Microsoft has selected Marvell's LiquidSecurity hardware security modules (HSMs) as an underpinning for Azure Cloud HSM, the companies announced August 18, 2025. The deal extends an existing partnership that already places LiquidSecurity cards inside Azure Key Vault and Azure Key Vault Managed HSM, and now brings the PCIe-based, FIPS 140-3 Level 3-validated cryptography into Microsoft's most demanding single-tenant HSM service. For cloud architects and security teams, the move signals a shift toward hyperscale economics: higher key density, more operations per watt, and lower latency than traditional appliance-style HSMs, while administrative control over keys stays in the customer's hands.

The Hardware Behind the Headlines

Marvell's LiquidSecurity family, including the LiquidSecurity 2 (LS2) card, packs purpose-built OCTEON DPUs and cryptographic accelerators onto a PCIe form factor. According to Marvell's published specifications, each LS2 card can manage up to 100,000 key pairs and process more than one million cryptographic operations per second. Those figures are aggregate throughput across AES-GCM, ECC, RSA and other algorithms; they are vendor-reported and not yet broadly verified by independent benchmarks, but they represent a large jump in density over legacy 1U or 2U HSM appliances, which often top out at a few thousand keys per device.

For cloud providers, the math is compelling: more keys and operations per rack unit mean fewer physical devices, lower power draw, and reduced operational overhead. Azure Cloud HSM customers get the benefit through a managed service that abstracts the hardware while still delivering single‑tenant isolation.

Azure Cloud HSM: Single‑Tenant, Customer‑Controlled

Azure Cloud HSM is Microsoft’s premium offering for regulated and high‑assurance workloads. Unlike shared‑tenant Key Vault services, it provisions dedicated HSM clusters accessible only over private network links from a customer’s virtual network. Customers retain administrative control over cryptographic keys and operations, while Microsoft handles cluster availability, firmware updates, and physical security.

The service is designed for organizations that must meet stringent compliance requirements—financial services, government agencies, and sovereign cloud deployments—where hardware tamper resistance and strong auditability are non‑negotiable. The addition of LiquidSecurity HSMs strengthens the service’s certification posture.

Certification: FIPS 140‑3 Level 3 Across the Board

A critical piece of the announcement is the alignment of certification. Marvell’s LiquidSecurity modules have achieved FIPS 140‑3 Level 3 validation, and Microsoft has concurrently brought Azure Key Vault and Managed HSM firmware to the same standard. This combination means that Azure can now present a fully managed, FIPS 140‑3 Level 3‑compliant path for workloads that previously required on‑premises appliances. The certification covers both the hardware and the firmware, but customers must verify that the specific SKU, firmware version, and Azure region deployed match their audit requirements.

FIPS 140‑3 Level 3 mandates tamper‑evident and tamper‑response protections, along with identity‑based authentication and physical security mechanisms. That level of assurance opens the door for cloud migration of sensitive workloads in sectors like healthcare (HIPAA), payment processing (PCI DSS), and national security.

Why PCIe Matters for Performance

By packaging HSMs as PCIe cards rather than network-attached appliances, Marvell and Microsoft remove the network hop between the HSM host and the cryptographic hardware. Round-trips to a separate appliance can add milliseconds, which matters in high-frequency signing, TLS offload, or payment gateway paths. A host-attached card cuts that penalty on the service side and lets a single host serve far more operations. One caveat: customer applications still reach an Azure Cloud HSM cluster over the private network link from their virtual network, so the end-to-end latency an application observes includes that hop. Measure it from the application rather than assuming PCIe-class numbers.

Azure Cloud HSM clusters combine this local performance with synchronization and automatic failover mechanisms, maintaining high availability at the cluster level. The result is an architecture that blends appliance‑class certifications with the responsiveness of integrated hardware.

Strategic Implications for the HSM Market

The selection of Marvell’s LiquidSecurity for Azure Cloud HSM is more than a one‑off customer win; it accelerates a market transition. Industry analysts, including ABI Research, project the HSM‑as‑a‑service segment to grow at roughly 8.5% annually through 2029, driven by cloud providers’ need to support confidential computing and data sovereignty. Marvell, which pioneered cloud‑optimized PCIe HSMs, now has its largest hyperscale endorsement to date.

For Microsoft, the move fills a gap in its compliance portfolio and reinforces Azure’s appeal to regulated enterprises. It also supports broader Azure initiatives around confidential computing and sovereign clouds, where hardware‑rooted trust is essential. For Marvell, the deal validates a strategic pivot away from legacy markets (the company divested its Automotive Ethernet business to Infineon for $2.5 billion in cash earlier in 2025) and toward data‑center and AI infrastructure silicon.

Competing HSM vendors will likely respond with their own validated PCIe modules, alternative form factors, and roadmaps for post‑quantum cryptography (PQC). For buyers, this increased competition should expand choice, but it also heightens the need for thorough due diligence.

The Numbers Game: Performance Claims and Reality

Marvell's stated numbers, 100,000 key pairs per card and more than one million operations per second, are engineering targets aimed at hyperscale scenarios. Independent benchmarks of the LS2 card under real-world, multi-tenant workloads remain scarce, and market-sizing estimates from ABI Research and similar firms say nothing about per-device performance. Prospective customers should treat the figures as directional and run their own pilot under representative conditions.

Key considerations for a pilot include:
- AES‑GCM bulk encryption throughput under concurrent sessions.
- ECC and RSA signing rates for the curves and key sizes your applications actually use (for example ECDSA P-256 and RSA-4096).
- Tail latency in key‑wrapping and unwrapping operations.
- Cluster failover behavior when a node fails.
- Power consumption at load, measured at the rack level.
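A pilot harness for the throughput, tail-latency and failover items above, written for this article as an added example rather than code from Microsoft or Marvell. It drives any callable from concurrent workers, records per-call latency, reports nearest-rank percentiles and counts calls that raised, so a node failure injected mid-run appears as an error count plus a latency spike instead of aborting the test. The signing operation is a constructed software HMAC stand-in; in a real pilot you would pass the vendor SDK's sign call (for example a PKCS#11 C_Sign against a key resident in the HSM) so the measurement includes the network path from your virtual network to the cluster.

```python
import hashlib
import hmac
import math
import os
import statistics
import threading
import time
from typing import Callable, Dict, List


def percentile(sorted_samples: List[float], p: float) -> float:
    """Nearest-rank percentile of an ascending-sorted sample list, p in [0, 100]."""
    if not sorted_samples:
        raise ValueError("no samples")
    if not 0 <= p <= 100:
        raise ValueError("p must be in [0, 100]")
    rank = max(1, math.ceil(p / 100 * len(sorted_samples)))
    return sorted_samples[rank - 1]


def run_benchmark(op: Callable[[bytes], object], threads: int, iterations: int,
                  payload: bytes = b"\x00" * 32) -> Dict[str, float]:
    """Drive `op` from `threads` concurrent workers, `iterations` calls each.

    Returns aggregate throughput, latency percentiles in milliseconds and the
    number of calls that raised. Exceptions are counted, not propagated, so a
    failover test can read recovery behaviour off the error count and max_ms.
    """
    if threads < 1 or iterations < 1:
        raise ValueError("threads and iterations must be >= 1")
    latencies: List[List[float]] = [[] for _ in range(threads)]
    errors = [0] * threads

    def worker(idx: int) -> None:
        for _ in range(iterations):
            t0 = time.perf_counter()
            try:
                op(payload)
            except Exception:  # any client-side failure counts as a failed op
                errors[idx] += 1
            latencies[idx].append((time.perf_counter() - t0) * 1000.0)

    pool = [threading.Thread(target=worker, args=(i,)) for i in range(threads)]
    start = time.perf_counter()
    for t in pool:
        t.start()
    for t in pool:
        t.join()
    elapsed = time.perf_counter() - start

    samples = sorted(x for per_thread in latencies for x in per_thread)
    return {
        "count": len(samples),
        "errors": sum(errors),
        "elapsed_s": elapsed,
        "ops_per_sec": len(samples) / elapsed if elapsed > 0 else float("inf"),
        "mean_ms": statistics.fmean(samples),
        "p50_ms": percentile(samples, 50),
        "p99_ms": percentile(samples, 99),
        "p999_ms": percentile(samples, 99.9),
        "max_ms": samples[-1],
    }


# Constructed stand-in for the HSM client's sign call: a software HMAC over a
# 32-byte digest with an in-memory key. It exists only so the harness runs
# offline; swap in the real SDK call for an actual pilot.
_STANDIN_KEY = os.urandom(32)


def software_sign_standin(digest: bytes) -> bytes:
    return hmac.new(_STANDIN_KEY, digest, hashlib.sha256).digest()


if __name__ == "__main__":
    stats = run_benchmark(software_sign_standin, threads=8, iterations=5000)
    for name, value in stats.items():
        print(f"{name:>12}: {value:,.3f}" if isinstance(value, float) else f"{name:>12}: {value}")
```

Run it once against a warm cluster for the baseline, then again while you take a node out of the cluster; the difference in errors, p99.9_ms and max_ms is the failover cost your application will actually pay. Percentiles are nearest-rank rather than interpolated so a single slow call is never averaged away.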

Risks and Cautions for Enterprise Architects

Despite the promise, the LiquidSecurity‑powered Azure Cloud HSM carries risks that demand proactive management.

Vendor and Supply Concentration – Relying on a single HSM hardware supplier at hyperscale creates a systemic risk. A firmware vulnerability or supply interruption could impact large swaths of Azure’s HSM‑dependent services. Organizations should negotiate remediation SLAs and maintain contingency plans, possibly including a hybrid architecture that keeps some keys on‑premises or with an alternate vendor.

Certification Scope Creep – FIPS 140‑3 validation is tied to specific hardware/firmware combinations. A firmware update can invalidate the certification unless meticulously tracked. Buyers must demand a detailed certification matrix covering their deployed region and SKU, and contractually lock down procedures for re‑certification and rollback.
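The certification-matrix check this paragraph and the Certification section above call for, as an added example that is not part of the original article or either vendor's tooling. It compares a deployed inventory against a vendor-supplied matrix and flags three conditions: a firmware build with no certificate of its own, a certificate past its sunset date, and a region the vendor does not list for that build. The (sku, firmware) comparison is deliberately an exact string match, because a newer firmware is not validated until it appears on its own certificate; the SKUs, versions, certificate identifiers, dates and regions below are constructed placeholders, and the matrix field names are assumptions about what a vendor would supply.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class ValidatedConfig:
    """One row of the vendor's certification matrix (field names are assumptions)."""
    sku: str
    firmware: str             # exact firmware string on the validation certificate
    certificate: str          # certificate identifier as given by the vendor
    sunset: date              # date the certificate leaves the active list
    regions: FrozenSet[str]   # regions the vendor states run this exact build


@dataclass(frozen=True)
class DeployedCluster:
    name: str
    sku: str
    firmware: str
    region: str


def check_cluster(c: DeployedCluster, matrix: List[ValidatedConfig], today: date) -> List[str]:
    """Return [] if the cluster is covered, else the reasons it is not.

    Coverage requires an exact (sku, firmware) match. No ">=" comparison is
    applied to the version string: 3.10.0 is not covered by a 3.5.2 certificate.
    """
    findings: List[str] = []
    rows = [r for r in matrix if r.sku == c.sku and r.firmware == c.firmware]
    if not rows:
        validated = sorted({r.firmware for r in matrix if r.sku == c.sku})
        findings.append(
            f"{c.name}: firmware {c.firmware} on SKU {c.sku} has no validation certificate "
            f"(validated builds for this SKU: {validated or 'none'})")
        return findings
    if not any(r.sunset >= today for r in rows):
        findings.append(f"{c.name}: certificate {rows[0].certificate} sunset on {rows[0].sunset}")
    if not any(c.region in r.regions for r in rows):
        findings.append(f"{c.name}: region {c.region} not listed for {c.sku}/{c.firmware}")
    return findings


def check_inventory(inventory: List[DeployedCluster], matrix: List[ValidatedConfig],
                    today: date) -> Dict[str, List[str]]:
    return {c.name: check_cluster(c, matrix, today) for c in inventory}


# Constructed sample data: every SKU, version, certificate id, date and region
# here is a placeholder, not a value taken from any real certificate.
SAMPLE_MATRIX = [
    ValidatedConfig("LS2-EXAMPLE", "3.5.2", "CERT-0001", date(2030, 6, 30),
                    frozenset({"eastus", "westeurope"})),
    ValidatedConfig("LS2-EXAMPLE", "3.4.0", "CERT-0000", date(2024, 12, 31),
                    frozenset({"eastus"})),
]
SAMPLE_INVENTORY = [
    DeployedCluster("payments-prod", "LS2-EXAMPLE", "3.5.2", "eastus"),
    DeployedCluster("payments-dr", "LS2-EXAMPLE", "3.5.2", "southeastasia"),  # region not in matrix
    DeployedCluster("legacy", "LS2-EXAMPLE", "3.4.0", "eastus"),              # certificate past sunset
    DeployedCluster("canary", "LS2-EXAMPLE", "3.10.0", "eastus"),             # newer build, not validated
]


def sample_report(today: date = date(2025, 8, 18)) -> Dict[str, List[str]]:
    return check_inventory(SAMPLE_INVENTORY, SAMPLE_MATRIX, today)


if __name__ == "__main__":
    for name, reasons in sample_report().items():
        print(name, "OK" if not reasons else "; ".join(reasons))
```

Feed the matrix from the vendor's signed document rather than typing it in, re-run the check after every firmware rollout, and treat a non-empty finding as a change-control blocker: the canary cluster above is running something newer than anything validated, which is exactly the case a "minimum version" check would wave through.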

Multi‑Tenant Partition Isolation – Although Azure Cloud HSM offers single‑tenant clusters, the underlying LiquidSecurity cards support many partitions for density. Partitioning increases the surface for side‑channel or contention‑based attacks. Security teams should validate isolation guarantees against their threat models, particularly for workloads handling extremely sensitive material.

Post‑Quantum Readiness – The shift to quantum‑resistant algorithms will eventually force changes in HSM firmware and possibly hardware. Any HSM deployment today should include contractual commitments for PQC roadmaps and field‑upgradeability, minimizing disruption when the time comes.

Benchmarking Discipline – Vendor‑supplied performance numbers are not a substitute for empirical testing. Organizations must invest in a realistic pilot that stresses the system under production‑like concurrency and data patterns.

Action Plan for Procurement and Security Teams

To navigate this new option effectively, IT and security leaders should follow a structured approach:

  1. Inventory and Classify Workloads – List all HSM‑dependent applications and categorize them by regulatory requirement (e.g., FIPS level, eIDAS, PCI).
  2. Map to Cloud HSM Eligibility – Identify which workloads are suitable for Azure Cloud HSM single‑tenant clusters versus those that must remain on‑premises due to control or redundancy needs.
  3. Request Certification Matrices – Obtain from Microsoft and Marvell the exact SKU, firmware, and region coverage for FIPS 140‑3 Level 3 and any other trust frameworks relevant to your industry.
  4. Negotiate Operational SLAs – Cover patch cadences, vulnerability disclosure timelines, firmware rollback procedures, and zeroization steps.
  5. Run a Representative Pilot – Test with production‑like traffic to assess throughput, tail latency, and failover behavior. Use the algorithms and key sizes your applications actually employ.
  6. Demand PQC Roadmaps – Include contractual language that requires post‑quantum algorithm support and field‑upgradeability for long‑lived key material.
  7. Maintain Vendor Diversity – For mission‑critical keys, ensure you have an alternate vendor or hybrid architecture to avoid lock‑in.

What’s Next

Expect Microsoft to gradually roll out LiquidSecurity‑based Azure Cloud HSM instances across its global regions, with availability likely tied to hardware supply and certification milestones. Marvell will continue to invest in the LiquidSecurity roadmap, with a likely emphasis on even higher key densities, more granular partition isolation, and PQC acceleration.

The broader HSM market will watch this deployment closely. If Azure customers validate the promised performance and compliance benefits, other cloud providers may follow suit, accelerating the shift from appliance‑centric to PCIe‑based HSM‑as‑a‑service. That could further commoditize hardware‑backed cryptography and make strong encryption more accessible to organizations that previously could not justify the cost and complexity of on‑premises HSMs.

For now, the Azure–Marvell alignment changes the procurement calculus for hardware‑backed cloud cryptography. Its benefits are tangible—density, latency, compliance—but so are the tradeoffs around vendor concentration and the need for rigorous testing. The organizations that approach this new capability with the same diligence they apply to any foundational security infrastructure will be the ones that safely unlock its potential.