Certification, Regulations, and War: Compromise Without Compromises

In times of stability, regulations are the foundation of security. In times of war, they often begin to work against the very systems they are meant to protect. The Ukrainian public sector and businesses have faced a paradox: adherence to outdated certification procedures can lead to the loss of critical time, while complete disregard for rules can lead to chaos and uncontrolled vulnerabilities.

The key problem lies in the incompatibility between the pace of war and the pace of classical certification. When changes in an information system are needed «yesterday,» a typical several-month cycle for obtaining КСЗІ becomes operationally unacceptable.

Regulatory Trap: Peacetime Rules in a Wartime Environment

Most current information security requirements were formed in a predictable environment, where the main threat was considered to be a regulated error or an internal human factor. These requirements logically lean towards a Waterfall model: lengthy design, lengthy development, a separate certification cycle.

In wartime conditions, this creates two equally dangerous extremes:

1. Complete abandonment of regulations — rapid «field» solutions without proper protection, accumulating technical debt and systemic vulnerabilities.
2. Literal adherence to all procedures — paralysis of processes due to waiting for every approval, which in wartime conditions effectively means a loss of control.

Obviously, neither of these extremes is viable.

Engineering Compromise: Changing the Architectural Paradigm

The real way out of this trap lies not in legal workarounds, but in an architectural solution. The IQusion team has applied an approach that changes the very logic of certification: instead of re-certifying each individual application solution, the focus shifts to using a base platform with confirmed compliance with security requirements.

In other words, it’s not every «wheel» that gets certified, but the «engine» on which these wheels are assembled.

UnityBase: The Platform as a Baseline Security Level

UnityBase is a high-performance, web-oriented, open-source Enterprise-level platform designed for creating complex information systems.

The platform has been used as part of solutions that have undergone certification and are operated in the public sector and at facilities with increased information protection requirements. In typical configurations, its architecture meets the requirements of protection level G3, which allows a significant part of technical security requirements to be moved to the system’s core level.

This means that critical elements such as authentication and access control, event logging, integrity control, and cryptographic protection are implemented centrally, rather than being recreated anew in each project.

In terms of performance, the platform demonstrates metrics sufficient for high-load enterprise systems: tens of thousands of transactions per minute, tens of thousands of responses to requests per second, and support for tens of thousands of concurrent users in industrial configurations.

Importantly, the low-code approach and automatic generation of a significant part of the application logic allow for accelerated development without compromising the basic security architecture.

Division of Responsibility: Platform and Integrator

This approach changes the implementation process itself and allows it to be divided into two parallel levels:

1. Technical level (platform). Basic protection mechanisms and architectural constraints are already embedded in the platform and do not require re-implementation when creating new functionality within a typical configuration.
2. Organizational level (integrator). During implementation, IQusion specialists focus on configuring business processes, roles, access regulations, and operational procedures specific to the particular customer.

It is at this level that compliance with organizational requirements, threat models, and actual operating conditions is formed.

This is the practical compromise: instead of repeatedly proving the basic security of the tool, resources are directed towards adapting the system to a specific environment and tasks.

Why This Approach Works for Enterprise

Using UnityBase allows changing not only the code but also the logic of processes without compromising system integrity. Open source ensures architectural transparency, while modularity and scalability provide the ability to develop without complete re-engineering. The platform supports working with common DBMS (PostgreSQL, MS SQL, Oracle) and allows for efficient use of available server resources, which is a critical factor in conditions of limited infrastructure and an unstable environment.

The compromise between regulation and speed lies in modularity and architectural responsibility. When a base platform takes on a significant portion of technical security requirements (Compliance by Design), the state and businesses gain the ability to quickly create manageable, legitimate, and resilient information systems.

The practice of IQusion’s implemented projects — from individual solutions to large-scale information systems — shows that in wartime conditions, victory goes not to those who endlessly rewrite regulations, but to those who certify the tools and skillfully manage their application.