DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 8-9 and 16 -17 are rejected under 35 U.S.C. 102 (a)(2) as being anticipated by over Shravan et. al. (U.S. Patent Application Publication No. 20210281576 A1), hereinafter Shravan.

Regarding claim 1, Shravan discloses A system operable as a Zero Trust Network Access (ZTNA) service module (Par. [0022], The private network 104 includes a network appliance 110 (e.g., a network access control (NAC) device or a virtual private network (VPN) controller, a software defined perimeter (SDP) (i.e. ZTAN) controller, etc.)) comprising: 
a processing resource (Par. [0051], processor); 
a non-transitory computer-readable medium, coupled to the processing resource, having stored therein instructions that when executed by the processing resource cause the processing resource perform a method comprising (Par. [0051], Instructions embedded or encoded in a computer-readable medium may cause a programmable processor, or other processor, to perform the method, e.g., when the instructions are executed): 
receiving from an endpoint device an access request to a protected object (Par. [0025], The network appliance 110 intercepts requests to access to the private network 104 by devices such as the user device 118 (i.e. endpoint device) or other network devices.); 
verifying an identity of a user of the endpoint device via an identity management system (Par. [0025], On the first request in a predetermined time period (e.g., upon the first access request in a 24-hour period, etc.), the network appliance 110, in conjunction with the authorization server 112 (i.e. identity management system), authenticates the identity of the user of the user device 118 using user credentials (sometimes referred to as “authentication credentials”) supplied by the client 120 (sometimes referred to as performing an “authentication check”)); 
when said verifying is affirmative (Par. [0026], When authentication is successful, the network appliance 110 may permit limited access to the private network 104 without providing access to the protected resources 116. For example, the limited access may only allow layer 2 (L2) in the OSI model access. Before providing access to the protected resources 116, the network appliance 110, via the policy server 114, enforces one or more policies (sometimes referred to as performing an “authorization check”)): 
receiving from an endpoint agent running on the endpoint device, security posture information associated with one or more of the endpoint device, the user, and the protected object (Par. [0045], The client 120 (i.e. endpoint agent) collects user device details related to the requirements received from the network appliance 110 (608). Additionally, the client 120 stores the current state of the user device 118 related to the collected details (610). For example, if the compliance information requests the current version of an email client, the client 120 saves, in memory, the current version of the email client (i.e., the version of the email client that is sent to the network appliance 110). The client 120 sends the collected details (e.g., the requested compliance information) (i.e. security posture) to the network appliance 110 (612).); 
determining based on a plurality of ZTNA policies and the security posture information whether to allow the access request (Par. [0046], The network appliance 110 evaluates the compliance (sometimes referred to as “evaluating the compliance state”) of the user device 118 using the compliance information received from client 120 (614). For example, the network appliance 110 may compare the status of ports (e.g., opened or closed, etc.) included in the compliance information to the status of ports required by the corresponding policy. ); and 
when said determining is affirmative, granting access to the protected object by the user via the endpoint device (Par. [0046], The network appliance 110 provides access to the protected network zone and/or protected resources 114 of the private network 104 based on the compliance (e.g., based on the compliance state) of the user device 118 with the applicable policies (618). For example, if 616the user device 118 is compliant with all of the policies, the network appliance 110 may provide full access to the private network 104 that is afforded to the role assigned to the user device 118 (e.g., when the user device 118 is authenticated).).  

