Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 7/26/2022 has been entered. Claims 1, 9 and 15 are amended. Claims 1-20 are pending.
 Response to Arguments
Examiner’s Remarks - 35 USC § 103
Applicant’s arguments have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 7-9, 13-15, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Thapliyal et al. (US Patent Publication No. 2016/0057211, hereinafter Thapliyal) in view of Kumar et al. (US Patent Publication No. 2012/0216244, hereinafter Kumar).

As to claims 1 and 9, Thapliyal teaches a method comprising:
responsive to a request from a user for one or more Business-to-Business (B2B) applications (i.e. …teaches in their Abstract the following: “The cloud DMZ server communicates with the enterprise through its firewall (for example via one or more web sockets). In order for the API requests to be made and fulfilled, the enterprise does not need to keep open and inbound port. Because only outbound ports are used on the enterprise side for application layer communication,”. …teaches in par. 0016 the following: “This payload carries the REQUEST coming from the web/mobile client 102.”.), 
creating a first tunnel from the B2B application to the cloud-based system (i.e., …teaches as part of their claim 1 limitation the following: “a cloud DMZ receiving an application programming interface (API) call from a mobile device; the cloud DMZ transmitting the API call through a web socket server; the web socket server transmitting the API call through an enterprise firewall to an enterprise application server using a standard protocol; a web socket client receiving the request and determining whether it is an API call, wherein determining comprises interpreting signals of the protocol in a way that is not standard”), 
stitching the first tunnel between the B2B application and the cloud-based system with a second tunnel between the user and the cloud-based system (i.e., …teaches as part of their claim 1 limitation the following: “a cloud DMZ receiving an application programming interface (API) call from a mobile device; the cloud DMZ transmitting the API call through a web socket server; the web socket server transmitting the API call through an enterprise firewall to an enterprise application server using a standard protocol; a web socket client receiving the request and determining whether it is an API call, wherein determining comprises interpreting signals of the protocol in a way that is not standard.”. The chain of transmittal connections is representative of tunnels stitched together, because there is no direct connection between the client and the application server.), 
wherein the B2B application can only communicate with the cloud based system (i.e., …teaches in par. 0016 the following: “On the side of server 304, no in-bound ports are required in order to communicate with the web/mobile client 102. Therefore, it is not possible for malicious attackers to bypass the FaaS cloud servers (without going through the FaaS cloud DMZ 302). Only an out-bound connection is needed on the customer server 304 side.”), 
and the user can only communicate with the cloud-based system (i.e., …teaches in par. 0015 the following: “The FaaS enables customer-side servers to be completely hidden from the perspective of the public Internet.”. The customer communicates with the cloud and not the application.), 
and wherein application segmentation is achieved without network segmentation through user to application micro tunnels (i.e., …teaches as part of their claim 1 limitation the following: “a cloud DMZ receiving an application programming interface (API) call from a mobile device; the cloud DMZ transmitting the API call through a web socket server; the web socket server transmitting the API call through an enterprise firewall to an enterprise application server using a standard protocol; a web socket client receiving the request and determining whether it is an API call, wherein determining comprises interpreting signals of the protocol in a way that is not standard.” The various transmittal routings are representative of micro channels.). 

Thapliyal does not expressly teach:
redirecting the request, by a cloud-based system, to an identity provider to authorize the user;
displaying the one or more B2B applications that the user is authorized to access;
responsive to a selection of a B2B application of the one or more B2B applications, 
wherein the tunnel is an inside-out encrypted tunnel.
In this instance the examiner notes the teachings of prior art reference Kumar.
With regards to applicant’s claim limitation element of, “redirecting the request, by a cloud-based system, to an identity provider to authorize the user”, Kumar teaches in par. 0064 the following: “The identity provider 112 may receive, for example, a web redirect from web application 103 to perform brokered authentication ceremonies to login a user (e.g., an interactive user) 115.”.
With regards to applicant’s claim limitation element of, “displaying the one or more B2B applications that the user is authorized to access”, Kumar teaches in par. 0089 the following: “may selectively grant access to the user 300 for the target application on the instrumented platform 301 or may selectively block access by the user 300 to the target application on the instrumented platform 301 based on the application statements or reports 316 received from the attestation broker 304 and pre-established or system administrator established access or attestation policies.”. 
With regards to applicant’s claim limitation element of, “responsive to a selection of a B2B application of the one or more B2B applications”, Kumar teaches in par. 00142 the following: “a web browser may render an icon indicating that the first attestation result has been sent and responsive to user selection of the icon, may render the attestation result about the first application which is a web application accessed via the web browser.”.
With regards to applicant’s claim limitation element of, “wherein the tunnel is an inside-out encrypted tunnel”, Kumar teaches in par. 0061 the following: “the communication channel 106 may be a secure communication channel and/or the communication may be secured via known encryption/decryption methods.”.
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teaching of Thapliyal with the teachings of Kumar by having their system comprise an identity provider. One would have been motivated to do so to provide a simple and effective means to secure the system before access, wherein the identity provider helps identify questionable users to make it easier to ensure system security.

As to claims 7, 13 and 19, the system of Thapliyal and Kumar as applied to claim 1 above teaches application segmentation; specifically, Thapliyal teaches the method of claim 1, wherein the one or more B2B applications are web-based applications and the request is a Uniform Resource Locator (URL) (i.e. …teaches in par. 0016 the following: “This payload carries the REQUEST coming from the web/mobile client 102.”).

As to claims 8, 14 and 20, the system of Thapliyal and Kumar as applied to claim 1 above teaches application segmentation; specifically, Thapliyal teaches the method of claim 1, wherein the user provides the request via a web browser executed on a user device (i.e. …teaches in par. 0016 the following: “This payload carries the REQUEST coming from the web/mobile client 102.”).

As to claim 15, Thapliyal teaches a cloud-based system comprising:
a plurality of enforcement nodes interconnected to one another (i.e., …illustrates in figure 4, enforcement type nodes); and
a central authority interconnected to the plurality of enforcement nodes (i.e., …illustrates in figure 5, figure element 403 a central authority),
wherein any of the plurality of enforcement nodes are connected to one or more Business-to-Business (B2B) applications, via corresponding connectors, and to a user (i.e., …illustrates in figure 5, multiple application server, connected to enforcement node(s) and customer);
wherein the cloud-based system is configured to, responsive to a request from the user for the one or more Business-to-Business (B2B) applications (i.e., …teaches in par. 0016 the following: “This payload carries the REQUEST coming from the web/mobile client 102.”), 
and responsive to creation of a first tunnel from the B2B application to a broker in the cloud-based system (i.e., …teaches as part of their claim 1 limitation the following: “a cloud DMZ receiving an application programming interface (API) call from a mobile device; the cloud DMZ transmitting the API call through a web socket server; the web socket server transmitting the API call through an enterprise firewall to an enterprise application server using a standard protocol; a web socket client receiving the request and determining whether it is an API call, wherein determining comprises interpreting signals of the protocol in a way that is not standard”),
stitch the first tunnel between the B2B application and the cloud-based system with a second tunnel between the user and the cloud-based system (i.e., …teaches as part of their claim 1 limitation the following: “a cloud DMZ receiving an application programming interface (API) call from a mobile device; the cloud DMZ transmitting the API call through a web socket server; the web socket server transmitting the API call through an enterprise firewall to an enterprise application server using a standard protocol; a web socket client receiving the request and determining whether it is an API call, wherein determining comprises interpreting signals of the protocol in a way that is not standard.”. The chain of transmittal connections is representative of tunnels stitched together, because there is no direct connection between the client and the application server.).

Thapliyal does not expressly teach:
redirect the request, by a cloud-based system, to an identity provider to authorize the user;
cause a display of the one or more B2B applications that the user is authorized to access; 
and responsive to a selection of a B2B application of the one or more B2B applications,
wherein the tunnel is an inside-out encrypted tunnel.
In this instance the examiner notes the teachings of prior art reference Kumar.
With regards to applicant’s claim limitation element of, “redirect the request, by a cloud-based system, to an identity provider to authorize the user”, Kumar teaches in par. 0064 the following: “The identity provider 112 may receive, for example, a web redirect from web application 103 to perform brokered authentication ceremonies to login a user (e.g., an interactive user) 115.”.
With regards to applicant’s claim limitation element of, “cause a display of the one or more B2B applications that the user is authorized to access”, Kumar teaches in par. 0089 the following: “may selectively grant access to the user 300 for the target application on the instrumented platform 301 or may selectively block access by the user 300 to the target application on the instrumented platform 301 based on the application statements or reports 316 received from the attestation broker 304 and pre-established or system administrator established access or attestation policies.”. 
With regards to applicant’s claim limitation element of, “and responsive to a selection of a B2B application of the one or more B2B applications”, Kumar teaches in par. 00142 the following: “a web browser may render an icon indicating that the first attestation result has been sent and responsive to user selection of the icon, may render the attestation result about the first application which is a web application accessed via the web browser.”.
With regards to applicant’s claim limitation element of, “wherein the tunnel is an inside-out encrypted tunnel”, Kumar teaches in par. 0061 the following: “the communication channel 106 may be a secure communication channel and/or the communication may be secured via known encryption/decryption methods.”.
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teaching of Thapliyal with the teachings of Kumar by having their system comprise an identity provider. One would have been motivated to do so to provide a simple and effective means to secure the system before access, wherein the identity provider helps identify questionable users to make it easier to ensure system security.

Claim(s) 2-6, 10-12 and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Thapliyal in view of Kumar as applied to claims 1, 9 and 15 above and further in view of Hames et al. (US Patent Publication No. 2008/0004886 and Hames hereinafter).

As to claims 2, 10 and 16, the system of Thapliyal and Kumar as applied to claim 1 above teaches application segmentation; however, Thapliyal does not expressly teach the method of claim 1, further comprising,
responsive to the user being unauthorized for any of the one or more B2B applications.
In this instance the examiner notes the teachings of prior art reference Kumar.
With regards to applicant’s claim limitation element of, “responsive to the user being unauthorized for any of the one or more B2B applications”, Kumar teaches in par. 0089 the following: “The web application 302 may selectively grant access to the user 300 for the target application on the instrumented platform 301 or may selectively block access by the user 300 to the target application on the instrumented platform 301 based on the application statements or reports 316 received from the attestation broker 304 and pre-established or system administrator established access or attestation policies”.
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teaching of Thapliyal with the teachings of Kumar by having their system comprise an identity provider. One would have been motivated to do so to provide a simple and effective means to secure the system before access, wherein the identity provider helps identify questionable users to make it easier to ensure system security.

The system of Thapliyal and Kumar does not expressly teach:
omitting the one or more B2B applications from the displaying, such that the one or more B2B applications are invisible to the user.
In this instance the examiner notes the teachings of prior art reference Hames.
Hames teaches in par. 0063 the following: “Thus the interface module 9 acts as a simple user interface to allow user access to the applications for which they have subscribed.”. Only subscribed (i.e., authorized) applications are displayed.
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teaching of Thapliyal and Kumar with the teachings of Hames by having their system comprise comprehensive software access control. One would have been motivated to do so to provide a simple and effective means to secure the software before access, wherein the comprehensive software access control helps control access to make it easier to ensure software security.
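The following Python script is an illustration added by the editor; it is not code from the application under examination, nor from Thapliyal, Kumar or Hames. It models the architecture recited in claim 1 and the omission recited in claim 2: a B2B application that listens only on loopback, a connector that dials out to a cloud broker (the inside-out first tunnel), a user who dials only the broker (the second tunnel), a policy check that stands in for the identity-provider step, and a catalog that lists only the applications the user is authorized for, so the rest are invisible. The user names, application names, the POLICY table, the ephemeral loopback ports and the one-line handshake are assumptions made for the demo; the tunnels are plain TCP on loopback, so the encryption the claim recites is not modelled.

```python
import socket
import threading

# Constructed demo policy (an assumption, not taken from the Office action or any
# cited reference): which users are authorized for which B2B applications.
POLICY = {"alice": {"payroll", "inventory"}, "bob": {"inventory"}}

def catalog(user):
    """Apps shown to this user; unauthorized apps are omitted, hence invisible."""
    return sorted(POLICY.get(user, set()))

def _listener():
    """Loopback listener on an ephemeral port (ports are assumptions for the demo)."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.bind(("127.0.0.1", 0))
    ls.listen(5)
    return ls

class Broker:
    """Cloud broker: holds outbound connector tunnels, authorizes users, stitches."""
    def __init__(self):
        self.connector_ls = _listener()  # connectors dial in (outbound from enterprise)
        self.user_ls = _listener()       # users dial in; they never reach the app host
        self.registry = {}               # app name -> connector socket (first tunnel)
        self.lock = threading.Lock()
        self.ready = threading.Event()
        threading.Thread(target=self._accept_connectors, daemon=True).start()
        threading.Thread(target=self._accept_users, daemon=True).start()

    def _accept_connectors(self):
        while True:
            s, _ = self.connector_ls.accept()
            name = s.recv(64).decode().strip()   # one-line registration, then silence
            with self.lock:
                self.registry[name] = s
            self.ready.set()

    def _accept_users(self):
        while True:
            s, _ = self.user_ls.accept()
            threading.Thread(target=self._serve_user, args=(s,), daemon=True).start()

    def _serve_user(self, s):
        # Stand-in for the identity-provider redirect: identity plus chosen app are
        # checked against policy before any tunnel is stitched.
        user, _, app = s.recv(128).decode().strip().partition(" ")
        if app not in POLICY.get(user, set()):
            s.sendall(b"DENY\n")
            return s.close()
        with self.lock:
            conn = self.registry.pop(app, None)
        if conn is None:
            s.sendall(b"NOAPP\n")            # authorized, but no connector is up
            return s.close()
        s.sendall(b"OK\n")
        conn.sendall(s.recv(4096))           # stitch: second tunnel -> first tunnel
        s.sendall(conn.recv(4096))           # and the reply back the same way
        conn.close(); s.close()

def start_app(name):
    """Hidden B2B app on loopback: only the local connector can reach it."""
    ls = _listener()
    def serve():
        c, _ = ls.accept()
        c.sendall(name.encode() + b":" + c.recv(4096))
        c.close()
    threading.Thread(target=serve, daemon=True).start()
    return ls.getsockname()[1]

def start_connector(name, app_port, broker_port):
    """Enterprise connector: dials OUT to the broker (no inbound firewall hole),
    registers the app, then relays one request to the local app and back."""
    def run():
        with socket.create_connection(("127.0.0.1", broker_port)) as up:
            up.sendall(name.encode() + b"\n")   # register, then wait for work
            req = up.recv(4096)
            with socket.create_connection(("127.0.0.1", app_port)) as down:
                down.sendall(req)
                up.sendall(down.recv(4096))
    threading.Thread(target=run, daemon=True).start()

def user_request(user, app, payload, user_port):
    """User side: speaks only to the broker, never to the application host."""
    with socket.create_connection(("127.0.0.1", user_port)) as s:
        s.sendall(f"{user} {app}\n".encode())
        status = s.recv(16).strip()
        if status != b"OK":
            return status
        s.sendall(payload)
        return s.recv(4096)

def run_demo(user, app, payload=b"GET /report"):
    """Wire up broker, hidden app and connector; return what the user gets back."""
    broker = Broker()
    app_port = start_app("payroll")
    start_connector("payroll", app_port, broker.connector_ls.getsockname()[1])
    broker.ready.wait(2)   # the connector has registered its outbound tunnel
    return user_request(user, app, payload, broker.user_ls.getsockname()[1])
```

run_demo("alice", "payroll") returns the application's reply through the two stitched tunnels; run_demo("bob", "payroll") is refused at the broker before any tunnel is stitched; and run_demo("alice", "inventory") returns NOAPP because no connector has registered that application, which separates being authorized from being reachable. Note that the user never learns the application host's address, and the application host never opens an inbound port.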

As to claims 3, 11 and 17, the system of Thapliyal and Kumar as applied to claim 1 above teaches application segmentation; however, neither reference expressly teaches the method of claim 1, further comprising
logging activity of the user with the one or more B2B applications and storing the activity with a plurality of users associated with the one or more B2B applications.
In this instance the examiner notes the teachings of prior art reference Hames.
Hames teaches in par. 0064 the following: “A log file can be created containing the start and stop notifications and this is stored in the application usage file 15 for upload to the server.”.
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teaching of Thapliyal and Kumar with the teachings of Hames by having their system comprise comprehensive software access control. One would have been motivated to do so to provide a simple and effective means to secure the software before access, wherein the comprehensive software access control helps control access to make it easier to ensure software security.

As to claim 4, the system of Thapliyal and Kumar as applied to claim 1 above teaches application segmentation; however, neither reference expressly teaches the method of claim 3, further comprising
providing a Graphical User Interface including visualizations related to user transactions with the one or more B2B applications.
In this instance the examiner notes the teachings of prior art reference Hames.
Hames illustrates in figure 1 a rental application for user transactions.
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teaching of Thapliyal and Kumar with the teachings of Hames by having their system comprise comprehensive software access control. One would have been motivated to do so to provide a simple and effective means to secure the software before access, wherein the comprehensive software access control helps control access to make it easier to ensure software security.

As to claim 5, the system of Thapliyal and Kumar as applied to claim 1 above teaches application segmentation; however, neither reference expressly teaches the method of claim 3, further comprising analyzing the activity of the user and the plurality of users to detect usage patterns and providing an alert responsive to any deviating behavior, for both security and operational reasons.
In this instance the examiner notes the teachings of prior art reference Hames.
Hames teaches in par. 0045 the following: “usage information indicating the number of simultaneous connections permitted for the user”. Hames teaches in par. 0058 the following: “the serial number, PC ID and usage data is transmitted to the server (step S24) and the monitoring process waits for the next monitoring period”. Hames teaches in par. 0064 the following: “A log file can be created containing the start and stop notifications and this is stored in the application usage file 15 for upload to the server.”. Hames teaches in par. 0073 the following: “If the current date is outside the grace period (step S81) an alert is displayed to the user to inform the user that they must reconnect their computer to the network in order to reactivate the application (step S82) and execution of the DLL is terminated without passing control back to the stub code. Thus execution of the application is prevented (step S75).”.
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teaching of Thapliyal and Kumar with the teachings of Hames by having their system comprise comprehensive software access control. One would have been motivated to do so to provide a simple and effective means to secure the software before access, wherein the comprehensive software access control helps control access to make it easier to ensure software security.

As to claims 6, 12 and 18, the system of Thapliyal and Kumar as applied to claim 1 above teaches application segmentation; however, neither reference expressly teaches the method of claim 1, wherein the one or more B2B applications include business facing applications including any of Supply Chain Management (SCM) applications, inventory management applications, ordering applications, financial applications, and payroll applications. 
In this instance the examiner notes the teachings of prior art reference Hames.
Hames teaches in par. 0038 the following: “a word processing application, a database application, an email client application, a photo-editing application, or a spreadsheet application.”.
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teaching of Thapliyal and Kumar with the teachings of Hames by having their system comprise comprehensive software access control. One would have been motivated to do so to provide a simple and effective means to secure the software before access, wherein the comprehensive software access control helps control access to make it easier to ensure software security.
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRYAN F WRIGHT whose telephone number is (571)270-3826.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571)272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BRYAN F WRIGHT/Examiner, Art Unit 2497