Microsoft’s cloud security footprint in Europe just broadened in a way that matters for regulated industries: Azure will now offer expanded key‑management and HSM-backed services powered by Marvell’s LiquidSecurity adapters after those modules cleared European certifications, a move that promises faster, denser cryptographic operations inside multi‑tenant clouds and tightens the compliance argument for cloud-hosted identity and document workflows.
Background
Microsoft and Marvell have been integrating hardware security capabilities into hyperscale cloud services for several years, but the latest development is notable because it pairs Marvell’s PCIe‑based LiquidSecurity HSM adapters with European regulatory approvals—specifically eIDAS and Common Criteria EAL4+—which unlocks new European use cases for Azure Key Vault, Azure Key Vault Managed HSM and Azure Cloud HSM offerings. The announcement is documented in Marvell’s statement about expanding collaboration with Microsoft and was syndicated across major industry news wires and markets coverage. This expansion arrives at a time when cloud vendors are packaging technical assurances and governance commitments to satisfy identity, passport and cross‑border transaction use cases. For cloud customers and IT teams working under strict regulatory regimes, those assurances matter as much as raw throughput or density.
What Marvell’s LiquidSecurity actually is
The product basics
- LiquidSecurity 2 (LS2) is a family of PCIe HSM adapters built around Marvell’s OCTEON data processing units (DPUs) and cryptographic accelerators. It’s designed for hyperscale cloud environments where dense, multi‑tenant HSM services are required.
- The architecture intentionally departs from the classical 1U/2U appliance model: instead of network‑attached rack HSM appliances that sit on a separate VLAN and are managed directly by customers, LS2 is a server‑attached PCIe card that can be administered by the cloud operator and exposed to tenants as managed HSM-as-a-service. That model reduces rack space, power, and per‑tenant hardware provisioning friction.
Key advertised capabilities (vendor claims)
- Scalability: up to 1,000,000 encryption keys per adapter and support for dozens of logical partitions (Marvell cites 45 partitions for multi‑tenant isolation).
- Performance: vendor materials and independent reporting indicate LS2 can deliver very high operation rates—Marvell cites up to 1,000,000 symmetric/GCM ops per second on an adapter and high ECC/RSA op rates depending on algorithm. Independent coverage reports similar numbers for AES/GCM throughput and specific RSA/ECC throughput figures.
- Low power: single‑adapter power envelopes are substantially lower than appliance racks, with published figures in the dozens of watts for high throughput.
- Certification roadmap: Marvell indicates support for FIPS 140‑3, Common Criteria (CC) EAL4+ and eIDAS—critical for European identity and government workflows.
Why the European certifications matter
eIDAS and Common Criteria EAL4+ in plain language
- eIDAS (electronic IDentification, Authentication and trust Services) is an EU regulation that sets rules and technical expectations for electronic identification and trust services—such as digital signatures and electronic seals—across member states. Having eIDAS‑validated cryptographic components is essential when cloud services are used for legal identity and cross‑border authentication tasks.
- Common Criteria (EAL4+) is an international evaluation standard that certifies a product’s security functionality and development rigor. An EAL4+ attestation signals that the product underwent methodical design and testing suitable for many commercial and governmental deployments.
Practical implications for customers
- Public sector and passport/ID issuers can now evaluate Azure‑hosted HSM-based services with stronger cross‑border compliance assurances.
- Banks and regulated industries that need audit evidence for cryptographic control will find the certification pedigree helpful during procurement.
- Vendors building identity platforms (e‑ID, e‑notary, digital contract signing) can reduce complexity by consuming Azure’s HSM services instead of provisioning on‑prem appliances.
How Microsoft plans to use LiquidSecurity in Azure
Microsoft’s cloud key management stack now includes multiple HSM service models—Azure Key Vault, Key Vault Managed HSM and Cloud HSM—and Marvell’s LiquidSecurity adapters are now certified to power those services for expanded EU use cases. Microsoft’s Cloud Security Engineering leadership framed the move as enabling secure, compliant key management for identity and passport workloads in public, sovereign or government clouds. Practically, customers should expect Azure to offer:
- Managed HSM pools backed by LS2 hardware, exposed via Key Vault APIs.
- Partitioned multi‑tenant HSM domains that keep keys in hardware and isolate cryptographic operations per customer.
- Use‑case specific services such as cross‑border contract certification, identity document verification, and other e‑government transaction workflows where eIDAS validation matters.
Technical analysis: throughput, density, DPU integration
Performance claims and independent verification
Marvell’s product literature and investor press materials assert that a single LiquidSecurity 2 adapter can manage up to 1 million keys and perform more than 1 million cryptographic operations per second under favorable conditions. Independent technical reporting corroborates the high throughput figures, and drills into per‑algorithm results: for example, measured ceilings differ by algorithm—GCM/AES shows the highest raw ops/s while RSA and ECC have lower op/s ceilings as expected. These independent accounts align with Marvell’s published metrics.
Key takeaway: the LS2 adapter is optimized for high‑volume symmetric crypto and large multi‑tenant scaling. For asymmetric (RSA/ECC) workloads, throughput is still high compared with many appliance HSMs but naturally varies by algorithm and key size.
OCTEON DPUs and why they matter
LS2’s compute plane uses Marvell’s OCTEON DPU cores to offload and accelerate cryptographic workloads. The DPU approach:
- Enables many dedicated crypto engines on a single silicon die, helping reach high op/s rates at modest power budgets.
- Provides programmability and field‑upgradability for cryptographic algorithms, which is useful for adopting post‑quantum or algorithmic updates without replacing hardware.
Cloud HSM vs traditional on‑prem HSM appliances: tradeoffs
- Density and cost: LS2-style PCIe adapters improve rack density and lower per‑key TCO for cloud providers compared with 1U/2U HSM appliances. That reduces the capital and operational footprint for large multi‑tenant services.
- Operational model: cloud HSMs shift hardware management to the cloud operator, which simplifies tenant operations but raises governance questions about custody patterns and independent auditability.
- Latency and throughput: server‑attached HSM adapters typically expose lower latency and higher raw throughput for symmetric crypto due to local PCIe bandwidth and DPU acceleration.
- Certification scope: an appliance can be physically controlled by a customer (useful for sovereign deployments that mandate on‑prem control), while a cloud HSM must be evaluated in the context of the provider’s operational controls and contractual commitments—even if the hardware itself is certified. Certifications of the hardware (eIDAS, CC EAL4+) are an important piece but not the entire assurance story.
Business and market implications for Marvell and Microsoft
For Marvell
Marvell’s timing is strategic. The company is positioned as a silicon and systems vendor that benefits from hyperscale cloud investment in AI and infrastructure. Recent financial and market coverage shows investor interest in Marvell’s data center momentum: S&P’s upgrade, analyst price‑target movements and coverage changes reflect divergent views about the sustainability of a data‑center‑led growth cycle. Public reporting ties Marvell’s stronger rating to a rapidly growing data center segment and improved profitability. Analyst actions are mixed: while some firms raised price targets or coverage (for example, UBS raising its price target and Raymond James initiating coverage), others (notably Barclays) have expressed caution about execution risk against aggressive data center targets—an acknowledgment that revenue concentration in hyperscaler purchases introduces both upside and calendar/supply risk.
For Microsoft
Partnering with Marvell to integrate certified server‑attached HSMs helps Microsoft deliver differentiated Azure security services in Europe at hyperscale. For Microsoft Azure the benefits include:
- Faster, hardware‑anchored key services for regulated customers.
- The ability to promote stronger compliance narratives (e.g., eIDAS‑based identity workflows).
- Reduced capital burden for customers who would otherwise procure and manage on‑prem HSM appliances.
Risks, caveats and unanswered questions
- Certification limits: Hardware certification (e.g., eIDAS/CC) is necessary but not sufficient for legal or procurement acceptance. Customers will still require contractual guarantees, audit rights, key custody models and evidence that Microsoft’s operational controls meet national standards. Treat hardware certification as one element in a broader compliance matrix.
- Legal and jurisdictional exposures: Technical controls can reduce risk but cannot fully negate legal processes that compel data access under foreign statutes. For customers with the strictest sovereignty requirements, a certified cloud HSM may not substitute for locally owned and governed infrastructure. Independent legal counsel remains essential.
- Multi‑tenant isolation and side‑channel risk: High‑density, server‑attached HSM architectures rely on software and partitioning mechanisms to provide tenant isolation. Customers should insist on attestation, independent penetration testing and continuous monitoring to confirm isolation is effective at scale.
- Firmware and supply‑chain management: DPUs and programmable accelerators raise the importance of authenticated firmware update channels and supply‑chain attestations. Customers should request firmware signing policies and incident reporting commitments from the provider.
- Auditability and forensics: Access logs, tamper evidence, and third‑party audit reports matter. Organizations should verify that provider audit artifacts map to their compliance needs and that notification/forensics procedures are in the contract.
What IT teams and procurement leaders should do now
Quick evaluation checklist (technical + compliance)
- Confirm the custody model: Is the HSM operated entirely by the cloud provider, or can keys be customer‑held (BYOK / external key management)? Which Azure HSM tier offers customer‑managed keys versus managed keys?