Regarding claim 9, Shravan discloses A method performed by a processing resource of a Zero Trust Network Access (ZTNA) service module (Par. [0022], The private network 104 includes a network appliance 110 (e.g., a network access control (NAC) device or a virtual private network (VPN) controller, a software defined perimeter (SDP) (i.e. ZTAN) controller, etc.)), the method comprising: 
receiving from an endpoint device an access request to a protected object (Par. [0025], The network appliance 110 intercepts requests to access to the private network 104 by devices such as the user device 118 (i.e. endpoint device) or other network devices.); 
verifying an identity of a user of the endpoint device via an identity management system (Par. [0025], On the first request in a predetermined time period (e.g., upon the first access request in a 24-hour period, etc.), the network appliance 110, in conjunction with the authorization server 112 (i.e. identity management system), authenticates the identity of the user of the user device 118 using user credentials (sometimes referred to as “authentication credentials”) supplied by the client 120 (sometimes referred to as performing an “authentication check”)); 
when said verifying is affirmative (Par. [0026], When authentication is successful, the network appliance 110 may permit limited access to the private network 104 without providing access to the protected resources 116. For example, the limited access may only allow layer 2 (L2) in the OSI model access. Before providing access to the protected resources 116, the network appliance 110, via the policy server 114, enforces one or more policies (sometimes referred to as performing an “authorization check”)): 
receiving from an endpoint agent running on the endpoint device, security posture information associated with one or more of the endpoint device, the user, and the protected object (Par. [0045], The client 120 (i.e. endpoint agent) collects user device details related to the requirements received from the network appliance 110 (608). Additionally, the client 120 stores the current state of the user device 118 related to the collected details (610). For example, if the compliance information requests the current version of an email client, the client 120 saves, in memory, the current version of the email client (i.e., the version of the email client that is sent to the network appliance 110). The client 120 sends the collected details (e.g., the requested compliance information) (i.e. security posture) to the network appliance 110 (612).); 
determining based on a plurality of ZTNA policies and the security posture information whether to allow the access request (Par. [0046], The network appliance 110 evaluates the compliance (sometimes referred to as “evaluating the compliance state”) of the user device 118 using the compliance information received from client 120 (614). For example, the network appliance 110 may compare the status of ports (e.g., opened or closed, etc.) included in the compliance information to the status of ports required by the corresponding policy. ); and 
when said determining is affirmative, granting access to the protected object by the user via the endpoint device (Par. [0046], The network appliance 110 provides access to the protected network zone and/or protected resources 114 of the private network 104 based on the compliance (e.g., based on the compliance state) of the user device 118 with the applicable policies (618). For example, if 616the user device 118 is compliant with all of the policies, the network appliance 110 may provide full access to the private network 104 that is afforded to the role assigned to the user device 118 (e.g., when the user device 118 is authenticated).).  

Regarding claim 17,  Shravan discloses A non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processing resources of a computer system (Par. [0051]) operable as a - 29 -Zero Trust Network Access (ZTNA) service module (Par. [0022], The private network 104 includes a network appliance 110 (e.g., a network access control (NAC) device or a virtual private network (VPN) controller, a software defined perimeter (SDP) (i.e. ZTAN) controller, etc.)), causes the one or more processing resources to perform a method comprising:
receiving from an endpoint device an access request to a protected object (Par. [0025], The network appliance 110 intercepts requests to access to the private network 104 by devices such as the user device 118 (i.e. endpoint device) or other network devices.); 
verifying an identity of a user of the endpoint device via an identity management system (Par. [0025], On the first request in a predetermined time period (e.g., upon the first access request in a 24-hour period, etc.), the network appliance 110, in conjunction with the authorization server 112 (i.e. identity management system), authenticates the identity of the user of the user device 118 using user credentials (sometimes referred to as “authentication credentials”) supplied by the client 120 (sometimes referred to as performing an “authentication check”)); 
when said verifying is affirmative (Par. [0026], When authentication is successful, the network appliance 110 may permit limited access to the private network 104 without providing access to the protected resources 116. For example, the limited access may only allow layer 2 (L2) in the OSI model access. Before providing access to the protected resources 116, the network appliance 110, via the policy server 114, enforces one or more policies (sometimes referred to as performing an “authorization check”)): 
receiving from an endpoint agent running on the endpoint device, security posture information associated with one or more of the endpoint device, the user, and the protected object (Par. [0045], The client 120 (i.e. endpoint agent) collects user device details related to the requirements received from the network appliance 110 (608). Additionally, the client 120 stores the current state of the user device 118 related to the collected details (610). For example, if the compliance information requests the current version of an email client, the client 120 saves, in memory, the current version of the email client (i.e., the version of the email client that is sent to the network appliance 110). The client 120 sends the collected details (e.g., the requested compliance information) (i.e. security posture) to the network appliance 110 (612).); 
determining based on a plurality of ZTNA policies and the security posture information whether to allow the access request (Par. [0046], The network appliance 110 evaluates the compliance (sometimes referred to as “evaluating the compliance state”) of the user device 118 using the compliance information received from client 120 (614). For example, the network appliance 110 may compare the status of ports (e.g., opened or closed, etc.) included in the compliance information to the status of ports required by the corresponding policy. ); and 
when said determining is affirmative, granting access to the protected object by the user via the endpoint device (Par. [0046], The network appliance 110 provides access to the protected network zone and/or protected resources 114 of the private network 104 based on the compliance (e.g., based on the compliance state) of the user device 118 with the applicable policies (618). For example, if 616the user device 118 is compliant with all of the policies, the network appliance 110 may provide full access to the private network 104 that is afforded to the role assigned to the user device 118 (e.g., when the user device 118 is authenticated).).  

