The HSM Battle for the Cloud: Integrated Versus General Purpose
By Michela Menting | 28 May 2026 | IN-8154
NEWS: Microsoft Open Sources the Azure Integrated HSM
Microsoft announced its intent last month (April 2026) to release the Azure Integrated HSM firmware, driver, and software stack as open source. It is doing this through the Open Compute Project (OCP), within which it is also planning to launch a workgroup to accompany ongoing development. The firmware is already available on its GitHub repository. Microsoft first announced the technology back in October 2025, a mere infant in Hardware Security Module (HSM) years (practically neo-natal). This rapid pivot to open source marks a major evolution in how HSMs have gone to market. Critically, this reveals what many in the field have known for some time about the future of the HSM market: demand for HSMs will not be product-driven anymore, but application-based.
IMPACT: The End Game Is the Application
The HSM has always been a means to an end, predicated on a go-to-market strategy forged around the product itself and its cryptographic capabilities: powerful, ever faster, with a rich (and proprietary) middleware ecosystem built over decades to support myriad applications. Those who bought HSMs were focused on the machines themselves. The only split emerging from the HSM’s 50-year history has been the creation of dedicated payment HSMs, and this almost right at the inception of the first general-purpose modules.
The first crack in that seemingly iron-clad market came with the cloud. The voracity and speed with which Marvell, a chip maker, penetrated and dominated the space with its LiquidSecurity line took incumbents by surprise. What mattered to the Cloud Service Providers (CSPs) was performant hardware stripped of the middleware. They built the ecosystem around it, and tailored it to their cloud infrastructure and the specific cryptographic applications they wanted to provide to their customers. Even the applications themselves were not viewed as the end product. Although CSPs offered key management and cloud HSM services, the goal was (and continues to be) to enable trust and security for their cloud offerings. HSM-enablement is simply a value-add, a competitive differentiator that provides compliance guarantees for cloud users.
The raison d’être of the Azure integrated HSM is key management, a critical application served by Azure Key Vault and Azure Managed HSM. Both of these services have been derivative offerings by Microsoft Azure for some time, existing without a dedicated focus on selling them as standalone solutions. They are effectively complementary to the broader Azure cloud portfolio. The development of the integrated HSM is the result of Microsoft’s pursuit of ever lower latency and greater throughput, even if these gains are marginal. But such margins matter today in an Artificial Intelligence (AI)-powered world. And they are likely to matter even more to an Edge AI one. Opening up the stack shows how critical the HSM is to CSPs’ trust positioning, and how quickly solutions that cater minutely to specific contexts can displace traditional powerhouses.
RECOMMENDATIONS: A Piece of the HSM Pie
Traditional HSM vendors have been fixated on how best to serve the fast-growing cloud HSM market for the last few years. From adapting their form factors (Peripheral Component Interconnect Express (PCIe) cards to blades and secure elements), to embracing Representational State Transfer Application Programming Interfaces (REST APIs), to architecting for multi-tenancy, to launching their own cloud services, they’ve clearly made significant strides in a market that has been fairly uneventful to date. One of the key tenets of HSM marketability, and a forte of HSM vendors, has been Federal Information Processing Standard (FIPS) 140-3 certification (and Payment Card Industry (PCI) PIN Transaction Security (PTS) HSM for payment HSMs), as well as cryptographic prowess. But the CSPs have been quick to match those. The Azure integrated HSM is now FIPS 140-3 Level 3 certified (up from Level 2 in October 2025). Microsoft has been heavily involved in the Post-Quantum Cryptography (PQC) scene (from standardization to testing). With a few years of experience in key management and data protection, cryptography is not a foreign skill set anymore; it’s an entrenched expertise. The company, much like the other cloud providers, has significant resources to put into developing such security capabilities. The irony—for the legacy HSM market at least—is that these are not the end product. What CSPs are interested in today is addressing cloud demands around confidential computing, sovereignty, and AI security.
The Azure integrated HSM does not use third-party hardware; it is a custom chip embedded directly into the host servers of AMD v7 virtual machines for ultra-low latency in high-performance workloads, able to guarantee high assurance in real time. Microsoft has made no secret that this move is part of its broader strategy to integrate trust (note here though that this is Microsoft-developed trust) from the bottom of the stack to the top in order to achieve the Holy Grail of silicon-to-cloud security architecture by design. This is the goal behind other Microsoft-backed open projects such as Caliptra. The openness is the counter to the closed systems developed and commercialized by legacy HSM vendors.
Today, Azure’s integrated HSM is competing directly with traditional general-purpose HSMs. Right now, however, it is only doing so in one application within a specific context: key management for Virtual Machines (VMs) in Azure. Nonetheless, the resources and rapidity with which Microsoft has moved from third-party HSM partnerships for broad HSM/Key Management System (KMS) services to embedding a homemade chip right into the server is astonishing. And then to open up that middleware for anyone to develop dedicated applications for the integrated HSM is not just another crack in that legacy market, but a fault line that HSM vendors would do well to pay very close attention to.
Written by Michela Menting
Michela Menting leads ABI Research’s coverage of digital security, IoT, and space technologies. She delivers end-to-end research, closely analyzing technology trends, growth opportunities, and industry-specific implementations in end markets, including enterprise, government, financial, telecommunications, industrial, and IoT. She has extensive experience and industry insight into the latest solutions in digital security technologies, from trusted silicon and hardware to secure applications and infrastructures.