DETAILED ACTION
Responsive to the Applicant reply filed on 04/27/2022, Applicant’s amendments to claims have been entered and respective arguments carefully considered and responded in the following.  Claims 1-20 are pending with claims 1, 8, and 15 being in independent form.  

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
The claim amendments and remarks filed by the Applicant on 04/27/2022, have been carefully considered and are responded in the following.

In response to the Applicant arguments, page(s) 8, regarding the objections to claims 5-7, 12-14 and 19-20, the amendments have resolved the issues. Therefore, the objections are withdrawn.

In response to the Applicant arguments, page(s) 8-9, regarding Claims 1-20 being rejected under 35 U.S.C. 112(b) because of each reciting a limitation that lacks sufficient antecedent basis, the amendments have resolved the issues. Therefore, the rejections are withdrawn.

Applicant’s arguments, page(s) 9-12 of the Remarks, with regards to claim 1 being rejected under 35 U.S.C. § 103 have been considered carefully. 
First, Applicant argues the cited prior art fails to disclose the combination of the limitations for “receive a data storage request comprising context information associated with storing a data element, wherein the context information identifies a target data storage device," and "determine a security level associated with the target data storage device, wherein the security level is based on security features associated with the target data storage device," and "a minimum protection level.”
As an initial note, the Applicant’s emphasizes the context information of the request identifies a target data storage device, which is alleged not taught by the Mehr reference.  In response, the Examiner respectfully disagrees because, Mehr clearly discloses a step of determining a security level based on the type of user account and security features (or permissions) associated with the target data storage device.  In particular, Mehr discloses “the client device can utilize credentials to obtain access or use of various resources in the provider environment, where the type and/or scope of access can depend upon factors such as a type of user, a type of user account, a role associated with the credentials, or a policy associated with the user and/or credentials, among other such factors”; see col. 3, lines 59-67.  Evidently, Mehr contemplated the security level is based on the type of user accounts and/or the level of permission which are security features associated with the target data storage device.  In Mehr, if a user has an account with the appropriate permissions, status, etc., the resource manager can determine whether there are adequate resources available to suit the user's request, and if so can provision the resources or otherwise grant access to the corresponding portion of those resources for use by the user for an amount specified by the request; col. 4, lines 1-18.  Mehr also discloses the user request comprises context information associated with storing a data element as Mehr discusses information for the request, which comprises types of credentials in order to authenticate an identity of the user to the provider… including, for example, a username and password pair, biometric data, a digital signature, … to access or use of various resources in the provider environment; col. 3, lines 42-67.  Therefore, the limitations in the Applicant’s arguments are met by Mehr.  The Applicant’s arguments are not persuasive.


Secondly, the Applicant argues, pages 11-12, that the Examiner performs a keyword search of the word "minimum" in the text of Kirti and then takes this word out of context to reject a portion of Claim 1 at p. 7 of the Office Action.
In response, the Examiner respectfully disagrees.  While Mehr discloses that the user request for accessing resources comprises contextual information for the type of user accounts and/or the level of permission for the portion of those resources for use by the user, as discussed earlier, Mehr does not explicitly disclose the steps for determining a protection level range (e.g., a maximum and minimum protection levels) based on the determined security level.  In other words, Mehr simply does not have a range for his level of permission.  Kirti teaches the minimum permissions or privileges necessary to configure the relevant security controls.  As such, a permission may be granted only to a user to access a portion of cloud service and not to access other portions of the cloud service; see par. 0108.  Kirti’s teaching is in a similar field of endeavor in improving security controls and therefore may be reasonably applied to Mehr’s type of accounts by one of ordinary in the art, before the effective filing date of the claimed invention, such that Mehr could specify a maximum protection level and a minimum protection level for different types of the user accounts the same way as Kirti does for his security controls.  Therefore, Applicant’s arguments are not persuasive.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claims 1-3, 5, 7-10, 12, 14-17, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Mehr (US 10496840 B1) in view of Kirti (US 20170295199 A1), and further in view of Argoety (US 20210120014 A1; hereinafter “Argo”)

