DETAILED ACTION
Applicant’s amendment filed 4/19/2022 has been fully considered. 
Claims 1-20 are pending and have been examined.
Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 
Response to Amendment
Regarding the arguments against Horvitz, Examiner points out that the instant application is drawn to applying policies to computer resources, just as Horvitz uses policies for entities’ privacy assurance based on policies associated with computing resources, i.e. mobile devices. Both Horvitz and the instant application are in the same field of endeavor, namely managing access to resources based on policies.
Thus, policies are associated with entities by way of computing devices; the policies apply to a person or virtual entities based on the policy associated with a device (Horvitz, abstract, par.1-8), and it would have been obvious to someone of ordinary skill in the art at the time of the invention to look at references using policies in general. Security zones and policies as evidenced by Horvitz are not new; therefore, using policies and security zones in other fields would have been obvious for a multitude of reasons, such as to further control and provide access to resources based on location (Horvitz, 15-57). Furthermore, Horvitz is not limited to persons being tracked, but anything that can be associated to a device (par.15-30). Horvitz further teaches that a managed entity is coupled to the network (par.16-20).
The main reference, Jackson, teaches the infrastructure utilizing policies; Horvitz simply expands on the application of policies.
Contrary to Applicant’s argument, Horvitz already foresees applying the zone policies to “virtual entities” (par.1-8), is not only related to a person or physical object, and applies the policies to restrict access or set access to data or information (par.3-5, 30-35).
Regarding Bryson, the application of the firewall rules enables the workload to communicate, since the communication taking place in Bryson is associated with some “workload”, a process or executing application that is permitted to communicate across different zones according to firewall rules (par.72-78), and Bryson associates applications or services, workloads, with security zones and policies (par.115-125, 145-150, 215-220).
Applicant’s arguments are not persuasive.
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Double Patenting
Claims 1-20 are provisionally rejected under the judicially created doctrine of obviousness-type double patenting as being unpatentable over claims of Patent Nos. 8931038, 9069599, 9489647, 10880189.  Although the conflicting claims are not identical, they are not patentably distinct from each other because 
“A computer-implemented method comprising: receiving, by a computing system, a computing workflow to be performed in a cloud-computing environment including a plurality of cloud-computing resources; identifying, by the computing system, a computer workload to perform the computing workflow, wherein the computer workload includes a software unit of computing processing performed via at least one of an Infrastructure-as-a-Service (IaaS), a Platform-as-a-Service (PaaS), or a Service-as-a-Service (SaaS); associating, by the computing system, a policy with the computer workload, wherein the policy is applied to the computer workload when the computer workload is deployed within a security zone assigned for the computer workload, wherein one or more boundaries of the security zone are updatable, wherein the policy is updatable for the computer workload when the computer workload is deployed within the security zone, and wherein the security zone is definable at differing levels of abstraction; deploying, by the computing system, the computer workload in a virtual private cloud within the cloud-computing environment; applying, by the computing system, the policy to the computer workload when the computer workload performs the computing workflow within the virtual private cloud; and tagging, by the computing system, the computer workload to perform communications across a plurality of security zones, each security zone in the plurality of security zones having a defined set of associated firewalls, wherein the tagging the computer workload comprises establishing firewall rules to the defined set of associated firewalls for the plurality of security zones to enable the computer workload to perform communications across the plurality of security zones” (claim 1, instant application) is analogous to 
“A non-transitory computer readable medium comprising a plurality of cloud-computing resources, and comprising a computer-readable storage medium in which program instructions are stored, the program instructions configured to cause a computer system to perform the operations of: providing a virtual private cloud configured to utilize a cloud-computing resource from the plurality of cloud-computing resources to perform a computer workload; receiving a request to perform the computer workload within the virtual private cloud; provisioning the cloud-computing resource from the plurality of cloud-computing resources based on at least one resource utilization indication, wherein the at least one resource utilization indication comprises a scoring logic further comprising at least two selected from the group consisting of a business attribute, an operational attribute and a technical attribute, wherein the group describes mission-critical requirements, legal obligation requirements, service level agreement (SLA) requirements, time of day availability requirements, and seasonality requirements; deploying the cloud-computing resource within the virtual private cloud; and using the cloud-computing resource to perform the computer workload” (claim 1, patent 8931038) and to
“A method, comprising: providing at least one processor capable of executing computing code in data communication with a nontransitory computer readable storage medium having encoded thereon computer executable instructions which, when executed on the processor, provide a virtualization environment adapted for development of a software workload to be deployed using at least one resource of a computing cloud, the software workload including a software unit of computing processing performed via at least one of an Infrastructure-as-a-Service (IaaS), a Platform-as-a-Service (PaaS), or a Service-as-a-Service (SaaS), the virtualization environment having a metamodel framework that allows for the association of at least one policy to the software workload, the policy to be applied to the software workload upon its deployment; defining a security zone including at least one of the cloud resource(s), wherein one or more boundaries of the security zone are updatable, wherein one or more updated policies are applicable to the software workload when deployed within the security zone, and wherein the security zone is definable at differing levels of abstraction; determining at least one of a plurality of security zone policy types, each type comprising at least one security policy that may be applied to the software workload using at least one resource within the security zone; including the at least one security zone policy type in the metamodel framework; associating a security policy of the at least one security zone policy type(s) with the software workload upon development of the software workload; and automatically applying the security policy to the software workload when the software workload is deployed within the security zone” (claim 1, patent 9069599) and to
