Microsoft has selected Marvell’s LiquidSecurity family of hardware security modules (HSMs) to power its Azure Cloud HSM offering — a move that consolidates Marvell’s role across Azure’s key management portfolio and brings FIPS 140‑3 Level 3‑certified, high‑density PCIe HSMs into Microsoft’s single‑tenant cloud HSM clusters. (prnewswire.com, investor.marvell.com)

Background

Azure Cloud HSM is Microsoft’s single‑tenant, highly available HSM service that gives customers complete administrative control over cryptographic keys and operations inside a dedicated HSM cluster. The service is offered as a managed cluster that Microsoft runs and maintains while the customer retains administrative control of keys, and it meets FIPS 140‑3 Level 3 validation — a strict hardware security certification required by many government and financial customers. (learn.microsoft.com)
Marvell’s LiquidSecurity line — delivered as compact PCIe cards powered by Marvell’s OCTEON DPUs — was explicitly designed to convert the traditional, appliance‑style HSM into a dense, cloud‑optimized device. Marvell and Microsoft have worked together for years: LiquidSecurity cards already power Azure Key Vault and Azure Key Vault Managed HSM services, and the new announcement extends that relationship to Azure Cloud HSM clusters. (investor.marvell.com, marvell.com)
In addition to vendor and product communications, community archives and internal briefings shared with platform operators highlight a broader Azure strategy to integrate hardware security closer to the host, reduce cryptographic latency, and accelerate confidential computing use cases — trends that align with the Marvell selection.

What Marvell’s LiquidSecurity brings to Azure Cloud HSM​

Density and throughput engineered for cloud scale​

LiquidSecurity cards are built for hyperscale environments and make a different tradeoff from traditional 1U/2U HSM appliances. Marvell’s published specifications for LiquidSecurity2 show capacity and throughput figures that are noteworthy for cloud operators:
  • A single LiquidSecurity2 PCIe card can manage up to 100,000 pairs of encryption keys.
  • It can process more than one million cryptographic operations per second on a single card. (investor.marvell.com, marvell.com)
Those numbers translate to a much smaller physical footprint and lower power draw per cryptographic transaction compared with classic appliance HSMs — attractive economics for cloud providers that must provision huge, multi‑tenant crypto services.

FIPS 140‑3 Level 3 certification and compliance reach​

Marvell’s LiquidSecurity 1 and 2 modules achieved NIST FIPS 140‑3 Level 3 certification, which adds a physical tamper‑resistance and secure key handling layer required by many regulated customers. Microsoft’s Azure Cloud HSM uses FIPS‑validated modules to meet compliance requirements for customers in finance, government, and regulated industries. The certification opened the door for Azure to offer single‑tenant, FIPS‑validated HSM clusters built on Marvell hardware. (investor.marvell.com, learn.microsoft.com)

Cloud model and multi‑tenant efficiency​

LiquidSecurity cards are designed to be cloud native — PCIe form factor, DPU acceleration, and hardware partitioning that support dense multi‑tenant operation. The architecture enables cloud providers to host many isolated HSM partitions per card, reducing per‑customer cost while preserving key separation and administrative isolation.

Broader certifications (eIDAS) and regional compliance​

Microsoft has also worked with Marvell to validate LiquidSecurity devices against European trust frameworks; recent Microsoft announcements show Azure Managed HSM and Premium Key Vault devices using Marvell adapters have been certified for eIDAS under certain schemes. This addresses European signature and trust service requirements for qualified electronic signatures. (techcommunity.microsoft.com)

Why this matters to enterprises and cloud architects​

Performance and latency improvements​

Embedding high‑throughput HSM cards into Azure Cloud HSM clusters addresses a typical cloud tradeoff: centralized network‑attached HSMs add network latency, while host‑attached HSM functionality keeps crypto operations close to workloads. Marvell’s PCIe cards, combined with Azure’s cluster design and private link access, reduce cryptographic round‑trip time and enable higher transaction volumes for services such as TLS offload, certificate authorities, code signing, and PKI operations. This is particularly relevant for high‑frequency, low‑latency workloads like payment gateways and high‑throughput database encryption. (marvell.com, learn.microsoft.com)

Compliance and regulatory reach​

With FIPS 140‑3 Level 3 certification and eIDAS validations in the mix, Azure can present a stronger compliance posture for customers who must meet strict cryptographic device standards. This expands cloud viability for workloads that historically required on‑premises HSM appliances — banks, payment processors, government agencies, and digital‑signature providers now have a managed cloud path that aligns with regulatory rules. (investor.marvell.com, techcommunity.microsoft.com)

Cost, density, and operational simplicity​

From a procurement and operations perspective, the move allows Azure to offer HSM‑as‑a‑service with improved density and lower per‑operation cost. Cloud providers can consolidate capacity, reduce rack utilization, and lower power and cooling demands — efficiencies that typically get passed to enterprise customers through more affordable and elastic HSM offerings. Marvell’s cards were engineered with those economics in mind. (marvell.com)

Market context and financial implications​

HSM‑as‑a‑service market growth​

Market forecasts referenced in vendor materials and Microsoft/PR communications indicate the HSM‑as‑a‑service market is expected to grow strongly over the coming years; one cited projection places annual growth at roughly 8.5% through 2029, reflecting expansion in cloud cryptography demand. That macro growth supports the commercial case for hyperscalers investing in compact, high‑throughput HSM hardware. (prnewswire.com)

Marvell’s strategic positioning and corporate moves​

Marvell has been reshaping its business toward data‑center and custom silicon opportunities, and the Azure selection is a tangible endorsement of that strategy. The company completed a high‑profile divestiture of its Automotive Ethernet business to Infineon for $2.5 billion in 2025, a move that concentrates Marvell’s focus and capital on hyperscale and AI infrastructure efforts. Separately, Marvell strengthened its board with the appointment of Rajiv Ramaswami, bringing additional leadership and cloud‑software expertise to the company. These corporate events underline Marvell’s pivot toward cloud infrastructure leadership. (marvell.com, investor.marvell.com)

Wall Street and analyst signals (context and caution)​

Investor research and industry commentary — frequently summarized by services such as InvestingPro and mainstream financial outlets — point to bullish expectations for Marvell’s revenue trajectory, with some forecasts in recent reporting pointing at large year‑over‑year growth percentages driven by data‑center and AI programs. Those figures reflect analyst models and are sensitive to customer ramps, supply chain conditions, and macro demand; therefore, they should be interpreted as forward‑looking estimates rather than guarantees. (uk.investing.com, investing.com)

Technical analysis: strengths and limitations​

Strengths​

  • High throughput per card: >1M ops/sec per card gives hyperscalers the ability to consolidate many customer workloads onto fewer physical devices, improving utilization and TCO. (investor.marvell.com)
  • FIPS 140‑3 Level 3 validation: meets a strict regulatory bar for customers requiring hardware tamper protection and secure key storage. (investor.marvell.com, learn.microsoft.com)
  • Cloud‑native form factor: PCIe deployment reduces space and power overhead compared with 1U or 2U appliances, beneficial in dense server racks. (marvell.com)
  • Prior integration pedigree: LiquidSecurity already underpins Azure Key Vault and Managed HSM, reducing integration risk for Azure Cloud HSM rollout. (investor.marvell.com)

Limitations and important caveats​

  • Certification scope: FIPS 140‑3 Level 3 validates hardware security for specific cryptographic modules and modes. It does not obviate the need for holistic operational security controls, secure key lifecycle management, or customer governance practices. Relying solely on a validated HSM does not substitute for secure key management policies or access governance.
  • Supply chain and component risk: Hyperscalers depend on steady hardware supply and vendor stability. Any disruption in Marvell’s production or a wider semiconductor supply shock could impact Azure’s ability to scale HSM capacity in specific regions. The sale of non‑core assets and shifting business focus increases efficiency but also concentrates Marvell’s exposure to data‑center markets; this is strategically rational but operationally material. (marvell.com, investor.marvell.com)
  • Vendor and platform dependency: Deep integration of custom HSM hardware into a cloud provider’s platform can create implicit lock‑in effects — customers moving to another cloud or seeking on‑prem parity will need to reconcile differences in HSM architectures and supported features.
  • Cryptographic agility and future threats: Hardware HSMs have long hardware lifecycles. Ensuring agility for new algorithms (including post‑quantum cryptography) requires firmware, software, and sometimes hardware updates. Claims of “quantum readiness” should be validated for specific algorithms and migration paths; customers should demand clear timelines and cryptographic migration plans from both cloud and hardware vendors. Some vendor materials discuss quantum‑resilient pathways, but these are typically multi‑year programs and must be validated in practice.

Security risk analysis — what to watch for​

  • Supply‑chain provenance and verification
    Hardware trust depends on verified manufacturing, secure boot chains, and firmware integrity processes. Enterprises with the highest assurance requirements should probe how Azure and Marvell attest to provenance, how firmware upgrades are delivered and verified, and how the vendor responds to potential vulnerabilities.
  • Multi‑tenant partition isolation
    While LiquidSecurity is designed for dense multi‑tenant use, every multi‑tenant system introduces potential side‑channel and resource‑contention vectors. Azure’s single‑tenant Cloud HSM clusters ameliorate many risks, but customers must ensure that partitioning and administrative boundaries meet their threat model.
  • Operational transparency and key custody models
    Azure Cloud HSM gives customers administrative control of keys, but customers must confirm that key export policies, key escrow arrangements, and backup/restore mechanics align with their compliance needs. Ask for clear documentation of key ownership models and cryptographic domain separation.
  • Incident response and disclosure SLAs
    When a hardware or firmware vulnerability emerges, customers need fast, transparent remediation windows. Large cloud providers typically publish security advisories and patch schedules, but the responsiveness of hardware vendors matters greatly for critical crypto infrastructure.

Practical guidance for IT, security, and compliance teams​

  • Evaluate requirement fit: map workloads that currently require on‑premises HSMs (e.g., payment processing, CAs, document signing) and document regulatory controls that mandate hardware FIPS 140‑3 Level 3 devices.
  • Validate Azure's implementation: confirm the Cloud HSM cluster topology, private link access, backup/restore procedures, and key‑export policies for your tenant.
  • Perform workload testing: run representative signing, encryption, and TLS offload workloads to measure latency, throughput, and operational behavior under peak loads.
  • Audit cryptographic algorithms and lifecycles: inventory algorithms in use, confirm support for your required key sizes and modes, and demand a vendor roadmap for post‑quantum migration if relevant.
  • Negotiate operational SLAs: include patching windows, vulnerability disclosure obligations, and incident escalation processes in procurement or cloud subscription agreements.
  • Maintain crypto agility: plan key rotation and migration processes so that migrations can be executed without prolonged outages if hardware or algorithms change.

Strategic implications for the cloud and HSM market​

This move by Microsoft and Marvell signals a larger industry dynamic: cloud providers want hardware placards that combine the performance of locally attached cryptographic engines with the administrative guarantees of dedicated HSM clusters. The choice of compact, high‑density HSM cards supports an economics‑driven wave of “HSM‑as‑a‑service” expansion, enabling more customers to consume hardware‑backed cryptography on demand rather than buying and maintaining expensive appliances.
For Marvell, the endorsement from Microsoft is strategically useful as it promotes LiquidSecurity across a large installed base and supports Marvell’s pivot to hyperscale infrastructure. For Microsoft customers, the expanded use of LiquidSecurity in Azure Cloud HSM should offer broader compliance coverage and improved throughput for cryptographic workloads — provided they validate operational and governance details for their specific use cases. (investor.marvell.com, prnewswire.com)

Concluding analysis — strengths, risks, and what to expect next​

The selection of Marvell’s LiquidSecurity HSMs for Azure Cloud HSM is a pragmatic alignment of hyperscaler requirements and semiconductor innovation: it pairs Azure’s need for dense, compliant HSM capacity with Marvell’s PCIe‑based, DPU‑accelerated modules designed for cloud economics. This fosters improved performance, expanded compliance options for regulated customers, and lower per‑operation cost for cryptographic services. (investor.marvell.com, learn.microsoft.com)
At the same time, the decision comes with practical and strategic risks: supply‑chain dependence on a single vendor for a foundational security element; the need to maintain cryptographic agility as algorithms and threats evolve; and the perennial operational caveat that device certification is necessary but not sufficient for overall key lifecycle security. Customers and security architects should treat vendor certifications as one component of a broader security and governance program, validate Azure’s operational specifics for Cloud HSM, and insist on detailed migration and incident response commitments.
For enterprises under strict compliance regimes, the new option opens a realistic path to migrate sensitive HSM workflows to the cloud without sacrificing certifications like FIPS 140‑3 Level 3 or regionally relevant eIDAS trust requirements. For the market, it accelerates the shift to HSM services as a mainstream cloud primitive rather than a niche appliance purchase. Expect continued competition in HSM hardware and cloud integrations as other vendors and hyperscalers respond with their own validated modules, feature roadmaps for quantum‑safe transitions, and service variations that balance multi‑tenant economics with the highest levels of assurance. (techcommunity.microsoft.com, prnewswire.com)

Microsoft and Marvell’s announcement is consequential for anyone designing cryptographic infrastructure at scale: it reduces a major barrier to cloud migration for regulated workloads, tightens the intersection between hardware validation and cloud services, and shifts more of the HSM value chain into managed, hyperscale operations. The benefits are tangible — but they must be weighed against supply‑chain, vendor dependency, and long‑term cryptographic agility concerns as organizations modernize their key management architectures.

Source: Investing.com https://www.investing.com/news/company-news/microsoft-selects-marvells-liquidsecurity-hsms-for-azure-cloud-hsm-93CH-4197821/
 

Microsoft’s decision to expand its use of Marvell’s LiquidSecurity hardware security modules into the Azure Cloud HSM offering marks a notable vote of confidence in cloud-optimized HSM architectures — and sharpens the competitive contours of the HSM-as-a-service market as enterprise customers and regulators raise the bar for cryptographic assurance. (marvell.com)

Background

Microsoft and Marvell have worked together for several years to underpin Azure’s key management portfolio, and the latest announcement formally extends Marvell’s footprint into Azure Cloud HSM — Microsoft’s single-tenant, customer-owned HSM cluster product validated to FIPS 140-3 Level 3. The selection is presented by Marvell as both a continuation and an expansion of an existing relationship: LiquidSecurity hardware already supports Azure Key Vault and Managed HSM, and will now be the foundation for Azure Cloud HSM as well. (marvell.com, learn.microsoft.com)
The commercial and technical claims tied to the deal are specific and consequential: Marvell states that its LiquidSecurity family — especially the second-generation LiquidSecurity2 (LS2) — delivers very high key density and throughput on a PCIe card form factor, and that Microsoft will deploy those characteristics to offer customers dedicated clusters with FIPS 140-3 Level 3 validation. Marvell’s own materials highlight metrics such as management of up to 100,000 key pairs per card and the ability to process more than one million cryptographic operations per second on the LS2 architecture. Independent industry reporting at the time of LS2’s launch cited similar figures and corroborated Marvell’s performance claims. (marvell.com, techpowerup.com)

Why this matters: the rising importance of cloud-native HSMs​

The shifting model for HSM deployment​

Historically, cryptographic hardware (HSMs) has been deployed as rack-mounted appliances in enterprise data centers. These appliances provided tamper-resistant storage for keys and on-device cryptographic operations, but required purchasers to manage availability, backup, disaster recovery, and hardware refresh cycles.
Cloud providers created a new model — HSM-as-a-service — that abstracts cluster management and availability while offering tenants strong isolation. Microsoft’s Azure Cloud HSM sits in this middle ground: customer-owned, single-tenant clusters that the cloud operator runs and maintains for availability, patching, and lifecycle tasks. Microsoft’s technical documentation and community blog posts emphasize the product’s suitability for workloads that require stringent compliance and dedicated cryptographic control. (learn.microsoft.com, techcommunity.microsoft.com)

Performance and density are strategic at hyperscale​

Cloud providers prioritize performance-per-rack-unit, power efficiency, and manageability. Marvell’s LiquidSecurity approach — a PCIe card built around OCTEON DPUs and cryptographic accelerators — is explicitly engineered for hyperscale environments where multi-tenancy, high throughput, and energy efficiency are crucial.
  • Key density: Marvell’s LS2 claims up to one million keys in secure hardware storage (manufacturer-stated). (marvell.com)
  • Throughput: LS2 is advertised to support up to one million AES GCM ops/sec and high ECC/RSA op rates, depending on algorithm and configuration. Industry coverage from multiple outlets repeated those performance targets at launch. (autos.yahoo.com, electronicsweekly.com)
For cloud operators, that translates to fewer physical devices and lower OPEX per managed HSM instance — a tangible cost argument for adopting PCIe-based HSM adapters versus 1U/2U appliance models.

Technical verification: what the public record confirms​

FIPS 140-3 Level 3 validation​

Microsoft has publicly stated that Azure Cloud HSM is validated to FIPS 140-3 Level 3, and Microsoft communications document the move of its Managed HSM and Key Vault firmware to FIPS 140-3 Level 3 validation across Azure regions. Marvell’s earlier announcements noted that LiquidSecurity 1 and 2 modules achieved FIPS 140-3 Level 3 certification in mid‑2024, and those certifications underpin the claims in the current collaboration. Those company statements are backed by Microsoft product pages describing Azure Cloud HSM’s FIPS 140-3 Level 3 status. (techcommunity.microsoft.com, marvell.com, learn.microsoft.com)

Performance and capacity claims​

Marvell’s technical bulletins and investor-facing press releases specify key limits and operation rates for LiquidSecurity modules (LS1 and LS2), and industry reporting at launch echoed these numbers. Independent coverage confirms the following as Marvell’s publicly stated specifications:
These metrics are manufacturer-supplied and have been reported by trade press and analyst outlets; they are not independent lab bench results published by third-party certifiers. Readers should therefore treat throughput numbers as engineering specifications that require validation under a buyer’s own workload and test harness to predict real-world performance precisely. Where independent, third-party benchmarking is published, it should be used to validate vendor claims; as of the public announcements, press coverage corroborated Marvell’s published numbers rather than independently reproducing them. (techpowerup.com, electronicsweekly.com)

Scalability and multi-tenancy mechanics​

Marvell’s LS2 emphasizes partitioning (multiple tenants per module) and the ability to present many cryptographic partitions to cloud orchestration layers. Marvell’s materials describe 45 partitions on LS2 and a software stack that enables API-first integration for cloud HSM orchestration. Microsoft’s Azure Cloud HSM architecture — clustering multiple HSM nodes for availability and automatic synchronization across three instances — meshes with a model where dense PCIe cards serve many virtual partitions inside a hyperscale host. Microsoft’s documentation describes automatic synchronization, migration of partitions on node failure, and load balancing inside HSM clusters. (marvell.com, learn.microsoft.com)

Commercial and strategic implications​

For Microsoft​

Microsoft gains a hardware architecture optimized for cloud-scale HSM delivery, with the promise of higher throughput per rack and lower per-key power and space costs. The FIPS 140-3 Level 3 alignment is critical for Azure’s government, sovereign cloud, and regulated-industry customers who have precise compliance needs.
Microsoft’s positioning for Azure Cloud HSM foregrounds a product that is customer-owned and administratively controlled while still relieving customers of the operational burden of cluster high availability and patching. That positioning helps Microsoft compete in scenarios where customers require dedicated HSMs but want cloud operational economics and scale. Microsoft’s own product pages and community posts underscore these differentiators. (learn.microsoft.com, techcommunity.microsoft.com)

For Marvell​

This selection further legitimizes Marvell’s long-term pivot from traditional analog/mixed-signal chip markets toward data infrastructure, DPUs, and cloud-focused security products. The Azure selection is both a marquee customer win and a marketing amplifier for LiquidSecurity in the HSM-as-a-service segment.
Marvell’s investor releases and analyst coverage framed this move as part of a broader strategy to capture share in cloud infrastructure components — complementary to Marvell’s optical, networking, and custom compute plays. The company’s financial messaging and analyst notes referenced alongside the announcement reflect optimism about Marvell’s growth trajectory. These market and analyst data points are public and were referenced by commentators and financial outlets. (marvell.com, investopedia.com)

For the HSM market​

  • The adoption of PCIe-based HSM adapters by a major hyperscaler will reinforce the cloud-first trend in HSM procurement.
  • HSM-as-a-service revenue is forecast to grow, although estimates vary significantly by market research firm. Marvell cited ABI Research pointing to an 8.5% annual growth rate through 2029; other market research providers publish materially higher CAGRs. Those differences reflect disparate market definitions (cloud HSM vs. all HSM deployments), end-market assumptions, and projection horizons. Readers should treat market-growth numbers as report-specific estimates rather than universal truths. (marvell.com, grandviewresearch.com, marketsandmarkets.com)

Financial context and market reaction​

Marvell’s market value and analyst sentiment have been volatile as the company repositions toward AI and cloud compute markets. Market capitalization figures reported in public finance data hovered around the mid‑$60 billion range in recent months, a scale that reinforces Marvell’s ability to invest in R&D and execute on large-scale enterprise engagements. Analysts at Morgan Stanley and Stifel have been active in updating coverage and price targets; Morgan Stanley moved a Marvell target to $80 with an Equalweight rating in one update, and Stifel has maintained/adjusted its target in the $80 range in a series of notes. Those moves reflect the market’s reassessment of Marvell’s AI, optical, and custom silicon opportunities as well as the company’s strategic divestitures. (macrotrends.net, investopedia.com, investing.com)
Marvell also executed a major corporate divestiture in 2025, agreeing to sell its Automotive Ethernet business to Infineon for $2.5 billion in cash; the transaction was announced publicly and later completed. That sale reduces non-core exposure and frees capital to support Marvell’s data-center and AI-focused roadmap, according to company disclosures and coverage by major business news outlets. (marvell.com, investor.marvell.com, reuters.com)

Risks, caveats, and open questions​

Vendor claims vs. independent validation​

Many of the most consequential technical claims in this story originate with Marvell’s product literature and investor releases; trade press has reproduced and interpreted those claims. While those sources are standard for initial reporting, they are not substitutes for independent third‑party benchmarking under production workloads. Prospective Azure HSM customers and cloud partners should insist on workload-specific performance validation and clear SLAs for operational behavior, latency, and resilience. Industry press corroboration is useful, but buyers should still conduct their own acceptance tests. (marvell.com, techpowerup.com)

Compliance and certification timeline​

FIPS 140-3 is now central to procurement decisions in regulated industries. Microsoft’s and Marvell’s statements indicate FIPS 140-3 Level 3 compliance for the relevant HSM firmware and modules, but organizations must verify which specific Azure regions and which HSM SKUs carry those certifications, and whether any certification caveats apply to particular algorithm sets or firmware versions. Certification status can be region- and firmware-specific and typically requires careful matching of documentation with procurement and audit requirements. (marvell.com, learn.microsoft.com)

Supply chain, silicon availability, and geopolitical risk​

HSM modules rely on specialized secure processors and silicon that have experienced constrained capacity across the industry. Market research and vendor disclosures continue to highlight supply and lead-time considerations for secure-processors and FIPS‑certified devices. Customers should be aware that shipment timing and fulfillment for certified HSM modules can be affected by semiconductor production constraints, certification cycles, and export control regimes. (mordorintelligence.com, grandviewresearch.com)

Market sizing variance and expectation management​

Marvell’s press materials cite an ABI Research figure of 8.5% annual growth for HSM-as-a-service through 2029. Other research vendors provide higher growth rates — in many cases double-digit CAGRs — depending on how they define the HSM market scope and cloud vs. appliance splits. These divergent projections mean that investors and procurement teams should triangulate across multiple research providers and focus on the specific addressable segments relevant to their organization (cloud HSM services vs. on-prem appliances vs. payment-specific HSMs). Where Marvell cites ABI Research, other firms such as Grand View, MarketsandMarkets, and Mordor publish alternative forecasts that materially differ. Treat market-growth claims as directional rather than definitive. (marvell.com, grandviewresearch.com, marketsandmarkets.com)

Practical takeaways for IT leaders and security architects​

  • Validate compliance scope: Confirm FIPS 140-3 Level 3 coverage at the firmware and device level for the specific Azure Cloud HSM SKU and the region where the cluster will be deployed. Azure documentation and vendor certification statements should be matched to procurement requirements. (learn.microsoft.com, marvell.com)
  • Benchmark with representative workloads: Request performance data and, where possible, run pilot workloads to validate Marvell LiquidSecurity performance for the cryptographic profiles your applications use (AES-GCM throughput, ECC signatures, RSA operations, or KMS-style bulk key-wrapping workloads). Vendor specs are directional; measured results matter. (marvell.com, techpowerup.com)
  • Consider operational controls and SLAs: Confirm how Microsoft will handle availability, backups, key zeroization, and firmware updates for Azure Cloud HSM clusters. Understand the operational interface for administrative control, logging, and audit trails to ensure they meet compliance obligations. (learn.microsoft.com)
  • Factor in supply and lifecycle risks: For production-critical HSM deployments, evaluate supply timelines, certification roadmaps for post-quantum and new algorithm support, and the vendor’s lifecycle and field‑update capabilities. The ability to remotely update HSM firmware and add algorithm support is a material differentiation for long-lived cryptographic deployments. (marvell.com)

Conclusion​

Microsoft’s selection of Marvell’s LiquidSecurity HSMs for Azure Cloud HSM is a meaningful validation of cloud-first HSM architectures optimized for throughput, density, and operational manageability. The move tightens the alliance between a hyperscaler and a vendor that has deliberately repositioned itself into cloud infrastructure silicon and security, and it underscores the broader market pivot from appliance-based HSMs to HSM-as-a-service models.
That said, many of the most important claims driving the narrative — throughput, per-card key capacity, and market-growth projections — are vendor-supplied or cited via market-research partners. They should be interpreted as credible but provisional until independently benchmarked under representative workloads, or until third-party certification artifacts are examined by prospective buyers and auditors. Organizations that depend on HSMs for regulatory compliance, high-value keys, or high-frequency cryptographic operations should combine vendor materials with hands-on testing, SLA negotiation, and careful region/firmware verification before committing critical infrastructure to any single HSM architecture. (marvell.com, learn.microsoft.com)

Source: Investing.com UK Microsoft selects Marvell’s LiquidSecurity HSMs for Azure Cloud HSM By Investing.com
 

Microsoft has selected Marvell’s LiquidSecurity family of hardware security modules (HSMs) to underpin its Azure Cloud HSM offering, a step that expands an existing Marvell–Azure relationship and brings FIPS 140‑3 Level 3‑certified, high‑density PCIe HSMs into Microsoft’s single‑tenant cloud HSM clusters. (marvell.com)

Background

Azure Cloud HSM is Microsoft’s single‑tenant, highly available HSM service that gives customers full administrative control over cryptographic keys while Microsoft manages cluster availability, patching, and lifecycle. The service is validated to FIPS 140‑3 Level 3, which is often a procurement requirement for government, finance, and regulated industries. (learn.microsoft.com) (techcommunity.microsoft.com)
Marvell’s LiquidSecurity lineup — including the second‑generation LiquidSecurity2 (LS2) — is designed as a cloud‑native, PCIe‑attached HSM module powered by Marvell’s OCTEON DPUs. The cards emphasize density and throughput for hyperscale deployments: Marvell’s published figures cite management of up to 100,000 key pairs per card and aggregate cryptographic throughput measured in the hundreds of thousands to over one million operations per second, depending on algorithm and configuration. These performance claims are vendor‑stated and were repeated in contemporaneous industry coverage. (marvell.com)

What changed — the announcement in plain terms​

  • Microsoft has formally selected Marvell LiquidSecurity HSMs to support Azure Cloud HSM clusters, extending Marvell’s existing role in Azure Key Vault and Azure Managed HSM.
  • Azure Cloud HSM clusters remain customer‑owned, single‑tenant HSM clusters managed by Microsoft for availability; the underlying HSM module choice now includes Marvell’s PCIe LiquidSecurity modules. (learn.microsoft.com)
  • The collaboration is framed around performance, density, and certification — Marvell’s cards are positioned to reduce per‑operation power and rack footprint versus traditional 1U/2U HSM appliances while meeting FIPS 140‑3 Level 3 requirements. (marvell.com)

Why this matters: technical and operational takeaways​

Density and throughput optimized for cloud scale​

Marvell built LiquidSecurity as a PCIe card rather than a rack appliance. For hyperscalers, that changes the economics:
  • Higher key density per form factor reduces the number of devices and racks required for a given capacity.
  • Higher aggregate throughput per card can reduce per‑operation latency and allow more concurrent cryptographic workloads inside the same host.
  • DPU acceleration (OCTEON family) offloads crypto processing from host CPUs and supports software partitioning for multi‑tenant isolation.
Those attributes are explicitly part of Marvell’s value proposition and are central to Microsoft’s decision to widen LiquidSecurity’s footprint in Azure. Note: throughput and key‑count figures are vendor‑provided engineering specifications—organizations should benchmark with representative workloads to determine real‑world performance. (marvell.com)

Compliance and procurement implications​

FIPS 140‑3 Level 3 certification is a major compliance milestone for cloud HSMs. Microsoft’s Cloud HSM and Azure Key Vault families moved to FIPS 140‑3 Level 3 validated HSM firmware and offerings across regions, enabling customers in regulated industries to rely on managed cloud HSMs where previously on‑prem hardware might have been required. This expands cloud viability for:
  • Financial institutions
  • Government and sovereign cloud tenants
  • Certificate authorities and regulated signature providers
However, certification scope can be firmware‑, SKU‑, and region‑specific; procurement teams must confirm the exact HSM SKU, firmware version, and region covered by the certification before relying on it for audits. (learn.microsoft.com) (techcommunity.microsoft.com)

Performance vs. latency tradeoffs​

Embedding HSMs as host‑attached PCIe devices reduces network round trips compared with network‑attached appliance HSMs, which benefits latency‑sensitive workloads such as TLS offload, payment gateways, and high‑frequency signing. This model also changes failure and recovery dynamics: Azure Cloud HSM clusters rely on synchronized partitions and automatic migration to maintain availability. Customers should validate cluster topology and failover behavior for their operational needs.

Cross‑checking the record: what independent sources confirm​

  • Marvell’s official newsroom and blog confirm the product claims, FIPS 140‑3 certification, and the explicit Azure selection announcement. The Marvell newsroom page published on August 18, 2025, documents Marvell LiquidSecurity as selected for Azure Cloud HSM and repeats the advertised throughput and density metrics. (marvell.com)
  • Microsoft’s Azure documentation describes Azure Cloud HSM as a FIPS 140‑3 Level 3 validated single‑tenant HSM service and documents cluster behavior and administrative models. This is Microsoft’s authoritative product description. (learn.microsoft.com)
  • Industry reporting (investor/financial press) repeated the core claims and placed the announcement into market context; these outlets corroborate Marvell’s messaging and the Microsoft product position. Treat press repetition as corroboration of the announcement rather than independent technical validation. (investing.com)
Where vendor claims are central to the story (key counts, throughput, partition counts), the public record shows those numbers are Marvell’s published engineering specifications and investor‑facing statements; independent third‑party benchmarking results are not widely published at the time of the announcement and should be requested by buyers for procurement validation.

The strengths of the Marvell + Azure approach​

  • Cloud‑native hardware form factor: PCIe HSMs allow hyperscalers to scale HSM capacity in a more granular, rack‑efficient way than traditional appliances. (marvell.com)
  • Industry‑grade certification: FIPS 140‑3 Level 3 validation reduces a major compliance barrier for regulated workloads that previously required on‑premises HSM appliances. (learn.microsoft.com)
  • Operational simplicity for customers: Azure’s managed cluster model gives customers administrative control over keys while offloading availability and patching to Microsoft—a balance many customers want. (learn.microsoft.com)
  • Economics at scale: Higher throughput per card and higher partition density should lower per‑operation power, space, and cost for cloud providers and, by extension, for end customers.

Potential risks and caveats​

Vendor and supply‑chain concentration​

Relying heavily on a single vendor for a foundational security component creates supply and risk concentration. If Azure’s Cloud HSM fleet becomes heavily weighted toward Marvell LiquidSecurity cards, any broad vulnerability, firmware bug, or supply disruption in Marvell’s ecosystem has larger systemic impact. Procurement teams should evaluate multi‑vendor fallback plans and contractual remedies.

Performance claims require validation​

Marvell’s throughput and key capacity numbers are manufacturer‑stated. Independent benchmarking under representative workloads is necessary to validate latency, concurrency, and algorithm‑specific performance (AES‑GCM, ECC, RSA, PKCS#11 patterns). Organizations should run pilot tests and verify tail‑latency behavior under load.

Multi‑tenant partition isolation and side‑channel risks​

PCIe cards that host many partitions increase the attack surface for side‑channel or resource‑contention vectors. Although Azure Cloud HSM is single‑tenant per cluster, the underlying partitioning mechanics still matter for multi‑tenant cloud services. Customers should validate the isolation guarantees relevant to their threat model and request security architecture documentation from Microsoft.

Firmware and incident response SLAs​

HSM firmware vulnerabilities have outsized operational risk because keys are central to security. Customers should insist on clarity about:
  • Patch windows and rollback procedures
  • Disclosure policies and timelines for vulnerabilities
  • Key zeroization, backup, and recovery processes tied to firmware upgrades
Negotiate these considerations into procurement or subscription agreements where possible.

Cryptographic agility and the quantum transition​

Long‑lived key material and entrenched firmware can complicate a future transition to post‑quantum algorithms. Buyers should evaluate vendor roadmaps for post‑quantum cryptography (PQC) support, field‑upgradeability, and the ability to add new algorithm suites without disruptive hardware swaps. Treat PQC readiness as part of long‑term risk management.

Practical guidance: how IT, security, and procurement teams should act now​

  • Validate compliance scope: Confirm which Azure regions and which Cloud HSM SKUs carry FIPS 140‑3 Level 3 coverage for the specific algorithms and firmware versions your audit requires. (learn.microsoft.com)
  • Run pilot benchmarks: Test representative workloads (TLS offload, certificate signing, TDE, bulk key wrapping) against Azure Cloud HSM instances to measure latency, throughput, tail latency, and cluster failover behavior.
  • Request architectural documentation: Ask Microsoft for details on partitioning, backup/restore, key export policies, and hardware lifecycle management for the Cloud HSM SKU you intend to use.
  • Negotiate operational SLAs: Add clarity on patching windows, vulnerability disclosure, incident escalation, and key‑zeroization procedures. Ensure contractual remedies cover critical production impact.
  • Plan for crypto agility: Inventory algorithms and key lifetimes. Obtain Marvell and Microsoft roadmaps for PQC support and firmware upgradeability so migrations won’t force extended downtime.
  • Evaluate supply and vendor risk: For extremely sensitive or mission‑critical workloads, create contingency plans that include multi‑vendor HSM strategies or hybrid architectures combining on‑premises appliances and cloud HSM clusters.

Market and strategic implications​

For Microsoft​

Moving to an HSM model that uses dense, PCIe‑native HSM cards supports Azure’s strategy to reduce cryptographic latency close to workloads and scale HSM capacity cost‑efficiently across its regions. The addition strengthens Azure’s compliance posture for regulated customers and broadens the scenarios Microsoft can pursue in confidential computing and sovereign cloud offerings. (learn.microsoft.com)

For Marvell​

The Azure selection is a marquee validation for Marvell’s strategic pivot into cloud infrastructure silicon, DPUs, and security modules. It amplifies LiquidSecurity’s market visibility and helps position Marvell as a provider of cloud‑centric security silicon, aiding its data‑center growth narrative. (marvell.com)

For the HSM market​

Hyperscaler adoption of PCIe HSM adapters accelerates the shift from appliance‑centric procurement to HSM‑as‑a‑service. Expect competing vendors and hyperscalers to respond with their own validated modules, alternate form factors, and roadmaps addressing quantum resilience and third‑party benchmarking claims. This competition should improve choice for buyers, but also increase the importance of careful technical due diligence.

Technical deep dive: what the architecture looks like in practice​

Host‑attached PCIe model​

  • The HSM exists as a PCIe card inside a server host, communicating with host software via a driver and exposing cryptographic APIs (PKCS#11, KMIP, or vendor SDK).
  • The card contains secure processors, cryptographic accelerators, and tamper‑resistant elements that keep private keys protected in hardware.

Cluster model and synchronization​

  • Azure Cloud HSM clusters group multiple HSM nodes into a cluster that automatically synchronizes keys and policies across the cluster, supporting high availability and transparent migration in case of node failure. Customers get a dedicated security domain per cluster. (learn.microsoft.com)

Partitioning and tenancy​

  • LiquidSecurity cards advertise partitioning capabilities that enable multiple virtual HSM partitions to be presented to orchestration layers. Microsoft’s Cloud HSM topology then maps customer domains to cluster partitions to preserve isolation and administrative control. Confirm exact partition counts and isolation guarantees with Microsoft for sensitive deployments.

Areas requiring closer scrutiny and verification​

  • Throughput claims (e.g., “more than one million operations per second”) are engineering figures provided by Marvell; ask for vendor‑supplied benchmark methodology and run your own tests. (marvell.com)
  • Certification coverage may be firmware and region specific: confirm the exact firmware build and Azure region scope for FIPS 140‑3 Level 3 validation in your procurement documentation. (techcommunity.microsoft.com)
  • eIDAS and regional trust frameworks: public claims suggest further European trust validations have been pursued, but customers should validate which specific legal or qualified‑signature profiles are covered for their regulatory obligations.

Conclusion​

Microsoft’s selection of Marvell LiquidSecurity HSMs for Azure Cloud HSM is a consequential move that binds hyperscale cloud economics to certified hardware security. The combination aims to deliver higher density, lower latency, and FIPS 140‑3 Level 3 compliance for sensitive workloads that historically resisted migration to managed cloud HSMs. (marvell.com) (learn.microsoft.com)
That said, the choice is not purely technical; it carries procurement and operational considerations. Organizations that depend on HSMs for regulatory compliance, payment processing, certificate authority operations, or national‑scale trust services must validate certification scope, benchmark performance against real workloads, negotiate strong operational SLAs, and plan for long‑term cryptographic agility. Treat vendor specifications as starting points for technical validation rather than as definitive operational guarantees.
For cloud architects and security leaders, the immediate priorities are clear: confirm compliance scope, run representative pilots, and obtain concrete SLAs and incident response commitments from Microsoft. For the market, expect this announcement to accelerate competition in cloud HSM hardware and services, with vendors and hyperscalers racing to demonstrate both performance and demonstrable independent validation in the months ahead. (investing.com)

Source: AInvest Marvell LiquidSecurity HSMs Selected by Microsoft Azure for Enhanced Cloud Security.
 

Microsoft has selected Marvell’s LiquidSecurity family of hardware security modules (HSMs) to power Azure Cloud HSM, extending an existing Marvell–Azure relationship and bringing PCIe‑attached, FIPS 140‑3 Level 3‑validated HSM technology into Microsoft’s single‑tenant cloud HSM clusters for regulated and high‑assurance workloads. (marvell.com)

Background

Azure Cloud HSM is Microsoft’s customer‑owned, highly available, single‑tenant HSM service that gives tenants full administrative control of cryptographic keys while Microsoft manages cluster availability, patching, and lifecycle operations. The service is validated to FIPS 140‑3 Level 3, which is often a procurement requirement for government, financial, and other regulated customers. Azure documents its cluster model as redundant, synchronized HSM nodes grouped to provide automatic migration and high availability. (learn.microsoft.com)
Marvell’s LiquidSecurity line is a cloud‑focused departure from the traditional 1U/2U appliance approach: delivered as dense, PCIe‑form‑factor cards and powered by optimized OCTEON DPUs, LiquidSecurity emphasizes high key density, high cryptographic throughput, and power and rack efficiency for hyperscale cloud deployments. Marvell’s announcement states a single LiquidSecurity2 card can manage 100,000 pairs of encryption keys and process more than one million operations per second (algorithm dependent). These metrics are presented as engineering targets for hyperscale usage. (marvell.com)

What Microsoft and Marvell announced​

  • Marvell LiquidSecurity HSMs will be a supported hardware platform for Microsoft Azure Cloud HSM, expanding Marvell’s existing role in Azure Key Vault and Azure Key Vault Managed HSM. (marvell.com)
  • The collaboration is positioned as a modernization of the HSM market toward cloud‑native, PCIe‑attached modules aimed at reducing rack footprint, power draw, and operational overhead for cloud HSM services. (marvell.com)
  • Marvell cites ABI Research and frames the HSM‑as‑a‑service segment as a growth area, pointing to a projected compound annual growth rate (CAGR) figure used in vendor materials (reported by Marvell as ~8.5% per year through 2029). That market figure is vendor‑referenced and is one of several published estimates from research firms. (marvell.com, lucintel.com)

Why this matters: the technical and operational case​

Density and throughput at cloud scale​

Marvell designed LiquidSecurity to trade the larger footprint of classic HSM appliances for a PCIe‑card model that pushes compute and crypto acceleration into the server chassis. For cloud operators, that delivers:
  • Increased key density per rack unit, lowering the number of physical devices required.
  • Higher aggregate throughput per card, which can reduce per‑operation latency and allow more concurrent cryptographic work in the same physical footprint.
  • Lower power consumption per cryptographic operation compared with many appliance models, improving TCO at hyperscale. (marvell.com)
These properties align with Azure’s objectives for Cloud HSM: offer appliance‑class assurance (FIPS 140‑3 Level 3) while maintaining cloud operational advantages such as managed availability and private network access for tenant clusters. (learn.microsoft.com)

Compliance: FIPS 140‑3 Level 3 and regulatory reach​

Both Microsoft and Marvell have emphasized the importance of meeting FIPS 140‑3 Level 3 requirements. Microsoft documented upgrades of HSM firmware across Key Vault and Managed HSM to FIPS 140‑3 Level 3, and Marvell’s LiquidSecurity modules were validated to that standard prior to broader Azure adoption. For regulated customers, FIPS 140‑3 Level 3 provides usable evidence that the underlying cryptographic boundary meets tamper‑response and physical security expectations. That alignment reduces a common barrier for migrating sensitive, compliance‑driven workloads to managed cloud HSM services. (techcommunity.microsoft.com, investor.marvell.com)

Cluster model and tenant control​

Azure Cloud HSM clusters group HSM instances to provide availability and automated migration of partitions. The service preserves customer administrative control of keys while shifting operational responsibility for availability and lifecycle to Microsoft. This hybrid of customer‑controlled keys + managed infrastructure is central to Azure’s pitch for regulated and sovereign cloud use cases. (learn.microsoft.com)

Claims that require close verification​

The most consequential numbers in the announcement — 100,000 key pairs per LS2 card and >1,000,000 operations/sec — are vendor‑stated engineering specifications. They are meaningful if validated under representative workloads, but prospective buyers and architects should treat them as directional until independently benchmarked under their own test harnesses and operational profiles. Multiple industry analyses of the announcement flagged these claims as vendor‑supplied and recommended pilot testing. (marvell.com, nasdaq.com)
Similarly, the HSM‑as‑a‑service market growth figure quoted by Marvell (8.5% CAGR to 2029, per ABI Research in Marvell’s release) is one of several projections from market research firms. Independent market reports publish materially different CAGRs and market sizes depending on scope and definitions; buyers and investors should triangulate across multiple research sources when sizing opportunity. Examples of alternate forecasts show significantly higher growth rates for cloud‑HSM segments in some analyst reports. (marvell.com, futuremarketinsights.com, marketsandmarkets.com)

Security analysis — strengths​

  • Strong certification footprint: FIPS 140‑3 Level 3 validation is an important compliance milestone for cloud HSMs and helps Azure present a managed option for workloads that historically required on‑premises appliances. This reduces a major audit barrier for finance, government, and sovereign cloud scenarios. (techcommunity.microsoft.com, investor.marvell.com)
  • Cloud‑native form factor: PCIe cards with integrated DPUs (OCTEON) enable host‑attached crypto acceleration that reduces network round trips versus external, networked appliance HSMs — a clear latency and throughput advantage for TLS offload, CA operations, code/document signing, and high‑frequency signing workloads. (marvell.com, learn.microsoft.com)
  • Operational simplicity for customers: Azure Cloud HSM’s model of customer‑owned clusters managed by Microsoft keeps administrative key control with the customer while offloading patching, high availability, and lifecycle management to the cloud provider — attractive for teams that want to avoid appliance lifecycle burdens. (learn.microsoft.com)
  • Economics at scale: Higher per‑card throughput and partition density can lower per‑operation power, space, and cost for cloud operators and, by extension, their customers — an important lever in hyperscale economics. (marvell.com)

Security analysis — risks and caveats​

  • Vendor and supply‑chain concentration: Heavy reliance on a single HSM supplier for a major hyperscaler raises systemic risk. A wide fleet footprint of one hardware SKU increases the blast radius of firmware bugs or supply disruptions. Procurement teams should evaluate multi‑vendor fallback and contractual remediation SLAs.
  • Certification scope and firmware specificity: FIPS 140‑3 Level 3 certifications apply to specific combinations of hardware, firmware, and SKUs. Firmware updates can alter the certification posture; customers must confirm the precise firmware/software version and region coverage that apply to their deployed HSM SKU. (techcommunity.microsoft.com)
  • Partitioning and side‑channel concerns: Dense multi‑partition use increases attack surface for contention or side‑channel vectors. Azure’s single‑tenant Cloud HSM model mitigates many of these risks at the cluster level, but customers with stringent threat models should validate partition isolation guarantees and cloud provider mitigations.
  • Performance reality vs. published specs: Vendor throughput figures are valuable directional indicators. Real‑world performance (tail latency, concurrency limits, algorithmic behavior for ECC vs RSA vs AES) must be measured under representative workloads. Independent third‑party benchmarks were not widely available at announcement; buyers should demand vendor benchmarking methodology and run pilots. (marvell.com, nasdaq.com)
  • Long‑term cryptographic agility: HSMs are long‑lived components tied to key lifetimes. Customers should mandate vendor roadmaps for post‑quantum cryptography (PQC) support, field‑upgradeability, and rollback procedures so algorithmic transitions do not force disruptive hardware migrations.

Market context and competitive dynamics​

The selection of LiquidSecurity by Microsoft is both strategic and symbolic: it validates the cloud‑native PCIe HSM model as a viable path to deliver FIPS‑validated HSM‑as‑a‑service at hyperscale. Analysts view the move as accelerating the broader industry transition from appliance‑centric procurement to HSM‑as‑a‑service models. Market growth projections vary widely — some reports show double‑digit CAGRs for cloud HSM/subsegments, while vendor‑cited analyst figures may be more conservative. That variance stems from different definitional boundaries (cloud‑only vs. total HSM market), end‑use segmentation, and forecast periods. Procurement and strategy teams should triangulate estimates and stress‑test assumptions before making long‑term capacity or investment decisions. (marvell.com, futuremarketinsights.com, marketsandmarkets.com)
For Marvell, the Azure win spotlights its pivot into cloud infrastructure silicon and security, reinforcing its position in DPUs and cloud‑optimized security modules. For Microsoft, adding high‑density PCIe HSM cards supports Azure’s roadmaps in confidential computing, government/sovereign cloud offerings, and low‑latency cryptographic services. Expect competitors and other hyperscalers to respond with alternative validated modules, third‑party benchmarking, and roadmaps emphasizing PQC readiness.

Practical checklist for IT, security, and procurement teams​

  • Confirm certification scope: Obtain the exact SKU, firmware version, and region coverage for FIPS 140‑3 Level 3 validation for the Azure Cloud HSM cluster you plan to use. Certifications can be SKU‑ and firmware‑specific. (techcommunity.microsoft.com)
  • Request vendor test methodology: Ask Marvell and Microsoft for the benchmark methodology used to produce per‑card throughput and key capacity numbers. Validate with your own representative workloads (AES‑GCM bulk encryption, ECC signing, RSA operations, KMS key wrapping).
  • Run a production‑like pilot: Execute pilot tests focused on tail latency, concurrency, failover, and key lifecycle workflows to measure real‑world behavior under expected load patterns.
  • Negotiate operational SLAs: Require explicit SLAs for patching windows, vulnerability disclosure timelines, firmware rollback, and emergency zeroization procedures. These are material for cryptographic infrastructure.
  • Validate key custody and export policies: Confirm how backups, exports, and disaster recovery are handled, including whether keys can be exported and under what controls. Align these mechanics with audit and regulatory requirements.
  • Plan for cryptographic agility: Insist on vendor roadmaps for PQC support and field‑upgradeability so key migrations can be scheduled in a controlled way without extended outages.
  • Consider multi‑vendor or hybrid strategies: For extremely sensitive or mission‑critical workloads, include contingency plans that combine on‑prem appliances and cloud‑HSM clusters or multiple HSM vendors to mitigate supplier concentration risk.

Implementation scenarios and guidance​

Good fit​

  • Payment processors, certificate authorities, and high‑frequency signing services that need FIPS 140‑3 Level 3 assurance but benefit from lower latency and managed availability.
  • Confidential computing and sovereign cloud customers who require managed HSM clusters with demonstrable certification and private network access. (learn.microsoft.com, marvell.com)

Cases needing extra caution​

  • Extremely sensitive, long‑lived key material where organizational risk tolerance prohibits reliance on a single vendor’s hardware without a verified fallback.
  • Environments requiring bespoke side‑channel resistance or internal lab certification; such tenants should insist on independent benching and code signing of firmware before large‑scale deployments.

What to watch next​

  • Independent third‑party benchmark publications: Look for vendor‑neutral lab reports that reproduce or refute per‑card throughput and key‑density claims under realistic workloads.
  • Firmware lifecycle disclosures: Monitor how Marvell and Microsoft publish firmware update schedules, re‑certifications, and rollback mechanisms for FIPS 140‑3 coverage. (techcommunity.microsoft.com)
  • PQC roadmaps: Track vendor announcements about field‑upgradable PQC algorithm support and how those upgrades will be validated within FIPS/region frameworks.

Conclusion​

Microsoft’s decision to adopt Marvell LiquidSecurity HSMs for Azure Cloud HSM is a consequential vote of confidence in cloud‑native, PCIe‑attached HSM architectures: it marries appliance‑class certification (FIPS 140‑3 Level 3) with host‑attached performance economics and managed cloud convenience. For enterprises, the move opens a feasible path to migrate many regulated HSM workflows to a managed cloud model while preserving administrative key control and compliance posture. However, the technical claims that drive the narrative — especially per‑card key counts and operations‑per‑second figures — are vendor‑stated engineering targets and must be validated by buyers through pilot testing and contractual assurances. Procurement and security teams should verify certification scope, demand benchmark transparency, negotiate robust SLAs, and plan for crypto agility and vendor contingency to ensure a secure, scalable migration to cloud‑based HSMs. (marvell.com, learn.microsoft.com)

Source: AInvest Marvell LiquidSecurity HSMs Power Microsoft Azure Cloud HSM Service
 

Microsoft has expanded a major backend partnership with Marvell: the Marvell LiquidSecurity family of hardware security modules (HSMs) will now power Microsoft Azure Cloud HSM in addition to their existing role behind Azure Key Vault and Azure Key Vault Managed HSM. The move extends Marvell’s cloud-optimized, PCIe-based HSM architecture into Microsoft’s single-tenant, FIPS 140-3 Level 3 validated Cloud HSM offering and marks another step in the industry shift from bulky 1U/2U appliances to dense, card-based HSM-as-a-service at hyperscale.

Background / Overview

Hardware security modules (HSMs) are the cryptographic anchors that protect keys used for encryption, digital signing, PKI, payment systems and high-assurance authentication. Historically they arrived as standalone 1U or 2U appliances managed by organizations in their own datacenters. Over the last decade cloud providers and HSM vendors have pursued an alternative model: host HSM functionality inside cloud infrastructure and expose it as a service — HSM-as-a-service — so customers get hardware-protected keys with the simplicity of a subscription model.
Marvell’s LiquidSecurity product line is one of the most visible examples of that evolution. First introduced as a cloud-optimized, PCIe HSM adapter, LiquidSecurity was later updated with the LiquidSecurity 2 (LS2) generation that emphasizes higher density, performance and cryptographic agility. LS2 and related LiquidSecurity modules have been positioned explicitly for hyperscale providers and multi-tenant cloud HSM deployments.
Microsoft and Marvell have been collaborating for years. Microsoft previously integrated Marvell LiquidSecurity modules into Azure Key Vault and Azure Key Vault Managed HSM; the latest announcement (August 18, 2025) confirms the LiquidSecurity family will also be used to support Azure Cloud HSM, Microsoft’s single-tenant, administratively controlled HSM cluster offering. The LS2 family is FIPS 140-3 Level 3 validated as a cryptographic module (certificate entry and validation activity dates show an initial validation in June 2024 and subsequent updates), which is key for customers in regulated sectors such as finance, healthcare and government.

What Microsoft’s choice actually means​

Azure Cloud HSM — the product context​

Azure Cloud HSM is Microsoft’s single-tenant HSM-as-a-service product that provides customers with a dedicated HSM cluster they control. The service emphasizes:
  • Customer administrative control of HSMs while the platform handles high availability, synchronization and patching.
  • Single-tenant security domains: clusters are cryptographically isolated and dedicated to the individual customer.
  • FIPS 140-3 Level 3 validation: a requirement for many regulated workloads.
  • IaaS-focused integration: designed for migrations from on-prem HSMs and workloads requiring PKCS#11, OpenSSL, JCE/JCA and similar interfaces.
By selecting Marvell LiquidSecurity for Azure Cloud HSM, Microsoft is standardizing an internal HSM platform across multiple offerings (Key Vault, Managed HSM, Cloud HSM), enabling a common hardware and firmware baseline for HSM-backed services.

Marvell LiquidSecurity — the technical baseline​

Marvell’s LiquidSecurity family is distinct from traditional HSM appliances in three ways:
  • Form factor: LiquidSecurity modules are PCIe cards (HHHL/adapter form factors) optimized for integration into standard server hosts rather than rack appliances.
  • Processor architecture: the cards are powered by Marvell’s OCTEON data processing units (DPU), designed and tuned for cryptographic acceleration and offload at cloud scale.
  • Density and efficiency: Marvell advertises LS2 class modules that support very high key counts and high transaction throughput while consuming modest power budgets compared to appliance-class HSMs.
Key vendor claims for the LS2 generation include:
  • Support for up to one million keys (or variants described as up to 100,000 key pairs in some statements) within the FIPS boundary depending on configuration.
  • High cryptographic throughput targets — algorithm-dependent performance ranging from tens of thousands of RSA/ECC operations per second to over a million symmetric (GCM) operations per second for AES-GCM-style workloads.
  • Low power draw for the performance delivered (vendor materials indicate operational power often in the mid‑tens of watts).
Important note on metrics: vendor marketing and technical briefs use multiple, sometimes non-identical, metrics (e.g., “100,000 ECC ops/sec” vs “1,000,000 GCM ops/sec” vs “1M keys”). These are not interchangeable and describe different workloads (asymmetric ECC vs symmetric AES-GCM vs raw key storage). When deciding on a platform, match the vendor’s measured operation (algorithm, key size and test conditions) to your real-world workload rather than taking headline numbers at face value.

Verification of the key technical and compliance claims​

  • The LS2 family has undergone formal FIPS 140-3 Level 3 validation as a cryptographic module. That validation is publicly recorded with an active certificate entry; the initial validation activity is dated June 2024 with subsequent updates in 2025 for the LS2 firmware/variants. FIPS 140-3 Level 3 implies a tamper-evident and tamper-responsive boundary and specific physical and logical protections appropriate for high-assurance use.
  • Marvell’s product briefs and vendor announcements consistently describe OCTEON DPU-based LS2 adapters capable of high key counts and very high per‑algorithm throughput. Independent technical press coverage that evaluated Marvell’s LS2 claims reported algorithm-specific performance numbers consistent with the vendor’s published figures (for example, measured ECC and GCM operation rates and RSA throughput metrics).
  • Microsoft documentation and managed HSM/Key Vault materials list Marvell LiquidSecurity as an HSM vendor supported in Azure Key Vault and Managed HSM flows, and Azure Cloud HSM documentation emphasizes the FIPS 140-3 Level 3 validated single-tenant model that these modules enable.
Where vendor claims extend beyond verifiable facts (for example: “six of the ten largest cloud service providers use LiquidSecurity”), that is a competitive/market statement that is not easily independently verifiable from public filings and should be treated as a vendor claim.

Why this matters: benefits and practical impact​

For enterprises and regulated customers​

  • Direct path to FIPS 140-3 Level 3: customers subject to FIPS-driven compliance regimes can now consume an Azure Cloud HSM service with a validated hardware boundary and administrative control.
  • Single-tenant administrative model: the Cloud HSM cluster model preserves the operational controls organizations require (exclusive admin access, direct network attachments) without the overhead of managing physical appliances and HA clusters on-prem.
  • Higher density and lower TCO: PCIe card-based HSM adapters promise a smaller footprint, lower power draw and lower per-key and per-op cost compared to 1U/2U appliance models — which matters at hyperscale and for workloads with millions of operations/month.
  • Cryptographic agility: vendor roadmaps emphasize in-field updates for new algorithms, including anticipated support for post-quantum primitives — a forward-looking capability for customers planning multi-year cryptographic lifecycles.

For cloud providers and service architects​

  • Consolidated HSM platform across multiple Azure key management services reduces operational complexity and helps Microsoft provide consistent SLAs and security baselines.
  • Performance headroom: the LS2 architecture claims high per-card throughput and partitions designed for strong multi-tenancy, which reduces the number of physical devices needed to service large tenant bases.

Risks, limitations and unanswered questions​

No vendor or cloud-backed security platform is risk-free. The Marvell–Azure arrangement addresses many needs, but it also raises several technical, operational, and governance concerns organizations must weigh.

1. Metrics and workload fit​

  • Headline numbers reporting thousands or millions of operations per second are algorithm specific. Symmetric AES-GCM operations are inherently far faster than RSA or ECC signatures. Organizations must benchmark realistic mixes (TLS handshakes, code signing, payment signatures) rather than rely on single-algorithm peak figures.

2. Attestation and customer visibility​

  • For many customers — especially those requiring sovereign attestations — the ability to cryptographically attest hardware identity, firmware version and key-hosting provenance directly from the HSM to the customer is crucial. Not all managed HSM services currently provide an on-demand hardware attestation flow that satisfies the strictest auditors. Evaluate whether the service provides attestation, and whether the attestation covers the firmware and module versions you require.

3. Firmware update model and supply-chain trust​

  • LS2 devices are designed to be field-updatable (a helpful capability for algorithm agility), but field updates introduce risk: firmware patch processes must include cryptographic signing, secure delivery channels, reproducible build provenance and transparent audit trails. Organizations should investigate Microsoft’s and Marvell’s firmware change control, rollback behaviors and update attestations.

4. Multi-tenancy and isolation​

  • The LS2 partition model supports multiple logical partitions per physical adapter and is designed to cryptographically isolate tenants. However, high-assurance isolation requires robust boundary enforcement and resistance to microarchitectural attacks. Customers with ultra-high security needs will want to validate partition isolation guarantees and understand recovery/backup semantics for cross-partition incidents.

5. Vendor concentration and lock-in​

  • Standardizing on a single HSM hardware family across multiple cloud services simplifies operations — but it also concentrates risk. If a hardware or firmware vulnerability emerges, broad classes of services and customers could be impacted simultaneously. Mitigation includes strong vendor SLAs, multi-provider or multi‑module strategies, and contractual security commitments.

6. Geopolitical and procurement considerations​

  • Depending on regulatory or government procurement requirements, the physical origin of the components, warranty/support geographies and supply‑chain visibility may matter. Customers with stringent data‑sovereignty or national-security requirements should validate regional availability and local qualification rules.

Competition and market dynamics​

The HSM market is evolving rapidly. Key incumbent and competing options include:
  • Traditional appliance vendors (Thales Luna, Utimaco, nCipher) with mature appliance SKUs and long-standing FIPS certifications.
  • Cloud-native HSM-as-a-service alternatives (Thales HSM service, Fortanix HSM offerings, vendor-oblivious approaches with trusted execution technologies).
  • Emerging silicon and DPU-accelerated HSMs that emphasize density and cloud integration.
Analyst market projections for HSMs and HSM-as-a-service vary across firms and report vintages: some research houses cite double-digit CAGR forecasts for the market over the coming 3–5 years while others show more moderate growth depending on adoption rates and macroeconomic headwinds. Vendor and analyst estimates differ; treat projections as directional rather than absolute.

Practical guide: when to choose Azure Cloud HSM with Marvell LiquidSecurity​

Azure offers a portfolio of key management options — from Key Vault (multi-tenant) to Managed HSM (single-tenant logical HSM in a managed service) to Dedicated HSM (predecessor physical appliance model) and Azure Cloud HSM (single-tenant cluster). Use the following decision guidance:
  • If you need platform-integrated key management for PaaS and SaaS services, start with Azure Key Vault or Managed HSM.
  • If you require exclusive administrative control, FIPS 140-3 Level 3 validation and a single-tenant cluster, Azure Cloud HSM is the right fit.
  • If you need hardware-level multi-region appliances under your exclusive physical control (and have the staff to manage them), evaluate dedicated on-prem appliances or Azure Dedicated HSM depending on procurement and scale constraints.
  • For payment workloads, verify PCI/PED/PTS compliance requirements and whether the selected HSM variant provides the necessary payment‑grade attestations and certifications.
  • For post-quantum readiness, look for explicit vendor roadmaps showing validated PQC primitives or at least a clear forward‑update path with cryptographically authenticated firmware.

Migration and operational checklist​

  • Inventory: catalog all keys, algorithms, and workloads that will depend on HSM services.
  • Compliance mapping: confirm your regulatory requirements (FIPS level, eIDAS, PCI, government sovereign restrictions).
  • Performance validation: simulate production transaction mixes against the target HSM service to validate latency, throughput and concurrency.
  • Attestation and auditing: request attestation capabilities, firmware version disclosures and audit log access contracts.
  • Backup and recovery: verify secure backup, restore mechanics for HSM clusters and cross-region disaster recovery options.
  • Change management: confirm firmware update processes, notification windows and rollback/mitigation procedures.
  • Dual-sourcing plan: if feasible, create a fallback using a second vendor or on-prem alternative for critical keys to minimize single‑point-of-failure risk.

Strategic implications for the cloud HSM market​

  • The selection validates the card-based, DPU-accelerated HSM approach as production ready for the largest cloud provider workloads.
  • Consolidation toward a smaller set of cloud-optimized HSM platforms can accelerate service feature parity across public cloud HSM products — but it also centralizes potential systemic risk.
  • The interplay of performance, density, FIPS/standards compliance and operational transparency will determine which HSM models succeed beyond pure vendor marketing.

Strengths and notable positives​

  • Industry-standard compliance: FIPS 140-3 Level 3 validation of the LS2 family removes an important barrier for government and regulated workloads.
  • Cloud-first architecture: the PCIe card form factor and DPU offload align well with cloud operator economics — higher density, lower energy per op, simpler datacenter integration.
  • Scale and performance: vendor and independent reports show LS2 can deliver high asymmetric and symmetric throughput at low power — beneficial for TLS frontends, large-scale signing, and payment switch workloads.
  • Operational simplicity: customers gain single-tenant, admin-controlled clusters without the capital and operational burden of running physical HA appliance fleets.

Cautions and open items​

  • Verify measured performance against your workload; asymmetric and symmetric operations behave differently and headline numbers can be misleading.
  • Confirm attestation and audit needs; not all managed HSM services provide the same level of hardware attestation customers sometimes require.
  • Watch firmware and supply-chain controls; field-updatable modules are necessary for future-proofing but must be managed tightly.
  • Understand the migration path; moving keys into a cloud HSM is operationally significant and often triggers audits and validation activities.

Conclusion​

Microsoft’s decision to extend Marvell LiquidSecurity into Azure Cloud HSM represents a meaningful endorsement of the cloud‑optimized, DPU-accelerated HSM model. For organizations that must balance regulatory compliance, high performance and cloud operational simplicity, the combination of Azure Cloud HSM’s single-tenant model and Marvell’s FIPS 140-3 validated LiquidSecurity platform offers a compelling option.
At the same time, enterprises should approach procurement and migration pragmatically: validate algorithm‑level performance for your actual workloads, demand strong attestation and firmware/change control guarantees, and plan for fallback strategies to limit concentration risk. The move also sharpens the broader market dynamics: cloud service providers will increasingly prefer dense, energy‑efficient HSM hardware that scales with tenant demand — but the industry must maintain rigorous transparency and verification to preserve trust in the cryptographic foundations that underpin modern digital commerce.

Source: TechPowerUp Marvell LiquidSecurity Selected for Microsoft Azure Cloud HSM
 

Microsoft’s Azure Cloud HSM service will now run on Marvell’s LiquidSecurity family of hardware security modules (HSMs), a move that extends Marvell’s existing footprint across Azure Key Vault and Managed HSM and brings PCIe‑attached, FIPS‑validated, cloud‑optimized HSM hardware into Microsoft’s single‑tenant HSM clusters. (marvell.com)

Background / Overview

Azure Cloud HSM is Microsoft’s customer‑owned, single‑tenant HSM-as-a-service offering that provides tenants administrative control of cryptographic keys while Microsoft manages cluster availability, patching and lifecycle operations. The service is represented as validated to FIPS 140‑3 Level 3, making it suitable for many finance, government and regulated workloads that require a hardware cryptographic boundary. Microsoft’s product documentation describes the cluster model, automatic synchronization and migration between nodes, and private network access from a customer’s virtual network. (learn.microsoft.com)
Marvell’s LiquidSecurity platform is a deliberately different approach to HSMs: rather than shipping as 1U/2U rack appliances, LiquidSecurity is delivered as PCIe host‑attached modules built around Marvell’s OCTEON Data Processing Units (DPUs). Marvell’s August 18, 2025 announcement confirms Microsoft has selected LiquidSecurity modules to power Azure Cloud HSM — expanding on earlier integrations with Azure Key Vault and Azure Managed HSM. The vendor claims per‑card density and throughput figures for the LiquidSecurity2 (LS2) module that are engineered for hyperscale cloud economics. (marvell.com, investor.marvell.com)

Why this matters now​

  • Compliance gate opened for cloud migration. FIPS 140‑3 Level 3 is a procurement check for many regulated workloads; having a validated HSM platform inside Azure’s managed single‑tenant clusters lowers a major barrier to migrating PKI, payment, CA and signature workloads to the cloud. (learn.microsoft.com)
  • Hyperscale economics for HSM-as-a-service. PCIe host‑attached HSM cards aim to reduce rack footprint, power and per‑operation cost relative to legacy 1U/2U appliances — attractive for cloud operators that must service large volumes of transactions. (marvell.com)
  • Operational model that balances control and convenience. Azure Cloud HSM preserves customer administrative control over keys while Microsoft assumes operational duties like high availability and patching — a compromise many enterprises prefer to either fully self‑manage appliances or fully trust multitenant HSM services. (learn.microsoft.com)

Technical deep dive​

LiquidSecurity architecture (what’s different)​

Marvell’s LiquidSecurity line (LS1 and LS2) is built as a PCIe adapter with integrated DPU and cryptographic accelerators. The architecture emphasizes:
  • Host‑attached cryptographic execution with a reduced network round trip compared with external networked appliances.
  • Hardware partitioning to expose multiple logical HSM partitions per card for multi‑tenant use.
  • Offload of crypto work to dedicated silicon (OCTEON DPUs) to reduce CPU contention and lower latency for high‑frequency operations.
These architectural choices are explicitly aimed at the hyperscale HSM use case: dense key storage, high aggregate operations/sec and low per‑operation energy/rack cost. (marvell.com, techpowerup.com)

Published specifications and verification notes​

Marvell’s public materials state the following for the LiquidSecurity2 (LS2):
  • Manage up to 100,000 pairs of encryption keys per card (vendor statement).
  • Process more than one million cryptographic operations per second (aggregate, algorithm‑dependent, vendor statement).
  • Support for multiple partitions (Marvell previously published 45 partitions as a design target).
  • FIPS 140‑3 Level 3 validation for LS1/LS2 hardware boundaries (announced in mid‑2024), and Microsoft’s firmware updates for Key Vault/Managed HSM to FIPS 140‑3 Level 3. (marvell.com, investor.marvell.com, techpowerup.com)
Important verification caveat: these throughput and key‑density figures are vendor‑stated engineering specifications that have been repeated in press coverage. They should be treated as directional until buyers obtain vendor test methodology or run representative benchmarks on their specific workloads and algorithm mixes. Independent third‑party benchmark reports reproducing Marvell’s exact numbers are not widely available at the time of the announcement — procurement teams should insist on transparent benchmarking or run pilot tests.

FIPS 140‑3 Level 3: what that actually changes​

FIPS 140‑3 Level 3 requires tamper‑evidence/tamper‑response protections, robust role separation, and physical security features not mandated at lower levels. For cloud HSMs, Level 3 validation means:
  • The module implements tamper mechanisms and responds to physical attacks.
  • Cryptographic keys are protected inside a validated hardware boundary.
  • The certification applies to a particular module/firmware combination, and scope matters — the certification must be confirmed for the exact Azure Cloud HSM SKU, firmware build and region you plan to use. Microsoft’s documentation and community posts confirm that Azure Cloud HSM is represented as FIPS 140‑3 Level 3 validated. (learn.microsoft.com, investor.marvell.com)

Operational implications for Azure customers​

Latency, throughput and workload fit​

Host‑attached HSM cards reduce the network hop between workload and cryptographic hardware. That improves latency for workloads such as TLS termination, certificate authority signing, code signing pipelines, and high‑frequency transaction signing (payment gateways, device attestation). However, the real benefit depends on workload characteristics:
  • If your workloads are latency‑sensitive and perform many small signature operations, the PCIe model can yield measurable gains.
  • If your workload uses bulk symmetric encryption or low‑rate key usage, the economic benefits may be less stark.
Measure using representative end‑to‑end tests and request vendor‑provided test rigs or methodology before large migrations.

Administrative control, logging, backups​

Azure Cloud HSM offers a single‑tenant security domain per cluster and automatic synchronization/partition migration across cluster nodes for high availability. Customers retain administrative key control, but they must verify:
  • Backup/restore semantics — who controls backups, encryption of backups, and restore processes.
  • Key export policies — confirm whether keys are exportable and under what conditions.
  • Audit and logging access — ensure logs meet regulatory audit trail requirements.
Negotiate these details in procurement and validate them in pilot tests. (learn.microsoft.com)

Patch management and firmware updates​

Firmware and cryptographic algorithm support (including future post‑quantum updates) are critical. Customers should require:
  • Clear firmware update procedures and SLAs that preserve key continuity.
  • Roadmaps for algorithm additions and PQC migration support.
  • A vulnerability disclosure and remediation timeline.
Because FIPS certification is firmware‑ and SKU‑specific, confirm the certified firmware version and the process for updating firmware without breaking compliance.

Market and strategic analysis​

What Microsoft gains​

  • Higher density for HSM capacity inside Azure regions, allowing Microsoft to scale Cloud HSM offerings with lower physical footprint and energy costs.
  • Better platform parity for regulated, sovereign and government customers that require FIPS 140‑3 Level 3 hardware.
  • A hardware architecture optimized to accelerate confidential computing and other cloud security primitives.

What Marvell gains​

  • A marquee hyperscaler endorsement that validates LiquidSecurity’s cloud‑native HSM strategy and supports Marvell’s positioning as a provider of security silicon and DPUs for hyperscale clouds.
  • Market momentum in a growing HSM-as-a-service segment — Marvell cites ABI Research projections and has been working with major cloud providers for several years. (marvell.com, investor.marvell.com)

Competitive and market dynamics​

Hyperscaler adoption of PCIe‑based HSM adapters accelerates the market shift from appliance purchases to HSM-as-a-service. Expect:
  • Competing vendors to pursue similar validated modules and to publish independent benchmark results.
  • Greater emphasis on cryptographic agility and roadmaps for post‑quantum migration.
  • Procurement teams to demand multi‑vendor options or contractual fallback to mitigate concentration risk.
Analyst commentary positions the move as both a validation of cloud‑optimized HSM form factors and a sign of the category’s maturation; however, market growth figures (e.g., Marvell’s quoted 8.5% CAGR through 2029) vary among research houses and should be triangulated. (marvell.com)

Strengths — what’s compelling about the Marvell + Azure pairing​

  • FIPS 140‑3 Level 3 alignment removes one of the main audit and procurement barriers for migrating high‑assurance workloads into a managed cloud HSM service. (learn.microsoft.com)
  • Hyperscale efficiency: PCIe cards with DPU offload promise much higher density and lower power/rack cost at scale, which translates to lower OPEX for cloud providers and potentially lower costs for customers. (marvell.com)
  • Operational convenience: Customers get administrative control of their HSM clusters without having to run appliance fleets and handle hardware lifecycle tasks. (learn.microsoft.com)

Risks and caveats — what to watch for​

  • Vendor and supply‑chain concentration. Relying heavily on a single HSM vendor for a hyperscale cloud provider creates systemic risk; a widespread firmware vulnerability or supply disruption in a single vendor’s modules would have outsized impacts. Procurement should evaluate multi‑vendor fallback options and contractual protections.
  • Vendor‑stated performance claims need independent validation. Key counts and ops/sec numbers are engineering claims from Marvell and have been repeated in press. Independent third‑party benchmarking under representative workloads is essential before sizing capacity for production SLAs.
  • Certification scope and firmware specificity. FIPS 140‑3 Level 3 applies to particular module/firmware combinations and sometimes to specified physical SKUs. Customers must confirm the exact certified configuration for their region and expected firmware build. (investor.marvell.com)
  • Crypto agility and PQC readiness. HSMs are long‑lived infrastructure. Ensure vendor roadmaps include post‑quantum algorithm support, in‑field firmware upgradeability and a clear migration path that preserves key security during transitions.
  • Operational SLAs and incident response. The managed model increases dependence on cloud provider processes for patching and incident handling. Negotiate defined SLAs for patch windows, disclosure timelines and key‑zeroization procedures.

Practical procurement checklist (for security architects and IT buyers)​

  • Confirm certification scope
      • Get the exact HSM SKU and firmware version that are FIPS 140‑3 Level 3 validated for the Azure Cloud HSM offering and the region you plan to use.
  • Verify performance for your workload
      • Request vendor test methodology, request or run pilot benchmarks (AES GCM throughput, ECC/RSA signature rates, KMIP/PKCS#11 behavior) using representative traffic.
  • Validate operational controls
      • Confirm backup/restore, key‑export rules, audit log access, and cluster failover behavior.
  • Negotiate SLAs and incident commitments
      • Include patching windows, vulnerability disclosure timelines, and remediation SLAs tied to critical production impact.
  • Assess cryptographic agility
      • Demand a roadmap for PQC support and field firmware updateability; test the update process in non‑production before production rollout.
  • Plan for vendor risk
      • Build contingency plans: multi‑vendor or hybrid architectures, defined timelines for migration, and contractual remedies for supply or security incidents.

How to evaluate Marvell’s claims — a short testing playbook​

  • Define representative workloads: TLS offload, CA signing bursts, bulk key‑wrapping, and any proprietary signature patterns your environment uses.
  • Measure these workloads end‑to‑end in Azure Cloud HSM public preview or pilot environment:
      • Latency percentiles (p50, p95, p99) for signing/verification.
      • Throughput for parallel signing operations.
      • CPU utilization on host versus operations/sec on the HSM card.
  • If possible, obtain vendor‑run test harness specs and reproduce results in your environment; document differences.
  • Require runnable, auditable test artifacts from the vendor showing how they measured “1M ops/sec” and “100k key pairs” to establish comparable baselines.

What this means for the broader HSM market​

The Marvell–Microsoft move strengthens the narrative that HSMs are transitioning from appliance purchases to a cloud‑native, subscription service model. Hyperscalers benefit from denser form factors and improved per‑operation economics, while enterprises gain managed paths to hardware‑backed cryptography in the public cloud. That said, this is just one step in a market-wide evolution: competing hardware modules, independent lab benchmarks, and clear PQC roadmaps will be decisive differentiators over the next 18–36 months. Expect more vendor announcements, certification milestones and published third‑party benchmarks as providers compete for regulated workloads. (marvell.com, techpowerup.com)

Final analysis and recommendation​

Microsoft’s selection of Marvell LiquidSecurity HSMs for Azure Cloud HSM is an important validation of the cloud‑native, PCIe‑attached HSM model. It delivers a credible path for regulated, latency‑sensitive and high‑throughput cryptographic workloads to move to a managed cloud model while retaining administrative control. The combination of FIPS 140‑3 Level 3 validation, host‑attached performance economics and Azure’s cluster model is powerful for customers that need both assurance and scale. (marvell.com, learn.microsoft.com)
At the same time, the story is not purely settled on technical facts: the most load‑bearing performance and capacity numbers are vendor‑stated and require validation in representative conditions. Organizations with high‑value keys or strict compliance regimes should treat Marvell’s published figures as starting points, insist on transparent testing, confirm certification scope and firmware versions for their region, and negotiate operational SLAs that cover patching, disclosure and key continuity.
For IT leaders and security architects planning to adopt Azure Cloud HSM with LiquidSecurity modules, recommended immediate actions are clear:
  • Validate the exact FIPS certification scope for the SKU/firmware in your region. (investor.marvell.com)
  • Run a pilot with representative workloads to confirm latency and throughput claims.
  • Negotiate SLAs and verify firmware‑update procedures and PQC roadmaps.
This announcement signals a maturation of HSM-as-a-service: the platform and compliance pieces are converging, but pragmatic operational validation will determine how quickly and how broadly organizations migrate mission‑critical cryptographic workloads to the cloud.


Source: TechPowerUp Marvell LiquidSecurity Selected for Microsoft Azure Cloud HSM
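
The testing playbook above (latency percentiles, parallel throughput) and the earlier caution that per-algorithm headline figures are not interchangeable can both be exercised with a small harness. This is an added example, not code from the thread, Marvell or Microsoft: the two operations are standard-library stand-ins for HSM calls (replace them with your PKCS#11 or OpenSSL client call in a pilot), and the blended-rate formula assumes the operations time-share one engine.

```python
import hashlib
import hmac
import os
import time
from concurrent.futures import ThreadPoolExecutor


def _constructed_int(label: bytes, nbytes: int) -> int:
    """Deterministic odd integer with the top bit set (constructed, not a real key)."""
    stream = b"".join(hashlib.sha256(label + bytes([i])).digest()
                      for i in range(nbytes // 32))
    return int.from_bytes(stream, "big") | (1 << (nbytes * 8 - 1)) | 1


# Constructed 2048-bit values: they reproduce the cost of an RSA private-key
# operation, not its security. Assumption: swap these stand-ins for real HSM calls.
_MODULUS = _constructed_int(b"modulus", 256)
_EXPONENT = _constructed_int(b"exponent", 256)
_MAC_KEY = hashlib.sha256(b"constructed mac key").digest()


def asymmetric_standin(msg: bytes) -> bytes:
    """2048-bit modular exponentiation, the expensive step of an RSA signature."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return pow(digest, _EXPONENT, _MODULUS).to_bytes(256, "big")


def symmetric_standin(msg: bytes) -> bytes:
    """HMAC-SHA256, standing in for a cheap symmetric operation."""
    return hmac.new(_MAC_KEY, msg, hashlib.sha256).digest()


def percentile(sorted_samples, pct: int):
    """Nearest-rank percentile of an already sorted, non-empty list."""
    if not sorted_samples:
        raise ValueError("no samples")
    rank = max(1, (pct * len(sorted_samples) + 99) // 100)
    return sorted_samples[rank - 1]


def measure(op, payloads, workers: int = 1) -> dict:
    """Run op over payloads; report latency percentiles and wall-clock rate.

    workers models concurrent client sessions against the HSM.
    """
    def timed(payload):
        start = time.perf_counter()
        op(payload)
        return time.perf_counter() - start

    wall_start = time.perf_counter()
    with ThreadPoolExecutor(max_workers=workers) as pool:
        latencies = sorted(pool.map(timed, payloads))
    wall = time.perf_counter() - wall_start
    return {
        "count": len(latencies),
        "p50_ms": percentile(latencies, 50) * 1e3,
        "p95_ms": percentile(latencies, 95) * 1e3,
        "p99_ms": percentile(latencies, 99) * 1e3,
        "ops_per_sec": len(latencies) / wall,
    }


def blended_ops_per_sec(rates: dict, mix: dict) -> float:
    """Sustained rate of a mixed workload from per-operation rates.

    Assumption: operations time-share one engine, so the result is the
    weighted harmonic mean of the single-algorithm rates.
    """
    if set(rates) != set(mix):
        raise ValueError("rates and mix must name the same operations")
    if abs(sum(mix.values()) - 1.0) > 1e-9:
        raise ValueError("mix fractions must sum to 1")
    if any(rate <= 0 for rate in rates.values()):
        raise ValueError("rates must be positive")
    return 1.0 / sum(share / rates[name] for name, share in mix.items())


if __name__ == "__main__":
    payloads = [os.urandom(64) for _ in range(200)]  # constructed sample input
    results = {
        "asymmetric": measure(asymmetric_standin, payloads[:50], workers=4),
        "symmetric": measure(symmetric_standin, payloads, workers=4),
    }
    for name, stats in results.items():
        print(name, {key: round(value, 3) for key, value in stats.items()})
    mix = {"asymmetric": 0.1, "symmetric": 0.9}  # constructed workload mix
    rates = {name: stats["ops_per_sec"] for name, stats in results.items()}
    print("blended ops/sec:", round(blended_ops_per_sec(rates, mix)))
```

Fed the two headline figures quoted earlier in the thread (100,000 ECC ops/sec and 1,000,000 GCM ops/sec) with an even split, `blended_ops_per_sec` returns roughly 182,000 ops/sec under the time-sharing assumption, which is why a single peak number cannot size a mixed workload.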
 
