Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 5/20/21 has been entered.
 
Claims 1, 12, 18, 20, and 23 have been amended.  Claim numbering of claim 23 has been corrected.  

Response to Amendment


Claim Objections
Claim objection to the numbering of claim 23 has been withdrawn.  



Response to Arguments
Applicant’s arguments with respect to claim(s) 1, 18, and 20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.


Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-23 are rejected under 35 U.S.C. 103 as being unpatentable over USP Application Publication 2014/0237545 to applicant Marble in view of USP Application Publication 2014/0359777 to Lam et al., hereinafter Lam and in further view of USP Application Publication 2010/0281388 to Kane et al., hereinafter Kane.

As per claim 1, Marble teaches a system, comprising:
 a memory or other data storage device configured to store one or both of enterprise mobility management (EMM) data associated with a set of enterprise users of mobile devices (0072) associated with an enterprise and cloud service data associated with use of a cloud service by users associated with the enterprise (0091 and 0103); and the cloud service data includes usage data generated by a cloud service (0103, service behavior on the service is logged, user behavior in logging into Marble Service;  
a processor coupled to the memory or other data storage device (0084) and configured to correlate the EMM data and the cloud service data to analyze usage of the cloud service by said users associated with the enterprise (0105 and 0131 [received log feeds]), including one or both of access of the cloud service using one or more unmanaged devices (0088) and access of the cloud service using one or more unmanaged mobile apps (0052, 0055, and 0120).
Marble does not explicitly teach the EMM data includes usage data generated by an EMM server.  On the other hand Lam teaches this limitation as the mobile server creates and stores usage data received by sensors from mobile devices (0028-30).  This data is used to calculate risk scores.  Marble uses data from many sources to calculate risk scores (Figs. 5 and 15).  Knowing what users are doing on their mobile phone is another source the system of Marble would be interested in because Marble explicitly treats devices that user’s connect to its service as bound to such service (0072).  The claim is obvious because one of ordinary skill in the art can combine known methods which do not produce unpredictable results.  
The combined system of Marble and Lam does not explicitly teach that correlating the EMM data and the cloud service data includes creating a uniform data scheme by mapping and normalizing the EMM data and the cloud service data.  The combination of Marble and Lam teaches correlating the EMM data and the cloud service data to analyze usage of the cloud service by said users associated with the enterprise (Marble: 0105 and 0131 [received log feeds]) .  Lam teaches the EMM data is stored in logs as well to report activities by the mobile devices (0028-0030).  Thus the combination correlates user data and mobile data.  Kane creates uniform data scheme by mapping and normalizing network data about customers from different sources (0099).  The end result is a uniform profile for a customer that takes into account various network usages to present a graphical presentation of the customer’s usage that can be compared to other customers (Fig. 4a-c).  Thus it was known before the effective filing data of the invention to normalize and map different datasets as taught by Kane.  Combining this with the system of Marble and Lam would thus take the correlated data (EMM data and cloud service data) and normalize it into a user profile dataset that represents the usage patterns of the user on the network.  Marble already teaches calculating risk score from a plurality of data sources (0103) and normalizing those scores to create a vulnerability event (0096 and 0127).  Taking the end result of such calculations would present a clear illustration of what a user does on the network and could be easily compared to other users under normalized conditions.  The claim is obvious because one of ordinary skill in the art can combine known methods which do not produce unpredictable results.  Creating a uniform data scheme by mapping and normalizing the EMM data and cloud service data does not yield an unpredictable result.  One such predictable result is a data presentation for a customer’s use of the network which could then be compared to other risk based models or normal behavior to detect risky behavior.  Marble explicitly teaches monitoring and profile user behavior (0091 and 0103) from multiple sources.

As per claim 2, Marble teaches to determine a level of risk associated with said access of the cloud service using one or more unmanaged devices and access of the cloud service using one or more unmanaged mobile apps (0107).

