SemiWiki.com - Podcast EP316: An Introduction to Hardware Security Modules (HSMs) and Marvell’s Unique LiquidSecurity Offering with Bill Hagerstrand
Episode Date: November 5, 2025. Daniel is joined by Bill Hagerstrand, director of Security Business at Marvell Technology, where he manages the market-leading Marvell LiquidSecurity® HSM business. Bill has more than 20 years of experience in the semiconductor, AI/machine learning, and security markets. Bill explains what an HSM is, how it is configured and…
Transcript
Hello, my name is Daniel Nenni, founder of SemiWiki, the open forum for semiconductor professionals. Welcome to the Semiconductor Insiders podcast series. My guest today is Bill Hagerstrand, Director of Security Business at Marvell Technology, where he manages the market-leading Marvell LiquidSecurity HSM business. Bill has more than 20 years of experience in the semiconductor, AI, machine learning, and security markets. Welcome to the podcast, Bill.
You're welcome. Thanks for having me.
So, Bill, my first question is, what brought you to Marvell?
Yeah, I mean, I've been in the cybersecurity space now, especially on the HSM side, for a little over a decade, working at Thales and then a startup company called Fortanix, and finally migrated my way to Marvell, basically looking for a solution in the market space that was next generation, something that the other HSM companies currently don't support in the market today. And that's really what attracted me to Marvell. And at Marvell, I run the LiquidSecurity product line on the marketing side. So that's really a next-generation HSM in the market space today.
Okay, so what is an HSM? And what are the key advantages of using one versus alternative security methods?
Yeah, that's a good question. I often say that an HSM is a physically secure location to manage keys and perform encryption functions. Just think of an HSM as a confidential compute environment, mainly for crypto. They've been around for a few decades, the first one being used to secure PIN transactions in ATM machines. I think that's back in the 70s. The market today is kind of split between general-purpose HSMs and payment HSMs. 60% of the market is general-purpose HSMs, while 40% of the HSM market targets the payment space. They're typically deployed in three form factors: either as 1U appliances, PCI cards, or USB devices. And they all need to meet the government-mandated NIST FIPS 140-3 certification. And in that certification, there are typically four levels, Level 3 being the most common for HSMs. And as an alternative, folks can do encryption and key management in software. The majority of the software out there allows you to connect to an HSM through standard APIs like PKCS#11, Java JCE, Microsoft CNG, or RESTful APIs.
Right. So we all use HSMs, but we just don't really know it, right?
We do, correct. HSMs are the backbone, the root of trust, for a lot of the applications in the market space today. I mean, if you look at Microsoft SQL or Oracle databases, they all allow you to connect to an HSM on the back end to increase the security posture.
So what are the key regulation and certification requirements and challenges related to HSMs?
Yes, HSMs are difficult, not only to manage typically, but through the certification process as well. I mean, the main government certification required for HSMs today is something called NIST FIPS 140-3. The certification is on both the hardware and the software components. So every time you change either one, you have to go through that certification process again. Other certifications that are important for HSMs are certifications like Common Criteria, eIDAS for Europe. And if you want to do anything in the payment space, you'll need to meet PCI certification as well.
Right. So how did Marvell change and improve upon HSMs?
A while back ago, HSMs... we've been in the market space for some time. A while back ago, I think we introduced the market to two items. One is partitioning and the other one's clustering. Just think of partitioning like partitions on a hard drive, where we cryptographically separate storage resources on the card. Now if you're a hyperscaler offering services, each partition can be a unique customer. So the more partitions that you support, the more customers that you can manage on each of the cards. And then clustering not only provides HA/DR, but allows you to share resources amongst the different cards in your infrastructure.
Right. And what are the key differentiators or advantages of the Marvell LiquidSecurity?
I think the biggest benefit of Marvell's LiquidSecurity products over the competition is the performance. The other big advantage that we have over the competition is something that I call multi-mode: basically, the ability to run FIPS, non-FIPS, and payments on the same hardware. I mentioned earlier, the HSM market is split between payments and general purpose, which means that you have two different pieces of hardware, software, and certifications that you have to manage. We were able to put both the hardware and software certification through the NIST FIPS and PCI certification process. So if you're a bank, as an example, you need to provide payment transactions. You need to also keep your customers' PII data confidential, PII being personally identifiable information: Social Security numbers, birth dates, etc. Banks are currently forced to deploy separate hardware and software to secure both. So if you're doing payment transactions, you've got to deploy payment HSMs. You also have to deploy general-purpose HSMs to keep that PII data confidential. With Marvell, you can do both on the same hardware and software resources. So you can run payment transactions in one partition and protect PII information in another partition. And it's a huge CapEx/OpEx savings for a lot of the hyperscalers and customers in the market space.
Right. And, you know, I was reading some of your announcements. And let me ask you, why did Microsoft select LiquidSecurity for Azure? And how are they using it? And can you name a few other customers that you're working with?
Yeah, yeah. That's a good question. So Microsoft uses our HSMs in both their Azure Key Vault, what they call their Azure Key Vault, and their Azure Key Vault managed services. And I think, you know, the main reason they chose this was because of our high performance. High performance means better CapEx/OpEx savings. So the more customers you can throw on each card, the better savings you have as a hyperscaler offering your service. And the other item that I think they chose us on was we're a customer-first company. So we listen and implement new features based on customers' feedback. It's good to know that hyperscalers today are using Marvell HSMs as a root of trust, literally for thousands of customers globally.
Okay. Last question. What's next for HSMs and also for LiquidSecurity? You know, what are tomorrow's threats and challenges and opportunities for Marvell to focus on?
Yes. So obviously, scaling up performance and partition counts, so hyperscalers can host more customers and offer more services, that's an obvious path for us and LiquidSecurity. I think quantum computers, you know, today and over the next few years, are going to be the biggest threat to security moving forward. Once they become readily available, they can brute-force attack classical algos like RSA in just hours and days and not millions of years. So support for post-quantum crypto algorithms and accelerating those in hardware will be required for the next-generation HSMs. As new post-quantum crypto algorithms are developed, you'll have the need for what I call crypto agility, or the ability to add new post-quantum crypto algorithms as they become available. Another thing that we're looking at is what we call dynamic resource provisioning. So allowing the hyperscalers to dynamically allocate hardware resources to each partition makes the card usage more efficient. So if a hyperscaler has a customer that has a need for a key every week versus a customer that needs a key every hour, they can allocate resources accordingly to each of those customers. And then the last item I would say is building out our ecosystem. Our goal is to drive more business and use cases to the cloud. So identifying use cases that are mostly being done today with on-premise HSMs and working with partners and hyperscalers to bring those use cases to the cloud, I think, are the main goals for us as a group to grow our market share.
Oh, great. Maybe we can come back and chat again about it. It was great talking to you, Bill, and thank you for your time.
Yeah, thank you as well.
That concludes our podcast. Thank you all for listening, and have a great day.
