{
"title": "Marvell LiquidSecurity Powers Microsoft Azure Cloud HSM, Delivering FIPS 140-3 Validated Single-Tenant Service",
"content": "Microsoft has expanded its strategic hardware security partnership with Marvell, announcing on August 18, 2025, that Azure Cloud HSM will now be powered by Marvell's LiquidSecurity family of PCIe hardware security modules. This extends a collaboration that already placed LiquidSecurity inside Azure Key Vault and Azure Key Vault Managed HSM, effectively standardizing Marvell's technology across Microsoft's most sensitive cryptographic infrastructure.

The move displaces traditional rack-mounted HSM appliances in favor of dense, DPU-accelerated adapter cards. For organizations bound by strict regulatory mandates—including FIPS 140-3 Level 3, eIDAS, and PCI DSS—the integration removes a major compliance hurdle while delivering the operational agility of a cloud-native service.

From Appliances to PCIe Cards: A Brief History

Hardware security modules have long served as the bedrock of encryption key protection, digital signing, and payment processing. Historically, they appeared as standalone 1U or 2U appliances managed in company data centers by specialized teams. Over the past decade, cloud providers and HSM vendors have pursued an alternative model: host HSM functionality inside cloud infrastructure and expose it as a service. Marvell's LiquidSecurity product line epitomizes this evolution. First introduced as a cloud-optimized PCIe HSM adapter, the second generation (LiquidSecurity 2, or LS2) pushes density, performance, and cryptographic agility even further. LS2 modules pack Marvell's OCTEON data processing units, which contain dedicated cryptographic acceleration engines—hardware blocks specifically designed to offload RSA, ECC, AES-GCM, SHA, and HMAC operations at line rate while consuming minimal power.

What Azure Cloud HSM Actually Delivers

Azure Cloud HSM is not a multi-tenant abstracted vault. It provisions a dedicated HSM cluster for each customer, giving organizations full administrative control over their keys. Key attributes include:

  • Customer-exclusive administration: You hold the admin credentials and define all access policies; Microsoft has no operational access to the keys.
  • Cryptographic isolation: Each cluster is a separate security domain, preventing cross-tenant key exposure.
  • FIPS 140-3 Level 3 validation: The hardware boundary meets the highest tier of the current U.S. federal standard, encompassing tamper-evident and tamper-responsive protections.
  • Broad API support: Integration with PKCS#11, OpenSSL, JCE/JCA, and other interfaces simplifies migration from on-premises HSMs.

By selecting Marvell LiquidSecurity for Azure Cloud HSM, Microsoft unifies its HSM hardware baseline across multiple services. Key Vault, Managed HSM, and Cloud HSM now share a common platform, promising consistent SLAs, streamlined firmware management, and uniform compliance attestations.

Inside Marvell LiquidSecurity: Technical Foundation

Marvell's LiquidSecurity family distinguishes itself from legacy HSMs in three critical ways:

  • Form factor: Half-height, half-length (HHHL) PCIe cards integrate directly into standard servers, eliminating the need for rack appliances and slashing datacenter footprint and energy draw.
  • Processor architecture: OCTEON DPUs feature dedicated cryptographic coprocessors that accelerate symmetric and asymmetric operations without burdening the host CPU.
  • Density and efficiency: LS2 adapters can store up to one million keys within the FIPS boundary while handling massive transaction throughput. Power consumption typically sits in the mid-tens of watts—a fraction of appliance-class HSM power draws.

Published performance figures vary by algorithm. Marvell claims tens of thousands of RSA or ECC signing operations per second and over a million AES-GCM operations per second. However, these are distinct workloads: symmetric operations are inherently faster than asymmetric ones, so direct comparisons are misleading. Organizations should benchmark their exact mix—TLS handshake rates, code-signing batches, or payment tokenization—to determine real-world fit.

The FIPS 140-3 Level 3 validation for the LS2 family was initially completed in June 2024, with subsequent updates in 2025 covering firmware revisions and additional algorithms. That certification is publicly verifiable in the NIST Cryptographic Module Validation Program database and provides the stringent assurance that regulated industries demand.