“A method comprising: receiving, by a computing system, low-level resources for delivering one or more operating system instances, wherein at least first entities publish the low-level resources to a catalog presented at an electronic storefront, and wherein the low level resources comprise one or more infrastructure-as-a-service (IaaS) offerings provided via a network infrastructure; providing, by the computing system, access from the catalog at the electronic storefront to the low-level resources for consumption by at least second entities, the at least second entities being different from the at least first entities; constructing, by the computing system, mid-level resources from the low-level resources, wherein the mid-level resources are constructed based, at least in part, on one or more middle-ware components being added to the low-level resources by the at least second entities and being configured by the at least second entities, wherein the mid-level resources comprise one or more platform-as-a-service (PaaS) offerings provided via the network infrastructure, wherein the mid-level resources are republished to the catalog; providing, by the computing system, access from the catalog at the electronic storefront to the mid-level resources for consumption by at least third entities, the at least third entities being different from the at least first entities and from the at least second entities; and constructing, by the computing system, high-level resources from the mid-level resources, wherein the high-level resources deliver one or more applications constructed based, at least in part, on at least a portion of the mid-level resources and at least a portion of the low-level resources and are configured by the at least third entities, wherein the high-level resources comprise one or more software-as-a-service (SaaS) offerings provided via the network infrastructure, wherein the high-level resources are published to the catalog and the one or more applications are made available via the electronic storefront” (claim 1, patent 9489647) and to
“A method comprising: receiving, by a computing system, low-level cloud computing resources for delivering one or more operating system instances provided by a service catalog of an electronic storefront via a network infrastructure for access through an interface, the low-level cloud computing resources associated with at least one first entity; constructing, by the computing system, mid-level cloud computing resources based at least in part on one or more middle-ware components added to the low-level cloud computing resources and provided by the service catalog at the electronic storefront via the network infrastructure for access through the interface, the mid-level cloud computing resources associated with at least one second entity; constructing, by the computing system, high-level cloud computing resources as applications based at least in part on at least one of the mid-level cloud computing resources and the low-level cloud computing resources and provided by the service catalog at the electronic storefront via the network infrastructure for access through the interface, the high-level cloud computing resources associated with at least one third entity; handling, by the computing system, a payment between the at least one second entity and the at least one third entity, wherein the amount of the payment includes a cost of the low-level cloud computing resources; defining, by the computing system, a security zone including a cloud computing resource comprising at least one of the low-level cloud computing resources, the mid-level cloud computing resources, and the high-level cloud computing resources; and automatically applying, by the computing system, a security policy to the cloud computing resource when the cloud computing resource is deployed within the security zone; wherein the at least one first entity, the at least one second entity, and the at least one third entity are different organizations” (claim 1, patent 10880189).
This is a provisional obviousness-type double patenting rejection because the conflicting claims of the instant application have not in fact been patented.
The claims of the conflicting patents and/or applications contain every element of claims 1-20 of the instant application and thus anticipate the claims of the instant application. Claims 1-20 of the instant application therefore are not patentably distinct from the copending application claims and as such are unpatentable for obviousness-type double patenting. A later patent/application claim is not patentably distinct from an earlier claim if the later claim is anticipated by the earlier claim.
“A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim. In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species with that genus).” ELI LILLY AND COMPANY v BARR LABORATORIES, INC., United States Court of Appeals for the Federal Circuit, ON PETITION FOR REHEARING EN BANC (DECIDED: May 30, 2001).
“Claim 12 and Claim 13 are generic to the species of invention covered by claim 3 of the patent. Thus, the generic invention is “anticipated” by the species of the patented invention. Cf., Titanium Metals Corp. v. Banner, 778 F.2d 775, 227 USPQ 773 (Fed. Cir. 1985) (holding that an earlier species disclosure in the prior art defeats any generic claim) 4. This court’s predecessor has held that, without a terminal disclaimer, the species claims preclude issuance of the generic claim. In re Van Ornum, 686 F.2d 937, 944, 214 USPQ 761, 767 (CCPA 1982); Schneller, 397 F.2d at 354. Accordingly, absent a terminal disclaimer, claims 12 and 13 were properly rejected under the doctrine of obviousness-type double patenting.” (In re Goodman (CA FC) 29 USPQ2d 2010 (12/3/1993)).

Claim Rejections - 35 USC § 103
Claims 1-20 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Jackson (7698430), and further in view of Horvitz (20080072284) and Bryson (20060056297).
