Sei sulla pagina 1di 41

"The Time

Identity & Access Has Role

& Role-Based Access Control
Come" .

Matthew Collinson
Why are we here today?

Traditional models of access control consist of point or

application-specific solutions that make management,
reporting and compliance extremely costly and unwieldy.
Moving to Identity & Access Management, Role Management
(RM) and Role-Based Access Control (RBAC) brings the
focus back to the business by defining access purely in terms
of business requirements.
It streamlines the user access lifecycle, simplifies the
enforcement of Segregation of Duties (SoD) and supports the
organisation's reporting and compliance activities.

2 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

This Session’s Agenda

• Identity & Access Management – an overview

• IAM Business Case Example
• Access control – today’s business challenges
• What are RM & RBAC?
• Who are the stakeholders?
• What are the benefits?
• Do’s & Don’ts
• Deloitte Methodologies – a snapshot

3 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

Identity & Access
Management – an
Definitions: Identity

• Identity (Digital Identity): the digital representation of a user, including a unique

identifier, credentials, common profiles and entitlements
• The complete digital identity of an individual may be scattered across multiple repositories
within an enterprise, with no hard links between the various pieces
Core Identity Attributes:
• First Name, Last Name, Unique Identifier

Account Credentials:
• Login ID and password
• SecurID card, other strong authentication factors

Common Profiles:
• Job Functional Roles
• Business Unit
• Office Location
• Manager/Supervisor

New in Window

Limited Contri- Full
Read Design SharePoint Services
Access* bute Control
(version 3)?
Update Personal Web
Parts ü ü ü No

Add/Remove Personal
ü ü ü No

• Permission levels, access rights

Web Parts
Manage Person al
Views ü ü ü No

Approve Items
ü ü New

Person User’s Digital ID • Access control items Delete Versions

View Versions


Cancel Checkout
ü ü No

Open Items
ü ü ü ü New

View Items
ü ü ü ü No

Delete Items
ü ü ü No

5 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

Definitions: Authentication, Authorization

• Authentication: the process of establishing the validity of an identity claim

– “Gets you in the front door”

• Authorization: the process of determining the appropriate rights and privileges

for a given identity
– Determines “what you are allowed to touch/see, once inside”

• Multi-factor authentication: using a combination of two or more factors

(something you know/have/are) to authenticate a user to achieve a higher level
of authentication assurance
– Note: Username and password does not count as two-factor authentication!

6 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

Definitions: SSO, Federation

• SSO (Single Sign On, a.k.a. Reduced Sign-On, Simplified Sign-On)

– Access control method which enables a user to authenticate once to gain access to
multiple systems

• Identity Federation
– Standards-based method of
exchanging identity information
across autonomous security
domains (organizations) Vendor

– Facilitates SSO across separate

enterprises or security domains

7 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

Definition: Identity and Access Management

• Identity and Access Management (IAM) is a set of business processes, information, and
technology for the creation, maintenance and use of people’s digital identities within
the bank and eventual termination of that identity in a controlled and secure manner.

8 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

IAM Services – Conceptual View

9 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

IAM: Business value perspective

Business Facilitation Security & Risk Operational Efficiency Cost


Improved user experience

and business integration Managing business risks Efficient operations, high Cost and productivity
capabilities: through effective and quality services: impacts:
“Build once, deploy often” demonstrable controls “Better, faster, cheaper” “Deliver more for less”

Reduced Sign-On, Consistent security policy Improved service levels User productivity cost
registration and password enforcement and (user management and savings due to:
self-services for internal automated controls provisioning) and Quicker provisioning
users (protection of customer good quality of service processes
Consistent and data) Streamlined security Reduced time for
streamlined user Identity lifecycle administration & reporting password re-sets
provisioning processes administration (accurate Flexible infrastructure for Single Sign-On
with automated workflow and timely terminations rapid deployment of Reduced cost of:
(escalation and approval and access management) applications (enablement User Administration
points) Improved privacy and of shared services and and Provisioning
Business integration and regulatory compliance Service-Oriented Helpdesk (password
large technology roll-outs Effective logging, Architecture) management)
comprehensive auditing Security Administration
and timely reporting (auditing, reporting)
Avoiding uncoordinated
and overlapping
application development