As per claim 1, Mehr teaches an information security device, comprising: 
a memory operable to store security control information comprising a plurality of security controls (Mehr, col. 1, lines 14-20: one or more security controls be applied to the storage of customer data; see FIGS. 4 and 5: implementing security controls to user storage tiers), wherein: 
each security control is associated with a protection level for data security (Mehr, col. 6, lines 26-40: level of security; analyze the security controls 222, 224 that were applied to the same data 220 in the second storage tier 210 to determine whether equivalent security controls are being applied in the third storage tier 212.  Evidently, Mehr teaches there are different requirements of levels of security for different tiers.  See also col. 6, lines 62-67: In the case of an automated security control, the determination and placement can occur before access to the data); and 
a processor operably coupled to the memory (Mehr, col. 13, lines 2-9: processor 702), configured to: 
receive a data storage request comprising context information associated with storing a data element, wherein the context information identifies a target data storage device (Mehr, col. 5, lines 31-35: a request to a service provider environment 204 to have data stored in the environment on behalf of a customer; Mehr’s contextual information in the request is the type and/or scope of access depending upon factors such as a type of user, a type of user account, a role associated with the credentials, or a policy associated with the user and/or credentials, among other such factors”; see col. 3, lines 59-67); 
determine a security level associated with the target data storage device, wherein the security level is based on security features associated with the target data storage device (Mehr, col. 5, lines 36-42: analyze information for the request and determine where to store the data. This can include, for example, determining an appropriate type of storage for the data based on aspects of the data, the customer, or the request, among other such options… corresponding portion of those resources for use by the user for an amount specified by the request; col. 4, lines 1-18); 
output the identified one or more security controls (Mehr, col. 8, lines 50-56: automatically apply some or all of the recommended security controls… accept 516 the recommendations.  See FIG. 5, blocks 514 and 518).
However, Mehr does not explicitly disclose the steps for determining a protection level range (e.g., a max and min protection levels) based on the determined security level and identifying one or more security controls within the protection level range.  This aspect of the claim is a difference.
In a related art, Kirti teaches,
determine a protection level range based on the determined security level (Kirti, par. 0060: modify the security controls of a tenant account with a cloud provider to reflect a desired security posture. It should be noted that in Kirti, security controls include security policies and password settings.  See FIG. 8e for a sliding bar for user to set the level of security at the right pane of the screen), wherein the protection level range comprises: 
a maximum protection level (Kirti, par. 0113: a high level of security, which may require a stronger password; par. 0111-0112); and 
a minimum protection level (Kirti, par. 0108: the minimum permissions or privileges necessary to configure the relevant security controls. For example, permissions may be granted only to edit user accounts associated with a particular tenant's account and not to access other portions of the cloud service); 
identify one or more security controls within the protection level range (Kirti, par. 0106: security controls at a Stringent level …are identified; For example, different levels of security may be defined such that when a higher or lower level of security is selected [by user], the security controls for a tenant's accounts with different cloud services are all set to reflect a higher or lower level of security; par. 0110 and 0113 and 0116: to implement that desired level of security); and 
Mehr and Kirti are analogous art, because they are in a similar field of endeavor in improving security controls.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to modify Mehr with Kirti’s teachings on the protection level range within which a user is enabled to select a desired security control for storage.  The rationale for this combination is to use known technique to improve similar system concerning selections of security controls.  As such, the combination would have produced predictable results with reasonable expectation of success. For this combination, the motivation would have been to improve the level of security with suitable security controls.
However, Mehr and Kirti as combined above does not explicitly disclose that each security control comprises a hardware configuration for data storage devices.  This is a secondary difference.
In a related art, Argo teaches,
each security control comprises a hardware configuration for data storage devices (Argo, par. 0047: embodiments, the security controls 107 can include hardware …components deployed on the nodes 106 and/or the network device 112).
 Argo is analogous art to the claimed invention in a similar field of endeavor in improving security controls to guard against security threats.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to modify the Mehr-Kirti’s system with Argo to include hardware configuration for data storage as a part of security controls. For this combination, the motivation would have been to improve the level of security of network storage by controlling the security of storage devices.

As per claim 2, the references as combined above teach the device of claim 1, wherein the processor is further configured to: 
receive the data element (Mehr, col. 10, lines: 63-67); 
receive a user input identifying a selected security control from among the identified one or more security controls (Mehr, col. 11, lines 28-34: recommendations 514 for the customer to apply as additional or alternative security controls for the data volume; see customer X can be prompted about the added security controls, the customer … [accepts] the recommendation to apply as additional or alternative security controls for the data volume; If the customer does not accept 516 the recommendations, then the data can be stored to the second tier using the specified controls); and in the combination, Kirti also teaches:
apply the selected security control to the target data storage device (Kirti, par. 0106: The values for various security controls at different levels of security can be defined by input on a user interface; see FIG. 8E; par. 0024-0025: storing the retrieved activity data in the analytics repository database using the cloud security system) and 
store the data element in the target data storage device after applying the selected security control (Kirti, par. 0044 and 0060-0063: selecting a security policy to implement; modify the security controls of a tenant account … for data storage).
Kirti is combined with Mehr herein for the same rationale as shown in claim 1.

