Creating a Secure, Worry-Free User Experience for Employees

The Van Gogh Museum in Amsterdam, Netherlands houses the world’s largest collection of artworks by Vincent van Gogh (1853–1890). It owns more than 200 paintings, 500 drawings and a big part of the artist’s letters. The collection includes the world-famous originals Sunflowers, Almond Blossom and The Potato Eaters. A team of around 325 dedicated staff work to preserve the unique legacy of Vincent van Gogh for generations to come.

Rob de Zwaan, Senior Systems Administrator, considers that the primary responsibility of the museum’s IT department is to make processes as easy as possible – “carefree” – for employees to do their jobs the best they can with the equipment provided. “Making their work carefree is one of the major things we strive for,” Rob said. “And as a business, we want our information to be as secure as possible.”

A customer of Ivanti solutions since 2016, the Van Gogh Museum has been employing Ivanti Automation Manager for installing laptops and the virtual desktop infrastructure (VDI) environment and Ivanti Workspace Control for desktop management. Employees benefit from the same look and feel in both VDI and laptop environments.

“Employees don’t need to look for a different icon or a different place. It all looks the same and works the same,” Rob said. “And when they receive a new application in VDI, they also receive the same application on their laptop. It’s all about a seamless experience – again, making it as easy as possible for our end-users.”

COVID19 cuts patron visits; staff members shift to remote work

The Van Gogh Museum generates 89% of its own income and relies heavily on proceeds from ticket sales. Then came the COVID-19 pandemic. Not only did it dramatically impact the museum’s visitor count, but it also drove the necessity for more staff members to work from home or other locations using laptops. This created a three-fold challenge:

1. Users weren’t accustomed to working from home for long periods.
2. The IT environment was designed with the expectation that laptops would be in the office at least once a month for patch updates; they weren’t set up to be out-of-office for extended periods.
3. Suddenly, insight into applications and Windows updates was unavailable because laptops were no longer brought into the office.

Rob explained that before the pandemic, patch updates were performed manually – by “sneaker net.” Employees either took their laptops to the service desk for the updates or a job was scheduled at employees’ desks.

“When an outdated browser is used and there’s a vulnerability in that browser, it could mean our information is no longer as secure as we would like it,” Rob said. “We started looking for a patch management solution that could perform patch updates remotely.”

Enter Ivanti Security Controls for remote patching

The museum purchased the Ivanti Security Controls (ISEC) solution and started using it within a week for patching browsers, applications and the Windows laptop operating systems remotely.

According to Rob, one of the major benefits of adding Security Controls is the ability to add newer browsers without users noticing. If there’s a critical vulnerability in one of the browsers, Rob’s team tells Workspace Control that if the browser is older than version “XYZ”, then disable it so it’s out of the start menu and unavailable to users.

ISEC patch management, having detected the older “XYZ” browser version (Chrome, for example) that’s no longer safe, installs the newer version in the background without users noticing. And Workspace Control recognizes there's an updated version and can re-enable the browser icon. In the morning, when users log on, Workspace Control notifies them that Chrome has been disabled. Users can opt to use Firefox, Microsoft Edge, etc., so they can still do their work. ISEC updates Chrome at the back-end during lunch when users step away from their laptops. When they return, Chrome has been updated and a refresh is being triggered the moment users unlock their screens.

Today, patches for all the browsers, operating systems and applications on the museum’s Windows machines are performed successfully, as well as for a large portion of its RHEL machines. Rob noted that the flexibility in patching the different OS machine types – and when to do so – is ideal.

Attention turns to desktops and servers

Once the patching of remote laptops was under control, it was time to focus on desktops and servers. This is where Ivanti Workspace Control and the Ivanti Cloud Relay came into play.

The Ivanti Cloud Relay, using an Ivanti Cloud back-end, made it easier for administrators to enable remote work environments for employees – helping them connect their devices to corporate, on premises relay services to access basic applications such as Microsoft Office, Visio and more. When new applications are installed (like Microsoft Intune), the start menu is also updated quickly, giving users access to the new application.

“It’s a big advantage for our employees that the updates in the start menu and new or adjusted settings come through immediately now. In addition, those updates are now many times faster than before,” Rob said.

Time to patch servers decreases by nearly 72%; laptops by 97.5%

In the past, updates to the server farm encompassed only Windows OS patches, not Microsoft Office applications or browsers. Rob said it'd take a four-person team working eight hours from 5:00 pm till 2:00 am once a month to patch more than 100 servers. That’s 36 person-hours each month.

“We were lucky if we finished by 2:00 AM,” Rob said. But now with Ivanti, the same job is done with two persons who start at 6:00 pm and finish by 11:00 pm. That’s 10 person-hours each month, vs 36 – a time savings of nearly 72%. Now, because the browsers are updated on the servers, they can update more.

Rob said that the Office versions needed on some servers are now also updated, which was never done before. “We’re also updating tools, some of which we didn’t even know were installed on servers,” he added. “Vendors would log onto a server and install a tool for a one-time use. We would end up with a tool that never got updated. We had a possible compromise on that server, but now that is all fixed.”

Rob estimated that over the past two years, updating just the browsers has mitigated at least 50 vulnerabilities.

“It previously took one person 10 hours each week to update the machines” said Rob about patching employee laptops. Now it takes one person just one hour each month to do this, saving 97.5% time.

Laptop security helps safeguard millions of euros in art inventory

As one of the world’s leading museums, the Van Gogh Museum works closely with other entities around the globe to share or loan art pieces valued from tens of thousands to millions of Euros. In these collaborations, information about flight transport, departure and arrival schedules, delivery times and locations must be shared.

Employees of the Van Gogh Museum are now securely working from home, making shipping arrangements and delivery appointments. “Now, they don't have to worry if their laptop is still secure or running some older software version that could be compromised,” Rob said.

He concluded, “We now know that our employees can do their jobs from anywhere on a secure machine. Even if they are in China, Australia or New York, as long as they have an internet connection, we can help them and update their systems.”

_{Note: A customer’s results are specific to its total environment/experience, of which Ivanti is a part. Individual results may vary based on each customer’s unique environment.}