Microsoft's Azure Cloud HSM service will now run on Marvell’s LiquidSecurity hardware security modules (HSMs), a move that extends an existing Marvell–Azure relationship and brings PCIe‑based, FIPS 140‑3 Level 3‑certified, high‑density cryptographic hardware into Microsoft’s single‑tenant HSM clusters. (marvell.com)

Background

Azure Cloud HSM is Microsoft’s single‑tenant, highly available HSM offering that gives customers administrative control over cryptographic keys and operations while Microsoft manages cluster availability and lifecycle tasks. The service is positioned for regulated and high‑assurance workloads that require hardware tamper resistance and strong auditability. Microsoft has publicly moved Key Vault and Managed HSM firmware toward FIPS 140‑3 Level 3 validation across Azure regions, a prerequisite for many government and financial procurements. (techcommunity.microsoft.com, nasdaq.com)
Marvell’s LiquidSecurity family — including LiquidSecurity 1 (LS1) and LiquidSecurity 2 (LS2) — is a purpose‑built, PCIe form‑factor HSM designed for cloud providers and hyperscale deployments. Marvell says the cards are powered by optimized OCTEON DPUs and cryptographic accelerators to deliver high per‑card throughput and key density, enabling cloud operators to reduce rack footprint and power consumption compared with legacy 1U/2U HSM appliances. Those product specifications and Marvell’s certification milestones underpin Microsoft’s decision to adopt LiquidSecurity for Azure Cloud HSM. (marvell.com)

What Microsoft announced — the technical headline

  • Microsoft has selected Marvell LiquidSecurity HSMs as a supported hardware platform for Azure Cloud HSM, expanding an existing deployment footprint that already included Azure Key Vault and Azure Key Vault Managed HSM. (marvell.com)
  • Azure Cloud HSM instances using LiquidSecurity modules are offered as customer‑owned, single‑tenant HSM clusters with FIPS 140‑3 Level 3 validation, and customers access the clusters over private links from their virtual networks. (marvell.com, techcommunity.microsoft.com)
  • Marvell’s published engineering figures for the LiquidSecurity2 card include management of 100,000 pairs of encryption keys per card and the ability to process more than one million cryptographic operations per second (aggregate, algorithm‑dependent). These are vendor‑stated performance targets intended for hyperscale scenarios. (marvell.com, nasdaq.com)
These three points change how procurement and architecture teams evaluate cloud‑backed HSM options: certification parity with on‑prem appliances, host‑attached performance economics, and a cloud service model that preserves customer administrative control while shifting operational burden to Microsoft.

Why Marvell’s LiquidSecurity fits the hyperscale HSM story

Density, throughput, and power efficiency

Marvell designed LiquidSecurity as a dense, PCIe‑attached HSM to address hyperscaler economics: more keys and more operations per rack‑unit means fewer devices, lower power draw, and reduced OPEX for cloud operators running millions of cryptographic transactions. The LS2 architecture specifically emphasizes high AES‑GCM throughput, high ECC/RSA signature rates, and multi‑partition support for virtualized tenant isolation. These characteristics are central to the vendor’s claim that cloud providers can deliver HSM‑as‑a‑service more economically than with traditional appliance‑centric models. (marvell.com)

Certification: FIPS 140‑3 Level 3 and compliance reach

FIPS 140‑3 Level 3 includes tamper‑evident/tamper‑response protections and strong hardware assurances that many financial, government, and sovereign cloud customers require. Marvell announced that LiquidSecurity modules achieved FIPS 140‑3 Level 3 certification and Microsoft has aligned Azure Key Vault and Managed HSM firmware to FIPS 140‑3 — a combination that permits Azure to present a managed cloud path for workloads that historically required on‑prem HSM appliances. This expands the pool of cloud‑eligible regulated workloads. (marvell.com, techcommunity.microsoft.com)

Latency and architectural tradeoffs

Host‑attached PCIe HSMs reduce network round‑trips versus external, networked appliance HSMs and can therefore lower cryptographic operation latency — a meaningful benefit for TLS offload, certificate authorities, code signing, payment gateways, and real‑time signing pipelines. Azure’s cluster design couples that host‑local performance with synchronization and automatic migration mechanics to maintain high availability at the cluster level. The result is a hybrid advantage: appliance‑class certification and compliance, with a latency profile closer to that of integrated HSM usage patterns.