As per claim 3, the references as combined above teach the device of claim 1, wherein determining the maximum protection level comprises: 
determining a physical location of the target data storage device (Mehr, col. lines: the storage tiers in this example can include different storage services or storage offerings in different zones or geographic locations; customer data is caused 602 to be stored to a determined data storage location); and 
selecting a maximum protection level value based on the physical location of the target storage device (Mehr, col. 5, lines 56-67: The storage tiers in this example can include different storage services or storage offerings in different zones or geographic locations, among other such options. As illustrated, the data instances each have a pair of security controls 216, 218 and 222, 224, respectively, applied. These security controls can have been specified by the customer, for example, and applied by the relevant security components or services of the provider environment. These security controls can designate various security aspects of the data, such as may include access control and usage control, among other such options. Examples of security controls that can be applied include controls providing fine-grained access control).

As per claim 5, the references as combined above teach the device of claim 1.  While Mehr discusses examples of security controls that can be applied include controls providing fine-grained access control and MFA, Kirti best teaches the limitation wherein determining the security level associated with the target data storage device is based at least in part on authentication protocols used by the target data storage device (Kirti, par. 0116: The notification can include a request or recommendation for a higher level of security controls, such as elevated authentication or OTP. In Kirti, the notification and/or alert helps selecting a security policy to implement in response to the identified threat using the cloud security system, and identifying cloud security controls).
Kirti is combined with Mehr herein for the same rationale as shown in claim 1.

As per claim 7, the references as combined above teach the device of claim 1, wherein determining the security level associated with the target data storage device is based at least in part on encryption protocols used by the target data storage device (Kirti, par. 0070: Security controls are mechanisms that restrict access to the … data housed by the cloud. Software defined security configuration data can include data describing: encryption keys, tokens … and many other types of security controls). 
Kirti is combined with Mehr herein for the same rationale as shown in claim 1.

As per claim 8, Mehr teaches an information security method, comprising: 
receiving a data storage request comprising context information associated with storing a data element, wherein the context information identifies a target data storage device (Mehr, col. 5, lines 31-35: a request to a service provider environment 204 to have data stored in the environment on behalf of a customer; Mehr’s contextual information in the request is the type and/or scope of access depending upon factors such as a type of user, a type of user account, a role associated with the credentials, or a policy associated with the user and/or credentials, among other such factors”; see col. 3, lines 59-67); 
determining a security level associated with the target data storage device, wherein the security level is based on security features associated with the target data storage device (Mehr, col. 5, lines 36-42: analyze information for the request and determine where to store the data. This can include, for example, determining an appropriate type of storage for the data based on aspects of the data, the customer, or the request, among other such options… corresponding portion of those resources for use by the user for an amount specified by the request; col. 4, lines 1-18.); 
outputting the identified one or more security controls (Mehr, col. 8, lines 50-56: automatically apply some or all of the recommended security controls… accept 516 the recommendations.  See FIG. 5, blocks 514 and 518).
However, Mehr does not explicitly disclose the steps for determining a protection level range (e.g., a max and min protection levels) based on the determined security level and identifying one or more security controls within the protection level range.  This aspect of the claim is a difference.
In a related art, Kirti teaches,
determining a protection level range based on the determined security level (Kirti, par. 0060: modify the security controls of a tenant account with a cloud provider to reflect a desired security posture. It should be noted that in Kirti, security controls include security policies and password settings.  See FIG. 8e for a sliding bar for user to set the level of security at the right pane of the screen), wherein the protection level range comprises: 
a maximum protection level (Kirti, par. 0113: a high level of security, which may require a stronger password; par. 0111-0112); and 
a minimum protection level (Kirti, par. 0108: the minimum permissions or privileges necessary to configure the relevant security controls. For example, permissions may be granted only to edit user accounts associated with a particular tenant's account and not to access other portions of the cloud service); 
identifying one or more security controls within the protection level range (Kirti, par. 0106: security controls at a Stringent level …are identified; For example, different levels of security may be defined such that when a higher or lower level of security is selected [by user], the security controls for a tenant's accounts with different cloud services are all set to reflect a higher or lower level of security; par. 0110 and 0113 and 0116: to implement that desired level of security); and 
Mehr and Kirti are analogous art, because they are in a similar field of endeavor in improving security controls.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to modify Mehr with Kirti’s teachings on the protection level range within which a user is enabled to select a desired security control for storage.  The rationale for this combination is to use known technique to improve similar system concerning selections of security controls.  As such, the combination would have produced predictable results with reasonable expectation of success. For this combination, the motivation would have been to improve the level of security with suitable security controls.
However, Mehr and Kirti as combined above does not explicitly disclose that each security control comprises a hardware configuration for data storage devices.  This is a secondary difference.
In a related art, Argo teaches,
each security control comprises a hardware configuration for data storage devices (Argo, par. 0047: embodiments, the security controls 107 can include hardware …components deployed on the nodes 106 and/or the network device 112).
 Argo is analogous art to the claimed invention in a similar field of endeavor in improving security controls to guard against security threats.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to modify the Mehr-Kirti’s system with Argo to include hardware configuration for data storage as a part of security controls. For this combination, the motivation would have been to improve the level of security of network storage by controlling the security of storage devices.