10 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

IAM Program - Key Success Factors
• Recognize business ownership of IAM

• Recognize the size of the problem

 Inventory of identity objects
 High ratio of accounts to individuals

• Build a clearly defined, realistic roadmap which:

 Leads towards the target architecture: common/re-usable services
 Leverages good work already done, or in flight
 Allows for better decision making
 Results in cross pollination of strategies allowing for more enterprise-focused, scalable solutions

11 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

IAM Business
Case Example
Our analysis of business needs indicated that Identity and Access Management
problems need to be addressed and the time is right now.

Business Problems: Observations

 Delayin onboarding (user access provisioning)
causes unacceptable loss of productivity.
 BU’s are constantly asking for the ability to manage Enterprise Solution
User groups and roles for their users.
Experience  Too Provisioning Automated creation,
many IDs and passwords to remember. modification and deletion of
 Usersare frustrated with login and password issues user accounts and related
access attributes.
when dealing with externally hosted applications.

 Many applications require user profile/group Allows end users manage

management capabilities. In the absence of an Management their profile/access information
enterprise solution, they develop tactical solutions. via self-service or delegated
administration (i.e. designated
 Tacticalsolutions increase overall spent and managers) interfaces.
Delivery complicate the existing IT challenges.
 Simplified Sign-On is a common requirement for Federated Provides seamless
Sign-On authentication across
applications, but there is no enterprise solution.
organizations, where a 3rd
party application relies on
Client credentials.
 Auditfinding: current user administration processes
Web Access Provide Simplified Sign-On
are not consistent and lack effective controls. and policy-based access
 Lack control to Intranet or web
of automated role/group assignment for users resources.
Risk and results in excessive privileges (accumulated access).
Compliance  Access control mechanisms developed by individual
applications are inconsistent, difficult to manage and
report on (to demonstrate compliance).

13 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

Detailed review and analysis of needs enabled us to prioritize the IAM services
based on cost benefit analysis and available alternatives. The Provisioning and
User Management Services were identified as a high priority.
IAM Services: Key Findings and Priorities
Service Key Findings Priority
Provisioning Service • Large potential for cost savings High
Identity Management

• Significant contribution to risk management & compliance

• No existing solutions or viable alternatives.

User Management Service • Large potential for cost savings High

• Significant contribution to efficient application delivery (as a key
shared service in the SOA framework)
• No existing solutions or viable alternatives.

Federated Sign-On • Some potential for cost savings, mostly in application delivery Medium
Access Management

• Enterprise-wide adoption could be challenging due to difficulties

with external application integration (multiple vendors).
• Point solutions are being considered to address immediate
Web Access Management • Low potential for cost savings. Low
• There are alternative (low cost) solutions to address SSO.
• The Intranet Strategy makes the need for this service less

14 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

The implementation of the Provisioning and User Management services will require $13.1M of investment over 5 years,

which includes $2M of one-time process/application integration costs and $0.9M of annual run costs.

Incremental Solution Costs over 5 years

Component Value ($M) Assumptions

24 Intel/Linux servers costing $20,000 will be used as a hardware/OS

Hardware 0.5

platform to run all core components of the solution

Provisioning software will be required for 50,000 users at $25 per user
Software 1.3 (based on industry average price)

Approximately 3 external consultants for 55 weeks will be required

External Consulting


Internal project team will include Project Manager, Architect and

Internal FTE Expenses 1.0 implementation/testing specialists at an average cost of $100/ hr

Integration Costs 2.0 Application integration and process integration will require involvement of
internal staff outside of the project team, estimated at 8 FTEs.
One-time Total 7.0

Hardware & Software Hardware maintenance cost is estimated at 10% of Hardware Cost and

