e-Security | Vol: 36-12014
© CyberSecurity Malaysia 2014 - All Rights Reserved
strict authentication and authorisation processes. Nobody should be exempted
from this requirement so that there is less chance for unauthorised individuals
to do something harmful and also to ensure that actions taken by authorised
individuals can later be traced back to them for accountability purposes.
8. Operational Security
The cloud service provider should have processes and procedures in place to
ensure that the operational security of the service is well defined. These
processes and procedures are important so that everybody is aware of them and
can do their work properly during normal operating conditions as well as during
security disasters.
9. Personnel security
The consumer should make sure that the cloud service provider performs adequate
security screening of their personnel and ensure that those personnel undergo the
correct security training for their role in the cloud provider’s organisation.
10. Secure development of services
Consumers should evaluate and decide whether the cloud service provider
implements secure development practices. One way this can be verified is to insist
on the latest vulnerability and security assessment reports of the services that
the consumer is interested in. This can help to show whether the cloud service
provider consistently identifies and mitigates threats to the security of the
service.
Conclusion
Security is the responsibility of both the consumer and the cloud service
provider. This article has attempted to describe some of the security principles
that both the consumer and the provider should be concerned with. There are
additional security principles that will add extra layers of confidence if they
are implemented by the provider but the principles described above should be a
good starting point in the right direction for the consumer.
■
I was once given a mobile phone to be analysed for a criminal case several years
ago. The case objective was to extract SMS text messages from the phone and
to correlate the timestamp of SMS from the sender’s phone and the SMS from the
receiver’s phone.
What was supposed to be a simple analysis became complex as the timestamp
correlation did not make sense at all. Further analysis on the timestamp found
that there were actually three possibilities of how SMS timestamps were generated on
the phone.
When an SMS is received, the timestamp displayed on the SMS could be:
• The timestamp of the sender’s phone (device time)
• The timestamp of the telecommunication provider’s server time (network time)
• The timestamp of the recipient’s phone (device time)
Figure 1: Three (3) possibilities of timestamp generated for an SMS.
Have you ever wondered which timestamp is displayed on your SMS?
How do we determine which timestamp is generated on the SMS? In this article, I will
present a simple analysis on three phone models and provide a conclusion from the
analysis.
Methodology
The methodology of conducting this analysis is quite simple. The steps below show how
the analysis is conducted:
Preliminary Study on Timestamp
Before we proceed to the next section, it is important for an analyst to understand the
timestamp system. Mobile phones, in general, use the Coordinated Universal Time (UTC)
format. It is also known as ‘Zulu time’ or ‘Z time’. UTC is 24-hour time, which begins at 00:00 at
midnight.
To obtain Malaysia’s local time (known as GMT), we need to add 8 hours (+8) to the UTC. An
example of the UTC to GMT calculation is shown below:
Figure 2: Converting UTC time to GMT time
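The following is an added example, not part of the original article: it applies the +8 hour conversion above to a UTC timestamp extracted from a recipient's handset and checks which of the three candidate clocks it matches. It assumes the examiner has deliberately set the two handsets hours apart from network time; the function names, the 60-second tolerance and all sample values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MYT = timezone(timedelta(hours=8))  # Malaysia local time: UTC + 8 hours

def utc_to_local(stored_utc):
    """Convert a UTC timestamp extracted from a handset to Malaysia local time."""
    if stored_utc.tzinfo is None:  # treat naive extracted values as UTC
        stored_utc = stored_utc.replace(tzinfo=timezone.utc)
    return stored_utc.astimezone(MYT)

def classify_source(stored_utc, clocks, tolerance=timedelta(seconds=60)):
    """Return the candidate clocks whose reading matches the SMS timestamp.

    clocks maps a name to that clock's local (UTC+8) reading when the test SMS
    was sent. Zero or several matches means the test is inconclusive.
    """
    shown = utc_to_local(stored_utc)
    matches = []
    for name, reading in clocks.items():
        if reading.tzinfo is None:  # naive readings are taken as local time
            reading = reading.replace(tzinfo=MYT)
        if abs(shown - reading) <= tolerance:
            matches.append(name)
    return matches

# Constructed test scenario (not case data): the two handsets are deliberately
# set hours away from network time so the three candidates cannot be confused.
SAMPLE_CLOCKS = {
    "sender_device": datetime(2014, 3, 1, 10, 0, 0),
    "network": datetime(2014, 3, 1, 12, 0, 0),
    "recipient_device": datetime(2014, 3, 1, 15, 0, 0),
}

if __name__ == "__main__":
    # UTC values as they might be extracted from the recipient's handset (constructed).
    for stored in (datetime(2014, 3, 1, 4, 0, 30), datetime(2014, 3, 1, 7, 0, 10),
                   datetime(2014, 3, 1, 1, 0, 0)):
        print(stored.isoformat(), "UTC ->", utc_to_local(stored).isoformat(),
              classify_source(stored, SAMPLE_CLOCKS) or "inconclusive")
```

An empty or multi-name result should be recorded as inconclusive rather than forced to the nearest clock, since it means the clocks were not separated by more than the tolerance or the handset uses a source outside the three listed.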
Analysis Finding
Three phone models were used for the purposes of this study. The phones have
been synchronised to the SIRIM standard time. The details are as follows:
A Forensic Analysis on SMS Timestamp
By | Nor Zarina Zainal Abidin