Microsoft and Marvell Expand European Azure HSM with LiquidSecurity

Microsoft and Marvell have quietly widened a strategic security partnership, bringing Marvell’s LiquidSecurity hardware security modules (HSMs) deeper into Azure’s European cloud footprint and expanding the range of compliant key-management services available to organizations across the region.

Background

Microsoft and Marvell have worked together for several years to provide HSM-based key management and cryptographic acceleration inside Azure’s key vault and managed HSM services. That collaboration has now been broadened to explicitly extend Marvell-powered, cloud-based security use cases into Europe, complementing existing deployments across North America and Asia. The public announcement was published in early December 2025 as part of a press release distribution that cites new European certifications for Marvell’s LiquidSecurity product family.

The move is framed around enabling Azure customers in Europe to run identity, document verification, and cross-border contract certification workloads using HSM-backed cryptographic services that meet regional compliance frameworks. Marvell’s messaging emphasizes lower power, smaller footprint, and higher density key storage compared with traditional appliance-based HSMs, attributes cloud providers prize when offering HSM-as-a-service at hyperscale.

What Marvell announced (plain facts)

  • Microsoft will expand the use cases for Azure cloud security offerings that leverage Marvell LiquidSecurity HSM hardware for customers in Europe, in addition to Asia and North America.
  • Marvell recently secured European certifications for LiquidSecurity under eIDAS (electronic IDentification, Authentication and trust Services) and Common Criteria EAL4+, which the company and its partners highlight as critical to enabling identity and sovereign use cases in the EU.
  • Marvell’s LiquidSecurity family — and specifically the LiquidSecurity 2 (LS2) adapter — is designed as a PCIe-based, high-density HSM adapter optimized for multi-tenant cloud environments, with Marvell quoting up to 1 million hardware-secured keys and performance metrics ranging into tens to hundreds of thousands of cryptographic operations per second depending on algorithm.
  • Microsoft has selected Marvell LiquidSecurity for Azure Cloud HSM in a recent expansion, with the Azure Cloud HSM service described as a single-tenant, highly available offering that already carries FIPS 140-3 Level 3 certification for relevant deployments.
These are company-confirmed facts drawn from the Marvell and press-distribution materials and corroborated by coverage in multiple trade and financial outlets.

Why this matters: practical benefits for Azure customers in Europe

Marvell’s announcement is pitched as a practical upgrade to what Azure can offer European customers who require both cloud-scale HSM services and strong regional compliance.
  • Sovereign and regulated workloads: eIDAS and Common Criteria are central to many European public-sector, identity, and cross-border digital services. Having HSM hardware that is explicitly certified helps Azure position these services for government, eID, and regulated industries that typically insist on regionally recognized attestations.
  • Higher density, lower TCO: By moving the HSM functionality from 1U/2U appliances to PCIe-based adapters optimized for datacenter DPUs, cloud providers can offer HSM-as-a-service at scale with lower rack space, power and capital expense. Marvell’s LS2 marketing positions the product as delivering improved performance-per-watt and performance-per-dollar compared with legacy HSM appliances. Independent technical write-ups and product pages highlight the LS2’s ability to store up to a million keys and deliver high operation throughput, which materially affects cost models for large-scale HSM services.
  • Service breadth: With LiquidSecurity powering Azure Key Vault, Managed HSM, and now Cloud HSM services, Microsoft can present a consistent hardware-backed cryptographic substrate across multiple customer experiences — from multi-tenant managed HSMs to single-tenant dedicated HSM clusters for customers with the strictest isolation requirements. This simplifies migration paths and can reduce friction for customers who need to move between service tiers.

Technical breakdown: LiquidSecurity and Azure HSM capabilities

LiquidSecurity architecture and specs

Marvell’s LiquidSecurity platform is a family of PCIe HSM adapters built around Marvell OCTEON DPUs and cryptographic accelerators, aimed at cloud-scale HSM-as-a-service deployments. Key technical claims from Marvell include:
  • Up to 1,000,000 keys stored in hardware-secured storage on LS2 cards.
  • High cryptographic throughput: Marvell advertises ECC performance up to 100,000 ops/sec and very high AES/GCM performance figures (public technical briefings and reviews list hundreds of thousands to millions of symmetric ops per second under different test conditions).
  • Multi-tenancy via partitions: LS2 supports dozens of isolated partitions (Marvell cites 45 partitions) so that a single physical adapter can present many logical HSMs to different tenants or workloads.
These figures are published on Marvell product pages, supported by product launch materials and by independent technical coverage that confirms the general ballpark of performance claims under typical test regimes. Readers should note that absolute throughput varies by algorithm, key size, and the host system’s configuration. Where precise operation-per-second numbers matter for capacity planning, customers should validate with benchmarks aligned to their workload profile.

