DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Independent claims 1, 8, and 15 recite “an application executing thereon corresponding to the first logical storage unit” twice. It is unclear if these limitations are referring to a single instance of a particular application, distinct applications, or applications sharing the same first logical storage unit. For examination purposes, these limitations are interpreted as a single instance of a particular application.


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 15-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claims do not fall within at least one of the four categories of patent eligible subject matter because they can be directed to signals per se. While the specifications indicate that the “computer-readable media may be non-transitory” on pg. 66, line 8, such disclosure is only exemplary (e.g. “may be”). Therefore, the computer-readable media can include signals and software under broadest reasonable interpretation.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention 

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over US 2019/0073318 to Vaknin et al. (hereinafter, “Vaknin”) in view of US 2003/0182501 to George et al. (hereinafter, “George”).
As per claim 1: Vaknin discloses: For a data storage network including a data storage system and a plurality of host systems having applications executing thereon (a storage system 100 in communication with a plurality of hosts 1011-n [Vaknin, ¶0110-0112; Fig. 1]), the execution of which results in data being stored on a plurality of physical storage devices of the data storage system (“Storage system 100 can further comprise an interface layer 110 comprising one or more control units (also referred to herein as control computer devices) 1051-n operatively connected to the shared physical storage space and to one or more hosts (also referred to herein as host computer devices) 1011-n…” [Vaknin, ¶0111; Fig. 1]), and including a plurality of logical storage units corresponding to the plurality of physical storage devices (“Interface layer 110 can be further configured to provide a virtual storage layer , a method comprising: assigning a first unique encryption key to a first of the plurality of logical storage units (“…target data corresponds to one or more logical data blocks of at least one logical volume accessible to the host and are encrypted with respective encryption keys assigned to the one or more logical data blocks…” [Vaknin, ¶0126]); providing the first unique encryption key to one or more of the plurality of host systems (a direct write metadata request is sent by the host computer device to the interface layer 110, wherein metadata is transmitted back to the host computer device; “the metadata includes a base key assigned to the at least one logical volume” [Vaknin, ¶0171; Fig. 6]); (“The target data corresponding to the one or more logical data blocks can be encrypted (608) using the respective encryption keys.” [Vaknin, ¶0172]).
Vaknin does not disclose “an application executing thereon corresponding to the first logical storage unit” of the host systems and that the first unique encryption keys are not provided to any host system “that do not have an application executing thereon corresponding to the first logical storage unit” (i.e. refraining from providing…). However, George is directed to analogous art of creating a plurality of virtual logical units (LUN) of storage refraining from providing”) for each of the plurality of host applications (“application executing” in the “host systems”) and the plurality of virtual LUNs [George, ¶0069-0072; Fig. 5].
Thus, it would have been obvious to a person having ordinary skill in the art before the claimed invention was effectively filed to implement an application-level access control to the logical data blocks in Vaknin, such as through the masking table disclosed in George. The granularity of access of the host systems to the storage system would have been a design choice by the developers. Any level of access, such as controlling access at the device level or by applications executing within a device, would have been implemented based on the design requirements of the storage system.

As per claim 2: Vaknin in view of George disclose all limitations of claim 1. Furthermore, Vaknin in view of George disclose: further comprising the storage system: receiving a request from a first of the plurality of host systems for the first unique encryption key (receiving a direct read/write metadata requests [Vaknin, ¶0153, 0170]); accessing a data structure that associates logical storage units with host systems to determine whether the first host system corresponds to the first logical storage unit (in view of George: the masking table provides a list of hosts and accessible virtual LUNs with permissions [George, ¶0070; Fig. 5]); and if the first host system corresponds to the first logical storage unit, providing the first encryption key to the first host system (providing the metadata that includes a base key to the host computer device in response to the read/write requests [Vaknin, ¶0153, 0171]; as discussed 

As per claim 3: Vaknin in view of George disclose all limitations of claim 1. Furthermore, Vaknin in view of George disclose: further comprising: a first of the one or more host systems accessing encryption metadata corresponding to the data portion; the first host system reading an encrypted version of the data portion from the storage system; and the host system decrypting the encrypted version to produce an unencrypted version of the data portion (“Turning now to FIG. 4, there is illustrated a generalized flowchart showing a sequence of operations performed in a direct read access of a host computer device to the shared physical storage space in a distributed storage system…” [Vaknin, ¶0149]; steps for reading and decrypting are disclosed in [Vaknin, ¶0150-0154]).