As per claim 3, Marble teaches to determine the level of risk at least in part by determining an extent across the enterprise users of said access of the cloud service using one or more unmanaged devices and access of the cloud service using one or more unmanaged mobile apps (0120).

As per claim 4, Marble teaches to determine the level of risk at least in part by determining an application reputation score for one or more of said one or more unmanaged apps (0119).

As per claim 5, Marble teaches to determine the level of risk based on data correlated across multiple cloud service providers (0119 and 0120).

As per claim 6, Marble teaches taking a responsive action determined based at least in part on the determined level of risk (0119).
As per claim 7, Marble teaches to block said one or more unmanaged devices from accessing the cloud service (0057 and 0113).

As per claim 8, Marble teaches to block said one or more unmanaged devices by blocking access to the cloud service by blocking one or more users associated with said one or more unmanaged devices (0057 and 0059).
As per claim 9, Marble teaches to block said one or more unmanaged devices from accessing the cloud service (0057 and 0059).

As per claim 10, Marble teaches to perform one or more of the following with respect to each unmanaged device: quarantine the device, warn the user to use a managed device, and require a further authentication factor (0057, 0059, 0013, and 0129).

As per claim 11, Marble teaches to migrate users of an unmanaged app that is a sanctioned app to use of a managed version of the sanctioned app to access the cloud service (0076).

As per claim 12, Marble teaches to map said cloud service provider log data to one or more associated mobile apps (0094 and 0103).

As per claim 13, Marble teaches to generate a dashboard, report, event, alert, or other output reflecting a level of risk associated with said access of the cloud service using one or more unmanaged devices and access of the cloud service using one or more unmanaged mobile apps (0113 and 0126).

As per claim 14, Marble teaches the dashboard, report, event, alert, or other output is consumed by a receiving system configured to take action in response to the output (0113 and 0126).

As per claim 15, Marble teaches 	the dashboard, report, or other output aggregates risk information by one or more of user, user group, role, sensitivity of enterprise data accessible via the cloud service, unmanaged app, unsanctioned app, and unmanaged device (0129).

As per claim 16, Marble teaches the processor is further configured to assign a risk score to each of a plurality of component risks identified by said analysis of usage of the cloud service and to combine the component risk scores to determine a consolidated risk score (0119 and 0126).
As per claim 17, Marble teaches the EMM data is received from a plurality of EMM data sources (0119).
As per claim 18 and 20, they are rejected for the same reasons as claim 1.

As per claim 19, Marble teaches taking action without human intervention in response to said analysis [step 1103; paragraph 0129].

As per claim 21, the combined system of Marble and Lam teaches correlating the EMM data [usage data from mobile] and the cloud service data [user usage data of the service] includes comparing a pattern of usage [Lam: 222 Fig. 2 and 0029 and 0030] indicated by the EMM data with a pattern of usage indicated by the cloud service data [history of user logging into the service; Marble: 0103 and 0130]  to determine a level of risk associated with said access of the cloud service using one or more unmanaged devices (Marble: 0088) and access of the cloud service using one or more unmanaged mobile apps (Marble: 0052, 0055, and 0120).
As per claim 22, the combined system of Marble and Lam teaches correlating the EMM data and the cloud service data includes joining and comparing the EMM data and the cloud service data [all data feeds are aggregated and compared; Marble: Fig. 15, Fig. 5 all fed into the facility; 0120]; the cloud service data includes at least one of: application identity and user (0103); and the EMM data includes at least one of: user identity, device disposition, app identity, app disposition, device type, timestamp, and location [Lam: 0030].
As per claim 23, the combined system of Marble, Kane, and Lam teaches mapping and normalizing the EMM data and the cloud service data is based at least in part on at least one of: application knowledge (0072) and device knowledge (Marble: 0103) to determine an application granted access to the cloud service. 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL R. VAUGHAN whose telephone number is (571)270-7316.  The examiner can normally be reached on Monday - Thursday, 7:30am - 5:00pm, EST.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL R VAUGHAN/
Primary Examiner, Art Unit 2431