Azure Cloud HSM and compliance posture

Microsoft describes Azure Cloud HSM as a dedicated, single-tenant HSM cluster offering that enables customers to manage cryptographic keys within their own dedicated infrastructure while retaining the convenience of cloud management and connectivity. Microsoft has positioned Cloud HSM for users who require administrative control or dedicated tenancy without the operational burden of running physical HSM appliances. Marvell’s adoption for Cloud HSM brings LS2 into this single-tenant model and is described alongside Microsoft’s FIPS 140-3 Level 3 positioning.

FIPS 140-3 Level 3 certification (a U.S. standard from NIST) and Common Criteria / eIDAS attestations (international/EU-focused frameworks) operate in different regulatory scopes, and having devices that are either certified or capable of certification against multiple frameworks is a practical advantage for cloud providers operating in multi-jurisdictional markets. However, certification specifics, such as the exact configurations that carry which certificates, should be validated by customers through the official certification records and Azure compliance documentation before assuming coverage for a particular workload. This nuance is especially important for government or financial customers with narrow acceptance criteria.

Market context and strategic implications

HSM-as-a-service is growing, and hyperscalers want efficient building blocks

The cloud HSM market has been among the faster-growing segments in cloud security infrastructure, driven by rising encryption requirements, privacy regulations, and the need for hardware-backed key protection for confidential computing scenarios. Industry analysts have projected robust growth for HSM-as-a-service offerings, and vendors like Marvell position themselves to win the underlying hardware share in cloud datacenters. Marvell’s pitch is that cloud-optimized HSM adapters are the best building block for hyperscale HSM services due to density and power efficiencies.

For Microsoft, deepening a partnership with Marvell implies reduced time-to-market for new HSM-backed services and consolidated vendor relationships for the hardware layer. It also gives Microsoft continuity across its Key Vault, Managed HSM and Cloud HSM surface, simplifying internal operations and potentially lowering procurement complexity.

Competitive angle: what this means for other cloud providers and HSM vendors

Marvell claims adoption among several hyperscalers and points to LS2 as a disruptive alternative to appliance-based HSM vendors. Traditional HSM vendors (those selling 1U/2U appliances) face pressure to either adapt their form factors or partner with cloud-centric silicon vendors to stay relevant in the HSM-as-a-service era.
Cloud providers that do not standardize on dense, PCIe-based HSM adapters may face higher operational costs for high-volume HSM services. Conversely, hyperscalers that standardize on cards like LS2 can scale HSM capacity more economically — which may, over time, change pricing dynamics for HSM-as-a-service and accelerate adoption across regulated sectors. Industry analyst commentary embedded in the press coverage also reflects a view that certified, cloud-optimized HSM hardware will expand the market for cloud-based key services.

Security and compliance analysis — strengths and limitations

Strengths

  • Vendor-backed certifications: eIDAS and Common Criteria EAL4+ are meaningful credentials for European identity and public-sector use cases, while FIPS 140-3 Level 3 supports U.S. federal and many regulated industry requirements. Having hardware that is certified under these frameworks reduces the compliance lift for customers relying on Azure-managed services.
  • Hardware isolation and partitioning: The LS2 design emphasizes isolated partitions, allowing strict tenant separation within a single card. This isolation model maps well to cloud multi-tenancy and to compliance regimes that require logical separation of keys and operations.
  • Performance at scale: For workloads that require high-volume cryptographic operations (payments, PKI, authentication at high throughput), the LS2’s optimized crypto engines and DPU-based offload can materially improve latency and throughput compared with legacy appliances. Public technical reviews document high AES/GCM and ECC throughput in controlled tests.

Limitations and caveats

  • Certification vs. configuration: Certifications are issued for specific product configurations and validation processes. A claim that a product family is "eIDAS-compliant" or "FIPS 140-3 capable" does not guarantee that every vendor-supplied firmware, partition arrangement, or cloud deployment automatically falls under the same certificate. Customers with high-assurance requirements should verify the exact certification scope, certificate numbers, and the date of validation against authoritative certification databases and Azure compliance documentation. Where necessary, ask for the supporting attestation documents.
  • Proprietary integration risks: Moving to a cloud-optimized hardware architecture means relying on a vendor-specific hardware and software stack. That creates potential lock-in — not simply at the cloud-provider level (Azure) but also at the hardware layer (Marvell LiquidSecurity). For enterprises that value portability between clouds, confirm migration options, export controls on key material, and the support story for cross-cloud key mobility.
  • Claims that need independent verification: Marvell’s statements about adoption among “six of the ten largest cloud providers” and market-share metrics are notable but are vendor claims. Independent confirmation from cloud providers, analyst reports, or certification registries provides stronger evidence of breadth of adoption. Where a claim is business-sensitive or strategic, seek corroboration beyond vendor press materials. This article flags such vendor-origin claims as worth additional scrutiny.

