Microsoft has formally selected Marvell’s LiquidSecurity family of hardware security modules (HSMs) to underpin its Azure Cloud HSM service, extending a partnership that already covers Azure Key Vault and Managed HSM. The move, announced jointly by the companies, replaces traditional rack-mounted network appliances with high-density PCIe cards built on Marvell’s OCTEON DPU architecture, promising higher throughput, lower latency, and a smaller data-center footprint for regulated cryptographic workloads — all while maintaining FIPS 140-3 Level 3 certification. It is a decisive signal that hyperscalers are ready to trust host-attached HSMs for even the most sensitive multi-tenant key management.
Azure Cloud HSM is Microsoft’s single-tenant, fully managed service that gives customers administrative control over cryptographic keys inside a dedicated HSM cluster, with Microsoft handling availability, patching, and lifecycle operations. The service has been validated to FIPS 140-3 Level 3, a standard that demands stringent tamper resistance and hardware assurance. By shifting to PCIe-based LiquidSecurity cards, Azure can compress the physical footprint of cryptographic processing while still offering the isolation and attestation that regulated industries — banks, governments, healthcare — require.
“We are excited to extend our collaboration with Microsoft on the Microsoft Azure Cloud HSM service with Marvell LiquidSecurity HSMs,” said Will Chu, senior vice president and general manager of Custom Cloud Solutions at Marvell, in the official announcement. “Together, we share a vision to modernize the HSM market and enable Azure customers to leverage the latest security standards for the most demanding, cloud-scale applications.” Soumya Subramanian, vice president of Cloud Security Engineering at Microsoft, added: “Through our longstanding collaboration, we are able to offer Microsoft Azure customers the most secure and compliant key management services available in public, sovereign or government clouds today.”
A New Breed of Cloud-Native HSMs
Traditional HSMs typically ship as 1U or 2U network appliances: standalone boxes that handle cryptographic operations and key storage but consume rack space and power and add network latency to every transaction. Marvell’s LiquidSecurity 2 (LS2) turns that model inside out. It is a half-height, half-length PCIe card that plugs directly into a cloud host, using dedicated cryptographic engines and an OCTEON DPU to offload operations from the host CPU. This host-attached design eliminates the network round-trips that plague appliance-based architectures, cutting latency for TLS offload, certificate authority signing, code signing, and bulk encryption.
The density figures are what make hyperscale operators pay attention. According to Marvell’s specifications, a single LS2 card can manage up to one million cryptographic keys, sustain roughly 100,000 ECC P-256 operations per second, and deliver up to one million AES-GCM operations per second — all while allowing administrators to carve the card into 40 or more virtual partitions for multi-tenant isolation. Those numbers, while vendor-stated and awaiting independent benchmarking, suggest that one PCIe adapter can replace several appliance nodes for equivalent key capacity and throughput. For a cloud provider like Microsoft, that translates to fewer server slots, less power draw, and dramatically improved unit economics for HSM-as-a-service.
“Cloud continues to drive the pace in HSM spending as service providers work to ensure that the underlying infrastructure can support the growing demands of confidential computing and cloud sovereignty,” said Michela Menting, senior research director at ABI Research. “Marvell, which pioneered the category of cloud-optimized HSMs and remains the leader in the category, is poised to play a significant role in this evolution.” The market itself is projected to grow at about 8.5% annually through 2029, according to ABI Research, reinforcing the strategic importance of scaling HSM capacity in the cloud.
Compliance Meets Operational Pragmatism
A key pillar of the announcement is the alignment of FIPS 140-3 Level 3 certification across Marvell’s modules, Microsoft’s firmware, and the Azure Cloud HSM service. The Level 3 threshold is critical for organizations bound by PCI DSS, eIDAS, and government cryptography mandates, because it proves that the hardware can resist physical tampering and that keys are destroyed if an attack is detected. Microsoft has already achieved this validation on Azure Key Vault and Managed HSM, and the same certified code base is being extended to Cloud HSM.
However, certification is not a blanket guarantee. FIPS certificates are tied to specific firmware builds, hardware SKUs, and even regional deployments. Before relying on the service for an audit, customers must confirm the exact certificate number, firmware version, and Azure region that appear on the Cryptographic Module Validation Program (CMVP) listing. Microsoft publishes this information in its documentation, but the burden of validation remains on the security team.
Another nuance is the operational model itself. Azure Cloud HSM clusters are single-tenant, but the underlying LiquidSecurity cards can run up to 40 partitions per physical device. That partitioning is how Microsoft achieves density, but it also means that multiple customers’ keys may coexist on the same hardware, separated by cryptographic boundaries. For organizations that require physical separation for compliance, this model must be scrutinized against policy. The service, however, retains the critical property that only the customer holds administrative control over keys; Microsoft’s role is limited to ensuring cluster availability and patching.
Financial and Strategic Tailwinds for Marvell
The Azure Cloud HSM deal arrives at a moment of portfolio repositioning for Marvell. Just days before the announcement, the company completed the $2.5 billion all-cash sale of its Automotive Ethernet business to Infineon, sharpening its focus on data-center silicon. It also appointed Rajiv Ramaswami, CEO of Nutanix, to its board, adding cloud-infrastructure governance experience. Wall Street has taken note: Morgan Stanley and Stifel both raised price targets on Marvell shares, citing expanding hyperscaler relationships and the growing optics business.
These financial moves reinforce Marvell’s narrative as a specialized infrastructure silicon supplier, and the Microsoft selection serves as a high-profile validation of the LiquidSecurity architecture. It also pressures competitors both in the HSM market and among other cloud providers, who must now accelerate their own certification and density roadmaps to remain viable.
What Enterprise Architects Must Do Next
The performance and compliance numbers are compelling, but they originate from vendor engineering targets and controlled lab environments. Real-world deployments introduce variables — key types, concurrent operations, network congestion, failover patterns — that can materially affect throughput and latency. For enterprise teams tasked with migrating regulated workloads, the checklist is straightforward:
- Map workloads with hardware attestation requirements — payment processing, qualified e-signatures, internal CAs — and confirm that Azure Cloud HSM’s certification covers the necessary algorithms and key lengths.
- Verify the specific FIPS certificate against the deployed firmware and Azure region. Microsoft’s documentation links to active certificates; cross-reference them with your compliance auditor.
- Run a representative pilot that stresses the HSM cluster with TLS handshake volumes, certificate signing requests, and bulk key-wrapping operations. Measure tail latency under normal and failover conditions, and validate that partition isolation works as expected.
- Negotiate operational SLAs that cover firmware patch cadence, vulnerability disclosure timelines, incident response procedures (including key zeroization), and financial remedies if the HSM cluster fails to meet availability targets.
- Plan for cryptographic agility. Marvell has hinted at post-quantum readiness, but buyers should demand a written roadmap for algorithm upgrades and confirm that firmware updates can be rolled out without breaking certifications or causing extended downtime.
The Bigger Picture: How Dense HSMs Reshape Cloud Security
Microsoft’s bet on LiquidSecurity is not an isolated experiment. It reflects an industry-wide pivot toward host-attached, DPU-accelerated security hardware that can keep up with the demands of confidential computing and sovereign cloud services. When a hyperscaler can deliver FIPS 140-3 Level 3 key management at a fraction of the cost and rack space of traditional appliances, it removes one of the last arguments for maintaining on-premises HSMs in many organizations.
That is good news for cloud adoption, but it also concentrates risk. A single vendor’s HSM family will handle a significant share of Azure’s cryptographic processing. While the cards are designed for high availability and are deployed in clusters, any systemic flaw — a firmware vulnerability, a supply-chain disruption, or a certification defect — could cascade across multiple regulated services. Smart security architects will incorporate multi-vendor contingency plans and, where possible, avoid locking their entire key management strategy into one hardware family.
Looking ahead, independent benchmarking will be the next milestone. As procurement offices and security labs get their hands on LS2-powered clusters, public performance data will either validate the headline throughput numbers or introduce the friction that so often tempers early enthusiasm. The competition over quantum-resilient upgrades is also intensifying; any HSM platform that cannot demonstrate a clear path to post-quantum cryptography will lose ground as governments and financial institutions begin to mandate algorithm migration.
Conclusion
The collaboration between Microsoft and Marvell on Azure Cloud HSM is a technically sound, market-savvy evolution of how cloud providers deliver certified key management at scale. By pairing FIPS 140-3 Level 3 LiquidSecurity cards with a managed, customer-controlled cluster model, Microsoft gives enterprises a credible path to offload their most sensitive cryptographic operations to the cloud. The density, latency, and compliance story is strong — but it is built on vendor commitments that must be verified, contractually anchored, and continuously monitored.
For the security architects and CTOs evaluating this service, the mandate is clear: treat the vendor specs as a conversation opener, not a contract. Demand transparency, pilot aggressively, and build cryptographic agility into your design from day one. Done well, Azure Cloud HSM on LiquidSecurity can unlock cloud migration for workloads that have stubbornly remained on-premises. Done poorly, it simply swaps one set of operational risks for another.