Microsoft’s decision to standardize Azure Cloud HSM on Marvell’s LiquidSecurity hardware marks a decisive shift in how hyperscalers are architecting cryptographic assurance at cloud scale — pairing FIPS 140‑3 Level 3 certified, host‑attached PCIe HSM modules with a managed, customer‑owned cluster model that promises higher throughput, tighter latency, and smaller rack footprint than legacy appliance approaches. (marvell.com) (learn.microsoft.com)

Background / Overview

Azure Cloud HSM is Microsoft’s single‑tenant, highly available HSM service that gives customers full administrative control over cryptographic keys while Microsoft manages cluster availability, patching, and lifecycle tasks. The service is validated to FIPS 140‑3 Level 3 and exposes HSM clusters to tenants over private links from their virtual networks. This model deliberately blends the compliance and tamper‑resistance properties of on‑prem appliances with cloud operational economics and managed availability. (learn.microsoft.com)
Marvell’s LiquidSecurity family — particularly the second‑generation LiquidSecurity 2 (LS2) — is a PCIe form‑factor, DPU‑accelerated HSM designed for hyperscale cloud deployments. Marvell publicly positions LS2 as a high‑density, high‑throughput card capable of storing up to one million keys, supporting tens of thousands of asymmetric operations per second and up to one million AES GCM operations per second in aggregate, while consuming a fraction of the power of traditional 1U/2U HSM appliances. Microsoft has expanded its existing Marvell relationship (which already covered Azure Key Vault and Managed HSM) to include Azure Cloud HSM, according to Marvell’s announcement. (marvell.com, investor.marvell.com)

What Microsoft and Marvell announced

  • Microsoft has formally selected Marvell LiquidSecurity modules as a supported hardware platform for Azure Cloud HSM clusters, extending Marvell’s role across Azure’s key management portfolio. (marvell.com)
  • Azure Cloud HSM clusters built on LiquidSecurity are offered as customer‑owned, single‑tenant clusters managed by Microsoft for availability, and maintain FIPS 140‑3 Level 3 validation. (learn.microsoft.com, marvell.com)
  • Marvell’s public specifications for LS2 — reiterated in company materials and trade coverage — cite high key density, multi‑partition tenancy (dozens of partitions per card), and throughput figures that are engineered for hyperscale HSM‑as‑a‑service economics. (investor.marvell.com, tomshardware.com)
These announcements are consistent across vendor release channels and Microsoft product documentation, and they crystallize a broader trend: cloud providers adopting dense, host‑attached HSM adapters to reduce per‑operation cost and latency for regulated workloads that require hardware attestation. (marvell.com, learn.microsoft.com)

Technical deep dive: LiquidSecurity architecture and what it means for Azure

PCIe, DPU acceleration, and host‑attached economics

LiquidSecurity is implemented primarily as a PCIe card (HHHL/PCIe form factor) that embeds dedicated cryptographic engines and an OCTEON DPU to offload crypto processing from host CPUs. Host‑attached HSMs differ from network‑attached rack appliances in two meaningful ways:
  • They reduce network round trips for cryptographic operations, lowering latency for TLS offload, CA operations, code signing, and other high‑frequency tasks.
  • They compress rack footprint and power per cryptographic transaction, improving total cost of ownership at hyperscale. (tomshardware.com, learn.microsoft.com)
Marvell’s LS2 materials and third‑party coverage describe tens of cryptographic cores and optimized engines that allow performance density not feasible in older appliance designs. That density is why Azure and other hyperscalers are moving toward PCIe HSM adapters for many cloud HSM offerings. (investor.marvell.com, tomshardware.com)

Claimed performance and partitioning

Marvell’s published LS2 figures include:
  • Up to 1,000,000 keys per card (key count depends on key types and internal storage models).
  • Up to 100,000 ECC (P‑256) operations per second and ~1,000,000 AES GCM operations per second (algorithm dependent).
  • 40+ virtual partitions per card to support multi‑tenant isolation inside a single physical device. (investor.marvell.com, tomshardware.com)
Those numbers are vendor‑stated engineering targets and were repeated across vendor press and trade press at launch. They matter because they directly change procurement math: one LS2 card can replace many appliance nodes for equivalent key capacity and throughput — a major efficiency win for cloud operators. But they should be treated as directional until independently benchmarked under representative workloads. Independent third‑party lab measurements published to date corroborate the architectural direction but do not yet replace a buyer’s own validation. (investor.marvell.com, techpowerup.com)

Certification and compliance posture

LiquidSecurity modules have progressed through FIPS 140‑3 Level 3 certification paths and related compliance milestones (Marvell has publicized these certifications for LS2), and Microsoft has aligned Azure Key Vault and Managed HSM firmware to FIPS 140‑3 Level 3 across regions. The alignment of certified module, firmware, and cloud service is essential for regulated customers (financial, government, sovereign cloud), since procurement audits rely on clear certification scope and firmware SKUs. (marvell.com, techcommunity.microsoft.com, learn.microsoft.com)
Important caveat: certification scope is often firmware‑, SKU‑, and region‑specific; buyers must confirm the exact firmware build, SKU, and Azure region included in any FIPS artifact before relying on it for audits.

Practical implications for enterprise architects and security teams

Immediate benefits

  • Lower latency and higher throughput for cryptographic services used in TLS, CA signing, code signing, and payment processing, because crypto engines are host‑attached. (tomshardware.com, learn.microsoft.com)
  • Compliance alignment for workloads requiring FIPS 140‑3 Level 3 hardware, potentially easing migration of regulated workloads to managed cloud HSMs. (techcommunity.microsoft.com, learn.microsoft.com)
  • More compact data‑center economics for Azure: fewer rack units and lower power per operation for equivalent HSM capacity, reducing OPEX at hyperscale. (investor.marvell.com)

What teams must do before migrating critical workloads

  • Map current workloads that mandate FIPS 140‑3 Level 3 or other hardware attestations (payment processing, CAs, qualified e‑signatures).
  • Confirm the exact Azure Cloud HSM SKU, firmware version, and region covered by FIPS artifacts and any eIDAS/PCI scope your audit requires. (learn.microsoft.com, marvell.com)
  • Request vendor benchmark methodology and run representative pilot tests to measure latency, throughput, failover behavior, and partition isolation under expected workloads.
  • Negotiate robust operational SLAs covering patch windows, vulnerability disclosure, incident response, key zeroization, and migration support.
  • Maintain cryptographic agility: plan for key rotation, firmware upgrade paths for post‑quantum algorithms, and migration procedures if hardware or firmware needs replacement. (investor.marvell.com)
These steps reduce the risk that vendor engineering numbers and certification headlines obscure operational realities during production rollout.

Financial and market context

Marvell’s LiquidSecurity selection by Microsoft is both a technical validation and a commercial accelerant for Marvell’s cloud‑infrastructure narrative. The timing intersects with several company developments:
  • Marvell announced completion of the sale of its Automotive Ethernet business to Infineon for $2.5 billion in cash, a transaction that closed in mid‑August 2025. That deal refocuses Marvell’s portfolio on data‑center silicon and security offerings and strengthens the company’s financial flexibility. (investor.marvell.com, marvell.com)
  • Marvell appointed Rajiv Ramaswami (President & CEO of Nutanix) to its Board of Directors, adding seasoned cloud infrastructure leadership to the company’s governance team. (investor.marvell.com, prnewswire.com)
  • Analyst coverage has reacted positively: Morgan Stanley raised its price target for Marvell to $80 (maintaining an Equalweight rating) and Stifel reiterated a Buy at $80 target, citing the company’s expanding data‑center and optical opportunities alongside recent customer wins. These notes underline investor confidence tied to hyperscaler partnerships and Marvell’s pivot to high‑value infrastructure silicon. (investing.com)
From a market sizing perspective, Marvell cited an ABI Research estimate that HSM‑as‑a‑service will grow at roughly 8.5% CAGR through 2029; independent market firms publish a range of forecasts depending on definition and scope, so buyers and investors should treat single‑figure CAGRs as directional rather than definitive. (marvell.com)

Security strengths — what’s genuinely positive

  • FIPS 140‑3 Level 3 validation: This certification raises the bar for tamper resistance and hardware assurance, enabling cloud migration for workloads that historically required on‑prem HSMs. Microsoft’s Azure firmware alignment closes a compliance loop many regulated customers demanded. (techcommunity.microsoft.com, learn.microsoft.com)
  • Hyperscale economics with host‑attached performance: PCIe HSM adapters deliver density that materially reduces rack footprint and operational cost per cryptographic transaction at hyperscale. For cloud providers, that equals improved TCO for HSM services. (investor.marvell.com)
  • Operational model that preserves customer control: Azure Cloud HSM clusters keep key administrative control with customers while offloading high‑availability and lifecycle tasks to Microsoft — a balance attractive to compliance‑focused organizations. (learn.microsoft.com)

Risks and limits — what to watch closely

  • Vendor‑supplied performance claims require validation. The most consequential numbers driving the narrative — per‑card key counts and ops‑per‑second metrics — are engineering specifications published by Marvell and repeated in trade press. Prospective buyers should demand methodology and run pilots; vendor specs are directional, not contractual performance SLAs. (investor.marvell.com)
  • Certification scope and firmware dependencies. FIPS certificates typically bind to specific firmware and SKUs; cloud providers must ensure the certified firmware is what’s deployed in the customer’s region and that firmware update paths don’t invalidate compliance for running workloads. (techcommunity.microsoft.com)
  • Supply‑chain and vendor concentration risk. Relying heavily on a single HSM supplier for a hyperscaler’s HSM fleet increases exposure to component shortages, firmware vulnerabilities, and political/supply constraints. Large tenants and national‑scale trust services should include contingency plans or multi‑vendor strategies.
  • Long‑term cryptographic agility. HSM designs must support field upgrades for new algorithms (notably post‑quantum) without breaking certifications or causing prolonged outages. Buyers should verify Marvell’s field update capabilities and Microsoft’s processes for safely rolling firmware across clusters. (investor.marvell.com)

Strategic implications for cloud and HSM markets

  • Hyperscalers will increasingly prefer host‑attached, DPU‑backed HSM adapters when they can match certification and operational rigor of appliances — this announcement is a market signal that such architectures are production ready for the most regulated workloads. (marvell.com, tomshardware.com)
  • Expect competitive responses: other HSM vendors and hyperscalers will accelerate certification roadmaps, partition mechanics, and post‑quantum timelines to avoid ceding platform advantage. Buyers should benefit from improved options but must retain due diligence discipline.
  • For Marvell, the Azure selection and the financial reshaping following the Infineon divestiture sharpen the company’s pitch as a specialized infrastructure silicon supplier — a strategic reframing that investors and partners are rewarding with revised coverage and price targets. (investor.marvell.com, investing.com)

Recommended checklist for migration pilots (concise, operational)

  • Confirm FIPS 140‑3 Level 3 certificate number, firmware build, SKU, and region. (techcommunity.microsoft.com, marvell.com)
  • Negotiate SLAs: patch cadence, zeroization procedures, incident response timelines, and financial remedies.
  • Run representative workloads: TLS handshakes, CA signing, code signing, and KMS bulk key‑wraps; measure latency, throughput, and failover.
  • Validate partitioning/isolation model with real multi‑tenant patterns and audit logs. (investor.marvell.com)
  • Inventory algorithms and key lifetimes; ensure roadmaps for PQC and firmware updateability are documented. (investor.marvell.com)

What’s likely next

  • Rapid third‑party benchmarking will appear as security and procurement teams demand independent validation of Marvell’s claims; expect both vendor‑friendly and independent lab reports in the coming months.
  • Competition over quantum‑resilient roadmaps will accelerate, with vendors publishing PQC firmware paths and migration guides to reassure long‑lived key custodians. (investor.marvell.com)
  • Cloud providers will solidify procurement language around certification scope and firmware governance, making those contractual elements a standard part of regulated‑workload RFPs.

Conclusion

Microsoft’s adoption of Marvell LiquidSecurity HSMs for Azure Cloud HSM is a pragmatic, technically coherent development: it brings certified, dense, host‑attached cryptographic hardware into a managed, customer‑controlled cluster model that lowers latency and operational cost for regulated workloads. The move materially expands Azure’s compliance story and validates Marvell’s cloud‑native HSM architecture, while also sharpening the market dynamic between appliance vendors, HSM specialists, and hyperscalers. That said, the headlines rest on vendor engineering claims and certification linkages that require careful, procurement‑grade verification — firmware SKUs, regional coverage, independent benchmarks, and robust SLAs must be confirmed before moving high‑value key management into production on any single hardware family. (marvell.com, investor.marvell.com, learn.microsoft.com)
For technology leaders and security architects, the right next step is a disciplined pilot: validate performance against representative loads, verify the precise certification footprint for your region and firmware, and insist on contractual guarantees that cover firmware governance, incident response, and key lifecycle management. Done well, the Azure + Marvell combination can unlock cloud migration for workloads that previously required on‑prem HSMs; done without sufficient verification, it risks swapping one set of operational burdens for another.

Source: Investing.com Canada Microsoft selects Marvell’s LiquidSecurity HSMs for Azure Cloud HSM By Investing.com
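
One way to take the pilot measurement the migration checklist above calls for (latency, throughput and behaviour during failover), as an added example that is not from the original article or from Microsoft or Marvell. The names `run_pilot` and `standin_sign`, the demo key and the simulated failover window are hypothetical; the stand-in uses software HMAC so the harness runs offline, and a real pilot would replace it with the call to the HSM under test.

```python
import hashlib
import hmac
import statistics
import time
from concurrent.futures import ThreadPoolExecutor


def run_pilot(op, requests, workers=8):
    """Call op(i) `requests` times from `workers` threads; report tail latency and errors."""
    def timed(i):
        start = time.perf_counter()
        try:
            op(i)
            ok = True
        except Exception:
            ok = False  # failed calls are counted separately, not averaged away
        return ok, time.perf_counter() - start

    wall_start = time.perf_counter()
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(timed, range(requests)))
    wall = time.perf_counter() - wall_start

    ok_lat = sorted(lat for ok, lat in results if ok)
    # 99 cut points: index 49 is the median, 94 the 95th and 98 the 99th percentile.
    cuts = statistics.quantiles(ok_lat, n=100, method="inclusive")
    return {
        "requests": requests,
        "errors": sum(1 for ok, _ in results if not ok),
        "ops_per_sec": len(ok_lat) / wall,
        "p50_ms": cuts[49] * 1e3,
        "p95_ms": cuts[94] * 1e3,
        "p99_ms": cuts[98] * 1e3,
    }


KEY = b"constructed-demo-key"  # constructed; a real pilot uses a key held in the HSM


def standin_sign(i):
    """Constructed stand-in for the HSM operation under test (assumption, runs offline)."""
    if 400 <= i < 420:  # simulated failover window: these requests fail
        raise ConnectionError("simulated node failover")
    return hmac.new(KEY, i.to_bytes(8, "big"), hashlib.sha256).digest()


if __name__ == "__main__":
    for name, value in run_pilot(standin_sign, requests=1000).items():
        print(f"{name}: {value}")
```

Comparing the p99 figure and the error count against the contract's SLA terms, rather than the mean, is what exposes failover stalls that an average hides.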
 