Why Enterprises Should Pay Attention

For CIOs and security architects, the Marvell–Azure combination offers concrete advantages:

Regulatory compliance made simpler

FIPS 140-3 Level 3 becomes a checkbox item for Azure Cloud HSM. Government agencies, healthcare providers, and financial institutions can inherit that validation without managing physical hardware.

Single-tenant control without the ops burden

Customers get full administrative authority and dedicated hardware isolation, yet Microsoft handles high availability, synchronization, firmware updates, and disaster recovery. This shifts the operational load from the customer's data center team to the cloud provider.

Lower total cost of ownership

PCIe adapters consume mid-tens of watts versus hundreds for appliance HSMs, and their small size increases rack density. At scale, this translates to reduced per-key and per-transaction costs.

Cryptographic agility and post-quantum readiness

Marvell's architecture supports field-upgradable firmware, enabling new algorithms—including post-quantum cryptography (PQC) primitives—to be injected without swapping hardware. For organizations planning decade-long crypto lifecycles, this future-proofing is critical.

The Other Side: Risks, Limitations, and Unanswered Questions

No security architecture is flawless. The following considerations warrant a hard look before migration:

Performance metrics can mislead

Headline ops/sec figures often reflect peak synthetic loads with ideal key sizes. Real-world TLS, for example, mixes asymmetric handshakes and symmetric bulk encryption. Simulate production-like traffic to validate latency, throughput, and concurrency.

Attestation gaps

Many auditors want cryptographic proof that keys were generated and reside inside the specific hardware module with known firmware. While Azure provides logging, not all HSM services offer on-demand, tamper-resistant hardware attestation. Confirm with Microsoft what artifacts are available and whether they cover the exact firmware version your auditors require. For example, a financial regulator might require a signed attestation from the HSM itself, not just a service-level log.

Firmware update risks

Field-updatable firmware is essential for agility, but each update must be digitally signed, delivered securely, and auditable. A compromised update could expose keys. Scrutinize Microsoft's and Marvell's change control processes, rollback protections, and the transparency of their update pipelines.

Vendor concentration

Standardizing on a single HSM vendor across Azure's entire key management portfolio creates a systemic dependency. A critical vulnerability in the LiquidSecurity firmware could cascade across Key Vault, Managed HSM, and Cloud HSM simultaneously. Mitigate through strong contractual SLAs and a dual-sourcing strategy for the most sensitive keys.

Geopolitical supply-chain concerns

Some governments mandate that cryptographic hardware originate from specific countries or avoid certain supply chains. Validate that the LiquidSecurity modules meet your jurisdiction's requirements for component provenance and in-region support.

The Competitive Landscape

Azure isn't alone in offering cloud HSM services. Thales, Utimaco, and Fortanix provide HSM-as-a-service alternatives, often built on their own hardware or leveraging trusted execution environments. Traditional appliance vendors still sell Thales Luna and Utimaco SecurityServer units for those who insist on physical control. Marvell's PCIe approach, tightly integrated with hyperscale cloud infrastructure, gives Microsoft a density and power advantage. Analysts project that the global HSM market—valued at several billion dollars—will grow at a double-digit CAGR over the next three to five years, driven largely by cloud adoption and regulatory mandates. The shift from appliances to adapter cards is a key part of that growth story.

How to Decide: A Practical Framework

Azure now offers a spectrum of key management services. Use this guidance:

  • For deep PaaS or SaaS integration, start with Azure Key Vault or Managed HSM. They're multi-tenant or logically single-tenant and tightly woven into Azure services.
  • For exclusive administrative control and FIPS 140-3 Level 3 isolation, Azure Cloud HSM on Marvell LiquidSecurity is the right fit.
  • For absolute physical custody of HSMs across multiple regions, evaluate on-premises appliances or the older Azure Dedicated HSM. Be prepared to staff a 24/7 hardware security team.
  • For payment systems, verify that the HSM variant meets PCI PTS HSM requirements, not just FIPS.
  • For long-term post-quantum planning, confirm the roadmap for PQC algorithm support and that firmware updates can be verified independently.

Migration Checklist

Before moving keys, run through this operational checklist:

  1. Inventory workloads: Document every key type, algorithm, and application that will use the HSM.
  2. Map compliance: