Microsoft has deployed a custom-built security chip, the Azure Integrated HSM, across every Azure server to counter an annual cybercrime cost projected to reach $10.2 trillion by 2025.
The Azure Integrated HSM, first announced in late 2024, constitutes a central component of Microsoft’s comprehensive security architecture. This architecture was detailed at the recent Hot Chips 2025 event.
Microsoft presented data indicating that the global cost of cybercrime is equivalent to the world's third-largest economy, positioning it behind the United States and China but ahead of nations like Germany and Japan. This figure also significantly exceeds the size of the entire artificial intelligence market.
Microsoft asserts that the current scale of the cyber threat necessitates both architectural and operational changes. According to a report by ServeTheHome, Azure operates across more than 70 regions and 400 data centers, supported by 275,000 miles of fiber and 190 network points of presence. The company employs 34,000 engineers dedicated to security.
To address cybersecurity challenges at a hardware level, Microsoft shifted from a centralized hardware security module model to its proprietary Azure Integrated HSM. This custom ASIC is engineered to meet FIPS 140-3 Level 3 requirements, offering tamper resistance and localized key protection within individual servers. Embedding this chip in each system allows cryptographic functions such as AES and PKE, as well as intrusion detection, to be performed locally, reducing the latency historically associated with centralized clusters.
ServeTheHome noted that developing an in-house chip required trade-offs, specifically in scaling hardware security modules to individual servers rather than to the cluster level. Microsoft highlighted this approach as striking a balance between performance, efficiency, and resilience.
Microsoft also outlined its “Secure by Design” architecture at Hot Chips, a key part of its Secure Future Initiative. This initiative incorporates Azure Boost, which offloads control plane services to a dedicated controller, isolating them from customer workloads.
The Datacenter Secure Control Module integrates Hydra BMC, enforcing a silicon root of trust on management interfaces. Confidential computing, supported by trusted execution environments, extends protection to workloads within multi-tenant environments. Caliptra 2.0, a collaborative effort with AMD, Google, and Nvidia, anchors security in silicon and now includes post-quantum cryptography through the Adams Bridge project.