Managing key rotations with multiple key managers
US-2017141916-A1 · May 18, 2017 · US
US2017331802A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2017331802-A1 |
| Application number | US-201715589133-A |
| Country | US |
| Kind code | A1 |
| Filing date | May 8, 2017 |
| Priority date | May 11, 2016 |
| Publication date | Nov 16, 2017 |
| Grant date | — |
Abstract
Key generation and roll over is provided for a cloud based identity management system. A key set is generated that includes a previous key and expiration time, a current key and expiration time, and a next key and expiration time, and the key set is stored in a database table and in a memory cache associated with the database table. At the current key expiration time, the key set is rolled over, including retrieving the key set from the database table, updating the previous key and expiration time with the current key and expiration time, updating the current key and expiration time with the next key and expiration time, generating a new key and expiration time, updating the next key and expiration time with the new key and expiration time, and updating the key set in the database table and the memory cache.
Claims (preview)
What is claimed is:

1. A computer-readable medium having instructions stored thereon that, when executed by a processor, cause the processor to generate and roll over keys for a cloud based identity management system, the generating and rolling over comprising: generating a key set including a previous key and a previous key expiration time, a current key and a current key expiration time, and a next key and a next key expiration time; storing the key set in a database table; storing the key set in a memory cache associated with the database table; and at the current key expiration time, rolling over the key set, including: retrieving the key set from the database table, updating the previous key and the previous key expiration time with the current key and the current key expiration time, updating the current key and the current key expiration time with the next key and the next key expiration time, generating a new key and a new key expiration time, updating the next key and the next key expiration time with the new key and the new key expiration time, updating the key set in the database table; and updating the key set in the memory cache.

2. The computer-readable medium of claim 1, wherein: the database table is a tenant-specific database table associated with a tenancy identifier; the memory cache is a tenant-specific memory cache associated with the tenancy identifier; and during said rolling over the key set, the providing further comprises: receiving, over a network, a request from a client application to retrieve the key set, the request including the tenancy identifier; retrieving the key set from the tenant-specific memory cache associated with the tenancy identifier; and sending the key set to the client.

3. The computer-readable medium of claim 2, wherein the request includes a client identifier, and the providing further comprises: prior to retrieving the key set, determining whether the client identifier is authorized to access the tenant-specific memory cache associated with the tenancy identifier.

4. The computer-readable medium of claim 3, wherein the new key expiration time includes a baseline expiration time and a random delta expiration time.

5. The computer-readable medium of claim 4, wherein the key set is a cloud gate key set, the baseline expiration time is 12 hours and the random delta expiration time is between 1 second and 600 seconds.

6. The computer-readable medium of claim 1, wherein the previous, current and next keys are symmetric keys.

7. The computer-readable medium of claim 1, wherein the previous, current and next keys are asymmetric key pairs that include a first key to encrypt data and a second key to decrypt data.

8. The computer-readable medium of claim 1, wherein during said rolling over the key set, the providing further comprises: prior to retrieving the key set from the database table, obtaining a lock on the key set, the lock providing exclusive access to the key set to prevent multiple threads from performing the rolling over; and after updating the key set in the database table, updating a last updated time of the current key and releasing the lock on the key set.

9. The computer-readable medium of claim 8, wherein during said rolling over the key set, the providing further comprises: after obtaining the lock on the key set, determining whether to roll over the key set based on a current time, the last updated time of the current key and a predetermined time period.

10. The computer-readable medium of claim 1, wherein during said rolling over the key set, the key set is rolled over when a difference between a current time and a last updated time of the current key is more than a predetermined time period.

11. A method for generating and rolling over keys for a cloud based identity management system, the method comprising: generating a key set including a previous key and a previous key expiration time, a current key and a current key expiration time, and a next key and a next key expiration time; storing the key set in a database table; storing the key set in a memory cache associated with the database table; and at the current key expiration time, rolling over the key set, including: retrieving the key set from the database table, updating the previous key and the previous key expiration time with the current key and the current key expiration time, updating the current key and the current key expiration time with the next key and the next key expiration time, generating a new key and a new key expiration time, updating the next key and the next key expiration time with the new key and the new key expiration time, updating the key set in the database table; and updating the key set in the memory cache.

12. The method of claim 11, wherein: the database table is a tenant-specific database table associated with a tenancy identifier; the memory cache is a tenant-specific memory cache associated with the tenancy identifier; and during said rolling over the key set, the providing further comprises: receiving, over a network, a request from a client application to retrieve the key set, the request including a client identifier and the tenancy identifier; determining whether the client identifier is authorized to access the tenant-specific memory cache associated with the tenancy identifier; if the client identifier is authorized: retrieving the key set from the tenant-specific memory cache associated with the tenancy identifier; and sending the key set to the client.

13. The method of claim 11, wherein: the key set is a cloud gate key set; the new key expiration time includes a baseline expiration time and a random delta expiration time; the baseline expiration time is 12 hours; and the random delta expiration time is between 1 second and 600 seconds.

14. The method of claim 11, wherein, during said rolling over the key set, the providing further comprises: prior to retrieving the key set from the database table, obtaining a lock on the key set, the lock providing exclusive access to the key set to prevent multiple threads from performing the rolling over; after obtaining the lock on the key set, determining whether to roll over the key set based on a current time, the last updated time of the current key and a predetermined time period; and after updating the key set in the database table, updating a last updated time of the current key and releasing the lock on the key set.

15. The method of claim 14, wherein during said rolling over the key set, the key set is rolled over when a difference between a current time and a last updated time of the current key is more than a predetermined time period.

16. A system comprising a server, coupled to a network, including a processor coupled to a memory storing instructions that, when executed by the processor, cause the processor to generate and roll over keys for a cloud based identity management system, the generating and rolling over comprising: generating a key set including a previous key and a previous key expiration time, a current key and a current key expiration time, and a next key and a next key expiration time; storing the key set in a database table; storing the key set in a memory cache associated with the database table; and at the current key expiration time, rolling over the key set, including: retrieving the key set from the database table, updating the previous key and the previous key expiration time with the current key and the current key expirati
CPC classifications:

- using time-dependent keys, e.g. periodically changing keys (cryptographic mechanisms or cryptographic arrangements for controlling usage of secret information, H04L9/088)
- Revocation or update of secret information, e.g. encryption key update or rekeying
- providing single-sign-on or federations
- Entity profiles
- Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage