Securing Digital Trust in a Quantum-Ready World

As Indian enterprises navigate increasingly complex multi-cloud environments and regulatory demands, digital trust has become mission-critical infrastructure. With machine identities exploding and quantum computing threats looming within the decade, organizations face unprecedented challenges in managing cryptographic assets. DigiCert’s local deployment of its ONE platform in India addresses these pressures head-on, offering data residency, automated certificate lifecycle management, and post-quantum readiness. In this exclusive conversation with CISO Forum, Anant Deshpande, Regional Vice President at DigiCert India, explains how the company is helping BFSI, telecom, and other regulated sectors achieve “digital trust maturity” while preparing for a future where today’s encryption could be broken in minutes.

Anant Deshpande, Regional Vice President, DigiCert India

CISO Forum: How does local delivery of DigiCert ONE from an Indian data center change the trust architecture for Indian enterprises?

Anant Deshpande: Let’s start by defining what DigiCert ONE is. It is a platform designed to deliver digital trust, with multiple components. Today, digital trust applies to machines, devices, software, content, documents, and emails. DigiCert ONE provides a consistent platform for managing identities across all these components.

This platform has been available in India for some time. What we are doing now is hosting the DigiCert ONE platform locally in India so customers can benefit from local data residency, data privacy, and related requirements, all within Indian borders.

From an architectural perspective, customers can leverage the full scope and capabilities of the platform, with the added advantage that cryptographic keys remain resident on Indian shores and do not leave the country. This becomes an additional and significant benefit for customers in India.

As a result, organizations can innovate, compete, and lead at scale without worrying about whether their data is leaving the country or creating compliance concerns. That, fundamentally, is what we are trying to achieve.

CISO Forum: What specific data-localization and regulatory challenges does this address for BFSI and telecom organizations?

Anant Deshpande: Okay, I can extend this to any regulated industry, but specifically for BFSI, where there are specific mandates—especially from a payments systems perspective. All payments and payment-related data must reside within India. Likewise, there are similar regulations across multiple industries, including the telecom industry.

With this platform, we are fully compliant. This ensures that customers can leverage the full capabilities of the product without worrying whether their data is leaving Indian shores.

In essence, we are taking compliance overhead off customers.

CISO Forum: How does DigiCert ONE simplify certificate lifecycle management in complex, multi-cloud environments?

Anant Deshpande: It is, in fact, one of the key capabilities of DigiCert ONE. Most customers today have a multi-cloud strategy. This could be public, private, or hybrid—specifically in the case of multi-cloud, where they work with multiple cloud providers such as Google, Azure, AWS, and others.

Across all these environments, identity and certificate management are required. However, each platform manages certificates differently. You cannot expect customers to learn multiple methods to manage various platforms.

What we are doing is providing two things. First, a consistent view across cloud platforms so customers do not need to manage certificates differently across environments. Second, this is supported by a rich set of native integrations with these platforms, ensuring that for the end user—the customer—the management plane is entirely transparent.

Irrespective of what they are managing on the front end, the back end remains fully transparent. This results in a significant simplification of the overall operating model.

CISO Forum: With machine identities growing rapidly, how should enterprises rethink identity and access governance?

Anant Deshpande: Identity will be critical going forward. When I say identity, it can mean different things or different form factors, depending on what you are assigning an identity to. An identity can also have different lifespans.

For example, if I am giving an identity to a mobile phone, it will have a certain lifespan. If I provide an identity for a satellite sent into space, that identity could last for 20 years until it returns. If we are talking about short-lived identities, such as a container, which is very ephemeral—here today, gone tomorrow—that means something entirely different.

The future is really about having a set of dynamic identities delivered from a digital trust fabric, depending on the use case the customer is trying to solve. On the fly, customers should—and will be able to, using the DigiCert ONE platform—ascribe different identities, or different strokes for different blokes, essentially.

At the same time, they will have complete visibility and governance over the entire operating model—knowing who has been identified, when those identities are going to expire, and when they should be renewed. This also includes building in capabilities such as automation and post-quantum readiness across the entire platform.

CISO Forum: What role does automation play in reducing certificate-related outages and security risk?

Anant Deshpande: Yeah, to take a step back, certificates are generally invisible. But when a certificate expires, it can go down or go rogue, bringing down security across entire applications. If that application is mission-critical, it can obviously have a significant business impact.

With the explosion of machine identities, many studies and data points indicate that the number of machines is set to grow 10x, 20x, 30x, or even 100x. Regardless of the exact number, it will be a massive increase in identities and, therefore, in the certificates that organizations need to manage.

These certificates can exist in different places. They could be within your environment, in the cloud, in applications, or on platforms such as GitHub and Kubernetes. Automation, frankly speaking, is not optional. If you want to manage this level of complexity, automation is absolutely key.