- Request certification packages: Obtain the eIDAS and Common Criteria evaluation reports, scope documents and validation numbers to confirm coverage matches your use case.
- Ask for attestation and test results: Demand independent penetration tests and partition isolation reports for multi‑tenant HSM deployments.
- Validate algorithm support and upgrade paths: Confirm support for the cryptographic algorithms you need today and the means to upgrade to post‑quantum or new standards without replacing hardware.
- Incorporate legal review: Verify contract language around notification, audit rights, jurisdictional obligations and law enforcement requests.
Practical pilot steps (numbered)
1. Identify a non‑production workload that mirrors the cryptographic profile of a mission‑critical system (e.g., document signing or PKI issuance).
2. Request temporary access to an Azure HSM pool backed by LiquidSecurity and run performance and compliance checks (latency, p99, throughput by algorithm).
3. Require evidence of certification artifacts and a third‑party attestation of partition isolation.
4. Measure operational telemetry (e.g., key lifecycle events, logs, update windows) and integrate those feeds into your SIEM/audit pipeline.
5. Make a procurement decision only after legal and security teams validate contractual guarantees and after successful pilot validation.
Market signals and investor context
Marvell’s product push comes against a backdrop of sharp investor interest in AI and data‑center infrastructure. Market reporting around Marvell highlights strong recent revenue growth and analyst repositioning: S&P upgraded Marvell’s credit rating to BBB citing improved scale and margins, while several brokerages (including UBS and Raymond James) have adjusted targets and ratings based on optics and data‑center opportunity. Conversely, some firms like Barclays have warned about execution risks against lofty data‑center targets—an acknowledgment that the same opportunity also concentrates execution risk in hyperscaler supply cycles. Those mixed analyst signals are visible in recent market coverage and analyst notes.
Operational calendar note: public filings and market coverage indicate Marvell’s next quarterly results and investor events are proximate to this announcement cycle—market participants will watch revenue recognition and data‑center bookings for confirmation of momentum.
Community and practitioner reaction (synthesised)
WindowsForum and industry community threads reflect cautious optimism: practitioners welcome higher‑density cloud HSMs for scaling PKI and identity services, but many emphasize the continued need for transparent attestation and legal protections when moving sovereignty‑sensitive workloads to public cloud services. Community discussion points echo the public risk themes: legal jurisdiction, supply‑chain attestations, and independent third‑party validation remain top of mind.
Final assessment — strengths, weaknesses, and the practical verdict
Strengths
- High density and performance: LiquidSecurity 2’s architecture delivers impressive per‑adapter key capacity and GCM‑oriented throughput, enabling cloud providers to offer HSM services at scale with lower hardware footprint and power draw. Vendor and independent technical reporting agree on the headline numbers.
- Certification alignment with European needs: eIDAS and Common Criteria EAL4+ certifications materially lower a common procurement barrier for identity and passport use cases in Europe.
- Operational convenience: Offering HSM as a managed cloud service reduces customer hardware overhead and simplifies lifecycle management for many organizations.
Weaknesses and risks
- Governance and legal exposure remain: Hardware certifications do not remove the need for contractual, legal and operational safeguards—customers must still negotiate custody models, audit rights and incident response commitments.
- Concentration risk in hyperscaler cycles: Marvell’s revenue and analyst attention are increasingly correlated with hyperscaler investment patterns—which can amplify both upside and downside volatility. Analyst coverage is mixed and reflects possible execution risk.
- Dependence on provider transparency: The value of a certified cloud HSM depends on the cloud operator’s willingness to provide audits, attestations and timely incident information—things that must be contractually enforceable.
Practical verdict
For organizations that need to modernize identity workflows, implement cloud native PKI, or scale signing and verification operations across borders, Azure’s newly expanded, Marvell‑powered HSM services provide a compelling technical and compliance option—provided procurement teams demand and receive the operational and legal artifacts that convert hardware certification into actionable trust. For buyers whose sovereignty risk tolerances are highest, an on‑prem solution or a locally controlled partner cloud may still be required.
The expansion of Marvell‑powered HSM services in Europe is a meaningful step in the evolution of cloud cryptography: it demonstrates how silicon innovation (DPUs, on‑server adapters) and targeted certifications (eIDAS, EAL4+) combine to enable new, regulated workloads in the cloud. That combination will accelerate cloud adoption in regulated sectors—but only for customers who pair the new technical capabilities with the contractual and governance controls necessary to translate certification into operational trust.
Source: Investing.com Australia Microsoft expands cloud security offerings in Europe with Marvell HSMs By Investing.com