Regarding claim 8, Shravan discloses the system of claim 1, 
Shravan further discloses wherein the endpoint agent comprises an endpoint protection platform (Par. [0033], The client 120 (i.e. endpoint agent) monitors the operating system 204 and/or the user applications 210. For example, the client 120 may monitor the versions of the OS 204 and/or the user applications 210, the settings of the user applications 210, and/or the presence and absence of user applications.).

Method claim 16 relates to the method using the system as claimed in system claim 8. Therefore, claim 16 is rejected for the same reason of obviousness as claim 8 above.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2-6, 10-14 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Shravan in view of Bosch et. al. (U.S. Patent Application Publication No. 20210044623 A1), hereinafter Bosch.

Regarding claim 2, Shravan discloses the system of claim 1, 
Sharvan discloses that the applicable policies are based on user behavior (Par. [0027]), but fails to disclose that security posture information associated with the user is observed by the endpoint agent.
However, Bosch  teaches wherein the security posture information associated with the user is based on a user behavior anomaly observed by the endpoint agent (Par. [0045], The client 120 collects user device details related to the requirements received from the network appliance 110 (608)) (Par. [0087], At block 604, telemetry data associated with the client device is obtained from at least one of an agent running locally on the client device or from the network-based resource of the enterprise, the telemetry data indicating a state/posture of a communication session between an application on the client device and an application service. Both telemetry data local to the client device and telemetry data about the network, the user, the application service being connected to, and other contextual telemetry of the communication session are gathered to determine a comprehensive security posture of the communication session.).  
Sharvan and Bosch are analogous references to the claimed invention as they both pertain to receiving a request to access a protected resource, applying ZTNA (SDP) polies to give access to the user. Therefore, it would have been obvious to one of ordinary skill before the effective filing date of the invention to modify Sharvan by observing user behavior using the agent installed on the user device. This will provide a complete security posture information about the requester and improves the security of the system.

Regarding claim 3, the combination of Shravan  and Bosch teaches the system of claim 2, 
Shravan further discloses s wherein the protected object comprises an application (Par. [0029], The protected resources 116 may include a user email account, a file server for storing documents, an application server for sharing network-enabled versions of common software applications with many user devices, a network printer, a communications server for handling e-mail exchanges, fax communications, remote access to the network, firewalls and/or other internet services, a database server for storing data and for managing requests to store or access data, or the like, to which user device 118 or the user of user device 118 attempts to gain access.) and wherein the user behavior anomaly relates to one or more of usage of the application, a communication origin of the access request, use of a new communication protocol, use of a new port, irregular working hours by the user over a particular timeframe (Par. [0041], The policies include characteristics that, when true, make the policy applicable and requirements to satisfy the policy. The characteristics, for example, may be based on the characteristics of the user (e.g., security clearance, job title, location, etc.) of the user device 118 (e.g., associated with the credential supplied during the authentication check), the protected resources 116 that the user device 118 will access, the time of day, general policies of the private network 104, etc.).  

Regarding claim 4, Shravan discloses the system of claim 1, 
Sharvan discloses that the applicable policies are based on user behavior (Par. [0027]), but fails to disclose that security posture information associated with the user is observed by the endpoint agent.
However, Bosch further teaches wherein the security posture information associated with the endpoint device is based on an endpoint device behavior anomaly observed by the endpoint agent (Par. [0087], At block 604, telemetry data associated with the client device (i.e. endpoint device) is obtained from at least one of an agent running locally on the client device or from the network-based resource of the enterprise, the telemetry data indicating a state/posture of a communication session between an application on the client device and an application service).  
Sharvan and Bosch are analogous references to the claimed invention as they both pertain to receiving a request to access a protected resource, applying ZTNA (SDP) polies to give access to the user. Therefore, it would have been obvious to one of ordinary skill before the effective filing date of the invention to modify Sharvan by including the endpoint behavior anomalies taught by Bosch. Such modification will add more information to what is taught by Sharvan and consequently increases the security of the system.

Regarding claim 5, the combination of Shravan  and Bosch teaches the system of claim 4,
Sharvan discloses endpoint device behaviors in Par. [0034], but fails to explicitly disclose the claimed endpoint device behavior anomalies. 
However, Bosch teaches wherein the endpoint device behavior anomaly relates to one or more of consumption of processing, storage, or memory resources of the endpoint device, installation of a new driver, or modification of a serial number of a hardware component of the endpoint device (Par. [0088], Examples of telemetry data include a security state of a hosting environment, authentication of the hosting environment, security states of virtual machines on the client device, evidences of tampering, security postures of system calls executed on the client device, socket maintenance metrics, an operating system release, availability of a trusted platform module (TPM), verification of a secure boot function, DNS information, the ambient environment of the client device, an SSID, cellular network identities, and so forth.).  
Sharvan and Bosch are analogous references to the claimed invention as they both pertain to receiving a request to access a protected resource, applying ZTNA (SDP) polies to give access to the user. Therefore, it would have been obvious to one of ordinary skill before the effective filing date of the invention to modify Sharvan by including the endpoint behavior anomalies taught by Bosch. Such modification will add more information to what is taught by Sharvan and consequently increases the security of the system.