Another essential point, which you may or may not be aware of, is that the CA/Browser Forum has mandated that certificate lifecycles will be reduced over the next few years. Currently, certificate validity is approximately 398 days. Effective March this year, this will reduce to 200 days, then to 100 days, and eventually to 47 days.

So imagine something you do once a year now having to be done eight times a year. A closely related process, by the way, is domain validation, which is typically done once a year today. In the future, that will need to be done roughly every 10 days—about 36 times a year. So the operational tasks you perform today will need to be multiplied by 8x or 36x, depending on the number of certificates and domains you manage.

You can see how this will place significant pressure on operations teams. That is precisely why automation is so critical. If this has to be done at scale, it must be automated—it cannot be managed manually.

CISO Forum: How does DigiCert ONE support post-quantum readiness and future cryptographic agility?

Anant Deshpande: Again, thank you for asking that question, because this plays into one of the key capabilities of our platform. Now, maybe a question back to you—how long do you think, based on current algorithms such as RSA 2048, it would take to break that encryption using today’s computing power? Take a guess. It’s much, much more than that. If you Google it, the answer is probably a few hundred million years, maybe even a billion years.

That’s why when you do something like a WhatsApp transaction or a UPI transaction, it is secured by today’s cryptographic standards, which are extremely difficult—almost impossible—to break. This is why there is an element of implicit digital trust when you do anything online.

When quantum comes in—and that’s not too far away, by the way, this is not a 2035 scenario—we’re talking about within the decade. When quantum computing arrives, a reasonably powerful quantum computer will be able to break current cryptographic algorithms, maybe within days, weeks, or even minutes. And you can see where this is going.

Everything you rely on from a digital trust perspective could suddenly, overnight, be potentially compromised. An email you sent a year ago could be rewritten, a document you signed could be altered, or software code you wrote could be changed at the source.

The good news is that quantum is also very powerful and solves real-world problems—drug discovery, cancer research, earthquake prediction, seismic modeling, logistics challenges, and classic problems like the traveling salesperson problem. The flip side, of course, is that once bad actors gain access to these technologies, things could play out in not-so-good ways.

But the good news is that there are now quantum-safe algorithms. You may have heard of names like SPHINCS, Falcon, and others. These have now been formalized into standards through FIPS standards released by NIST. DigiCert has been a pioneer in this space, and the products we are releasing are compliant with these quantum-safe standards.

So if you are on a quantum journey, you can partner with DigiCert to introduce quantum-safe cryptography into your business. Another way we help, primarily through the DigiCert ONE platform, is that it is built from the ground up to provide complete visibility and automation. Organizations can take a more nuanced approach by first gaining complete visibility into their cryptographic estate.

They can then determine what is business-critical, where they need to be quantum-safe, and where they need to prioritize action. This is not something where you flip a switch when quantum arrives—it requires planning and nuance. With visibility in place, organizations can make informed business decisions about what to act on now, what to prioritize, and what can come later, ultimately building a comprehensive quantum-safe roadmap alongside the DigiCert ONE platform.

In summary, we are ready for quantum with algorithms embedded in certificates, while also enabling management of the entire cryptographic estate through the DigiCert ONE platform.

CISO Forum: From your perspective, what defines “digital trust maturity” for Indian enterprises in 2025?

Anant Deshpande: There are a few things that are important from a readiness standpoint. The first is the ability to move from devices to identities, as we discussed earlier. In today’s world, managing at the device level is no longer sufficient—it has to be identity-driven. And that identity needs to be tailored to a specific form factor or use case. So moving from device-based to identity-based is, in my view, the first key step.

The second is the ability to identify blind spots within the organization. This is a visibility function because you cannot manage or protect what you cannot see. Having the ability to identify, scan, and inventory all cryptographic assets is highly critical. Visibility, coupled with automation, is the second primary requirement for Indian enterprises—not just in 2025, but beyond.

This is no longer a nice-to-have; it is table stakes. As we discussed earlier, enterprises need the ability to manage everything consistently, irrespective of whether a cryptographic asset resides on-premise, in the cloud, within a virtual machine, or in a container. Complete visibility, and therefore access and control, is foundational.

In the future, effective governance will also require a clear set of metrics that indicate where an organization stands on its cryptographic journey. For example, organizations already track metrics such as mean time to respond and mean time to repair. But how do you trend and govern these capabilities from a PKI and certificate lifecycle management perspective? That becomes extremely important.

Another aspect is aligning these metrics with business processes. Organizations run on applications, so what percentage of applications are compliant with hygiene and regulatory standards? That is a critical measure. Finally, again linked to visibility, enterprises need to understand how many open CVEs exist and how many remain unpatched.

Once organizations have a complete, dashboard-level view of all this, it becomes beneficial not only from a compliance standpoint but also from an innovation perspective. Compliance gets taken care of, allowing enterprises to focus on their core business—innovating and delivering value to customers.