As per claim 4: Vaknin in view of George disclose all limitations of claim 3. Furthermore, Vaknin in view of George disclose: wherein the first host system accessing the encryption metadata includes the host system sending a metadata read instruction the storage system (“In response to receiving the direct read request, metadata pertaining to the one or more logical data blocks can be transmitted (304) by the control computer device (e.g., by the Direct Access Control module 220) to the host computer device.” [Vaknin, ¶0141; Fig. 3]).

As per claim 5: Vaknin in view of George disclose all limitations of claim 3. Furthermore, Vaknin in view of George disclose: wherein the host system is directly connected to an internal fabric of the storage system (“…it is desired to enable direct access of hosts to the shared physical storage space, e.g., to enable them to read data directly from the shared storage space, and/or write data directly to the shared storage space, after initially consulting the control units for metadata pertaining to a certain logical address.” [Vaknin, ¶0123]), and wherein the first host system reading the encrypted version of the data portion includes the first host system sending a data read instruction to a global memory or the one or more physical storage devices on the internal fabric independent of any director of the storage system (“By way of example, direct access of the hosts can include direct read and/or direct write access to the shared storage space. In the case of direct read access control of a host to directly read target data from the shared storage space where the target data corresponds to one or more logical data blocks of at least one logical volume accessible to the host and are encrypted with respective encryption keys assigned to the one or more logical data blocks…” [Vaknin, ¶0126]).

As per claim 6: Vaknin in view of George disclose all limitations of claim 3. Furthermore, Vaknin in view of George disclose: further comprising: the host system determining whether the data portion is encrypted from the encryption metadata (“The metadata includes at least physical location of the target data on the shared physical storage space and key metadata to be used for decryption of the target data.” [Vaknin, ¶0126]; i.e. the key signifies that the data is encrypted and used to decrypt the data).

As per claim 7: Vaknin in view of George disclose all limitations of claim 3. Furthermore, Vaknin in view of George disclose: wherein the data storage system sets a flag within the encryption metadata for the data portion indicating that the data portion is stored on the data storage system in encrypted form (“Information or metadata related to the keys are controlled by the control units and can be transmitted to the hosts upon receiving requests therefrom, thereby enabling secured and granular access control of the hosts, e.g., the hosts can only access what they are allowed to access.” [Vaknin, ¶0125]; each logical block can be assigned with a respective encryption key [Vaknin, ¶0140]; thus, the inclusion of keys (i.e. a flag) in the metadata would indicate that the stored data is encrypted and the key is used for decrypting).

As per claims 8-14: Claims 8-14 are different in overall scope from claims 1-7 but recite substantially similar subject matter as claims 1-7, respectively. Claims 8-14 are directed to a system performing the method corresponding to claims 1-7, respectively. Thus, the responses provided above for claims 1-7 are equally applicable to claims 8-14, respectively.

As per claims 15-20: Claims 15-20 are different in overall scope from claims 1-7 but recite substantially similar subject matter as claims 1-7. Claims 15-20 are directed to a computer-readable media having software that performs the method corresponding to claims 1-7. Thus, the responses provided above for claims 1-7 are equally applicable to claims 15-20.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 2004/0054866: Discloses mapping hosts to logical storage units of data storage devices and permitting/denying access requests from hosts to the associated storage devices of the logical storage units. See Abstract.
US 2005/0097271: Discloses an access control table for each logical storage device identifier that a host computer is allowed to specify in a request. See ¶0041.
US 2005/0125538: Discloses assigning one or more logical storage units to one or more host computers. Each host computer includes one or more applications that include an application identifier, which are associated with one or more logical storage units. See ¶0004-0008.
US 2007/0079097: Discloses background information about logical units in storage devices. A logical unit can be located on all or part of a single physical disk. See ¶0002-0004.
US 2007/0180239: Discloses assigning an encryption key to a logical volume, wherein the encryption key is received in write requests. See ¶0095-0098.
US 2008/0240441: Discloses an encrypted area management table that includes a field identifier of logical storage units, the assigned encryption key, and an attribute field designating whether to encrypt areas represented with an ID. See ¶0148; Fig. 10.
US 2009/0177895: Discloses a controller that determines whether or not data to be stored in a target logical volume can be used by a plurality of access devices. See Abstract.
US 2012/0151224: Discloses storage logical units that can directly correspond to volume drive, to host applications, storage devices, etc. See ¶0124.
US 8,261,068: Discloses providing an operating system independent input/output filter driver capable of encrypting at least a portion of a logical unit. See Abstract.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT B LEUNG whose telephone number is (571)270-1453. The examiner can normally be reached Mon - Thurs: 10am-7pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG KIM can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: 




/ROBERT B LEUNG/ Primary Examiner, Art Unit 2494
1-24-2022