or backed up in any backup or data recovery systems. Any application server 220 may access the encryption key in the distributed cache 230 before it is destroyed based on the time-based expiry or destruction command.] This implies that encryption keys are maintained during the agreed upon time span in order to decrypt data encrypted with the encryption keys.. 
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Huang in view of Hersans to exclude the encrypted data that is tagged with the tenant tag from garbage collection, during an agreed-upon data recoverability time span that starts with the receiving the request from the tenant to delete the data, the motivation is that maintaining the data encrypted with the encryption keys would yield the expected result of enabling use of the retained encryption keys to decrypt the encrypted data during the agreed upon time span.

Regarding claim 19, modified Huang teaches the storage system having secure data deletion in a multitenant environment of claim 15, but modified Huang does not teach further comprising the one or more processors to: export the key to the tenant, responsive to the request from the tenant to delete the data; delete the key as retained in the storage system; retain the encrypted data in the storage system; and import the key from the tenant to the storage system, responsive to receiving a request to cancel deletion of the data.
	However, Hersans does teach export the key to the tenant, responsive to the request from the tenant to delete the data; [Hersans, para. 49 discloses the key service 330 or the application server 310 may return a response message to the user device (e.g., including decrypted data requested by the user device, or an indication that data was encrypted using the DEK). In some cases, the key service 330 may send the DEK to a different application server, or to an application running on the user device in response to the initial request message] delete the key as retained in the storage system; [Hersans, para. 16 discloses the user device may transmit a destruction request message corresponding to a secret or an encryption key to the data center, and the data center may destroy or mark for deletion the specified tenant secret, tenant-specific encryption key, or both, in response] retain the encrypted data in the storage system; [Hersans, para. 54 discloses the application server 410 may send an encryption key destroy call to the distributed cache 415. The encryption key destroy call may include an indication of the tenant or tenant secret. In some cases, at 435, the distributed cache 415 may search distributed cache storage for any encryption keys (e.g., DEKs) corresponding to the indicated tenant or tenant secret, and may remove the corresponding encryption keys from the distributed cache 415. In other cases, the distributed cache 415 may not destroy the corresponding encryption keys, and instead may implement key destruction markers. For example, when retrieving an encryption key, the distributed cache 415 may first determine whether the corresponding tenant secret is marked with a key destruction marker. If the tenant secret contains the key destruction marker, the distributed cache 415 may refrain from retrieving any encryption keys associated with that tenant secret, effectively destroying those encryption keys from a user access standpoint. Para. 33 discloses the key derivation function may additionally receive a master secret, a master salt, or both as inputs to determine the tenant-specific encryption key (e.g., a DEK). The key derivation server 225 may additionally generate universal, tenant-specific, or DEK-specific KEKs. The KEKs may be generated based on a same HSM, master secret, master salt, and/or key derivation function, or may be generated based on different parameters and functions than the DEKs] import the key from the tenant to the storage system, responsive to receiving a request to cancel deletion of the data. [Hersans, para. 36 discloses the user device 205 may return the encryption key or permission to access the encryption key (e.g., based on input from a user authorizing the key retrieval). In some cases, the request-based pull procedure may override security functionality of the data center 210 (e.g., security functionality that prohibits sending callouts during a transaction).]
	Therefore, it would have been obvious to one of ordinary skill in the art before the derive the encryption key from a key derivation server, and may invalidate the encryption key based on a user command or a time-to-live (TTL) parameter of the encryption key. Once invalidated or removed from the distributed cache, an encryption key may not be visible to any application servers [Hersans, para. 30]