Cross‑checking the claims: what independent sources confirm (and where to be cautious)

  • Marvell’s official newsroom and product blogs confirm the Azure selection and the LS2 engineering claims: 100k key‑pairs per card and >1M ops/sec figures appear in Marvell’s Aug 18, 2025 announcement and related materials. Those numbers are engineering specifications provided by the vendor. (marvell.com)
  • Microsoft’s documentation and community posts independently confirm the service model and FIPS 140‑3 Level 3 posture for Azure’s HSM portfolio — a necessary compliance anchor for the announcement to carry practical procurement weight. (techcommunity.microsoft.com)
  • Market research and analyst commentary place the announcement in context: ABI Research and other industry analysts have documented the shift toward HSM‑as‑a‑service and quantified service‑segment growth. Marvell cited ABI Research to justify an 8.5% annual growth figure for HSM‑as‑a‑service through 2029, though independent research firms produce a range of CAGR estimates depending on scope and definitions (MarketsandMarkets, Mordor, Grand View, ABI Research). Those differences matter when sizing opportunity and should be treated as directional. (abiresearch.com, marketsandmarkets.com, mordorintelligence.com)
Cautionary note: many of the most consequential numbers in the announcement — per‑card key limits, ops/sec, partition counts — are vendor‑supplied engineering figures that have not, at the time of the announcement, been widely reproduced in independent bench reports. Prospective buyers should request vendor test methodologies and run representative pilot workloads under their own conditions.

Practical implications for enterprise architects and security teams

  • Compliance mapping: Confirm FIPS 140‑3 Level 3 coverage for the exact Azure Cloud HSM SKU, firmware version, and region you plan to deploy into. Certification is often firmware and SKU specific. (techcommunity.microsoft.com)
  • SLA and operational terms: Negotiate clarity on patch windows, firmware rollbacks, zeroization procedures, and vulnerability disclosure timelines. HSM firmware vulnerabilities carry outsized operational risk.
  • Benchmarking: Run pilot tests for your representative workloads (AES‑GCM bulk encryption, ECC signing, RSA operations, KMS key‑wrapping patterns) to validate throughput, latency, tail latency, and cluster failover behaviour. Vendor numbers are directional; measured performance matters.
  • Key lifecycle and export policies: Verify how key backup, export, and disaster‑recovery functions operate within Azure Cloud HSM clusters. Procurement teams must match these mechanics to audit and regulatory controls.
  • Cryptographic agility and PQC planning: For long‑lived key material, require vendor roadmaps for post‑quantum algorithm support and field‑upgradeability so future protocol migrations do not force disruptive hardware swaps.
  • Supply‑chain planning: Evaluate lead times and multi‑vendor fallback plans for mission‑critical workloads to avoid concentration risk if a single hardware design becomes a single point of failure.

Strategic and market impact

For Microsoft

Bringing a cloud‑optimized PCIe HSM option into the Azure Cloud HSM portfolio helps Microsoft present a more complete compliance story to regulated customers and enables denser HSM deployments across regions. This supports Azure’s push into confidential computing, sovereign cloud offerings, and high‑assurance services where hardware certification is a procurement must. (techcommunity.microsoft.com)

For Marvell

The Azure selection is a high‑visibility customer win that validates Marvell’s strategic pivot away from legacy markets toward cloud infrastructure silicon, DPUs, and security modules. The arrangement amplifies LiquidSecurity’s market footprint at hyperscale providers and strengthens Marvell’s enterprise narrative. (marvell.com, investor.marvell.com)

For the HSM market

Hyperscaler adoption of PCIe‑native HSM modules accelerates the shift from appliance procurement to HSM‑as‑a‑service. Expect competing vendors to respond with their own validated modules, alternate form factors, and roadmaps for PQC support and third‑party benchmarking. That competition should increase choice for buyers but heightens the importance of due diligence. (abiresearch.com, marketsandmarkets.com)

Financial and corporate context (what investors and procurement managers should note)

  • Marvell has concurrently executed strategic portfolio moves that refocus capital on data‑center and infrastructure products: in 2025 the company announced the divestiture of its Automotive Ethernet business to Infineon for $2.5 billion in cash — a transaction that closed and further concentrates Marvell’s addressable market on hyperscale and AI infrastructure. This capital event reduces automotive revenue contribution in Marvell’s near‑term reporting and reallocates balance‑sheet flexibility. (investor.marvell.com)
  • Wall Street analysts have reacted to Marvell’s broader cloud and AI positioning with mixed but generally constructive notes: some firms have raised or maintained price targets while framing multiples and expectations around Marvell’s data‑center momentum. These analyst views underline how vendor customer wins — especially with a major hyperscaler — are treated as commercially material. Investors should interpret these moves alongside concrete customer ramp signals and supply metrics. (investopedia.com, investing.com)
  • Market forecasts for HSM‑as‑a‑service vary. Marvell cites ABI Research’s projection of an approximately 8.5% annual growth rate through 2029 for the HSM‑as‑a‑service segment, while other research houses publish higher CAGRs depending on definitions and scope. These differences mean that market sizing should be triangulated across multiple independent sources before forming revenue or procurement assumptions. (abiresearch.com, marketsandmarkets.com)

