Case Study

Van Gogh Museum, Amsterdam

Creating a Secure, Worry-Free User Experience for Employees

Industry: Non-profit


The Van Gogh Museum in Amsterdam, Netherlands houses the world’s largest collection of artworks by Vincent van Gogh (1853 – 1890). It owns more than 200 paintings, 500 drawings and a big part of the artist’s letters. The collection includes the world-famous originals Sunflowers, Almond Blossom and The Potato Eaters. A team of around 325 dedicated staff work to preserve the unique legacy of Vincent van Gogh for generations to come.

Rob de Zwaan, Senior Systems Administrator, considers that the primary responsibility of the museum’s IT department is to make processes as easy as possible — “carefree” — for employees to do their jobs the best they can with the equipment provided. “Making their work carefree is one of the major things we strive for,” Rob said. “And as a business, we want our information to be as secure as possible.”

A customer of Ivanti® solutions since 2016, the Van Gogh Museum has been employing Ivanti Automation Manager for installing laptops and the virtual desktop infrastructure (VDI) environment, and Ivanti Workspace Control for desktop management. Employees benefit from the same look and feel on both VDI and laptop environments.

“Employees don’t need to look for a different icon or a different place. It all looks the same and works the same,” Rob said. “And when they receive a new application in VDI, they also receive the same application on their laptop. It’s all about a seamless experience — again, making it as easy as possible for our end-users.”

COVID-19 Cuts Patron Visits; Staff Members Shift to Working Remotely

The Van Gogh Museum generates 89% of its own income and relies heavily on proceeds from ticket sales. Then came the COVID-19 pandemic. Not only did it impact the museum’s visitor count dramatically, but it also drove the necessity for more and more staff members to work from home or other locations using laptops. This in turn created a three-fold challenge:

  1. Users weren’t accustomed to working from home for long periods of time
  2. The IT environment was designed with the expectation that laptops would be in the office at least once a month for patch updates; they weren’t set up to be out-of-office for extended periods
  3. Suddenly, insight into applications and Windows updates was unavailable because laptops were no longer brought into the office

Rob explained that prior to the COVID-19 pandemic, patch updates were performed manually — by “sneaker net.” Employees either took their laptops to the service desk for the updates or a job was scheduled at employees’ desks.

“When an outdated browser is used and there’s a vulnerability in that browser, it could mean our information is no longer as secure as we would like it,” Rob said. “We started looking for a patch management solution that could perform patch updates remotely.”

Remote Patching — Enter Ivanti Security Controls

The museum purchased the Ivanti Security Controls (ISEC) solution and started using it within a week for the purpose of patching browsers, applications and the Windows laptop operating systems remotely.

According to Rob, one of the major benefits of adding Security Controls is the ability to add newer browsers without users noticing. If there’s a critical vulnerability in one of the browsers, Rob’s team tells Workspace Control that if the browser is older than version “XYZ”, then disable it so it’s out of the Start menu and unavailable to users.

ISEC patch management — having detected the older “XYZ” browser version (Chrome for example) that’s no longer safe — installs the newer version in the background without users noticing. And Workspace Control recognizes there is an updated version and can re-enable the browser icon. In the morning, when users log on, Workspace Control notifies them that Chrome has been disabled. Users can opt to use Firefox, Microsoft Edge, etc., so they can still do their work. ISEC updates Chrome at the back end during lunch when users step away from their laptops. When they return, Chrome has been updated and a refresh is being triggered the moment users unlock their screens.

Today, patches of all the browsers, operating systems and applications on the museum’s Windows machines are performed successfully, as well as for a large portion of its RHEL machines. Rob noted that the flexibility in patching the different OS machine types — and when to do so — is ideal.

Attention Turns to Desktops and Servers

Once the patching of remote laptops was under control it was time to focus on desktops and servers. This is where Ivanti Workspace Control and the Ivanti Cloud Relay came into play.

The Ivanti Cloud Relay uses an Ivanti Cloud back end to make it easier for administrators to enable employees working from home or anywhere else to connect their devices to corporate, on-premises Relay Servers in order to access basic applications such as Microsoft Office Suite, Visio and so on. When new applications are installed (for example via Microsoft Intune), the start menu is also updated quickly, and users have access to the new application.

“It’s a big advantage for our employees that the updates in the start menu and new or adjusted settings come through immediately now. In addition, those updates are now many times faster than before,” Rob said.

Time to Patch Servers Decreases by Nearly 72%; Laptops by 97.5%

In the past, updates to the server farm encompassed only Windows OS patches, not Microsoft Office applications or browsers. Rob said it would take a four-person team working eight hours from 5:00 pm till 2:00 am once a month to patch more than 100 servers. That’s 36 person-hours each month.

“We were lucky if we finished by 2:00 am,” Rob said. But now with Ivanti, the same job is done with two persons who start at 6:00 pm and finish by 11:00 pm. That’s 10 person-hours each month, vs 36 — a time savings of nearly 72%. And they can update more because the browsers are now updated on the servers.

Rob said that the Office versions needed on some servers are now also updated, which was never done before. “We’re also updating tools, some of which we didn’t even know were installed on servers,” he added. “Vendors would log onto a server and install a tool for a one-time use. We would end up with a tool that never got updated. We had a possible compromise on that server, but now that is all fixed.”

Rob estimated that over the past two years, updating just the browsers has mitigated at least 50 vulnerabilities.

“It previously took one person 10 hours each week to update the machines” said Rob about patching employee laptops. Now it takes one person just one hour each month to do this, saving 97.5% time.

Laptop Security Helps Safeguard Millions of Euros in Art Inventory

As one of the world’s leading museums, the Van Gogh Museum works closely with other entities around the globe to share or loan art pieces valued from tens of thousands of Euros to millions. In these collaborations, information about flight transport, departure and arrival schedules, delivery times and locations, etc. must be shared.

Employees of the Van Gogh Museum are now securely working from home, making shipping arrangements and delivery appointments. “Now they don't have to worry if their laptop is still secure or running some older software version that could be compromised,” Rob said.

He concluded, “We now know that our employees can do their jobs from anywhere on a secure machine. Even if they are in China, Australia, or New York, as long as they have an internet connection, we can help them and update their systems.”

Note: A customer’s results are specific to its total environment/experience, of which Ivanti is a part. Individual results may vary based on each customer’s unique environment.