In a SaaS deployment, users do not have direct access to the application or SQL. Most ransomware uses the security permissions of the user. SaaS programs like Acumatica do not allow direct access to the application or SQL. All users and apps work through a security level that requests access to the application and database. The user or an app never really has direct access to the files or has a mapped drive or UNC to the application and files. Ransomware and other malware requires access to the files to encrypt them and look at the users’ mapped drives for other locations to spread. Since access is through an API or Web Service, the virus cannot see drives or file locations. Applications like Excel or Word work through the same request level to retrieve data, so those apps are blocked just like a user from spreading malware.
The argument that SaaS applications are just as vulnerable as on-premises apps to user phishing or social hacking is unfounded. Even if the user is hacked the security they have cannot get to the application level where the malware can do damage. The workstation would be toast, but the SaaS application would not. A server hosted on AWS would be open to the same phishing schemes as on premises, but a SaaS application is not comparable.
Malware typically exploits some weakness in the operating system, firewalls, and applications like Excel to gain an opening. This is a moving target and very hard for a standalone IT shop to be up to the minute on the latest exploit. Amazon and Azure have thousands of people working on security and staying ahead of the hackers. They will always be the toughest to hack; the quickest to react to a hack; and, because of their strong disaster recovery abilities, the fastest to restore the application to a state before the malware did its damage.