Regarding claims 1, 11, and 16, Jackson teaches 1. A computer-implemented method comprising: /11. A system comprising: at least one processor; and a memory storing instructions that, when executed by the at least one processor, cause the system to perform:/ 16. A non-transitory computer-readable storage medium including instructions that, when executed by at least one processor of a computing system, cause the computing system to perform (abstract):
receiving, by a computing system, a computing workflow to be performed in a cloud-computing environment including a plurality of cloud-computing resources  (11, 25-67, resources needed from on-demand center); 
identifying, by the computing system, a computer workload to perform the computing workflow, 
wherein the computer workload includes a software unit of computing processing performed via at least one of an Infrastructure-as-a-Service (IaaS), a Platform-as-a-Service (PaaS), or a Service-as-a-Service (SaaS) (12, 1-67, jobs assigned based on workloads);
associating, by the computing system, a policy with the computer workload, wherein the policy is applied to the computer workload when the computer workload is deployed within a zone assigned for the computer workload, wherein one or more boundaries of the zone are updatable, wherein the policy is updatable for the computer workload when the computer workload is deployed within the zone, and wherein the zone is definable at differing levels of abstraction (9, 30-67, 12, 45-67, assign policy to cluster); 
deploying, by the computing system, the computer workload in a virtual private cloud within the cloud-computing environment (15, 25-67, assign workload to cluster); and
applying, by the computing system, the policy to the computer workload when the computer workload performs the computing workflow within the virtual private cloud (9, 30-67, 10, 1-40, policy for workload and cluster).
Jackson does not expressly disclose, however, Horvitz teaches security zones with associated policies (15-23, 30-57) and Bryson teaches tagging, by the computing system, the computer workload to perform communications across a plurality of security zones, each security zone in the plurality of security zones having a defined set of associated firewalls,
wherein the tagging the computer workload comprises establishing firewall rules to the defined set of associated firewalls for the plurality of security zones to enable the computer workload to perform communications across the plurality of security zones (par 245-255, 275-295).
Therefore, it would have been obvious to one having ordinary skill in the art at the time the invention was made to use zones and policies as taught by Horvitz with the system of Jackson and to perform communications across zones as taught by Bryson.
One of ordinary skill in the art would have been motivated to perform such a modification to further control and provide access to resources based on location (Horvitz, 15-57) and to further manage security (Bryson, 200-290).
Regarding claims 2, 12, and 17, Jackson/Horvitz/Bryson teaches testing the computer workload in a second virtual private cloud within the cloud-computing environment prior to deploying the computer workload (Jackson 8, 15-85, 9, 5-80, Horvitz, 20-40).
Regarding claims 3, 13, and 18, Jackson/Horvitz/Bryson teaches wherein the virtual private cloud corresponds to a production virtual private cloud, and wherein the second virtual private cloud corresponds to a pre-production virtual private cloud (Jackson 15, 25-65, Horvitz, 23-40).
Regarding claims 4, 14, and 19, Jackson/Horvitz/Bryson teaches wherein the security zone is definable by a developer, and wherein the policy is applicable, by the developer, with respect to the security zone (Horvitz 47-55, Bryson, 36-50, 78-95).
Regarding claims 5, 15, and 20, Jackson/Horvitz/Bryson teaches tagging the computer workload based on the security zone to enable the computer workload to perform operations in the security zone (Jackson associates workload to zone/policy 8, 15-65, Horvitz provides the sensors defining each zone 47-55, Bryson, 30-50, 78-95).
Regarding claim 6, Jackson/Horvitz/Bryson teaches wherein the cloud-computing environment is associated with a virtualization environment, and wherein the virtualization environment has a metamodel framework that allows the policy to be associated with the computer workload (Jackson, 13, 30-65, Bryson, 30-50, 78-95).
Regarding claim 7, Jackson/Horvitz/Bryson teaches wherein the computer workload is included in an identified plurality of computer workloads configured to perform the computing workflow (Jackson, 14,1-55, Bryson, 30-560, 78-95).
Regarding claim 8, Jackson/Horvitz/Bryson teaches wherein the security zone is associated with at least one of a geographic zone, a network zone, an enterprise zone, an operational zone, or an organizational zone (Horvitz 15-20, 47-55, Bryson, 30-50, 78-95).
Regarding claim 9, Jackson/Horvitz/Bryson teaches wherein the policy includes a security policy, and wherein the security policy is associated with at least one of an access policy, a write-permission policy, a resource utilization policy, or an editing permission policy (Jackson, 13, 60-65, Bryson, 30-50, 78-95).
Regarding claim 10, Jackson/Horvitz/Bryson teaches receiving, at a central policy server, a definition for the security policy, wherein the central policy server is configured to associate the security policy to at least one of the computer workload or a particular cloud-computing resource, out of the plurality of cloud-computing resources, that performs the computer workload; and pushing the security policy to the particular cloud-computing resource (Jackson, 4, 1-50, Horvitz, 23-35, Bryson, 68-75, 204-254).
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Varadhan (20100043067) teaches different zones for firewall rules. Huang (8650299) teaches cloud computing with different security zones and firewalls. Neystadt (20110138441) teaches different virtual machines (workloads) associated with policies and firewalls associated with zones.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to David Garcia Cervetti whose telephone number is (571)272-5861. The examiner can normally be reached Monday-Friday 8AM-5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, HADI ARMOUCHE can be reached on (571)270-3618. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/David Garcia Cervetti/Primary Examiner, Art Unit 2419