DETAILED ACTION
	Claims 1-20 are presented on 09/22/2022 for examination on merits.  Claims 1, 9, and 16 are independent base claims. 

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Examiner's Instructions for filing Response to this Office Action
When the Applicant submits amendments to the claims in response to this Office Action, the Examiner would prefer that Applicant submit two sets of claims: 
Set #1 that includes indicators for the status of claim and all marked amendments to the claims; and 
Set #2 comprising a clean version of the claims with all the markups removed for entry, as an appendix to the Applicant Arguments/Remarks or a section following the Remarks.

Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted for examination on merits is/are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement(s) is/are being considered by the examiner. See the annotated 1449 documents.


Claim Objections
Claims 1, 9, and 16 are objected to because of the following informalities: 
Claims 1, 9, and 16 each recite “the misconfigurations” in the analyzing step while reciting “the identified misconfigurations” in the causing remediation step.  The recitations of the same element in the two steps are inconsistent. For formality reasons, appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(B)  CONCLUSION—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. 


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.

The rejection(s) under 35 U.S.C. 112(b) is/are determined by the following reasons:
Claim 1 recites the limitation "a comparison of the obtained configurations with the plurality of security policies" unclearly in the identifying step, because it is confusing which parts of the security policies are compared to the obtained configurations.
Claims 9 and 16 each recite the limitation "a comparison of the obtained configurations with the plurality of security policies" unclearly in the identifying step for the same reason as that of claim 1.
Claims 6 and 14 each recite the limitation “the underly cloud resources” without sufficient antecedent basis for this limitation in the respective claims. It is also noted that the limitation appears to mean “underlying cloud resources.”  Please clarify.
Claim 6 recites the limitation “the cloud applications” without sufficient antecedent basis for this limitation in the claim. It is noted that the base claim 1 only defines a singular cloud application.
Claims 2-8, 10-15, and 17-20 are also rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, because they depend from the rejected base claims 1, 9, and 16, respectively.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claims 1-6, 8-14, and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Soby (US 20190370468 A1) in view of Davis (US 20200252422 A1).

As per claim 1, Soby teaches a non-transitory computer-readable storage medium having computer-readable code stored thereon for programming one or more processors in a node (Soby, par. 0158 and 0161-0162) in a cloud-based system to perform a Cloud Security Posture Management (CSPM) service (par. 0061 and 0154: The security goals 110 may be application agnostic and/or platform agnostic; Cloud Access Security Broker (CASB) is another related product area. CASBs often perform functions similar to DLP) via steps of: 
obtaining a plurality of security policies and one or more compliance frameworks for a tenant of a cloud provider where the tenant has a cloud application deployed with the cloud provider (Soby, par. 0061 and 0154: the user of the system 106 is a tenant of a cloud provider; Cloud Access Security Broker), wherein each security policy defines a configuration and an expected value, and wherein each compliance framework includes one or more of the security policies (Soby, par. 0015: The security goals 110, which defines a configuration and an expected value, may include one or more rules… to determine whether any particular configuration change has been reviewed and approved before allowing that configuration change to be implemented in the system 100; see also par. 0021-0022 for the use of security goals in the rule application; note that Soby’s security rule is mapped to the security policies in the claim); 
obtaining configurations of the cloud application (Soby, par. 0016: the configuration management engine 102 receives data 118 representing a state of the computer system 118 (FIG. 2, operation 202). The state data 118 may include data representing a state of any one or more components of the computer system 106, such as a state of some or all of the configuration 108); 
identifying misconfigurations of the cloud application based on a comparison of the obtained configurations with the plurality of security policies (Soby, par. 0018-0021 and step 206 of FIG. 2, [determining] whether the state violates one or more of the security rules; Soby discloses determining whether the state of the computer system 106 (as represented by the state data 118) violates one or more of the security rules 110 from the established perspective; par. 0020-0021); 
causing remediation of the identified misconfigurations and the determined risks, wherein the cloud-based system performs the CSPM service in addition to one or more additional cloud services (Soby, par. 0021-0022 determines that the state 118 violates one or more of the security rules 110 and preventing that potential future state from being realized wherein the preventing step in Soby is a form of remediation of the identified misconfigurations; see par. 0022 and 0118. Soby discloses a cloud-based or Software-as-a-Service (SaaS) system for security which is mapped to the CSPM service in the claim).
However, Soby does not explicitly disclose configuration analysis and prioritization of the risks based on likelihood of exposure to security breaches.  This aspect of the claim is identified as a difference.
In a related art, Davis teaches:
analyzing the misconfigurations to determine risks including prioritization of the risks based on their likelihood of exposure to security breaches (Davis, the abstract, 0027, and 0031: determining a likelihood of a given asset of the enterprise system becoming compromised responsive to compromise of a given user of the enterprise system; par. 0071-0073: risks … could be prioritized for monitoring or routine security reviews. Additionally, configuration management … could use this information to ensure preventive measures are in place to reduce risk).
Soby and Davis are analogous art, because they are in a similar field of endeavor in improving the detection and remediation of security threats.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and modify Soby with Davis's likelihood-determining techniques for improved risk analysis. For this combination, the motivation would have been to improve the level of security by supplementing the security analysis with a likelihood indicator.

As per claim 2, the references as combined above teach the non-transitory computer-readable storage medium of claim 1, wherein the one or more additional cloud services include any of a cloud security service, a Cloud Access Security Broker (CASB) service, a Data Loss Prevention (DLP) service, and a Zero Trust Network Access (ZTNA) service (Soby, par. 0061 and 0154: The security goals 110 may be application agnostic and/or platform agnostic; Cloud Access Security Broker (CASB) is another related product area. CASBs often perform functions similar to DLP).

As per claim 3, the references as combined above teach the non-transitory computer-readable storage medium of claim 1, wherein the steps further include causing display of any of a security posture, a compliance posture to the one or more compliance frameworks, a risk posture, and a data privacy posture (Soby, par. 0144 and 0150-0153: display of the results of the calculations [of security risks]).

As per claim 4, the references as combined above teach the non-transitory computer-readable storage medium of claim 1, wherein the steps further include 
determining a risk matrix for the tenant (Davis, par. 0047: an adjacency matrix); and 
causing display of the risk matrix, wherein the risk matrix visualizes risk based on a combination of impact and likelihood (Davis, par. 0077: converting the adjacency matrix of the graph to a probability transition matrix; note that the graph is for display of the risk matrix; see also clm. 9).
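The following Python program is an illustrative example added by the editor; it is not part of this Office Action, of the application under examination, or of the cited references (Soby, Davis, Sahai), and it does not represent how any of them implements the claimed steps. It models the steps recited in claim 1 (security policies each defining a configuration and an expected value, compliance frameworks composed of policies, comparison of obtained configurations against the policies, prioritization of the resulting risks by likelihood, and remediation) together with the impact-by-likelihood risk matrix of claim 4. The policy identifiers, configuration keys, impact and likelihood scores, remediation strings, and the tenant configuration are all constructed for the example and correspond to nothing in the record.

```python
"""Illustrative CSPM evaluator (editor's example, not from the record).

Policies define a configuration key and its expected value; frameworks
group policies; misconfigurations are the keys whose observed value
differs from the expected one; risks are ranked by likelihood, placed on
an impact-by-likelihood matrix, and remediated by restoring the expected
value.  All identifiers and scores below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class SecurityPolicy:
    policy_id: str
    config_key: str      # the configuration the policy governs
    expected: Any        # the expected value for that configuration
    impact: int          # 1 (low) .. 5 (high), constructed score
    likelihood: int      # 1 (low) .. 5 (high) likelihood of exposure
    remediation: str     # action that restores the expected value

    def __post_init__(self):
        # Keep scores inside the matrix range so risk_matrix() cannot index out of bounds.
        if not (1 <= self.impact <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError(f"{self.policy_id}: impact/likelihood must be in 1..5")


@dataclass(frozen=True)
class Misconfiguration:
    policy: SecurityPolicy
    observed: Any        # value actually found (None when the setting is absent)

    @property
    def risk_score(self) -> int:
        return self.policy.impact * self.policy.likelihood


# Constructed "out of the box" policy set (hypothetical identifiers and keys).
POLICIES = [
    SecurityPolicy("STORAGE-PUBLIC", "storage.public_access", False, 5, 5,
                   "set storage.public_access=false"),
    SecurityPolicy("MFA-ADMIN", "iam.admin_mfa_required", True, 5, 3,
                   "set iam.admin_mfa_required=true"),
    SecurityPolicy("TLS-MIN", "tls.min_version", "1.2", 3, 2,
                   "set tls.min_version=1.2"),
    SecurityPolicy("LOG-RETENTION", "logging.retention_days", 90, 2, 1,
                   "set logging.retention_days=90"),
]

# Constructed compliance frameworks: each is a list of policy identifiers.
FRAMEWORKS = {
    "framework-A": ["STORAGE-PUBLIC", "MFA-ADMIN", "TLS-MIN"],
    "framework-B": ["TLS-MIN", "LOG-RETENTION"],
}

# Constructed configuration obtained from a tenant's cloud application.
# logging.retention_days is deliberately absent to show the missing-setting case.
TENANT_CONFIG = {
    "storage.public_access": True,
    "iam.admin_mfa_required": False,
    "tls.min_version": "1.2",
}


def identify_misconfigurations(configs, policies):
    """Compare each policy's configuration key against the obtained configs."""
    found = []
    for p in policies:
        # A setting that is absent cannot satisfy the policy, so it is flagged too.
        observed = configs.get(p.config_key)
        if observed != p.expected:
            found.append(Misconfiguration(p, observed))
    return found


def prioritize(misconfigs):
    """Rank risks by likelihood of exposure first, then by impact*likelihood."""
    return sorted(misconfigs, key=lambda m: (m.policy.likelihood, m.risk_score), reverse=True)


def risk_matrix(misconfigs, size=5):
    """5x5 grid indexed [impact-1][likelihood-1] holding counts of misconfigurations."""
    grid = [[0] * size for _ in range(size)]
    for m in misconfigs:
        grid[m.policy.impact - 1][m.policy.likelihood - 1] += 1
    return grid


def compliance_posture(misconfigs, frameworks):
    """Per-framework pass/fail summary derived from the failed policy identifiers."""
    failed = {m.policy.policy_id for m in misconfigs}
    return {name: {"passed": sum(1 for i in ids if i not in failed),
                   "total": len(ids),
                   "failed": [i for i in ids if i in failed]}
            for name, ids in frameworks.items()}


def remediate(configs, misconfigs):
    """Apply remediation in priority order; returns the fixed config and the actions taken."""
    fixed, actions = dict(configs), []
    for m in prioritize(misconfigs):
        fixed[m.policy.config_key] = m.policy.expected
        actions.append(m.policy.remediation)
    return fixed, actions


def run_cspm(configs=TENANT_CONFIG, policies=POLICIES, frameworks=FRAMEWORKS):
    """Run the full obtain -> identify -> analyze -> remediate cycle and report."""
    mis = identify_misconfigurations(configs, policies)
    fixed, actions = remediate(configs, mis)
    return {
        "ranked_policy_ids": [m.policy.policy_id for m in prioritize(mis)],
        "risk_matrix": risk_matrix(mis),
        "compliance": compliance_posture(mis, frameworks),
        "remediation_actions": actions,
        "post_remediation_misconfigurations": identify_misconfigurations(fixed, policies),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_cspm(), indent=2, default=str))
```

Run as a script, the report ranks the public-storage finding first (likelihood 5, impact 5), then the missing admin MFA, then the absent log-retention setting; the matrix places one finding in each of the cells (impact 5, likelihood 5), (5, 3) and (2, 1); after remediation a second comparison returns no misconfigurations.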

As per claim 5, the references as combined above teach the non-transitory computer-readable storage medium of claim 1, wherein the tenant has a plurality of users that use the cloud application, and wherein the cloud application is deployed in a public cloud (Soby, par. 0061: a cloud-based or Software-as-a-Service (SaaS) system.  The cloud application of Soby used with SaaS is obviously a public cloud).

As per claim 6, the references as combined above teach the non-transitory computer-readable storage medium of claim 1, wherein the plurality of security policies relate to both cloud infrastructure and the cloud application, wherein the security policies for the cloud infrastructure relate to how the underly cloud resources should be properly configured, and wherein the security policies for the cloud application relate to how the cloud applications should be configured and used (Soby, par. 0057-0058 and 0061-0062: the desired effective access policy of the computer system 106, which is related to how the cloud resources are or should be configured).

As per claim 8, the references as combined above teach the non-transitory computer-readable storage medium of claim 1, wherein the obtaining, identifying, analyzing, and causing steps are performed during development of the cloud application and while the cloud application is operational (Soby, par. 0147 and 0155: The monitoring engine 104 may perform any of the functions disclosed herein on a continuous, periodic, or on-demand basis).

As per claim 9, Soby teaches an enforcement node in a cloud-based system configured to implement Cloud Security Posture Management (CSPM) (Soby, par. 0061 and 0154: The security goals 110 may be application agnostic and/or platform agnostic; Cloud Access Security Broker (CASB) is another related product area. CASBs often perform functions similar to DLP), the enforcement node comprising: 
one or more processors; 
a network interface communicatively coupled to the one or more processors and connected to a network for communication with one or more users and one or more cloud providers with cloud applications deployed thereon (Soby, par. 0061 and 0154: Cloud Access Security Broker (CASB)); and 
memory storing instructions that, when executed, cause the one or more processors to obtain a plurality of security policies and one or more compliance frameworks for a tenant of a cloud provider where the tenant has a cloud application deployed with the cloud provider, wherein each security policy defines a configuration and an expected value, and wherein each compliance framework includes one or more of the security policies; 
obtain configurations of the cloud application (Soby, par. 0016: the configuration management engine 102 receives data 118 representing a state of the computer system 118 (FIG. 2, operation 202). The state data 118 may include data representing a state of any one or more components of the computer system 106, such as a state of some or all of the configuration 108); 
identify misconfigurations of the cloud application based on a comparison of the obtained configurations with the plurality of security policies (Soby, par. 0018-0021 and step 206 of FIG. 2, [determining] whether the state violates one or more of the security rules; Soby discloses determining whether the state of the computer system 106 (as represented by the state data 118) violates one or more of the security rules 110 from the established perspective; par. 0020-0021); 
cause remediation of the identified misconfigurations and the determined risks, wherein the node in the cloud-based system performs the CSPM service in addition to one or more additional cloud services (Soby, par. 0021-0022 determines that the state 118 violates one or more of the security rules 110 and preventing that potential future state from being realized wherein the preventing step in Soby is a form of remediation of the identified misconfigurations; see par. 0022 and 0118. Soby discloses a cloud-based or Software-as-a-Service (SaaS) system for security which is mapped to the CSPM service in the claim).
However, Soby does not explicitly disclose configuration analysis and prioritization of the risks based on likelihood of exposure to security breaches.  This aspect of the claim is identified as a difference.
In a related art, Davis teaches:
analyze the misconfigurations to determine risks including prioritization of the risks based on their likelihood of exposure to security breaches (Davis, the abstract, 0027, and 0031: determining a likelihood of a given asset of the enterprise system becoming compromised responsive to compromise of a given user of the enterprise system; par. 0071-0073: risks … could be prioritized for monitoring or routine security reviews. Additionally, configuration management … could use this information to ensure preventive measures are in place to reduce risk).
Soby and Davis are analogous art, because they are in a similar field of endeavor in improving the detection and remediation of security threats.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and modify Soby with Davis's likelihood-determining techniques for improved risk analysis. For this combination, the motivation would have been to improve the level of security by supplementing the security analysis with a likelihood indicator.

As per claim 10, the references as combined above teach the enforcement node of claim 9, wherein the one or more additional cloud services include any of a cloud security service, a Cloud Access Security Broker (CASB) service, a Data Loss Prevention (DLP) service, and a Zero Trust Network Access (ZTNA) service (Soby, par. 0061 and 0154: The security goals 110 may be application agnostic and/or platform agnostic; Cloud Access Security Broker (CASB) is another related product area. CASBs often perform functions similar to DLP).

As per claim 11, the references as combined above teach the enforcement node of claim 9, wherein the instructions that, when executed, cause the one or more processors to cause display of any of a security posture, a compliance posture to the one or more compliance frameworks, a risk posture, and a data privacy posture (Soby, par. 0144 and 0150-0153: display of the results of the calculations [of security risks]).

As per claim 12, the references as combined above teach the enforcement node of claim 9, wherein the instructions that, when executed, 
cause the one or more processors to determine a risk matrix for the tenant (Davis, par. 0047: an adjacency matrix); and 
cause display of the risk matrix, wherein the risk matrix visualizes risk based on a combination of impact and likelihood (Davis, par. 0077: converting the adjacency matrix of the graph to a probability transition matrix; note that the graph is for display of the risk matrix; see also clm. 9).

As per claim 13, the references as combined above teach the enforcement node of claim 9, wherein the tenant has a plurality of users that use the cloud application, and wherein the cloud application is deployed in a public cloud (Soby, par. 0061: a cloud-based or Software-as-a-Service (SaaS) system.  The cloud application of Soby used with SaaS is obviously a public cloud).

As per claim 14, the references as combined above teach the enforcement node of claim 9, wherein the plurality of security policies relate to both cloud infrastructure and the cloud application, wherein the security policies for the cloud infrastructure relate to how the underly cloud resources should be properly configured, and wherein the security policies for the cloud application relate to how the cloud applications should be configured and used (Soby, par. 0057-0058 and 0061-0062: the desired effective access policy of the computer system 106, which is related to how the cloud resources are or should be configured).

As per claim 16, Soby teaches a method, implemented in a node in a cloud-based system, comprising: 
obtaining a plurality of security policies and one or more compliance frameworks for a tenant of a cloud provider where the tenant has a cloud application deployed with the cloud provider (Soby, par. 0061 and 0154: the user of the system 106 is a tenant of a cloud provider; Cloud Access Security Broker), wherein each security policy defines a configuration and an expected value, and wherein each compliance framework includes one or more of the security policies (Soby, par. 0015: The security goals 110, which defines a configuration and an expected value, may include one or more rules… to determine whether any particular configuration change has been reviewed and approved before allowing that configuration change to be implemented in the system 100; see also par. 0021-0022 for the use of security goals in the rule application; note that Soby’s security rule is mapped to the security policies in the claim); 
obtaining configurations of the cloud application (Soby, par. 0016: the configuration management engine 102 receives data 118 representing a state of the computer system 118 (FIG. 2, operation 202). The state data 118 may include data representing a state of any one or more components of the computer system 106, such as a state of some or all of the configuration 108); 
identifying misconfigurations of the cloud application based on a comparison of the obtained configurations with the plurality of security policies (Soby, par. 0018-0021 and step 206 of FIG. 2, [determining] whether the state violates one or more of the security rules; Soby discloses determining whether the state of the computer system 106 (as represented by the state data 118) violates one or more of the security rules 110 from the established perspective; par. 0020-0021); 
causing remediation of the identified misconfigurations and the determined risks, wherein the cloud-based system performs the CSPM service in addition to one or more additional cloud services (Soby, par. 0021-0022 determines that the state 118 violates one or more of the security rules 110 and preventing that potential future state from being realized wherein the preventing step in Soby is a form of remediation of the identified misconfigurations; see par. 0022 and 0118. Soby discloses a cloud-based or Software-as-a-Service (SaaS) system for security which is mapped to the CSPM service in the claim).
However, Soby does not explicitly disclose configuration analysis and prioritization of the risks based on likelihood of exposure to security breaches.  This aspect of the claim is identified as a difference.
In a related art, Davis teaches:
analyzing the misconfigurations to determine risks including prioritization of the risks based on their likelihood of exposure to security breaches (Davis, the abstract, 0027, and 0031: determining a likelihood of a given asset of the enterprise system becoming compromised responsive to compromise of a given user of the enterprise system; par. 0071-0073: risks … could be prioritized for monitoring or routine security reviews. Additionally, configuration management … could use this information to ensure preventive measures are in place to reduce risk).
Soby and Davis are analogous art, because they are in a similar field of endeavor in improving the detection and remediation of security threats.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and modify Soby with Davis's likelihood-determining techniques for improved risk analysis. For this combination, the motivation would have been to improve the level of security by supplementing the security analysis with a likelihood indicator.

As per claim 17, the references as combined above teach the method of claim 16, wherein the one or more additional cloud services include any of a cloud security service, a Cloud Access Security Broker (CASB) service, a Data Loss Prevention (DLP) service, and a Zero Trust Network Access (ZTNA) service (Soby, par. 0061 and 0154: The security goals 110 may be application agnostic and/or platform agnostic; Cloud Access Security Broker (CASB) is another related product area. CASBs often perform functions similar to DLP).

As per claim 18, the references as combined above teach the method of claim 16, further comprising causing display of any of a security posture, a compliance posture to the one or more compliance frameworks, a risk posture, and a data privacy posture (Soby, par. 0144 and 0150-0153: display of the results of the calculations [of security risks]).

As per claim 19, the references as combined above teach the method of claim 16, further comprising 
determining a risk matrix for the tenant (Davis, par. 0047: an adjacency matrix); and 
causing display of the risk matrix, wherein the risk matrix visualizes risk based on a combination of impact and likelihood (Davis, par. 0077: converting the adjacency matrix of the graph to a probability transition matrix; note that the graph is for display of the risk matrix; see also clm. 9).

As per claim 20, the references as combined above teach the method of claim 16, wherein the tenant has a plurality of users that use the cloud application, and wherein the cloud application is deployed in a public cloud (Soby, par. 0061: a cloud-based or Software-as-a-Service (SaaS) system.  The cloud application of Soby used with SaaS is obviously a public cloud).

Claims 7 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Soby and Davis, as applied to claims 1 and 9 above, and further in view of Sahai (US 20110289588 A1).

As per claim 7, the references of Soby and Davis as combined above teach the non-transitory computer-readable storage medium of claim 1, but do not explicitly disclose that the security policies include a combination of out-of-the-box policies that are pre-defined and tenant-defined policies. This aspect of the claim is identified as a further difference.
In a related art, Sahai teaches:
wherein the plurality of security policies include a combination of out-of-the-box policies that are pre-defined and tenant-defined policies (Sahai, par. 0045-0046: the solution … configurable as per the security policies and … support "out of the box").
Sahai is analogous art in a similar field of endeavor in improving security policies for configurations.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and to use Sahai to determine how to incorporate out-of-the-box security policies into user-defined security policies.  For this combination, the motivation would have been to improve the level of security at reduced cost by using out-of-the-box security policies.

As per claim 15, the references of Soby and Davis as combined above teach the enforcement node of claim 9, but do not explicitly disclose that the security policies include a combination of out-of-the-box policies that are pre-defined and tenant-defined policies. This aspect of the claim is identified as a further difference.
In a related art, Sahai teaches:
wherein the plurality of security policies include a combination of out-of-the-box policies that are pre-defined and tenant-defined policies (Sahai, par. 0045-0046: the solution … configurable as per the security policies and … support "out of the box").
Sahai is analogous art in a similar field of endeavor in improving security policies for configurations.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and to use Sahai to determine how to incorporate out-of-the-box security policies into user-defined security policies.  For this combination, the motivation would have been to improve the level of security at reduced cost by using out-of-the-box security policies.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure as the prior art additionally discloses certain parts of the claim features (See “PTO-892 Notice of Reference Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DON ZHAO whose telephone number is (571) 272-9953.  The examiner can normally be reached Monday to Friday, 7:30 A.M. to 5:00 P.M. EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached on 571.272.3862.  The fax phone number for the organization where this application or proceeding is assigned is 571.273.8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866.217.9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800.786.9199 (IN USA OR CANADA) or 571.272.1000.


/Don G Zhao/
Primary Examiner, Art Unit 2493
07/19/2022