Marvell’s Next-Gen HSM Doubles Down on Cloud, Serviceability, and Convergence

Subscribe To Download This Insight

By Michela Menting | 3Q 2022 | IN-6678

Marvell Technology launches the LiquidSecurity 2 (LS2) module, its second-generation Hardware Security Module (HSM) targeted at Cloud Service Providers (CSPs). Tailored specifically for cloud infrastructure, and certified to cater to broad and varied applications, from payments to identity, the LiquidSecurity 2 Module is built to enable hyperscalers to expand their HSM-as-a-Service offerings.

Registered users can unlock up to five pieces of premium content each month.

Log in or register to unlock this Insight.

 

Marvell Releases LiquidSecurity 2 HSM

NEWS


Marvell Technology announced the release of its second-generation LiquidSecurity (LS2) module on September 14. Built upon its Octeon Data Processing Units (DPUs), the LS2 is a Peripheral Component Interconnect Express (PCIe) Hardware Security Module (HSM) targeted for use within the cloud infrastructures of hyperscalers. The LS2 is a significant step up from its first generation, the LS1. The number of partitions is extended from 32 to 45, key storage is increased tenfold, and key operations per second are more performant (35,000 to 42,000 for RSA-2K, 10,000 to 110,000 for ECC, and 300,000 to 1 million for AES GCM). Further, the secure machine offers additional dedicated cores and, new for this generation, can run custom code.

The Cloud Gamble for Marvell

IMPACT


Cavium introduced LS1 in 2015, which Marvell re-launched under its own brand in 2019 after acquiring the company. It focused on optimized processing specifically for cloud infrastructure, and it gained significant traction with leading Cloud Service Providers (CSPs). Marvell LS1 can be found in the Alibaba Cloud Managed HSM, Alibaba Cloud Data Encryption Service, and Alibaba Cloud KMS; Google Cloud HSM and Google Cloud Key Management Service (KMS); Amazon Web Services (AWS) KMS; Microsoft Azure Key Vault Managed HSM; and Oracle Cloud Infrastructure Key Management.

The impact that Marvell has had in the space is notable, and its security modules take advantage of its expertise in the data infrastructure processing market where it has been successful in pushing its Octeon product line into wireless infrastructure, carrier networks, and cloud data centers. It has a rather unique understanding of those infrastructure requirements: high compute performance, lower power usage, hardware acceleration, advanced interfaces, and software-based programmability, which it has effectively integrated into its DPU products. By leveraging these same features within the LS family, Marvell can provide an attuned security solution for hyperscalers.

LS2, in particular, focuses on CSPs’ expanding cybersecurity strategies around offering cryptographic services, including key management and encryption. More specifically, this seems to anticipate CSP forays into two specific markets: Europe and payments. Within Europe, the LS2 includes compliance with Common Criteria (CC) and electronic Identification and Trust Services (eIDAS) (EAL4+, PP CEN EN 419 221-5, with augmentations for AVA_VAN.5, ALC-DVS, and ALC-FLR.2). For payments, LS2 is undergoing Payment Card Industry PIN Transaction Security (PCI-PTS) HSM 4.0 certification, meaning it will be able to serve as a payment HSM. Previously, LSI functioned only as a general-purpose HSM. This converged platform will enable CSPs to expand their offerings.

CSPs already provide a number of Payment HSM-as-a-Service solutions, but these are branded offerings from Original Equipment Manufacturers (OEMs) in their marketplaces (e.g., Futurex, Utimaco, and Thales all offer their payment HSM services in various CSP marketplaces). But Marvell’s LS2 will enable CSPs to offer payment HSM services in direct competition to those other services. Granted, there is still a long way to go for CSPs and Marvell to reach the maturity and expertise of the established payment HSM vendors, but there is little doubt that this move will shake up the payment HSM market.

Convergence and Serviceability of the HSM Market

RECOMMENDATIONS


Marvell is moving quickly and aggressively in the HSM space, but rather than tackling the enterprise market directly at the moment, it is doing this through its core competency and target market, the hyperscalers. This is a smart move that is already working in its favor. The HSM market is mature and well-established, and the current leaders have a singular expertise that will be difficult to compete against directly. So, by punting on the cloud migration that enterprises are undergoing today, it is supporting CSPs’ need to ensure their cloud infrastructure can provide adequate crypto services for those corporate assets and operations. Many HSM vendors don’t view Marvell as a direct competitor in the traditional sense.

Nonetheless, this accompanying of CSPs on their crypto services journey has worked well so far. Now, the firm is focused on expanding CSP reach as they look to those high-security HSM applications in payment and identity markets that have traditionally been targeted by high-end HSM appliances from established HSM OEMs. How successful Marvell will be will depend not only on whether CSPs can capitalize effectively on the LS2’s new features to provide the types of high-level security required by financial and government markets, but also on whether those services are on par with those offered by HSM incumbents. CSPs will need to build expertise in cryptography that is not easy to obtain or cheap to acquire. What is clear however, is that the HSM market is extending surely into the cloud, providing new and lucrative opportunities where consumption-based models, converged platforms, and serviceability will be key attributes.

Services