Regarding claim 20, modified Huang teaches the storage system having secure data deletion in a multitenant environment of claim 15, but modified Huang does not teach further comprising the one or more processors to: export the key to the tenant, responsive to the request from the tenant to delete the data; retain the key in the storage system, as a master key for approval; delay deletion of the key during an agreed-upon data recoverability time span that starts with the request from the tenant to delete the data; and support access by the tenant to the data, using the key that was exported, with approval by the master key, responsive to receiving a request from the tenant within the data recoverability time span to undelete the data, with the tenant returning the exported key to the storage system.
However, Hersans does teach export the key to the tenant, responsive to the request from the tenant to delete the data; [Hersans, para. 49 discloses the key service 330 or the application server 310 may return a response message to the user device (e.g., including decrypted data requested by the user device, or an indication that data was encrypted using the DEK). In some cases, the key service 330 may send the DEK to a different application server, or to an application running on the user device in response to the initial request message] teach delay deletion of the key during an agreed-upon data recoverability time span that starts with the request from the tenant to delete the data; [Hersans, para. 32 discloses the application server 220 may include KEK storage 245 in a local key cache, but may not store either the DEK or encrypted DEK. Instead, the decrypted plaintext version of the DEK may exist for the duration of an encryption key request in the application server 220, and then may be destroyed. Para. 37 discloses for a time-based expiry procedure, the data center 210 (e.g., the distributed cache 230 of the data center 210) may transmit a callout to a user device 205 based on a TTL policy or explicit destruction call from a user. For example, the data center 210 may send a first callout to the user device 205, and may receive an encryption key (e.g., a DEK) in response. In some cases, the encryption key may be associated with a user-specified or standard TTL, which may specify an amount of time or a specific time and date] retain the key in the storage system, as a master key for approval; [Hersans, para. 54 discloses the application server 410 may send an encryption key destroy call to the distributed cache 415. The encryption key destroy call may include an indication of the tenant or tenant secret. In some cases, at 435, the distributed cache 415 may search distributed cache storage for any encryption keys (e.g., DEKs) corresponding to the indicated tenant or tenant secret, and may remove the corresponding encryption keys from the distributed cache 415. In other cases, the distributed cache 415 may not destroy the corresponding encryption keys, and instead may implement key destruction markers. For example, when retrieving an encryption key, the distributed cache 415 may first determine whether the corresponding tenant secret is marked with a key destruction marker. If the tenant secret contains the key destruction marker, the distributed cache 415 may refrain from retrieving any encryption keys associated with that tenant secret, effectively destroying those encryption keys from a user access standpoint. Para. 33 discloses the key derivation function may additionally receive a master secret, a master salt, or both as inputs to determine the tenant-specific encryption key (e.g., a DEK). The key derivation server 225 may additionally generate universal, tenant-specific, or DEK-specific KEKs. The KEKs may be generated based on a same HSM, master secret, master salt, and/or key derivation function, or may be generated based on different parameters and functions than the DEKs] and support access by the tenant to the data, using the key that was exported, with approval by the master key, responsive to receiving a request from the tenant within the data recoverability time span to undelete the data, with the tenant returning the exported key to the storage system. [Hersans, para. 37 discloses the encryption key may be stored in the distributed cache 230 during its existence in the data center 210, and may not be stored in the central database 235 or backed up in any backup or data recovery systems. Any application server 220 may access the encryption key in the distributed cache 230 before it is destroyed based on the time-based expiry or destruction command. Additionally or alternatively, the encryption key may be encrypted using a KEK while stored in the distributed cache 230 (e.g., the encryption may occur at the key derivation server 225). Para. 36 discloses the user device 205 may return the encryption key or permission to access the encryption key (e.g., based on input from a user authorizing the key retrieval). In some cases, the request-based pull procedure may override security functionality of the data center 210 (e.g., security functionality that prohibits sending callouts during a transaction).]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date to combine Hersans’s system with Huang’s system, with a motivation to protect against such attacks, or other unauthorized attempts to read encrypted data records, the distributed cache 230 may store the encryption keys as ciphertext, rather than plaintext. [Hersans, para. 31]

Claims 4, 11 , and 17 are rejected under 35 U.S.C. 103 as being unpatentable over US 20200257815 A1 to Huang et al., (hereafter, "Huang") in view of US 20190097791 A1 to Hersans et al., (hereafter, "Hersans") further in view of US 20160275277 A1 to Huang et al., (hereafter, “Huan”).
Regarding claim 4, modified Huang teaches the method for secure data deletion in a multitenant environment, performed by a storage system, of claim 1, but modified Huang does not teach further comprising: canceling a direction to delete the key, responsive to a request from the tenant to cancel deleting the data.
However, Huan does teach further comprising: canceling a direction to delete the key [Huan, para. 39 discloses if the data is soft deleted as a data protection response, the data may later be recovered by the OS. When data is soft deleted, only the links to the data (e.g., files) are deleted. The data can be recovered/restored by restoring the links from a safe store. In one embodiment, the restoration of the data can be automatic, such as the next time that the user logs in with the correct password and correct password entering context. Para. 37 discloses the data may be hidden, soft deleted, or hard deleted discretely, such that the person is not even aware that the data is or was ever present on the device. Additionally, or alternatively, displayed windows may be rearranged before the person has seen the prior arrangement of the windows, an alert may be transmitted to an owner or administrator of the device without the person's knowledge, and/or other data protection responses may be performed in a discrete manner], responsive to a request from the tenant to cancel deleting the data. [Huan, para. 28 discloses Context-based data protection enables a user to set up policies to protect data on devices against undesired access, such as in situations where a device has been stolen, where the device is being used against the user's will (e.g., the user has been forced to give out the device password, the device has been taken away while in active operation, etc.), and in other situations. Predefined actions are automatically executed to protect the data when a risky external context is detected so as to prevent the data from being compromised.] 
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Huan’s system with modified Huang’s system, with a motivation to define sensitive data to be protected via a content attribute, data protection that covers the data on the device for all accounts. [Huan, para. 40]