As per claim 9, the references as combined above teach the method of claim 8, further comprising: 
receiving the data element (Mehr, col. 10, lines: 63-67); 
receiving a user input identifying a selected security control from among the identified one or more security controls (Mehr, col. 11, lines 28-34: recommendations 514 for the customer to apply as additional or alternative security controls for the data volume; see customer X can be prompted about the added security controls, the customer … [accepts] the recommendation to apply as additional or alternative security controls for the data volume; If the customer does not accept 516 the recommendations, then the data can be stored to the second tier using the specified controls); and in the combination, Kirti also teaches:
applying the selected security control to the target data storage device (Kirti, par. 0106: The values for various security controls at different levels of security can be defined by input on a user interface; see FIG. 8E; par. 0024-0025: storing the retrieved activity data in the analytics repository database using the cloud security system) and 
storing the data element in the target data storage device after applying the selected security control (Kirti, par. 0044 and 0060-0063: selecting a security policy to implement; modify the security controls of a tenant account … for data storage).
Kirti is combined with Mehr herein for the same rationale as shown in claim 8.

As per claim 10, the references as combined above teach the method of claim 8, wherein determining the maximum protection level comprises: 
determining a physical location of the target data storage device (Mehr, col. lines: the storage tiers in this example can include different storage services or storage offerings in different zones or geographic locations; customer data is caused 602 to be stored to a determined data storage location); and 
selecting a maximum protection level value based on the physical location of the target storage device (Mehr, col. 5, lines 56-67: The storage tiers in this example can include different storage services or storage offerings in different zones or geographic locations, among other such options. As illustrated, the data instances each have a pair of security controls 216, 218 and 222, 224, respectively, applied. These security controls can have been specified by the customer).

As per claim 12, the references as combined above teach the method of claim 8, wherein determining the security level associated with the target data storage device is based at least in part on authentication protocols used by the target data storage device (Kirti, par. 0116: The notification can include a request or recommendation for a higher level of security controls, such as elevated authentication or OTP. In Kirti, the notification and/or alert helps selecting a security policy to implement in response to the identified threat using the cloud security system, and identifying cloud security controls).
Kirti is combined with Mehr herein for the same rationale as shown in claim 8.

As per claim 14, the references as combined above teach the method of claim 8, wherein determining the security level associated with the target data storage device is based at least in part on encryption protocols used by the target data storage device (Kirti, par. 0070: Security controls are mechanisms that restrict access to the … data housed by the cloud. Software defined security configuration data can include data describing: encryption keys, tokens … and many other types of security controls). 
Kirti is combined with Mehr herein for the same rationale as shown in claim 8.