Regarding claim 6, Shravan  teaches the system of claim 1, 
Sharvan discloses security posture information relating to the endpoint device in Par. [0027], but fails to explicitly disclose the claimed security posture information. 
However, Bosch teaches wherein the security posture information associated with the endpoint device is based on information indicative of (I) potential attacks relating to the endpoint device or inconclusive audited incidents over a particular timeframe, (ii) software or hardware vulnerabilities of the endpoint device, or (iii) regulation or compliance issues of the endpoint device (Par. [0088], Examples of telemetry data include a security state of a hosting environment, authentication of the hosting environment, security states of virtual machines on the client device, evidences of tampering (i.e. i), security postures of system calls executed on the client device, socket maintenance metrics, an operating system release, availability of a trusted platform module (TPM), verification of a secure boot function, DNS information, the ambient environment of the client device, an SSID, cellular network identities, and so forth.).  
Sharvan and Bosch are analogous references to the claimed invention as they both pertain to receiving a request to access a protected resource, applying ZTNA (SDP) polies to give access to the user. Therefore, it would have been obvious to one of ordinary skill before the effective filing date of the invention to modify Sharvan by including the security posture information of the user device as taught by Bosch. Such modification will add more information to what is taught by Sharvan and consequently increases the security of the system.

Method claim 10 relates to the method using the system as claimed in system claim 2. Therefore, claim 10 is rejected for the same reason of obviousness as claim 2 above.

Method claim 11 relates to the method using the system as claimed in system claim 3. Therefore, claim 11 is rejected for the same reason of obviousness as claim 3 above.

Method claim 12 relates to the method using the system as claimed in system claim 4. Therefore, claim 12 is rejected for the same reason of obviousness as claim 4 above.

Method claim 13 relates to the method using the system as claimed in system claim 5. Therefore, claim 13 is rejected for the same reason of obviousness as claim 5 above.

Method claim 14 relates to the method using the system as claimed in system claim 6. Therefore, claim 14 is rejected for the same reason of obviousness as claim 6 above.

Apparatus claim 18 relates to the method using the system as claimed in system claim 2. Therefore, claim 16 is rejected for the same reason of obviousness as claim 2 above.

Apparatus claim 19 relates to the method using the system as claimed in system claim 3. Therefore, claim 16 is rejected for the same reason of obviousness as claim 3 above.
Apparatus claim 20 relates to the method using the system as claimed in system claim 4. Therefore, claim 16 is rejected for the same reason of obviousness as claim 4 above.

Claims 7 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Shravan in view of Begun et. al (U.S. Patent Application Publication No 20210273937 A1), hereinafter Begun.
Regarding claim 7, Shravan  discloses the system of claim 1,
Sharvan discloses all the claimed features except the ZTNA broker (trust broker).
However, Begun teaches wherein the ZTNA service module (Fig. 2, Operating environment 200) comprises a ZTNA broker (Trust broker 300) and wherein the system comprises a network security appliance (Infrastructure Manager 402).  
Sharvan and Begun are analogous references to the claimed invention as they both pertain to receiving a request to access a protected resource, applying ZTNA (SDP) polies to give access to the user. Therefore, it would have been obvious to one of ordinary skill before the effective filing date of the invention to modify Sharvan by adding a trust broker to facilitate communication between the user and the protected object. Such modification will allow a more secure connection since the user can not independently verify the trust of the protected object and vice versa (Begun, Par. [0017]).

Method claim 15 relates to the method using the system as claimed in system claim 7. Therefore, method claim 15 is rejected for the same reason of obviousness as used for claim 7.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Dupont ( U.S. Patent Application Publication No. 20090307753 A1) teaches a based scanning and assessment of network connections. 
Mahaja  ( U.S. Patent Application Publication No. 20200336484 A1) intercepting network connection request and verifying the connection by using applicable policies. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Dawit Woldemariam whose telephone number is (571)272-2560. The examiner can normally be reached on 7:30 AM - 5:00 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado, can be reached on (571)272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/Dawit Woldemariam/
Art Unit 2496

/JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496