Maintenance Software maintenance cost is estimated at 20% of Software Cost

Operational Run Costs 0.9 Annual hardware capitalization and overhead are estimated at 55% of total
hardware costs. Plus 4 FTE’s at $150K/year for ongoing support.
Annual Total 1.2

One-time Total (year 0) 7.0

Annual Costs (over 5 years) 6.2

Total Notional Costs (over 5 years) 13.1

15 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

Cost benefits, which are estimated at 4.3M/year, are resulted from productivity cost savings and reduction of Vendor

costs, due to the automation in access provisioning, password management and access administration.
Annual Incremental Benefits
Cost Component Value ($M) Benefits Calculations / Assumptions
At a minimum, 1 day of delay can be eliminated by implementing an automated provisioning
system resulting in an on-going productivity savings of $1.5M/year.
User Productivity Cost Approximately 13,475 non-retail employees are transferred or hired every year and on-
Savings (faster on- 1.5 – 4.5 boarding takes approximately 5-21 days.

While 50% of the time spent by new employees and transferees is on reviewing
boarding) manuals, training, orientation, etc., the remaining 50% are assumed to be unproductive.
Average employee salary is assumed to be $30 per hour.

Reduction of Vendor With the implementation of the provisioning solution, services provided by 4 FTEs (access
services at Vendor, including login ID creation) would not be required.
FTEs (Access 0.6 Currently, access provisioning team at Vendor includes 18-20 FTE’s.
Provisioning) Average fully loaded salary of Vendor staff (if billed to Client directly) is $150,000 p.a.

Using self-service password reset functionality, the request volume for help desk password
resets would reduce by 90%. This will yield approximately $2M/year in cash flow savings.
User Management

Reduction of Vendor Approximately 168,000 password reset requests per year are processed by Vendor for
Workload (Password 2.0 – 2.2 Active Directory, Email, Host, Novell, RLAN and Web Based Applications.
Average cost of processing one password request is $15.
Management) It is assumed that the benefit realization will be 50% for the first year and 75% for the
second year. From year 3 the benefit realization is assumed to be 100%.

Reduction of Vendor With the implementation of the Delegated Administration, services provided by 1 FTEs
FTEs (Access 0.2 (access administration at Vendor) would not be required.
Administration) Average fully loaded salary of Vendor (if billed to Client directly) is $150,000 per annum.

Total Annual Benefits 4.3 – 7.6 Notes:

1. For most benefits, the benefit realization for first year is assumed to be less than 100%.
Total Benefits (over 5 years) 19.1 – 33.9 2. Ranges are based on low and high estimate projections. The lower end represents a
conservative approach and the higher end represents a more optimistic calculation.

16 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

The implementation of the Provisioning and User Management services form a compelling business case: 3.5 years pay back

and Net Present Value of cash flow is estimated at $3.4M, as the most conservative estimate.

Incremental Costs and Benefits over 5 years

Component Value ($000) Cumulative
Cumulative Costs and Benefits
Costs and Benefits

Total Notional Costs $13,137 20,000,000

Total Discounted Costs1 $12,026 10,000,000
Total Benefits2 $19,139 – $33,854 -
Total Discounted Benefits1, 2 $15,466 - $27,341 (10,000,000)
Net Present Value of Cash Flow1, 2 $3,439 - $15,315 2007 2008 2009 2010 2011 2012
Cumulative Discounted Investment Cumulative Discounted Benefits
Cumulative Net Value

Discounted Cash Flow

3.5 yrs - 1.75 yrs
Payback1, 2

Return on Investment 22% - 62%

1. The Weighted Cost of Capital is assumed to be 7%
2. Ranges are based on low and high estimate projections. The lower end represents a conservative approach and the higher end represents a
more optimistic calculation.

17 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

In addition to significant financial returns, the implementation of the Provisioning and User
Management services will contribute to better business facilitation, enhance application
delivery capabilities and improve compliance and risk management posture of Client.

Qualitative Benefits
Faster on-boarding process leading to improved user experience and productivity.