Real-world implications: use cases and migration considerations

Use cases that benefit most

  • eID and passport/identity services: Governments and eID providers that require both regional certification (eIDAS) and high transactional throughput can use Azure’s Marvell-backed HSM services to offload hardware management while maintaining a compliant cryptographic boundary.
  • High-volume PKI and certificate issuance: Certificate authorities and enterprise PKI operators can exploit high key density and throughput to scale issuance without large fleets of appliances. Logical partitions enable multi-tenant or departmental isolation.
  • Payment tokenization and confidential computing: Workloads that require fast encryption/decryption for billions of transactions (payment processors, token service providers) will benefit from the LS2’s raw symmetric and AEAD throughput figures. Reviews emphasize AES-GCM performance in the hundreds of thousands to millions of ops per second depending on conditions.

Migration considerations for enterprises

  • Assess compliance mapping: Verify which certifications apply to your configuration, and obtain attestation documents from Azure/Marvell where necessary.
  • Benchmark with representative workloads: Synthetic figures from vendors are useful, but real-world latency and concurrency characteristics will vary by workload and host architecture. Conduct pilot tests in Azure regions where Cloud HSM backed by LiquidSecurity will be offered.
  • Review key lifecycle and export policies: Understand how key import/export, backup, and recovery are handled inside the Cloud HSM model and whether the operational controls meet your audit and retention needs.

Competitive and regulatory risks

  • Concentration risk: Deepening a reliance on a single hardware vendor for the cryptographic substrate introduces concentration risk. Specifying fallback options, multi-vendor strategies, or contractual protections may be necessary for mission-critical services.
  • Regulatory nuance across Europe: While eIDAS is an EU framework, implementation and acceptance can vary by member state and by specific use case (e.g., qualified electronic signatures vs. identification). Organizations must validate that the combination of Azure service, Marvell hardware, and the deployment architecture satisfies the precise legal and technical criteria for their intended use.
  • Supply-chain and firmware assurance: Any hardware-based security solution must consider firmware update processes, secure supply-chain assurances, and mechanisms for patching or revocation should vulnerabilities surface. Large cloud providers typically operate strong lifecycle processes, but customers with particularly stringent sovereignty or assurance requirements should request documentation about firmware signing, update controls, and incident response processes.

How this affects the broader HSM market

The ongoing shift from appliance-based HSMs to cloud-optimized, PCIe adapter-based HSMs represents a structural change in how cryptographic services are marshaled at scale. Marvell’s success in placing LiquidSecurity at the heart of Azure’s HSM stack — and its push into European-compliant offerings — accelerates a trend where:
  • Cloud providers prefer dense, low-power HSM hardware that fits hyperscale economics.
  • Regulatory-compliance engineering (eIDAS, Common Criteria, FIPS) becomes a differentiator in cloud regions governed by sovereignty and identity requirements.
  • Traditional HSM appliance vendors face pricing and form-factor pressure, prompting possible product redesigns or partnerships.
Investors and security architects should watch how certifications, independent performance benchmarks, and adoption among other hyperscalers evolve, because these will be the strongest indicators that the form-factor shift is durable rather than opportunistic.

Practical next steps for IT and security leaders

  • Map sensitive workloads to certification requirements: catalogue which applications demand FIPS, eIDAS, or Common Criteria attestations.
  • Engage Azure compliance and Marvell for attestation packages: request certificate numbers, configuration guidance, and evidence for the exact service region you will use.
  • Run pilot performance tests: benchmark your cryptographic workflows on Azure Key Vault / Managed HSM / Cloud HSM to measure latency, throughput, and cost at scale.
  • Factor vendor concentration into risk assessments: document fallback strategies or porting plans in the event of supply or support disruption.

Final assessment and outlook

The Marvell–Microsoft expansion into European Azure cloud security services is an incremental but strategically meaningful development. By marrying Marvell’s cloud-optimized LiquidSecurity adapters with Azure’s Key Vault and Cloud HSM services, now with a stronger European compliance posture, Microsoft is positioning Azure to better serve identity-heavy, regulated, and sovereign workloads across the continent.

The strengths are clear: high-density key storage, strong throughput, and certifications that speak directly to common buyer requirements in Europe. The principal caveats are procedural and operational: certifications must be validated against the exact deployed configuration, vendor-origin adoption claims merit independent corroboration, and customers should plan for concentration and migration risks inherent in platform-specific hardware integration.

For enterprises and public agencies facing strict European compliance regimes, the expanded availability of Marvell-powered Azure HSM services is a useful development, provided teams validate certification scope, benchmark performance for real workloads, and embed supply-chain and vendor risk controls into procurement and architecture processes. The net effect should be to lower friction for adopting HSM-backed cryptography in the cloud while elevating the importance of precise compliance verification and operational due diligence.
Conclusion: as cloud cryptography moves from standalone appliances to integrated, high-density silicon in datacenters, partnerships like Microsoft’s and Marvell’s define the practical architecture for how keys will be protected at hyperscale. The expansion into Europe—backed by regionally relevant certifications—makes Azure’s HSM services more compelling to regulated customers, while also raising the bar for security teams to scrutinize certification scope, portability, and supply-chain assurances before full production adoption.
Source: Investing News Network Marvell Extends Collaboration with Microsoft, Expanding Azure Global Cloud Security Services in Europe