As per claim 15, Mehr teaches a computer program comprising executable instructions stored in a non-transitory computer readable medium that when executed by a processor causes the processor to: 
receive a data storage request comprising context information associated with storing a data element, wherein the context information identifies a target data storage device (Mehr, col. 5, lines 31-35: a request to a service provider environment 204 to have data stored in the environment on behalf of a customer; Mehr’s contextual information in the request is the type and/or scope of access depending upon factors such as a type of user, a type of user account, a role associated with the credentials, or a policy associated with the user and/or credentials, among other such factors”; see col. 3, lines 59-67); 
determine a security level associated with the target data storage device with the target data storage device, wherein the security level is based on security features associated with the target data storage device (Mehr, col. 5, lines 36-42: analyze information for the request and determine where to store the data. This can include, for example, determining an appropriate type of storage for the data based on aspects of the data, the customer, or the request, among other such options… corresponding portion of those resources for use by the user for an amount specified by the request; col. 4, lines 1-18.); 
output the identified one or more security controls (Mehr, col. 8, lines 50-56: automatically apply some or all of the recommended security controls… accept 516 the recommendations.  See FIG. 5, blocks 514 and 518).
However, Mehr does not explicitly disclose the steps for determining a protection level range (e.g., a max and min protection levels) based on the determined security level and identifying one or more security controls within the protection level range.  This aspect of the claim is a difference.
In a related art, Kirti teaches,
determine a protection level range based on the determined security level (Kirti, par. 0060: modify the security controls of a tenant account with a cloud provider to reflect a desired security posture. It should be noted that in Kirti, security controls include security policies and password settings.  See FIG. 8e for a sliding bar for user to set the level of security at the right pane of the screen), wherein the protection level range comprises: 
a maximum protection level (Kirti, par. 0113: a high level of security, which may require a stronger password; par. 0111-0112); and 
a minimum protection level (Kirti, par. 0108: the minimum permissions or privileges necessary to configure the relevant security controls. For example, permissions may be granted only to edit user accounts associated with a particular tenant's account and not to access other portions of the cloud service); 
identify one or more security controls within the protection level range (Kirti, par. 0106: security controls at a Stringent level …are identified; For example, different levels of security may be defined such that when a higher or lower level of security is selected [by user], the security controls for a tenant's accounts with different cloud services are all set to reflect a higher or lower level of security; par. 0110 and 0113 and 0116: to implement that desired level of security); and 
Mehr and Kirti are analogous art, because they are in a similar field of endeavor in improving security controls.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to modify Mehr with Kirti’s teachings on the protection level range within which a user is enabled to select a desired security control for storage.  The rationale for this combination is to use known technique to improve similar system concerning selections of security controls.  As such, the combination would have produced predictable results with reasonable expectation of success. For this combination, the motivation would have been to improve the level of security with suitable security controls.
However, Mehr and Kirti as combined above does not explicitly disclose that each security control comprises a hardware configuration for data storage devices.  This is a secondary difference.
In a related art, Argo teaches,
each security control comprises a hardware configuration for data storage devices (Argo, par. 0047: embodiments, the security controls 107 can include hardware …components deployed on the nodes 106 and/or the network device 112).
 Argo is analogous art to the claimed invention in a similar field of endeavor in improving security controls to guard against security threats.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to modify the Mehr-Kirti’s system with Argo to include hardware configuration for data storage as a part of security controls. For this combination, the motivation would have been to improve the level of security of network storage by controlling the security of storage devices.

As per claim 16, the references as combined above teach the computer program of claim 15, further comprising instructions that when executed by the processor causes the processor to: 
receive the data element (Mehr, col. 10, lines: 63-67); 
receive a user input identifying a selected security control from among the identified one or more security controls (Mehr, col. 11, lines 28-34: recommendations 514 for the customer to apply as additional or alternative security controls for the data volume; see customer X can be prompted about the added security controls, the customer … [accepts] the recommendation to apply as additional or alternative security controls for the data volume; If the customer does not accept 516 the recommendations, then the data can be stored to the second tier using the specified controls); and in the combination, Kirti also teaches:
apply the selected security control to the target data storage device (Kirti, par. 0106: The values for various security controls at different levels of security can be defined by input on a user interface; see FIG. 8E; par. 0024-0025: storing the retrieved activity data in the analytics repository database using the cloud security system) and 
store the data element in the target data storage device after applying the selected security control (Kirti, par. 0044 and 0060-0063: selecting a security policy to implement; modify the security controls of a tenant account … for data storage).
Kirti is combined with Mehr herein for the same rationale as shown in claim 15.

As per claim 17, the references as combined above teach the computer program of claim 15, wherein determining the maximum protection level comprises: 
determining a physical location of the target data storage device (Mehr, col. lines: the storage tiers in this example can include different storage services or storage offerings in different zones or geographic locations; customer data is caused 602 to be stored to a determined data storage location); and 
selecting a maximum protection level value based on the physical location of the target storage device (Mehr, col. 5, lines 56-67: The storage tiers in this example can include different storage services or storage offerings in different zones or geographic locations, among other such options. As illustrated, the data instances each have a pair of security controls 216, 218 and 222, 224, respectively, applied. These security controls can have been specified by the customer, for example, and applied by the relevant security components or services of the provider environment. These security controls can designate various security aspects of the data, such as may include access control and usage control, among other such options. Examples of security controls that can be applied include controls providing fine-grained access control).

