Cloud Computing Policies

Cloud computing services offer many advantages for information resources: on-demand, self-service provisioning, rapid elasticity, resource pooling, and highly granular resource metering are some examples. Along with traditional on-premise information resources, Technology Services encourages the consideration of cloud computing services to meet university needs.

However, along with its various advantages, the use of cloud computing services can also expose Texas A&M University to costly risks due to the fundamental nature of the technology involved. No matter where an information resource is hosted—whether on-premise or in a public cloud—information resource owners must continue to ensure that university data is properly managed, that all privacy requirements are met, and that compliance with all relevant standards and regulations is verified.

The term Cloud Computing is often used in different contexts to mean different things. Particularly when addressing policy and regulations around the use of technology, it is helpful to ensure that we are all using the same meanings to the words we use.

Here at Texas A&M, the term "Cloud Computing" has the meaning described in the National Institute of Standards and Technology Special Publication 800-145:

A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

The document continues to describe five essential characteristics of cloud computing services, and three service models through which cloud computing services are delivered to consumers:

1. Infrastructure as a Service (IaaS)
2. Platform as a Service (PaaS)
3. Software as a Service (SaaS)

If you’d like to confirm whether or not your service or application is a cloud service as defined by NIST, you can use our Cloud Services Calculator.

Standard Administrative Procedure 29.01.03.M0.13 - Cloud Computing Services governs the use of all cloud services at Texas A&M. In short, this SAP says that information services that are hosted in the cloud must meet the same security controls that are applied to all other information resources at Texas A&M. Please note that the scope of this SAP is only for information resources classified as Moderate or High Impact. If you’re not sure about the impact level of your resource, you can use our Impact Calculator to assist.

In addition to that SAP, cloud services used by state agencies in Texas (including institutions of higher education) must comply with the requirements of the Texas Risk and Authorization Management Program. TX-RAMP status is required to be validated at the time of procurement, or any contract renewal. TX-RAMP eligibility requirements are available online, and detailed information about procurement procedures are available at IT Procurement: Purchasing Technology Safely and Securely.

According to SAP 29.01.03.M0.13, the CIO: 

shall maintain an "Approved List of Cloud Computing Providers" which enumerates commercial service providers that are approved for the purposes of hosting moderate or high impact information resources. A copy of this list may be obtained directly from the office of the CIO, and is available electronically on the Technology Services website.

The Reviewed Cloud Services page contains the list of approved cloud computing services and providers. If you’d like to request that a new product be added, you can do so on the Reviewed Cloud Services page. Please note that any cloud products must also have TX-RAMP certification.