Microsoft has selected Marvell's LiquidSecurity family of hardware security modules to anchor its Azure Cloud HSM service, extending a years-long collaboration that already underpins Azure Key Vault and Azure Key Vault Managed HSM. The deal brings FIPS 140-3 Level 3 validated, high-density PCIe-based HSMs directly into Microsoft's single-tenant cloud HSM clusters, giving regulated enterprises a compliant, high-throughput on-ramp for migrating cryptographic workloads without sacrificing hardware-backed key control.
Announced this week by Marvell and Microsoft, the integration marks a decisive shift in how hyperscalers consume hardware security. Rather than relying on appliance-style HSMs that devour rack space and power, Azure Cloud HSM will leverage Marvell's LiquidSecurity2 cards: compact, DPU-accelerated PCIe devices that Marvell rates at 100,000 key pairs and more than one million cryptographic operations per second on a single card. For Microsoft's most security-sensitive customers, the move cuts latency, improves density, and aligns with the strictest regulatory benchmarks, including NIST FIPS 140-3 Level 3 and Europe's eIDAS trust framework.
A Cloud-Optimized HSM Architecture Arrives in Azure
Azure Cloud HSM is Microsoft's answer to organizations that demand complete administrative control over cryptographic keys but balk at the operational overhead of managing physical HSM appliances. The service provisions a dedicated, single-tenant HSM cluster within Azure, maintained by Microsoft but governed by the customer, who retains exclusive key ownership and administrative rights. It connects directly to a customer's virtual network via a private, encrypted link, ensuring cryptographic operations never traverse the public internet.
FIPS 140-3 Level 3 validation is table stakes here. That level mandates physical tamper evidence and response, identity-based operator authentication, and controlled key handling across the module's life cycle, requirements that have historically kept highly regulated workloads on-premises. By building on Marvell's LiquidSecurity modules, which carry that validation, Azure Cloud HSM meets the hardware security expectations of government agencies, financial institutions, and healthcare providers.
LiquidSecurity's Hyperscale Credentials: Density, Throughput, and Form Factor
Marvell designed LiquidSecurity from the ground up to convert traditional HSM appliances into cloud-native building blocks. Each LiquidSecurity2 card slides into a standard PCIe slot, consuming a fraction of the power and space of a 1U or 2U rack-mountable HSM. Beneath the heat sink, an OCTEON DPU (data processing unit) handles cryptographic offload, freeing host CPUs and enabling dense multi-tenant partitioning while preserving strict key isolation between tenants.
The performance figures are eye-popping in an industry accustomed to appliance bottlenecks:
- Up to 100,000 encryption key pairs per card
- More than 1 million cryptographic operations per second per card
These numbers translate directly into economic and operational advantages for cloud providers. A single card can serve hundreds of customers, slashing per-tenancy hardware costs and shrinking the physical footprint required for cryptographic services. For Microsoft, that means being able to offer Azure Cloud HSM at a more attractive price point while maintaining—or improving—service availability.
Regulatory Reach Expands: From FIPS to eIDAS and Beyond
While FIPS 140-3 Level 3 opens doors in North American government and finance, Marvell and Microsoft have quietly been closing compliance gaps elsewhere. Recent certifications now validate Azure Managed HSM and Premium Key Vault devices using Marvell adapters against European eIDAS trust schemes. That clearance enables qualified electronic signatures and other trust services required under EU regulations, making Azure a viable platform for signature providers and public-sector agencies bound by EU law.
Microsoft's Soumya Subramanian, vice president of Cloud Security Engineering, emphasized the breadth of the partnership: "Through our longstanding collaboration, we are able to offer Microsoft Azure customers the most secure and compliant key management services available in public, sovereign or government clouds today." For enterprises navigating a patchwork of regional regulations, the combined FIPS and eIDAS coverage removes a major obstacle to cloud migration.
Market Momentum and Marvell's Strategic Pivot
The HSM-as-a-service market is projected to grow at 8.5% annually through 2029, according to ABI Research, fueled by the twin demands of confidential computing and cloud sovereignty. Marvell, which has been reshaping its portfolio toward data-center and custom silicon, sees the Azure endorsement as a validation of that strategy. The company recently completed a $2.5 billion divestiture of its automotive Ethernet business to Infineon, a transaction that sharpens its focus on hyperscale infrastructure and AI. Adding board member Rajiv Ramaswami, a veteran from the cloud software arena, further signals management's intent to embed itself deeper into the cloud supply chain.
Analyst expectations are bullish, with Piper Sandler and others highlighting Marvell's AI and data-center growth vectors. However, forward-looking revenue estimates—some pointing at double-digit year-over-year growth—hinge on customer execution, supply chain stability, and macro demand. Enterprises evaluating Azure Cloud HSM should note that such financial projections are not guarantees; they are, however, reasonable indicators of the strategic weight Marvell now places on its LiquidSecurity line.
What the Deal Means for IT Architects and Security Teams
For the CIO or cloud architect, the immediate takeaway is a reduction in friction. Workloads that once demanded an on-premises HSM—payment gateways processing thousands of transactions per second, certificate authorities signing millions of certificates, TLS offload engines for high-traffic web farms—can now run inside Azure with the same hardware-backed assurance. The PCIe form factor, coupled with Azure's cluster design and private link access, trims cryptographic round-trip times to the sub-millisecond range, a critical factor for latency-sensitive applications.
But the benefits extend beyond speed. The single-tenant model hands control back to compliance officers who must attest to key custody chains. Because each Azure Cloud HSM cluster is dedicated to one customer and its administrative roles are held by that customer rather than by Microsoft, organizations can demonstrate that no other tenant, and no Microsoft operator, can use their keys. That capability alone justifies the service for many organizations still operating their own FIPS-validated appliances.
Technical Strengths and Real-World Caveats
No technology announcement is complete without a candid look at the trade-offs. LiquidSecurity brings undeniable strengths:
- Unmatched density per rack unit for cloud-scale deployments
- FIPS 140-3 Level 3 and eIDAS validation that satisfies the most stringent auditors
- Deep prior integration with Azure Key Vault and Managed HSM, lowering risk for the Cloud HSM rollout
Yet security architects must account for several limitations:
- Certification is not a panacea. FIPS validation covers specific cryptographic modules; it does not guarantee secure key lifecycle management, access governance, or compliance with internal policies. A validated HSM is necessary but insufficient without robust operational controls.
- Supply chain concentration risk. Microsoft now depends on a single vendor for a critical security component. While Marvell is a mature semiconductor player, any production hiccup, component shortage, or corporate instability could ripple into Azure's HSM capacity plans. The recent divestiture, though strategic, concentrates Marvell's exposure to the data-center segment.
- Platform lock-in potential. Integrating custom HSM hardware deeply into a cloud provider's fabric inevitably creates friction for future migration. Customers who eventually wish to move to another cloud or repatriate workloads will need to reconcile differences in HSM architectures, key formats, and administrative APIs.
- Cryptographic agility is a work in progress. Hardware HSMs have multi-year lifecycles. Although Marvell and Microsoft discuss quantum-resilient pathways, organizations must press for concrete timelines on post-quantum algorithm support, firmware update mechanisms, and migration tooling. "Quantum readiness" today is a roadmap, not a deployed feature.
Security Risk Analysis: What to Watch For
Given the sensitivity of key management, due diligence must probe deeper than marketing claims:
- Supply-chain provenance and firmware trust. How does Microsoft attest to the authenticity of each LiquidSecurity card? What secure boot and firmware verification processes are in place? Can customers audit the firmware update history for their cluster?
- Multi-tenant partition isolation. Although Cloud HSM is single-tenant by design, the underlying LiquidSecurity hardware may host multiple partitions. Customers with extreme threat models should verify that side-channel isolation meets their requirements, and that no cross-partition leakage vectors exist.
- Key ownership and escrow models. Azure Cloud HSM grants administrative control, but customers must clarify key export policies, backup/restore procedures, and whether any escrow mechanism exists. The legal definition of "customer-controlled" must align with regulatory mandates.
- Incident response SLAs. When a hardware or firmware vulnerability surfaces—think Rowhammer or Spectre-class attacks—how quickly does Microsoft patch, and how transparent are the disclosure timelines? Hardware-level flaws can take months to remediate; service-level agreements must spell out expectations.
Practical Steps for Evaluation and Adoption
For teams considering a move, a structured evaluation plan can separate real value from hype:
1. Map workloads to requirements. Inventory applications that currently require on-premises HSMs (payment processing, certificate authorities, document signing). Document the specific regulatory controls that mandate FIPS 140-3 Level 3 or eIDAS.
2. Validate Azure's implementation. Request a technical deep-dive on Cloud HSM cluster topology, private link access patterns, backup/restore mechanics, and key-export policies for your tenant. Do not assume parity with Managed HSM.
3. Run representative benchmarks. Test signing, encryption, and TLS offload workloads at realistic scale. Measure p99 latency, throughput under concurrent connections, and behavior during Azure maintenance events (which can trigger key server failover).
4. Audit cryptographic lifecycles. Confirm algorithm support, key sizes, and modes for your specific use case. Demand a written roadmap for post-quantum migration, including target algorithms and timelines.
5. Negotiate operational guarantees. Embed patching SLAs, vulnerability disclosure obligations, and incident escalation paths into your cloud subscription or enterprise agreement. Hardware-driven services often fall outside default cloud SLAs.
6. Design for crypto agility. Even with a validated HSM, build application-layer abstractions that allow key rotation, algorithm migration, and, if necessary, a switch to an alternative HSM provider without prolonged outages.
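Step 6 is the one most often left unimplemented, so here is an added example (not code from Microsoft, Marvell or the Azure Cloud HSM service) of the application-layer abstraction it calls for: every signature travels in an envelope that names the key id and algorithm, those two fields are bound into the signed bytes so an attacker cannot relabel a signature, and a key ring maps each key id to whichever backend holds it. Rotating a key, changing algorithm, or moving to a different HSM provider then becomes a rotation with an overlap window instead of an application rewrite. The `SoftwareHmacBackend`, the key names `pay-2024`/`pay-2025` and the transaction payloads are constructed stand-ins; a real deployment would implement the same `SigningBackend` surface over whatever interface the HSM provider exposes.

```python
"""Crypto-agility layer: versioned, algorithm-tagged signature envelopes over a
swappable signing backend. SoftwareHmacBackend is a constructed stand-in for an
HSM partition; no real HSM or Azure API is called anywhere in this module."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
from typing import Protocol

# Algorithms the envelope format admits; anything else fails verification.
_DIGESTS = {"HMAC-SHA256": hashlib.sha256, "HMAC-SHA512": hashlib.sha512}


class SigningBackend(Protocol):
    """The only surface the application depends on, whatever actually holds the key."""
    def algorithm(self, kid: str) -> str: ...
    def sign(self, kid: str, data: bytes) -> bytes: ...
    def verify(self, kid: str, data: bytes, sig: bytes) -> bool: ...


class SoftwareHmacBackend:
    """Stand-in for an HSM partition: keys are addressed by id and never exported."""
    def __init__(self) -> None:
        self._keys: dict[str, tuple[str, bytes]] = {}

    def generate(self, kid: str, alg: str = "HMAC-SHA256") -> None:
        self._keys[kid] = (alg, secrets.token_bytes(32))  # key material stays inside

    def algorithm(self, kid: str) -> str:
        return self._keys[kid][0]

    def sign(self, kid: str, data: bytes) -> bytes:
        alg, key = self._keys[kid]
        return hmac.new(key, data, _DIGESTS[alg]).digest()

    def verify(self, kid: str, data: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(kid, data), sig)


def _to_be_signed(kid: str, alg: str, payload: bytes) -> bytes:
    # Binding kid and alg into the signed bytes defeats relabelling with a weaker algorithm or another key.
    return json.dumps({"kid": kid, "alg": alg}, sort_keys=True).encode() + b"." + payload


class KeyRing:
    """Maps each key id to the backend holding it; one key signs, retired keys may still verify."""
    def __init__(self) -> None:
        self._backends: dict[str, SigningBackend] = {}
        self._active: str | None = None
        self._verify_only: set[str] = set()

    def rotate(self, kid: str, backend: SigningBackend) -> None:
        """Start signing with kid; the previous key stays verifiable for the overlap window."""
        if self._active is not None:
            self._verify_only.add(self._active)
        self._backends[kid], self._active = backend, kid

    def retire(self, kid: str) -> None:
        """Close the overlap window: envelopes under kid are rejected from now on."""
        self._verify_only.discard(kid)

    def sign(self, payload: bytes) -> dict:
        if self._active is None:
            raise RuntimeError("no active signing key")
        kid = self._active
        backend = self._backends[kid]
        alg = backend.algorithm(kid)
        sig = backend.sign(kid, _to_be_signed(kid, alg, payload))
        return {"kid": kid, "alg": alg, "payload": base64.b64encode(payload).decode(),
                "sig": base64.b64encode(sig).decode()}

    def verify(self, envelope: dict) -> bool:
        kid, alg = envelope["kid"], envelope["alg"]
        if kid != self._active and kid not in self._verify_only:
            return False                                   # unknown or retired key
        backend = self._backends[kid]
        if alg != backend.algorithm(kid):
            return False                                   # algorithm substitution attempt
        payload = base64.b64decode(envelope["payload"])
        sig = base64.b64decode(envelope["sig"])
        return backend.verify(kid, _to_be_signed(kid, alg, payload), sig)


def rotation_demo() -> dict:
    """Rotate across an algorithm change and a provider change; returns the outcomes."""
    old_hsm, new_hsm = SoftwareHmacBackend(), SoftwareHmacBackend()
    old_hsm.generate("pay-2024", "HMAC-SHA256")
    new_hsm.generate("pay-2025", "HMAC-SHA512")            # stronger algorithm, different provider
    ring = KeyRing()
    ring.rotate("pay-2024", old_hsm)
    old_env = ring.sign(b'{"txn":42,"amount":"19.99"}')     # constructed sample payload
    ring.rotate("pay-2025", new_hsm)                       # provider + algorithm change in one step
    new_env = ring.sign(b'{"txn":43,"amount":"5.00"}')
    relabelled = dict(old_env, alg="HMAC-SHA512")          # tampered header must fail
    during_overlap = (ring.verify(old_env), ring.verify(new_env), ring.verify(relabelled))
    ring.retire("pay-2024")
    after_retire = (ring.verify(old_env), ring.verify(new_env))
    return {"during_overlap": during_overlap, "after_retire": after_retire, "new_alg": new_env["alg"]}


if __name__ == "__main__":
    print(rotation_demo())
```

Running the module prints the outcomes of `rotation_demo()`: both envelopes verify during the overlap window, the relabelled envelope fails because its algorithm tag no longer matches the algorithm registered for that key, and after `retire()` only envelopes under the new key verify. Because the ring addresses keys by id and never touches key bytes, the same code path serves a future move to a post-quantum algorithm once a backend offers one; the application only learns a new `alg` string.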
Strategic Implications for the HSM Market
Microsoft's move is not an isolated event; it signals a broader market realignment. Cloud providers are racing to incorporate hardware-backed security directly into their infrastructure fabrics—not as optional add-ons, but as native building blocks. The selection of compact, high-density HSM cards over traditional appliances reflects an economic imperative: the only way to democratize HSM services is to slash per-operation costs through consolidation and multi-tenancy.
For Marvell, the deal burnishes LiquidSecurity's credentials as the de facto choice for hyperscalers. With Microsoft already running the cards across its key management stack, rival cloud providers must either adopt similar hardware or risk a compliance gap in their own offerings. The company's pivot away from automotive Ethernet and toward data-center silicon appears prescient, especially as AI workloads accelerate demand for in-line cryptographic acceleration.
For enterprises, the long-term impact is a gradual dissolution of the boundary between "on-premises security" and "cloud security." When the same FIPS-validated hardware that once lived in a corporate cage now sits in a Microsoft data center and is accessible via a private network, the argument for maintaining physical appliance fleets weakens considerably. Regulated industries—banks, payment processors, public-sector agencies—now have a credible cloud path that satisfies both auditors and latency budgets.
The Marvell–Microsoft partnership also raises the competitive bar for other HSM vendors. Thales, Utimaco, and smaller players must now contend with a cloud-optimized form factor that radically alters the traditional value proposition. Appliance-based HSMs may continue to serve niche on-premises needs, but the growth curve clearly bends toward cloud-native, PCIe-attached modules that can be pooled and sliced across thousands of tenants.
Conclusion: A Pragmatic Leap Forward, With Guardrails
Microsoft's selection of Marvell LiquidSecurity for Azure Cloud HSM is a calculated bet that dense, FIPS-validated, DPU-accelerated hardware can deliver the security guarantees of traditional appliances while unlocking the scale and elasticity of the cloud. For customers bound by FIPS 140-3 Level 3 or eIDAS mandates, the service removes a painful barrier to cloud adoption, all while boosting throughput and reducing operational overhead.
Yet the decision is not without risk. Concentrating a security-critical component in one vendor demands rigorous supply-chain assurance, transparent firmware governance, and contractual protections that go beyond typical cloud agreements. The promise of quantum readiness must be tempered with a healthy dose of skepticism until concrete migration paths materialize.
For enterprises willing to do the engineering and legal legwork, the payoff is significant: a single-tenant, hardware-backed HSM that can scale seamlessly with cloud workloads. For Marvell, the win entrenches its hyperscale ambitions at a moment when the HSM market is pivoting decisively toward service-based consumption. And for the rest of the industry, it sets a clear expectation: the future of hardware security is not in a rack-mountable box, but in a PCIe slot, disaggregated, and served on demand.