User Increased end-user productivity and better user experience (due to delegation and self-service)

Reduced cost of tactical solutions development and avoiding unnecessary support costs.

Application Flexible SOA infrastructure for rapid deployment of applications.


Improved compliance and risk management posture due to automated and effective controls for
identity life cycle administration (timely de-provisioning).

Streamlined security administration and audit/compliance reporting.

Risk and
Compliance Improved data quality and integrity for identity information.

Improved application access controls due to more accurate and timely role/group assignment in

18 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

In order to maximize business benefits and achieve quick wins, our recommendation is to start with the Provisioning Service,

then proceed with the Password Self-service and continue with the Role-based Access Provisioning and Delegated


Implementation Roadmap

Provisioning: User Management: Provisioning: User Management:

Core User Provisioning Password & Identity Self-Service Role-based Access Provisioning Delegated Administration

Reduced FTE (Vendor costs) for

Access Administration - $0.2M/yr
Reduced cost of application
development (SOA services).
Reduced FTE (Vendor costs) for Reduced FTE (Vendor costs) for
Access Provisioning - $0.5M/yr Access Provisioning - $0.5M
Automated controls for Identity Automated controls for Identity

Lifecycle administration. Lifecycle administration.

Streamlined reporting; improved Streamlined reporting; improved
regulatory compliance posture. regulatory compliance posture.
Reduced FTE (Vendor costs) for Reduced FTE (Vendor costs) for Reduced FTE (Vendor costs) for
Password Management - $0.5M/yr Password Management - $0.5M Password Management - $0.5M
Improved User Experience. Improved User Experience. Improved User Experience.
Faster on-boarding process – Faster on-boarding process – Faster on-boarding process –
Faster on-boarding process –
Productivity Gain $1.5M Productivity Gain $1.5M Productivity Gain $1.5M
Productivity Gain $1.5M/yr
Increased productivity and Increased productivity and Increased productivity and
Increased productivity and
employee satisfaction. employee satisfaction. employee satisfaction.
employee satisfaction.

Integration with (connectors to): Password synchronization for all Job codes from PeopleSoft are Administrative roles are defined
ACF2 connected platforms, initiated mapped to enterprise roles. to allow for multiple tiers of
AD from the provisioning engine. Multiple BU-specific roles are administration.

ED Password change Self-service. defined and mapped to specific Delegated Administration UI.
Novell Password re-set Self-service access entitlements (e.g. AD Access controls are defined to all
Feed from PeopleSoft (events) (forgotten password function). groups, ED groups, etc.). delegated administrators to
Basic workflows, basic roles Identity Self-service to update Complex workflows for approval, manage only users (and
UI only for Administrators basic attributes (contact info). RFI and notification attributes) in their scope.

19 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

It was identified that many projects and initiatives across Client are asking for Identity Management and
Access Management capabilities.

IAM Business Needs

Service Specific Business Needs
Provisioning Service Current provisioning & de-provisioning processes are not consistent, not timely and lack
Identity Management

Core User Auditing &

automation as reported in audit findings.
Provisioning Reporting Access provisioning processes require automation to eliminate manual steps and
Role-based access resulting high set-up costs.
provisioning Workflow
Business units are asking for faster on-boarding process for their employees.

User Management Service Multiple applications require User Profile & Group Management capabilities. Role-based Access
Delegated Identity Control is strategic vision at Client.
Administration Self-service Business units want to control assignment of roles/groups to their users, hence require
Password delegated administration.

Federated Sign-On Over 150 external applications deliver some sensitive data that can be accessed from home
Access Management

without involving Client authentication. Robust authentication controls are required.

Authentication Secure
Token Svc Risk and audit concerns related to gaps in de-provisioning processes for externally hosted
applications (e.g. Iron Mountain).
Users are frustrated with numerous credentials required for externally-hosted applications.

Web Access Management Seamless authentication and access control mechanisms are required to provide granular and
selective access to Intranet and web resources.
Authentication Authorization Intranet Portal roadmap requires SSO and Access Management

Monitoring & Secure Simplified Sign-On from desktop is a business requirement for many application projects.
Reporting Token Svc

20 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

The Identity and Access Management services have various sets of associated benefits, however some services have less

compelling costs benefits and already have alternative strategies in place to address the priority needs.

IAM Services: Analysis of Benefit Drivers and Alternatives

Service Drivers / Benefit Categories Alternatives Solution Costs
Cost Savings – One Time - $3.4M
Provisioning Service
Identity Management

Annual Run - $0.8M

Core User Auditing & User Productivity –
Provisioning Reporting Process Integration -
Risk / Compliance – $1.1M
Role-based access
provisioning Workflow • No viable alternatives to perform
automated identity lifecycle.

Cost Savings – • Some tactical solutions in Retail, One Time =

User Management Service
Wealth and Intranet Portal to manage Provisioning + $1.6M
Delegated Identity User Productivity – user profiles and group information. Annual Run =
Administration Self-service Provisioning + $0.4M
Risk / Compliance –
Password Application Integration
• No alternatives at the Enterprise level.
Self-Service - $0.9

Cost Savings – • Some proprietary mechanisms are One Time - $2.5M

Federated Sign-On
Access Management

currently in use to achieve SSO across Annual Run - $0.7M

Secure User Productivity – external domains.
Authentication • Point solutions are being considered to
Application Integration
Token Svc
Risk / Compliance – ` address immediate needs.
- $0.7M

Web Access Management Cost Savings – • The current strategy is to use One Time - $2.7M
Kerberos/SPNEGO. Annual Run - $0.6M
Authentication Authorization User Productivity – • The Intranet Portal strategy will be able
Application Integration
to provide access control to Web
Risk / Compliance – - $1.1M
applications and resources at the
Monitoring & Secure
portal level.
Reporting Token Svc

Low Degree of Medium Degree of High Degree of

21 "The Time Has Come" compelling benefits ©benefits
compelling 2008 Deloitte Touche Tohmatsu
compelling benefits
Access Control –
Today’s Business
Today’s Business Challenges

Operational Compliance IT & Business

Inefficiencies Management Alignment

• Delay in getting • Challenges in • Multiple reporting

“required and establishing the systems
correct”access – right access to the
leading to loss of right people • Inconsistency in
productivity application of
• Resource intensive Enterprise Security
• Complex approval attestation process policies, processes
processes requiring across disparate
multiple personnel • Challenges in systems
and manual identifying job
workarounds – functions and • Effective Change
increased cost of enforcement of SoD Management

23 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

What are RM
and RBAC?
How do we define “role”?

A role defines functions performed by and access privileges

granted to a group of users, sharing the same job, position or
performing the same tasks.
Access Privileges


Employees Role Functions

• Approve
Supervisor Invoices
• Monitor Staff Database
• Base Access



25 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

Types of Roles: Job vs. Function

Job Roles Function Roles

– Roles based on Job Title – eg. - Roles based on Job Function eg.
– Supervisor Role – Approve Invoices Role
– Service Associate Role – Monitor Staff Role
– Analyst Role – Report Status Role
– Example: Many Users to One Job Role – Example: Many Users to Many Function

User 1 User A

User 2 Supervisor User B Monitor Staff

User 3 User C

26 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

Role-Based Access Control (1)

A method of defining, managing and enforcing access control privileges

through the use of roles between end user and permission assignments.

Process 1 Permissions
Process 2
Access Control:
by process Process 3

User(s) Direct

Access Control: Role(s)

27 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

Role-Based Access Control (2)

RBAC is a mechanism which limits resource access (system, application

etc) based on a user’s job functions.
– Users do not “own” objects for which they are allowed access.
– Access rights are granted via roles, which serves as layer of
abstraction between users and IT objects.
– Protection policies are unavoidably imposed on all users – there is
no concept of a “superuser”.