As per claim 19, the references as combined above teach the computer program of claim 15, and Kirti also teaches wherein determining the security level associated with the target data storage device is based at least in part on authentication protocols used by the target data storage device (Kirti, par. 0116: The notification can include a request or recommendation for a higher level of security controls, such as elevated authentication or OTP. In Kirti, the notification and/or alert helps selecting a security policy to implement in response to the identified threat using the cloud security system, and identifying cloud security controls).
Kirti is combined with Mehr herein for the same rationale as shown in claim 15.

Claims 6, 13, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Mehr and Kirti and Argo, as applied to claim 1, and further in view of Shadbolt (US 20210385129 A1; hereinafter “Shad”).
As per claim 6, the references of Mehr and Kirti and Argo as combined above teach the device of claim 1, but do not explicitly disclose using tamper protection level for the target data storage device as a factor to determining the security level.  This aspect of the claim is identified as a further difference.
In a related art, Shad teaches:
wherein determining the security level associated with the target data storage device is based at least in part on a tamper protection level for the target data storage device (Shad, par. 00021, 0042, 51-53, and 0062: deploying a tamper protection policy modification to one or more target devices; the security admin 410 has selected the option for enabling tamper protection; For example, in one implementation, changes in management and deployment of the desired tamper protection state may only be made through a designated cloud -based enterprise mobility management tool (MMT), par. 0004: A method of deploying a tamper protection policy modification).
Shad is analogous art to the claimed invention in a similar field of endeavor in improving security controls (i.e., security policies) to guard against security threats.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to modify the Mehr-Kirti-Argo system with Shad to include anti-tamper security controls for protection. For this combination, the motivation would have been to improve the level of security of network storage by implementing anti-tamper storage devices.

As per claim 13, the references of Mehr and Kirti and Argo as combined above teach the method of claim 8, , but do not explicitly disclose using tamper protection level for the target data storage device as a factor to determining the security level.  This aspect of the claim is identified as a further difference.
In a related art, Shad teaches:
wherein determining the security level associated with the target data storage device is based at least in part on a tamper protection level for the target data storage device (Shad, par. 00021, 0042, 51-53, and 0062: deploying a tamper protection policy modification to one or more target devices; the security admin 410 has selected the option for enabling tamper protection; For example, in one implementation, changes in management and deployment of the desired tamper protection state may only be made through a designated cloud -based enterprise mobility management tool (MMT), par. 0004: A method of deploying a tamper protection policy modification).
Shad is analogous art to the claimed invention in a similar field of endeavor in improving security controls (i.e., security policies) to guard against security threats.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to modify the Mehr-Kirti-Argo system with Shad to include anti-tamper security controls for protection. For this combination, the motivation would have been to improve the level of security of network storage by implementing anti-tamper storage devices.

As per claim 20, the references of Mehr and Kirti and Argo as combined above teach the computer program of claim 15, , but do not explicitly disclose using tamper protection level for the target data storage device as a factor to determining the security level.  This aspect of the claim is identified as a further difference.
In a related art, Shad teaches:
wherein determining the security level associated with the target data storage device is based at least in part on a tamper protection level for the target data storage device (Shad, par. 00021, 0042, 51-53, and 0062: deploying a tamper protection policy modification to one or more target devices; the security admin 410 has selected the option for enabling tamper protection; For example, in one implementation, changes in management and deployment of the desired tamper protection state may only be made through a designated cloud -based enterprise mobility management tool (MMT), par. 0004: A method of deploying a tamper protection policy modification).
Shad is analogous art to the claimed invention in a similar field of endeavor in improving security controls (i.e., security policies) to guard against security threats.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to modify the Mehr-Kirti-Argo system with Shad to include anti-tamper security controls for protection. For this combination, the motivation would have been to improve the level of security of network storage by implementing anti-tamper storage devices.

Allowable Subject Matter
Claim 4, 11, and 18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

The claims 4, 11, and 18 each recite a limitation for “determining the maximum protection level further comprises determining the maximum protection level is less than a highest protection level associated with the plurality of security controls”.  When considered in combination with the other limitations in the claims 4, 11, and 18, the limitation is not anticipated by, nor made obvious over the prior art of record.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Don Zhao whose telephone number is (571)272-9953.  The examiner can normally be reached on 9 am to 5 pm Monday thru Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/Don G Zhao/
Examiner, Art Unit 2493
05/27/2022