Security in the cloud has always followed a shared responsibility model. What the provider manages, the provider secures. What the customer deploys, the customer secures. Generally speaking, if you have no control over it in the cloud, then the onus of securing it is on the provider.
Serverless, which is kind of like a SaaS-hosted PaaS (if that even makes sense), extends that model to reach higher in the stack. That extension leaves the provider with most of the responsibility for security with very little left for the customer.
The problem is that the 'very little left' actually carries the bulk of risk, especially when we consider Function as a Service (FaaS).
Read the full article published May 23, 2019 here: https://www.networkcomputing.com/networking/serverless-security-shift by Network Computing.