Users Roles Operations Resource

n:n n:n n:n

28 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

Who are the
Stakeholder Groups
End Users
Risk Assessors

Application IT Audit


Help Desk
Support User

30 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu
What are the
In the Board Room…

Allows the enterprise to address “Pain Points”and business initiatives –

from the IT Manager to the CxO

ü  $ 
Regulatory Governance Increased Increased Business
Compliance & Security Productivity Service Level Facilitation
• SOD • Consistent & Cost • User self
• Reach global
requirements security policy Reduction service
• Immediate customers
• Role-based • Focused,
system-wide • Eliminate
access personalized • Tighter
access redundant
• Least privilege content supplier
updates administration
access tasks • Delegated relationships
• Real-time • Consistent Administration
identity data • Reduce • More
visibility and helpdesk • Comprehensive productive
disclosure • Automated risk profile view
burden partnerships
• Basic mitigation • Password
• Fast employee
compliance • Enterprise SoD management

32 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

At the coal face…

Before After

Request for one user, one Reduced set of access –

application at a time but approved

Role pre-approved – easier to use,

Model role after access provided
streamlined process for access

SOD between application Easier reporting

Multiple options to select from

Access defined in business terms
to provide user access

33 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

Do’s & Don’ts
Do’s & Don’ts

The effectiveness of an RM / RBAC implementation is dependent upon your

ability to get the project moving, successfully completing development, and
institutionalising RBAC in your culture.
– Accept the fact that all the information may not be there to start
– Plan up front – with as much detail as you can
– Implementing RBAC requires the convergence of business and
technology – with the emphasis on business
– Take advantage of communication opportunities with various groups in
the organisation
– Implementing RBAC is a culture-changing event
– Maintain management support throughout the project

and finally…
It’s a Journey – you’ll learn along the way!

35 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

Deloitte Methodologies
– a snapshot
IAMethodsTM – overview

IAMethodsTM is an iterative, architecture-centric and use case-driven set of processes,

procedures, and accelerators for transforming business requirements into delivered
solutions. The methodology defines a project lifecycle with phases, threads, work packages
and milestones with decision points for aligning the delivered solution with business needs.
Emphasis is placed on collaborative definition and validation of stakeholder requirements via
early delivery of working prototypes which are developed through iterative steps into the
deployed IAM solution.

37 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

The IAMethodsTM Framework

38 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

Role Management for Enterprise (RM4E) Methodology
Inception Elaboration Construction Transition
Solution Design

Define RM4E Vision Establish RM4E

Governance Model Develop enterprise
RM4E Pilot Results
roles for the
business units
Design RM4E
Conceptual Pilot Group
selection Deploy roles, RM4E Organization
Architecture processes and Deployment
technology roadmap
RM4E Process and
Evaluate/Select Role Design

• Deploy roles, processes

Solution Delivery

• Build Development • Test Processes and

environment technology and technology in
production environment
• Develop RM4E Deployment • Prepare Test Report
• Prepare deployment design
• Develop Knowledge transfer
plan • Conduct Knowledge transfer
Project & Change Management

Project/Change Management Framework

• Project Management • Detailed Schedule • Project closure

• Change Management

39 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

RM4E Implementation
Key activities: Build roles for organizational groups (standard, repeatable process)

3 Development

 Conduct detailed role


Role Validation
Jumpstart  Design RM4E processes & Approval
 Design technology solution
 Begin RM4E  Test roles, processes and
implementation  Provide training technology
 Understand LOB functions  Identify exception
and system access  Finalize roles with all
 Initiate role design appropriate individuals and
 Select technology (Role
Engineering, Role Lifecycle  Obtain approval on roles

1 5
 Set stage for RBAC  Deploy enterprise roles
 Deploy RBAC processes,
 Gather and review LOB Methodology procedures, and guidelines
 Deploy technology
 Gather, review & assess
 Finalize LOB RBAC
LOB system access

40 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

© Deloitte Touche Tohmatsu, 2008. All rights reserved.
Liability limited by a scheme approved under Professional Standards Legislation.
Confidential This document and the information contained in it are confidential and should not be used
or disclosed in any way without our prior consent.