Commit 369920e

committed
update
1 parent 46a78a7 commit 369920e

File tree

1 file changed

+16
-14
lines changed

articles/security/fundamentals/key-management-choose.md

Lines changed: 16 additions & 14 deletions
@@ -47,18 +47,18 @@ Provisioning and hosting are managed by Microsoft across all solutions. Key gene
4747

4848
Use the table to compare all the solutions side by side. Begin from top to bottom, answering each question found on the left-most column to help you choose the solution that meets all your needs, including management overhead and costs.
4949

50-
| | **AKV Standard** | **AKV Premium** | **Azure Managed HSM** | **Azure Dedicated HSM** | **Azure Payment HSM** |
51-
| --- | --- | --- | --- | --- | --- |
52-
| What level of **compliance** do you need? | FIPS 140-2 level 1 | FIPS 140-2 level 3, PCI DSS, PCI 3DS** | FIPS 140-2 level 3, PCI DSS, PCI 3DS | FIPS 140-2 level 3, HIPAA, PCI DSS, PCI 3DS, eIDAS CC EAL4+, GSMA | FIPS 140-2 level 3, PCI PTS HSM v3, PCI DSS, PCI 3DS, PCI PIN |
53-
| Do you need **key sovereignty**? | No | No | Yes | Yes | Yes |
54-
| What kind of **tenancy** are you looking for? | Multitenant | Multitenant | Single Tenant | Single Tenant | Single Tenant |
55-
| What are your **use cases**? | Encryption at Rest, CMK, custom | Encryption at Rest, CMK, custom | Encryption at Rest, TLS Offload, CMK, custom | PKCS11, TLS Offload, code/document signing, custom | Payment PIN processing, custom |
56-
| Do you want **HSM hardware protection**? | No | Yes | Yes | Yes | Yes |
57-
| What is your **budget**? | $ | $$ | $$$ | $$$$ | $$$$ |
58-
| Who takes responsibility for **patching and maintenance**? | Microsoft | Microsoft | Microsoft | Customer | Customer |
59-
| Who takes responsibility for **service health and hardware failover**? | Microsoft | Microsoft | Shared | Customer | Customer |
60-
| What kind of **objects** are you using? | Asymmetric Keys, Secrets, Certs | Asymmetric Keys, Secrets, Certs | Asymmetric/Symmetric keys | Asymmetric/Symmetric keys, Certs | Local Primary Key |
61-
| **Root of trust control** | Microsoft | Microsoft | Customer | Customer | Customer |
50+
| | **AKV Standard** | **AKV Premium** | **Azure Managed HSM** | **Azure Cloud HSM** | **Azure Dedicated HSM** | **Azure Payment HSM** |
51+
| --- | --- | --- | --- | --- | --- | --- |
52+
| What level of **compliance** do you need? | FIPS 140-2 level 1 | FIPS 140-2 level 3, PCI DSS, PCI 3DS** | FIPS 140-2 level 3, PCI DSS, PCI 3DS | FIPS 140-3 level 3 | FIPS 140-2 level 3, HIPAA, PCI DSS, PCI 3DS, eIDAS CC EAL4+, GSMA | FIPS 140-2 level 3, PCI PTS HSM v3, PCI DSS, PCI 3DS, PCI PIN |
53+
| Do you need **key sovereignty**? | No | No | Yes | Yes | Yes | Yes |
54+
| What kind of **tenancy** are you looking for? | Multitenant | Multitenant | Single Tenant | Single Tenant | Single Tenant | Single Tenant |
55+
| What are your **use cases**? | Encryption at Rest, CMK, custom | Encryption at Rest, CMK, custom | Encryption at Rest, TLS Offload, CMK, custom | PKCS11, TLS Offload, CA private key protection, TDE, code/document signing | PKCS11, TLS Offload, code/document signing, custom | Payment PIN processing, custom |
56+
| Do you want **HSM hardware protection**? | No | Yes | Yes | Yes | Yes | Yes |
57+
| What is your **budget**? | $ | $$ | $$$ | $$$$ | $$$$ | $$$$ |
58+
| Who takes responsibility for **patching and maintenance**? | Microsoft | Microsoft | Microsoft | Microsoft | Customer | Customer |
59+
| Who takes responsibility for **service health and hardware failover**? | Microsoft | Microsoft | Shared | Microsoft | Customer | Customer |
60+
| What kind of **objects** are you using? | Asymmetric Keys, Secrets, Certs | Asymmetric Keys, Secrets, Certs | Asymmetric/Symmetric keys | Asymmetric/Symmetric keys, Certs | Asymmetric/Symmetric keys, Certs | Local Primary Key |
61+
| **Root of trust control** | Microsoft | Microsoft | Customer | Customer | Customer | Customer |
6262

6363
## Common key management solution uses by industry segments
6464

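Review bot: The new **Azure Cloud HSM** column has two cells that break the row's consistency and will trip up readers using this table to compare offerings. In the "use cases" row, `| PKCS11, TLS Offload, CA private key protection, TDE, code/document signing |` is the only cell in the row without a trailing "custom", although the Cloud HSM paragraph added in the next hunk describes PKCS#11/OpenSSL/JCE/CNG access for applications, which is the same custom-application capability the neighbouring Dedicated HSM cell claims with "PKCS11, TLS Offload, code/document signing, custom"; either append ", custom" or say why it is excluded. In the "compliance" row, "FIPS 140-3 level 3" stands alone while every other column also lists its PCI (and, for Dedicated HSM, HIPAA/eIDAS/GSMA) attestations; if Cloud HSM has no other attestations yet, a short footnote would stop readers from reading the gap as an omission, and the existing unexplained "**" marker on the AKV Premium "PCI 3DS**" cell should get its footnote at the same time.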
@@ -78,9 +78,11 @@ Here is a list of the key management solutions we commonly see being utilized ba
7878

7979
**Azure Key Vault (Premium Tier)**: A FIPS 140-2 Level 3** validated multitenant HSM offering that can be used to store both asymmetric and symmetric keys, secrets, and certificates. Keys are stored in a secure hardware boundary*. Microsoft manages and operates the underlying HSM, and keys stored in Azure Key Vault Premium can be used for encryption-at-rest and custom applications. Azure Key Vault Premium also provides a modern API and a breadth of regional deployments and integrations with Azure Services. If you are an AKV Premium customer looking for key sovereignty, single tenancy, and/or higher crypto operations per second, you may want to consider Managed HSM instead. For more information, see [About Azure Key Vault](/azure/key-vault/general/overview).
8080

81-
**Azure Managed HSM**: A FIPS 140-2 Level 3 validated, PCI compliant, single-tenant HSM offering that gives customers full control of an HSM for encryption-at-rest, Keyless SSL/TLS offload, and custom applications. Azure Managed HSM is the only key management solution offering confidential keys. Customers receive a pool of three HSM partitions—together acting as one logical, highly available HSM appliance—fronted by a service that exposes crypto functionality through the Key Vault API. Microsoft handles the provisioning, patching, maintenance, and hardware failover of the HSMs, but doesn't have access to the keys themselves, because the service executes within Azure's Confidential Compute Infrastructure. Azure Managed HSM is integrated with the Azure SQL, Azure Storage, and Azure Information Protection PaaS services and offers support for Keyless TLS with F5 and Nginx. For more information, see [What is Azure Key Vault Managed HSM?](/azure/key-vault/managed-hsm/overview)
81+
**Azure Managed HSM**: A FIPS 140-2 Level 3 validated, PCI compliant, single-tenant HSM offering that gives customers full control of an HSM for encryption-at-rest, Keyless SSL/TLS offload, and custom applications. Azure Managed HSM is the only key management solution offering confidential keys. Customers receive a pool of three HSM partitions—together acting as one logical, highly available HSM appliance—fronted by a service that exposes crypto functionality through the Key Vault API. Microsoft handles the provisioning, patching, maintenance, and hardware failover of the HSMs, but doesn't have access to the keys themselves, because the service executes within Azure's Confidential Compute Infrastructure. Azure Managed HSM is integrated with the Azure SQL, Azure Storage, and Azure Information Protection PaaS services and offers support for Keyless TLS with F5 and Nginx. For more information, see [What is Azure Key Vault Managed HSM?](/azure/key-vault/managed-hsm/overview).
8282

83-
**Azure Dedicated HSM**: A FIPS 140-2 Level 3 validated single-tenant bare metal HSM offering that lets customers lease a general-purpose HSM appliance that resides in Microsoft datacenters. The customer has complete ownership over the HSM device and is responsible for patching and updating the firmware when required. Microsoft has no permissions on the device or access to the key material, and Azure Dedicated HSM is not integrated with any Azure PaaS offerings. Customers can interact with the HSM using the PKCS#11, JCE/JCA, and KSP/CNG APIs. This offering is most useful for legacy lift-and-shift workloads, PKI, SSL Offloading and Keyless TLS (supported integrations include F5, Nginx, Apache, Palo Alto, IBM GW and more), OpenSSL applications, Oracle TDE, and Azure SQL TDE IaaS. For more information, see [What is Azure Dedicated HSM?](/azure/dedicated-hsm/overview)
83+
**Azure Cloud HSM**: A FIPS 140-3 Level 3 validated, single-tenant HSM-as-a-service offering that provides customers with dedicated HSM clusters for cryptographic key storage and operations within the Azure environment. Azure Cloud HSM grants customers full administrative control over their HSMs while Microsoft manages patching, maintenance, high availability, and hardware failover. This IaaS solution supports PKCS#11, OpenSSL, JCE/JCA, and CNG/KSP for applications including SSL/TLS offloading, certificate authority private key protection, transparent data encryption (TDE), and code/document signing. Azure Cloud HSM does not integrate with Azure PaaS/SaaS services or support Encryption at Rest scenarios. For more information, see [Azure Cloud HSM Overview](/azure/cloud-hsm/overview).
84+
85+
**Azure Dedicated HSM**: A FIPS 140-2 Level 3 validated single-tenant bare metal HSM offering that lets customers lease a general-purpose HSM appliance that resides in Microsoft datacenters. The customer has complete ownership over the HSM device and is responsible for patching and updating the firmware when required. Microsoft has no permissions on the device or access to the key material, and Azure Dedicated HSM is not integrated with any Azure PaaS offerings. Customers can interact with the HSM using the PKCS#11, JCE/JCA, and KSP/CNG APIs. This offering is most useful for legacy lift-and-shift workloads, PKI, SSL Offloading and Keyless TLS (supported integrations include F5, Nginx, Apache, Palo Alto, IBM GW and more), OpenSSL applications, Oracle TDE, and Azure SQL TDE IaaS. For more information, see [What is Azure Dedicated HSM?](/azure/dedicated-hsm/overview).
8486

8587
**Azure Payment HSM**: A FIPS 140-2 Level 3, PCI HSM v3, validated single-tenant bare metal HSM offering that lets customers lease a payment HSM appliance in Microsoft datacenters for payments operations, including payment PIN processing, payment credential issuing, securing keys and authentication data, and sensitive data protection. The service is PCI DSS, PCI 3DS, and PCI PIN compliant. Azure Payment HSM offers single-tenant HSMs for customers to have complete administrative control and exclusive access to the HSM. Once the HSM is allocated to a customer, Microsoft has no access to customer data. Likewise, when the HSM is no longer required, customer data is zeroized and erased as soon as the HSM is released, to ensure complete privacy and security is maintained. For more information, see [About Azure Payment HSM](/azure/payment-hsm/overview).
8688

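Review bot: The new **Azure Cloud HSM** paragraph classifies the service two ways in adjacent sentences: "single-tenant HSM-as-a-service offering" and then "This IaaS solution supports PKCS#11 ..."; pick one, since the table in the previous hunk positions it between Managed HSM (a managed service) and Dedicated HSM (leased bare metal) and readers will want to know which model applies. The paragraph also omits the statement every other HSM paragraph makes about Microsoft's access to key material (Managed HSM: "doesn't have access to the keys themselves"; Dedicated HSM: "Microsoft has no permissions on the device or access to the key material"; Payment HSM: "Microsoft has no access to customer data"). Because the table's "Root of trust control" row marks Cloud HSM as "Customer" while this paragraph says Microsoft manages patching, maintenance, high availability, and hardware failover, an explicit sentence on whether Microsoft operators can reach key material under that shared model is the security-relevant fact this page exists to convey. Minor: the link text "Azure Cloud HSM Overview" differs from the "What is ...?" pattern used by the surrounding links.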