Technical and security risks to watch

  • Vendor and supply concentration risk: Heavy reliance on a single HSM hardware supplier at hyperscale raises systemic risk from firmware vulnerabilities or supply interruptions. Contract teams should require remediation SLAs, inventory of affected firmware SKUs, and multi‑vendor contingency plans.
  • Certification scope and patch management: FIPS 140‑3 certification applies to specific hardware/firmware combinations — which can change after updates. Buyers must ensure the certification scope matches the deployed firmware and region. Negotiate clear procedures for re‑certification, patch validation, and rollback. (marvell.com)
  • Multi‑tenant partition isolation and side‑channel vectors: While Azure Cloud HSM offers single‑tenant clusters for customer isolation, the underlying cards support many partitions for density. Partitioning increases the attack surface for side‑channel or contention‑based vectors; customers should validate isolation guarantees against their threat models.
  • Performance reality vs. published specs: Vendor throughput numbers are valuable as directional input but require empirical validation. Benchmarking under representative workloads is essential to understand tail latency, concurrency, and algorithm‑specific behaviour (ECC vs RSA vs AES).
  • Long‑term cryptographic agility: Roadmaps for post‑quantum cryptography (PQC) support and the ability to field‑upgrade algorithm suites without extensive downtime should be contractual deliverables for long‑lived HSM use cases.

Recommended action plan for IT, security, and procurement teams

  • Inventory current HSM‑dependent workloads and classify by regulatory requirement (FIPS level required, eIDAS profiles, PCI expectations).
  • Map which workloads are good candidates to migrate to Azure Cloud HSM (single‑tenant clusters) versus those that should remain on‑prem for control or multi‑vendor redundancy.
  • Request detailed certification matrices from Microsoft and Marvell showing SKU/firmware/region coverage for FIPS 140‑3 Level 3 and any other applicable trust frameworks.
  • Negotiate explicit operational SLAs covering patch cadence, vulnerability disclosure timelines, rollback procedures, and key zeroization steps.
  • Run a representative pilot with production‑like workloads to validate latency, throughput, tail latency, and cluster failover behaviour.
  • Require roadmaps for PQC, firmware field‑upgradeability, and long‑term lifecycle support in contractual appendices.
  • Maintain an alternate vendor or hybrid architecture for mission‑critical keys if single‑vendor risk is unacceptable.
These practical steps will help organizations realize the benefits of Azure’s new hardware option while mitigating the operational, certification, and supply risks that accompany any foundational security dependency.

Final analysis: strengths, risks, and what to expect next

The selection of Marvell LiquidSecurity HSMs for Azure Cloud HSM is a pragmatic alignment: it pairs Microsoft’s need for certified, highly available HSM clusters with Marvell’s cloud‑optimized, high‑density PCIe HSM architecture. The combination promises improved throughput, lower per‑operation power and space costs, and expanded compliance coverage for regulated workloads that previously required on‑prem appliances. For cloud customers, this widens the managed options for production cryptography and key management. (marvell.com, techcommunity.microsoft.com)
At the same time, the announcement reminds practitioners that certification is necessary but not sufficient. Vendor‑supplied performance numbers should be validated through representative testing; firmware and SKU coverage must be confirmed against audit requirements; and procurement should mitigate the risk of vendor and supply‑chain concentration. Finally, long‑term resilience depends on cryptographic agility and PQC readiness — both areas organizations must treat as strategic, contractual properties of any HSM deployment.
Expect competing vendors and cloud providers to accelerate their HSM roadmaps in response: the industry will push for alternative validated modules, transparent benchmarking, and clearer lifecycle guarantees. For enterprises and security architects, this development is important — it lowers a major barrier to cloud migration for regulatory workloads — but it must be approached with the same diligence applied to any foundational cryptographic infrastructure purchase. (abiresearch.com, marketsandmarkets.com)
The Azure–Marvell alignment changes the procurement and technical calculus for hardware‑backed cloud cryptography; its benefits are tangible, but so are the tradeoffs. Robust testing, contractual clarity, and supply‑chain planning will determine whether this becomes a practical accelerant for sensitive cloud migrations or a cautionary tale in vendor lock‑in.


Source: Investing.com Nigeria Microsoft selects Marvell’s LiquidSecurity HSMs for Azure Cloud HSM By Investing.com
 