Regarding claim 11, modified Huang teaches the tangible, non-transitory, computer-readable media of claim 8, but modified Huang does not teach wherein the method further comprises: canceling a direction to delete the key, responsive to a request from the tenant to cancel deleting the data, so that the key continues to be retained in the storage system.
However, Huan does teach wherein the method further comprises: canceling a direction to delete the key, responsive to a request from the tenant to cancel deleting the data, so that the key continues to be retained in the storage system. [Huan, para. 39 discloses if the data is soft deleted as a data protection response, the data may later be recovered by the OS. When data is soft deleted, only the links to the data (e.g., files) are deleted. The data can be recovered/restored by restoring the links from a safe store. In one embodiment, the restoration of the data can be automatic, such as the next time that the user logs in with the correct password and correct password entering context. Para. 37 discloses the data may be hidden, soft deleted, or hard deleted discretely, such that the person is not even aware that the data is or was ever present on the device. Additionally, or alternatively, displayed windows may be rearranged before the person has seen the prior arrangement of the windows, an alert may be transmitted to an owner or administrator of the device without the person's knowledge, and/or other data protection responses may be performed in a discrete manner. Para. 28 discloses Context-based data protection enables a user to set up policies to protect data on devices against undesired access, such as in situations where a device has been stolen, where the device is being used against the user's will (e.g., the user has been forced to give out the device password, the device has been taken away while in active operation, etc.), and in other situations. Predefined actions are automatically executed to protect the data when a risky external context is detected so as to prevent the data from being compromised.]  
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Huan’s system with modified Huang’s system, with a motivation to define sensitive data to be protected via a content attribute, data protection that covers the data on the device for all accounts. [Huan, para. 40]

Regarding claim 17, modified Huang teaches the storage system having secure data deletion in a multitenant environment of claim 15, but modified Huang does not teach further comprising the one or more processors to: cancel a direction to delete the key, responsive to receiving a request from the tenant to cancel deleting the data, so that the key continues to be retained in the storage system.
However, Huan does teach further comprising the one or more processors to: cancel a direction to delete the key, responsive to receiving a request from the tenant to cancel deleting the data, so that the key continues to be retained in the storage system. [Huan, para. 39 discloses if the data is soft deleted as a data protection response, the data may later be recovered by the OS. When data is soft deleted, only the links to the data (e.g., files) are deleted. The data can be recovered/restored by restoring the links from a safe store. In one embodiment, the restoration of the data can be automatic, such as the next time that the user logs in with the correct password and correct password entering context. Para. 37 discloses the data may be hidden, soft deleted, or hard deleted discretely, such that the person is not even aware that the data is or was ever present on the device. Additionally, or alternatively, displayed windows may be rearranged before the person has seen the prior arrangement of the windows, an alert may be transmitted to an owner or administrator of the device without the person's knowledge, and/or other data protection responses may be performed in a discrete manner. Para. 28 discloses Context-based data protection enables a user to set up policies to protect data on devices against undesired access, such as in situations where a device has been stolen, where the device is being used against the user's will (e.g., the user has been forced to give out the device password, the device has been taken away while in active operation, etc.), and in other situations. Predefined actions are automatically executed to protect the data when a risky external context is detected so as to prevent the data from being compromised.]  
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Huan’s system with modified Huang’s system, with a motivation to define sensitive data to be protected via a content attribute, data protection that covers the data on the device for all accounts. [Huan, para. 40]

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Phuc Pham whose telephone number is (571)272-8893.  The examiner can normally be reached on Monday - Thursday 7:30 AM - 4:30 PM; Friday 8:00 AM - 12:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/P.P./Patent Examiner, Art Unit 2434                                                                                                                                                                                                        
/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434