Cloud computing services offer many advantages for information resources: on-demand, self-service provisioning, rapid elasticity, resource pooling, and highly granular resource metering are some examples. Along with traditional on-premise information resources, the Division of Information Technology encourages the consideration of cloud computing services to meet university needs.

However, along with its various advantages, the use of cloud computing services can also expose Texas A&M University to costly risks due to the fundamental nature of the technology involved. No matter where an information resource is hosted—whether on-premise or in a public cloud—information resource owners must continue to ensure that university data is properly managed, that all privacy requirements are met, and that compliance with all relevant standards and regulations is verified.

Defining "Cloud Computing"

The term Cloud Computing is often used in different contexts to mean different things. Particularly when addressing policy and regulations around the use of technology, it is helpful to ensure that we are all using the same meanings to the words we use.

Here at Texas A&M, the term "Cloud Computing" has the meaning described in the National Institute of Standards and Technology Special Publication 800-145 

The document continues to describe five essential characteristics of cloud computing services, and three service models through which cloud computing services are delivered to consumers:

  1. Infrastructure as a Service (IaaS)
  2. Platform as a Service (PaaS)
  3. Software as a Service (SaaS)

Policies Governing Cloud Computing

In the fall semester of 2019, the president approved a new SAP that was recommended by the Information Risk, Policy & Security Committee (IRPSC) in order to provide guidance on the use of cloud services at Texas A&M. Standard Administrative Procedure 29.01.03.M0.13 - Cloud Computing Services took effect for IaaS products starting Sept 1, 2019, and is staged in for PaaS and SaaS products through Sept 1, 2020.

In short, this SAP says that information services that are hosted in the cloud must meet the same security controls that are applied to all other information resources at Texas A&M. Please note that the scope of this SAP is only for information resources classified as Moderate or High Impact. If you’re not sure about the impact level of your resource, you can use our Impact Calculator to assist.

List of Approved Cloud Service Providers

According to SAP 29.01.03.M0.13, the CIO:

shall maintain an "Approved List of Cloud Computing Providers" which enumerates commercial service providers that are approved for the purposes of hosting moderate or high impact information resources. A copy of this list may be obtained directly from the office of the CIO, and is available electronically on the Division of IT website.

This list is available here: Approved List of Cloud Services. To request that a new product be added to this list, please email it-security@tamu.edu.